diff --git a/en_US.ISO8859-1/books/handbook/desktop/chapter.sgml b/en_US.ISO8859-1/books/handbook/desktop/chapter.sgml
index 320dd89905..d757b5261d 100644
--- a/en_US.ISO8859-1/books/handbook/desktop/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/desktop/chapter.sgml
@@ -1,1161 +1,1159 @@
ChristopheJunietContributed by Desktop ApplicationsSynopsisFreeBSD can run a wide variety of desktop applications, such
as browsers and word processors. Most of these are available as
packages or can be automatically built from the ports
collection. Many new users expect to find these kinds of
applications on their desktop. This chapter will show you how
to install some popular desktop applications effortlessly,
either from their packages or from the ports collection.Note that when installing programs from the ports, they are
compiled from source. This can take a very long time, depending
on what you are compiling and the processing power of your
machine(s). If building from source takes a prohibitively long
amount of time for you, you can install most of the programs of
the ports collection from pre-built packages.As FreeBSD features Linux binary compatibility, many
applications originally developed for Linux are available for
your desktop. It is strongly recommended that you read
before installing any of the Linux
applications. Many of the ports using the Linux binary
compatibility start with linux-. Remember this
when you search for a particular port, for instance with
&man.whereis.1;. In the following text, it is assumed that you
have enabled Linux binary compatibility before installing any of
the Linux applications.Here are the categories covered by this chapter:Browsers (such as Mozilla,
Netscape,
Opera)Productivity (such as
KOffice,
AbiWord,
The GIMP,
OpenOffice.org)Document Viewers (such as Acrobat
Reader,
gv,
Xpdf,
GQview)Finance (such as
GnuCash,
Gnumeric,
Abacus)Before reading this chapter, you should:Know how to install additional third-party software
().Know how to install additional Linux software
().For information on how to get a multimedia environment, read
. If you want to setup and use
electronic mail, please refer to .BrowsersFreeBSD does not come with a particular browser
pre-installed. Instead, the
www
directory of the ports collection contains a lot of browsers
ready to be installed. If you do not have time to compile
everything (this can take a very long time in some cases) many
of them are available as packages.KDE and
GNOME already provide HTML browsers.
Please refer to for more information on
how to setup these complete desktops.If you are looking for light-weight browsers, you should
investigate the ports collection for
www/dillo,
www/links, or
www/w3m.This section covers these applications:Application NameResources NeededInstallation from PortsMajor DependenciesMozillaheavyheavyGtk+NetscapeheavylightLinux Binary CompatibilityOperalightlightFreeBSD version: None. Linux version: Linux Binary Compatibility and
linux-openmotifMozillaMozillaMozilla is perhaps the most
suitable browser for your FreeBSD Desktop. It is modern,
stable, and fully ported to FreeBSD. It features a very
standards-compliant HTML display engine. It provides a mail
and news reader. It even has a HTML composer if you plan to
write some web pages yourself. Users of
Netscape will recognize the
similarities with Communicator
suite, as both browsers shared the same basis.On slow machines, with a CPU speed less than 233MHz or
with less than 64MB of RAM, Mozilla
can be too resource-consuming to be fully usable. You may
want to look at the Opera browser
instead, described a little later in this chapter.If you cannot or do not want to compile
Mozilla for any reason, the FreeBSD
GNOME team has already done this for you. Just install the
package from the network by:&prompt.root; pkg_add -r mozillaIf the package is not available, and you have enough time
and disk space, you can get the source for
Mozilla, compile it and install it
on your system. This is accomplished by:&prompt.root; cd /usr/ports/www/mozilla
&prompt.root; make install cleanThe Mozilla port ensures a
correct initialization by running the chrome registry setup
with root privileges. However, if you
want to fetch some add-ons like mouse gestures, you must run
Mozilla as
root to get them properly
installed.Once you have completed the installation of
Mozilla, you do not need to be
root any longer. You can start
Mozilla as a browser by typing:&prompt.user; mozillaYou can start it directly as a mail and news reader as
shown below:&prompt.user; mozilla -mailTomRhodesContributed by Mozilla, Java, and Shockwave FlashInstalling Mozilla is simple, but
unfortunately installing Mozilla with
support for things like java and
Shockwave Flash consumes both time and disk
space.The first thing is to download the files which will be used
with Mozilla. Take your current web
browser up to
-
- http://www.sun.com/software/java2/download.html and
+ and
create an account on their website. Remember to save the username
and password from here as it may be needed in the future. Download
a copy of the file j2sdk-1_3_1-src.tar.gz and place this in
/usr/ports/distfiles/ as the port will not
fetch it automatically. This is due to license restrictions. While
we are here, open the java environment from
-
- http://java.sun.com/webapps/download/Display?BundleId=7163.
+ .
The filename is j2sdk-1_3_1_06-linux-i586.bin and is large (about 25
megabytes!). Like before, this file must be placed into
/usr/ports/distfiles/. Finally download a copy
of the java patchkit from
-
- http://www.eyesbeyond.com/freebsddom/java/ and place it
+
+ and place it
into /usr/ports/distfiles/.Install the java/jdk13 port
with the standard make install clean and
then install the www/flashpluginwrapper
port. This port requires
emulators/linux_base which is a
large port. True that other flash plugins exist, however they have
not worked for me.Now copy the flash plug-in files with:&prompt.root; cp /usr/local/lib/flash/libflashplayer.so \
/usr/X11R6/lib/mozilla/plugins/libflashplayer_linux.so&prompt.root; cp /usr/local/lib/flash/ShockwaveFlash.class \
/usr/X11R6/lib/mozilla/plugins/If you are using
www/mozilla-devel,
the destination directories will be different.Now add the following lines to the top of (but right under
#!/bin/sh) Mozilla startup script:
/usr/X11R6/bin/mozilla.LD_PRELOAD=/usr/local/lib/libflashplayer.so.1
export LD_PRELOADThis will enable the flash plug-in.Install the www/mozilla port,
if Mozilla is already installed then just
start it with:&prompt.user; mozilla &And access the About Plug-ins option from the
Help menu. A list should appear with all the currently
available plugins. java and
shockwave flash should both be listed.NetscapeNetscapeThe ports collection contains several versions of the
Netscape browser. Since the native FreeBSD ones contain a
serious security bug, installing them is strongly
discouraged. Instead, use a more recent Linux or DIGITAL UNIX
version.The latest stable release of the Netscape browser is
Netscape 7. It can be installed
from the ports collection:&prompt.root; cd /usr/ports/www/netscape7
&prompt.root; make install cleanThere are localized versions in the French, German, and
Japanese categories.Netscape 4.x versions are not
recommended because they are not compliant with today's
standards. However, Netscape 7.x
and newer versions are only available for the i386
platform.OperaOperaOpera is a very fast,
full-featured, and standards-compliant browser. It comes in
two favors: a native FreeBSD version and a
version that runs under Linux emulation.
For each operating system, there is a no-cost version of the
browser that displays advertising and an ad-free
version that can be purchased on the Opera web site.To browse the Web with the FreeBSD version of Opera,
install the package:&prompt.root; pkg_add -r operaSome FTP sites do not have all the packages, but the same
result can be obtained with the ports collection by
typing:&prompt.root; cd /usr/ports/www/opera
&prompt.root; make install cleanTo install the Linux version of
Opera, substitute
linux-opera in place of
opera in the examples above. The Linux
version is useful in situations requiring the use of plug-ins
that are only available for Linux, such as Adobe
Acrobat Reader. In all other respects, the
FreeBSD and Linux versions appear to be functionally
identical.ProductivityWhen it comes to productivity, new users often look for a
good office suite or a friendly word processor. While some
desktop environments like
KDE already provide an office suite,
there is no default application. FreeBSD provides all that is
needed, regardless of your desktop environment.This section covers these applications:Application NameResources NeededInstallation from PortsMajor DependenciesKOfficelightheavyKDEAbiWordlightlightGtk+ or GNOMEThe GimplightheavyGtk+OpenOffice.orgheavyhugeGCC 3.1, JDK 1.3, MozillaKOfficeKOfficeoffice suiteKOfficeThe KDE community has provided its desktop environment
with an office suite which can be used outside
KDE. It includes the four standard
components that can be found in other office suites.
KWord is the word processor,
KSpread is the spreadsheet program,
KPresenter manages slide
presentations, and Kontour lets you
draw graphical documents.Before installing the latest
KOffice, make sure you have an
up-to-date version of KDE.To install KOffice as a
package, issue the following command:&prompt.root; pkg_add -r kofficeIf the package is not available, you can use the ports
collection. For instance, to install
KOffice for
KDE3, do:&prompt.root; cd /usr/ports/editors/koffice-kde3
&prompt.root; make install cleanAbiWordAbiWordAbiWord is a free word
processing program similar in look and feel to Microsoft Word.
It is suitable for typing papers, letters, reports, memos, and
so forth. It is very fast, contains many features, and is
very user-friendly.AbiWord can import or export
many file formats, including some proprietary ones like
Microsoft .doc.AbiWord is available as a
package. You can install it by:&prompt.root; pkg_add -r AbiWord-gnomeIf the package is not available, it can be compiled from
the ports collection. The ports collection should be more
up to date. It can be done as follows:&prompt.root; cd /usr/ports/editors/AbiWord
&prompt.root; make install cleanThe GIMPThe GIMPFor image authoring or picture retouching,
The GIMP is a very sophisticated
image manipulation program. It can be used as a simple paint
program or as a quality photo retouching suite. It supports a
large number of plug-ins and features a scripting interface.
The GIMP can read and write a wide
range of file formats. It supports interfaces with scanners
and tablets.You can install the package by issuing this
command:&prompt.root; pkg_add -r gimpIf your FTP site does not have this package, you can use
the ports collection. The
graphics
directory of the ports collection also contains
The Gimp Manual. Here is how to
get them installed:&prompt.root; cd /usr/ports/graphics/gimp1
&prompt.root; make install clean
&prompt.root; cd /usr/ports/graphics/gimp-manual-pdf
&prompt.root; make install cleanThe
graphics
directory of the ports collection holds the development
version of The GIMP in
graphics/gimp-devel.
HTML and PostScript versions of
The Gimp Manual are in
graphics/gimp-manual-html and
graphics/gimp-manual-ps.OpenOffice.orgOpenOffice.orgoffice suiteOpenOffice.orgOpenOffice.org includes all of the
mandatory applications in a complete office productivity
suite: a word processor, a spreadsheet, a presentation manager,
and a drawing program. Its user interface is very similar
to other office suites, and it can import and export in various
popular file formats. It is available in a number of
different languages including interfaces, spell checkers, and
dictionaries.The word processor of
OpenOffice.org uses a native XML
file format for increased portability and flexibility. The
spreadsheet program features a macro language and it can be
interfaced with external databases.
OpenOffice.org is already stable
and runs natively on Windows, Solaris, Linux, FreeBSD
and Mac OS X. More
information about OpenOffice.org
can be found on the
OpenOffice web site.
For FreeBSD specific information, and to directly
download packages use the FreeBSD OpenOffice
Porting Team's web site.To install OpenOffice.org,
do:&prompt.root; pkg_add -r openofficeOnce the package is installed, you must run the setup
program and choose a .
Run this command as the user who will use
OpenOffice.org:&prompt.user; openoffice-setupIf the OpenOffice.org packages
are not available, you still have the option to compile the
port. However, you must bear in mind that it requires a lot of
disk space and a fairly long time to compile.&prompt.root; cd /usr/ports/editors/openoffice
&prompt.root; make install cleanOnce this is done, run the setup as the user who will use
OpenOffice.org and choose a
by:&prompt.user; cd /usr/ports/editors/openoffice
&prompt.user; make install-userIf you want to use a localized version, here are the available
ports:LanguagePortArabiceditors/openoffice-arDanisheditors/openoffice-dkSpanisheditors/openoffice-esGreekeditors/openoffice-grItalianeditors/openoffice-itDutcheditors/openoffice-nlPolisheditors/openoffice-plSwedisheditors/openoffice-seTurkisheditors/openoffice-trFrenchfrench/openofficeGermangerman/openofficeJapanesejapanese/openofficeKoreankorean/openofficePortugueseportuguese/openofficeRussianrussian/openofficeDocument ViewersSome new document formats have recently gained popularity.
The standard viewers they require may not be available in the
base system. We will see how to install them in this
section.This section covers these applications:Application NameResources NeededInstallation from PortsMajor DependenciesAcrobat ReaderlightlightLinux Binary CompatibilitygvlightlightXaw3dXpdflightlightFreeTypeGQviewlightlightGtk+ or GNOMEAcrobat ReaderAcrobat ReaderPDFviewingMany documents are now distributed as PDF files,
which stands for Portable Document Format. One
of the recommended viewers for these types of files is
Acrobat Reader, released by Adobe
for Linux. As FreeBSD can run Linux binaries, it is also
available for FreeBSD.To install the Acrobat Reader 5
package, do:&prompt.root; pkg_add -r acroread5As usual, if the package is not available or you want the
latest version, you can use the ports collection as
well:&prompt.root; cd /usr/ports/print/acroread5
&prompt.root; make install cleanAcrobat Reader is
available in several different versions. At this time of
writing, there are:
print/acroread (version 3.0.2),
print/acroread4 (version 4.0.5), and
print/acroread5 (version 5.0.6).
They may not all have been packaged for your version of
FreeBSD. The ports collection will always contain
the latest versions.gvgvPDFviewingPostScriptviewinggv is a PostScript and PDF
viewer. It is originally based on
ghostview but it has a nicer look
thanks to the Xaw3d library. It is fast and its interface is
clean. gv has many features like
orientation, paper size, scale, or antialias. Almost any
operation can be done either from the keyboard or the
mouse.To install gv as a package,
do:&prompt.root; pkg_add -r gvIf you cannot get the package, you can use the ports
collection:&prompt.root; cd /usr/ports/print/gv
&prompt.root; make install cleanXpdfXpdfPDFviewingIf you want a small FreeBSD PDF viewer,
Xpdf is a light-weight and
efficient viewer. It requires very few resources and is
very stable. It uses the standard X fonts and does not
require Motif or any other X toolkit.To install the Xpdf package,
issue this command:&prompt.root; pkg_add -r xpdfIf the package is not available or you prefer to use the
ports collection, do:&prompt.root; cd /usr/ports/graphics/xpdf
&prompt.root; make install cleanOnce the installation is complete, you can launch
Xpdf and use the right mouse button
to activate the menu.GQviewGQviewGQview is an image manager.
You can view a file with a single click, launch an external
editor, get thumbnail previews, and much more. It also
features a slideshow mode and some basic file operations. You
can manage image collections and easily find duplicates.
GQview can do full screen viewing
and supports internationalization.If you want to install the
GQview package, do:&prompt.root; pkg_add -r gqviewIf the package is not available or you prefer to use the
ports collection, do:&prompt.root; cd /usr/ports/graphics/gqview
&prompt.root; make install cleanFinanceIf, for any reason, you would like to manage your personal
finances on your FreeBSD Desktop, there are some powerful and
easy to use applications ready to be installed. Some of them
are compatible with widespread file formats like those of
Quicken or Excel documents.This section covers these applications:Application NameResources NeededInstallation from PortsMajor DependenciesGnuCashlightheavyGNOMEGnumericlightheavyGNOMEAbacuslightlightTcl/TkGnuCashGnuCashGnuCash is part of the
GNOME effort to provide
user-friendly yet powerful applications to end-users. With
GnuCash, you can keep track of your
income and expenses, your bank accounts, or your stocks. It
features an intuitive interface while remaining very
professional.GnuCash provides a smart
register, a hierarchical system of accounts, many keyboard
accelerators and auto-completion methods. It can split a
single transaction into several more detailed pieces.
GnuCash can import and merge
Quicken QIF files. It also handles most international date
and currency formats.To install GnuCash on your
system, do:&prompt.root; pkg_add -r gnucashIf the package is not available, you can use the ports
collection:&prompt.root; cd /usr/ports/finance/gnucash
&prompt.root; make install cleanGnumericGnumericspreadsheetGnumericGnumeric is a spreadsheet, part
of the GNOME desktop environment.
It features convenient automatic guessing of user
input according to the cell format and an autofill system for
many sequences. It can import files in a number of popular
formats like those of Excel, Lotus 1-2-3, or Quattro Pro.
Gnumeric supports graphs through
the math/guppi graphing
program. It has a large number of built-in functions and
allows all of the usual cell formats such as number, currency,
date, time, and much more.To install Gnumeric as a
package, type in:&prompt.root; pkg_add -r gnumericIf the package is not available, you can use the ports
collection by doing:&prompt.root; cd /usr/ports/math/gnumeric
&prompt.root; make install cleanAbacusAbacusspreadsheetAbacusAbacus is a small and easy to
use spreadsheet. It includes many built-in functions useful
in several domains such as statistics, finances, and
mathematics. It can import and export the Excel file format.
Abacus can produce PostScript
output.To install Abacus from its
package, do:&prompt.root; pkg_add -r abacusIf the package is not available, you can use the ports
collection by doing:&prompt.root; cd /usr/ports/deskutils/abacus
&prompt.root; make install cleanSummaryWhile FreeBSD is popular among ISPs for its performance and
stability, it is quite ready for day-to-day use as a desktop.
With several thousand applications available as
packages or
ports,
you can build a perfect desktop that suits all your needs.Once you have achieved the installation of your desktop, you
may want to go one step further with
misc/instant-workstation.
This meta-port allows you to build a typical set
of ports for a workstation. You can customize it by editing
/usr/ports/misc/instant-workstation/Makefile.
Follow the syntax used for the default set to add or remove
ports, and build it with the usual procedure.
Eventually, you will be able to create a big package that
corresponds to your very own desktop and install it to your
other workstations!Here is a quick review of all the desktop applications
covered in this chapter:Application NamePackage NamePorts NameMozillamozillawww/mozillaNetscapelinux-netscape7www/netscape7Operalinux-operawww/linux-operaKOfficekoffice-kde3editors/koffice-kde3AbiWordAbiWord-gnomeeditors/AbiWordThe GIMPgimpgraphics/gimp1OpenOffice.orgopenofficeeditors/openofficeAcrobat Readeracroread5print/acroread5gvgvprint/gvXpdfxpdfgraphics/xpdfGQviewgqviewgraphics/gqviewGnuCashgnucashfinance/gnucashGnumericgnumericmath/gnumericAbacusabacusdeskutils/abacus
diff --git a/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml b/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml
index 90d65363e2..70d624ae5f 100644
--- a/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mirrors/chapter.sgml
@@ -1,4699 +1,4662 @@
Obtaining FreeBSDCDROM and DVD PublishersRetail Boxed ProductsFreeBSD is available as a boxed product (FreeBSD CDs,
additional software, and printed documentation) from several
retailers:CompUSA
- WWW: http://www.compusa.com/
+ WWW: Frys Electronics
- WWW: http://www.frys.com/
+ WWW: CD and DVD SetsFreeBSD CD and DVD sets are available from many online
retailers:Daemon News Mall560 South State Street, Suite A2Orem, UT84058USA
Phone: +1 800 407-5170
Fax: +1 1 801 765-0877
Email: sales@bsdmall.com
WWW: http://www.bsdmall.com/FreeBSD Mall, Inc.3623 Sanford StreetConcord, CA94520-1405USA
Phone: +1 925 674-0783
Fax: +1 925 674-0821
Email: info@freebsdmall.com
- WWW: http://www.freebsdmall.com/
+ WWW: FreeBSD Services Ltd11 Lapwing CloseBicesterOX26 6XRUnited Kingdom
- WWW: http://www.freebsd-services.com/
+ WWW: Hinner EDVSt. Augustinus-Str. 10D-81825MünchenGermany
Phone: (089) 428 419
- WWW: http://www.hinner.de/linux/freebsd.html
+ WWW: Ingram Micro1600 E. St. Andrew PlaceSanta Ana, CA92705-4926USA
Phone: 1 (800) 456-8000
- WWW: http://www.ingrammicro.com/
+ WWW: The Linux EmporiumHilliard House, Lester WayWallingfordOX10 9TAUnited Kingdom
Phone: +44 1491 837010
Fax: +44 1491 837016
WWW: http://www.linuxemporium.co.uk/bsd.htmlUNIXDVD.COM LTD57 Primrose AvenueSheffieldS5 6FSUnited Kingdom
- WWW: http://www.unixdvd.com/
+ WWW: DistributorsIf you are a reseller and want to carry FreeBSD CDROM products,
please contact a distributor:Cylogistics2672 Bayshore Parkway, Suite 610Mountain View, CA94043USA
Phone: +1 650 694-4949
Fax: +1 650 694-4953
Email: sales@cylogistics.com
- WWW: http://www.cylogistics.com/
+ WWW: FreeBSD Services Ltd11 Lapwing CloseBicesterOX26 6XRUnited Kingdom
- WWW: http://www.freebsd-services.com/
+ WWW: Kudzu, LLC7375 Washington Ave. S.Edina, MN55439USA
Phone: +1 952 947-0822
Fax: +1 952 947-0876
Email: sales@kudzuenterprises.comNavarre Corp7400 49th Ave SouthNew Hope, MN55428USA
Phone: +1 763 535-8333
Fax: +1 763 535-0341
- WWW: http://www.navarre.com/
+ WWW: FTP SitesThe official sources for FreeBSD are available via anonymous FTP
from:
- ftp://ftp.FreeBSD.org/pub/FreeBSD/.
+ .
The FreeBSD mirror
sites database is more accurate than the mirror listing in the
Handbook, as it gets its information from the DNS rather than relying on
static lists of hosts.Additionally, FreeBSD is available via anonymous FTP from the
following mirror sites. If you choose to obtain FreeBSD via anonymous
FTP, please try to use a site near you.Argentina,
Australia,
Austria,
Brazil,
Bulgaria,
Canada,
China,
Czech Republic,
Denmark,
Estonia,
Finland,
France,
Germany,
Greece,
Hong Kong,
Hungary,
Iceland,
Ireland,
Italy,
Japan,
Korea,
Lithuania,
Netherlands,
New Zealand,
Norway,
Poland,
Portugal,
Romania,
Russia,
Saudi Arabia,
Singapore,
Slovak Republic,
Slovenia,
South Africa,
Spain,
Sweden,
Switzerland,
Taiwan,
Thailand,
UK,
Ukraine,
USA.ArgentinaIn case of problems, please contact the hostmaster
hostmaster@ar.FreeBSD.org for this domain.
- ftp://ftp.ar.FreeBSD.org/pub/FreeBSD/
+ AustraliaIn case of problems, please contact the hostmaster
hostmaster@au.FreeBSD.org for this domain.
- ftp://ftp.au.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp2.au.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp3.au.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp4.au.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp5.au.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp6.au.FreeBSD.org/pub/FreeBSD/
+ AustriaIn case of problems, please contact the hostmaster
hostmaster@at.FreeBSD.org for this domain.
- ftp://ftp.at.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp2.at.FreeBSD.org/pub/FreeBSD/
+ BrazilIn case of problems, please contact the hostmaster
hostmaster@br.FreeBSD.org for this domain.
- ftp://ftp.br.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp2.br.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp3.br.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp4.br.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp5.br.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp6.br.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp7.br.FreeBSD.org/pub/FreeBSD/
+ BulgariaIn case of problems, please contact the hostmaster
hostmaster@bg.FreeBSD.org for this domain.
- ftp://ftp.bg.FreeBSD.org/pub/FreeBSD/
+ CanadaIn case of problems, please contact the hostmaster
hostmaster@ca.FreeBSD.org for this domain.
- ftp://ftp.ca.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp2.ca.FreeBSD.org/pub/FreeBSD/
+ ChinaIn case of problems, please contact the hostmaster
phj@cn.FreeBSD.org for this domain.
- ftp://ftp.cn.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp2.cn.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp3.cn.FreeBSD.org/pub/FreeBSD/
+ Czech RepublicIn case of problems, please contact the hostmaster
hostmaster@cz.FreeBSD.org for this domain.
- ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ Contact: calda@dzungle.ms.mff.cuni.cz
+ Contact: calda@dzungle.ms.mff.cuni.czDenmarkIn case of problems, please contact the hostmaster
hostmaster@dk.FreeBSD.org for this domain.
- ftp://ftp.dk.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp2.dk.FreeBSD.org/pub/FreeBSD/
+ EstoniaIn case of problems, please contact the hostmaster
hostmaster@ee.FreeBSD.org for this domain.
- ftp://ftp.ee.FreeBSD.org/pub/FreeBSD/
+ FinlandIn case of problems, please contact the hostmaster
hostmaster@fi.FreeBSD.org for this domain.
- ftp://ftp.fi.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp3.fi.FreeBSD.org/pub/FreeBSD/
+ FranceIn case of problems, please contact the hostmaster
hostmaster@fr.FreeBSD.org for this domain.
- ftp://ftp.fr.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp2.fr.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp3.fr.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp5.fr.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp6.fr.FreeBSD.org/pub/FreeBSD/
+
- ftp://ftp8.fr.FreeBSD.org/pub/FreeBSD/
+ GermanyIn case of problems, please contact the mirror admins
de-bsd-hubs@de.FreeBSD.org for this domain.GreeceIn case of problems, please contact the hostmaster
hostmaster@gr.FreeBSD.org for this domain.Hong KongHungaryIn case of problems, please contact the hostmaster
mohacsi@ik.bme.hu for this domain.IcelandIn case of problems, please contact the hostmaster
hostmaster@is.FreeBSD.org for this domain.IrelandIn case of problems, please contact the hostmaster
hostmaster@ie.FreeBSD.org for this domain.ItalyIn case of problems, please contact the hostmaster
hostmaster@it.FreeBSD.org for this domain.JapanIn case of problems, please contact the hostmaster
hostmaster@jp.FreeBSD.org for this domain.KoreaIn case of problems, please contact the hostmaster
hostmaster@kr.FreeBSD.org for this domain.LithuaniaIn case of problems, please contact the hostmaster
hostmaster@lt.FreeBSD.org for this domain.NetherlandsIn case of problems, please contact the hostmaster
hostmaster@nl.FreeBSD.org for this domain.New ZealandIn case of problems, please contact the hostmaster
hostmaster@nz.FreeBSD.org for this domain.NorwayIn case of problems, please contact the hostmaster
hostmaster@no.FreeBSD.org for this domain.PolandIn case of problems, please contact the hostmaster
hostmaster@pl.FreeBSD.org for this domain.PortugalIn case of problems, please contact the hostmaster
hostmaster@pt.FreeBSD.org for this domain.RomaniaIn case of problems, please contact the hostmaster
hostmaster@ro.FreeBSD.org for this domain.RussiaIn case of problems, please contact the hostmaster
hostmaster@ru.FreeBSD.org for this domain.Saudi ArabiaIn case of problems, please contact
ftpadmin@isu.net.saSingaporeIn case of problems, please contact the hostmaster
hostmaster@sg.FreeBSD.org for this domain.South AfricaIn case of problems, please contact the hostmaster
hostmaster@za.FreeBSD.org for this domain.Slovak RepublicIn case of problems, please contact the hostmaster
hostmaster@sk.FreeBSD.org for this domain.SloveniaIn case of problems, please contact the hostmaster
hostmaster@si.FreeBSD.org for this domain.SpainIn case of problems, please contact the hostmaster
hostmaster@es.FreeBSD.org for this domain.SwedenIn case of problems, please contact the hostmaster
hostmaster@se.FreeBSD.org for this domain.SwitzerlandIn case of problems, please contact the hostmaster
hostmaster@ch.FreeBSD.org for this domain.TaiwanIn case of problems, please contact the hostmaster
hostmaster@tw.FreeBSD.org for this domain.Thailand
Contact: ftpadmin@ftp.nectec.or.th.Ukraine
Contact: freebsd-mnt@lucky.net.UKIn case of problems, please contact the hostmaster
hostmaster@uk.FreeBSD.org for this domain.USAIn case of problems, please contact the hostmaster
hostmaster@FreeBSD.org for this domain.Anonymous CVSIntroductionAnonymous CVS (or, as it is otherwise known,
anoncvs) is a feature provided by the CVS
utilities bundled with FreeBSD for synchronizing with a remote
CVS repository. Among other things, it allows users of FreeBSD
to perform, with no special privileges, read-only CVS operations
against one of the FreeBSD project's official anoncvs servers.
To use it, one simply sets the CVSROOT
environment variable to point at the appropriate anoncvs server,
provides the well-known password anoncvs with the
cvs login command, and then uses the
&man.cvs.1; command to access it like any local
repository.The cvs login command, stores the passwords
that are used for authenticating to the CVS server in a file
called .cvspass in your
HOME directory. If this file does not exist,
you might get an error when trying to use cvs
login for the first time. Just make an empty
.cvspass file, and retry to login.While it can also be said that the CVSup and anoncvs
services both perform essentially the same function, there are
various trade-offs which can influence the user's choice of
synchronization methods. In a nutshell,
CVSup is much more efficient in its
usage of network resources and is by far the most technically
sophisticated of the two, but at a price. To use
CVSup, a special client must first be
installed and configured before any bits can be grabbed, and
then only in the fairly large chunks which
CVSup calls
collections.Anoncvs, by contrast, can be used
to examine anything from an individual file to a specific
program (like ls or grep)
by referencing the CVS module name. Of course,
anoncvs is also only good for
read-only operations on the CVS repository, so if it is your
intention to support local development in one repository shared
with the FreeBSD project bits then
CVSup is really your only
option.Using Anonymous CVSConfiguring &man.cvs.1; to use an Anonymous CVS repository
is a simple matter of setting the CVSROOT
environment variable to point to one of the FreeBSD project's
anoncvs servers. At the time of this
writing, the following servers are available:USA:
:pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
(Use cvs login and enter the password
anoncvs when prompted.)Germany:
:pserver:anoncvs@anoncvs.de.FreeBSD.org:/home/ncvs
(Use cvs login and enter the password
anoncvs when prompted.)Germany:
:pserver:anoncvs@anoncvs2.de.FreeBSD.org:/home/ncvs
(rsh, pserver, ssh, ssh/2022)
Japan:
:pserver:anoncvs@anoncvs.jp.FreeBSD.org:/home/ncvs
(Use cvs login and enter the password
anoncvs when prompted.)Since CVS allows one to check out virtually
any version of the FreeBSD sources that ever existed (or, in
some cases, will exist), you need to be
familiar with the revision () flag to
&man.cvs.1; and what some of the permissible values for it in
the FreeBSD Project repository are.There are two kinds of tags, revision tags and branch tags.
A revision tag refers to a specific revision. Its meaning stays
the same from day to day. A branch tag, on the other hand,
refers to the latest revision on a given line of development, at
any given time. Because a branch tag does not refer to a
specific revision, it may mean something different tomorrow than
it means today. contains revision tags that users
might be interested
in. Again, none of these are valid for the ports collection
since the ports collection does not have multiple
revisions.When you specify a branch tag, you normally receive the
latest versions of the files on that line of development. If
you wish to receive some past version, you can do so by
specifying a date with the flag.
See the &man.cvs.1; manual page for more details.ExamplesWhile it really is recommended that you read the manual page
for &man.cvs.1; thoroughly before doing anything, here are some
quick examples which essentially show how to use Anonymous
CVS:Checking Out Something from -CURRENT (&man.ls.1;) and
Deleting It Again:&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs co ls
&prompt.user; cvs release -d ls
&prompt.user; cvs logoutChecking Out the Version of &man.ls.1; in the 3.X-STABLE
Branch:&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs co -rRELENG_3 ls
&prompt.user; cvs release -d ls
&prompt.user; cvs logoutCreating a List of Changes (as unified diffs) to &man.ls.1;&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs rdiff -u -rRELENG_3_0_0_RELEASE -rRELENG_3_4_0_RELEASE ls
&prompt.user; cvs logoutFinding Out What Other Module Names Can Be Used:&prompt.user; setenv CVSROOT :pserver:anoncvs@anoncvs.FreeBSD.org:/home/ncvs
&prompt.user; cvs loginAt the prompt, enter the passwordanoncvs.
&prompt.user; cvs co modules
&prompt.user; more modules/modules
&prompt.user; cvs release -d modules
&prompt.user; cvs logoutOther ResourcesThe following additional resources may be helpful in learning
CVS:CVS Tutorial from Cal Poly.CVS Home,
the CVS development and support community.CVSweb is
the FreeBSD Project web interface for CVS.Using CTMCTM is a method for keeping a
remote directory tree in sync with a central one. It has been
developed for usage with FreeBSD's source trees, though other
people may find it useful for other purposes as time goes by.
Little, if any, documentation currently exists at this time on the
process of creating deltas, so talk to &a.phk; for more
information should you wish to use CTM
for other things.Why Should I Use CTM?CTM will give you a local copy of
the FreeBSD source trees. There are a number of
flavors of the tree available. Whether you wish
to track the entire CVS tree or just one of the branches,
CTM can provide you the information.
If you are an active developer on FreeBSD, but have lousy or
non-existent TCP/IP connectivity, or simply wish to have the
changes automatically sent to you,
CTM was made for you. You will need
to obtain up to three deltas per day for the most active
branches. However, you should consider having them sent by
automatic email. The sizes of the updates are always kept as
small as possible. This is typically less than 5K, with an
occasional (one in ten) being 10-50K and every now and then a
large 100K+ or more coming around.You will also need to make yourself aware of the various
caveats related to working directly from the development sources
rather than a pre-packaged release. This is particularly true
if you choose the current sources. It is
recommended that you read Staying
current with FreeBSD.What Do I Need to Use
CTM?You will need two things: The CTM
program, and the initial deltas to feed it (to get up to
current levels).The CTM program has been part of
FreeBSD ever since version 2.0 was released, and lives in
/usr/src/usr.sbin/ctm if you have a copy
of the source available.If you are running a pre-2.0 version of FreeBSD, you can
fetch the current CTM sources
directly from:The deltas you feed
CTM can be had two ways, FTP or
email. If you have general FTP access to the Internet then the
following FTP sites support access to
CTM:or see section mirrors.FTP the relevant directory and fetch the
README file, starting from there.If you wish to get your deltas via email:Send email to &a.majordomo; to subscribe to one of the
CTM distribution lists.
ctm-cvs-cur supports the entire CVS tree.
ctm-src-cur supports the head of the development
branch. ctm-src-2_2 supports the 2.2 release
branch, etc.. (If you do not know how to subscribe yourself
using majordomo, send a message first containing the word
help — it will send you back usage
instructions.)When you begin receiving your CTM
updates in the mail, you may use the
ctm_rmail program to unpack and apply them.
You can actually use the ctm_rmail program
directly from a entry in /etc/aliases if
you want to have the process run in a fully automated fashion.
Check the ctm_rmail manual page for more
details.No matter what method you use to get the
CTM deltas, you should subscribe to
the ctm-announce@FreeBSD.org mailing list. In
the future, this will be the only place where announcements
concerning the operations of the
CTM system will be posted. Send an
email to &a.majordomo; with a single line of
subscribe ctm-announce to get added to the
list.Using CTM for the First
TimeBefore you can start using CTM
deltas, you will need to get to a starting point for the deltas
produced subsequently to it.First you should determine what you already have. Everyone
can start from an empty directory. You must use
an initial Empty delta to start off your
CTM supported tree. At some point it
is intended that one of these started deltas be
distributed on the CD for your convenience, however, this does
not currently happen.Since the trees are many tens of megabytes, you should
prefer to start from something already at hand. If you have a
-RELEASE CD, you can copy or extract an initial source from it.
This will save a significant transfer of data.You can recognize these starter deltas by the
X appended to the number
(src-cur.3210XEmpty.gz for instance). The
designation following the X corresponds to
the origin of your initial seed.
Empty is an empty directory. As a rule a
base transition from Empty is produced
every 100 deltas. By the way, they are large! 70 to 80
Megabytes of gzip'd data is common for the
XEmpty deltas.Once you have picked a base delta to start from, you will also
need all deltas with higher numbers following it.Using CTM in Your Daily
LifeTo apply the deltas, simply say:&prompt.root; cd /where/ever/you/want/the/stuff
&prompt.root; ctm -v -v /where/you/store/your/deltas/src-xxx.*CTM understands deltas which have
been put through gzip, so you do not need to
gunzip them first, this saves disk space.Unless it feels very secure about the entire process,
CTM will not touch your tree. To
verify a delta you can also use the flag and
CTM will not actually touch your
tree; it will merely verify the integrity of the delta and see
if it would apply cleanly to your current tree.There are other options to CTM
as well, see the manual pages or look in the sources for more
information.That is really all there is to it. Every time you get a new
delta, just run it through CTM to
keep your sources up to date.Do not remove the deltas if they are hard to download again.
You just might want to keep them around in case something bad
happens. Even if you only have floppy disks, consider using
fdwrite to make a copy.Keeping Your Local ChangesAs a developer one would like to experiment with and change
files in the source tree. CTM
supports local modifications in a limited way: before checking
for the presence of a file foo, it first
looks for foo.ctm. If this file exists,
CTM will operate on it instead of
foo.This behavior gives us a simple way to maintain local
changes: simply copy the files you plan to modify to the
corresponding file names with a .ctm
suffix. Then you can freely hack the code, while CTM keeps the
.ctm file up-to-date.Other Interesting CTM OptionsFinding Out Exactly What Would Be Touched by an
UpdateYou can determine the list of changes that
CTM will make on your source
repository using the option to
CTM.This is useful if you would like to keep logs of the
changes, pre- or post- process the modified files in any
manner, or just are feeling a tad paranoid.Making Backups Before UpdatingSometimes you may want to backup all the files that would
be changed by a CTM update.Specifying the option
causes CTM to backup all files that
would be touched by a given CTM
delta to backup-file.Restricting the Files Touched by an UpdateSometimes you would be interested in restricting the scope
of a given CTM update, or may be
interested in extracting just a few files from a sequence of
deltas.You can control the list of files that
CTM would operate on by specifying
filtering regular expressions using the
and options.For example, to extract an up-to-date copy of
lib/libc/Makefile from your collection of
saved CTM deltas, run the commands:&prompt.root; cd /where/ever/you/want/to/extract/it/
&prompt.root; ctm -e '^lib/libc/Makefile' ~ctm/src-xxx.*For every file specified in a
CTM delta, the
and options are applied in the order given
on the command line. The file is processed by
CTM only if it is marked as
eligible after all the and
options are applied to it.Future Plans for CTMTons of them:Use some kind of authentication into the CTM system, so
as to allow detection of spoofed CTM updates.Clean up the options to CTM,
they became confusing and counter intuitive.Miscellaneous StuffThere is a sequence of deltas for the
ports collection too, but interest has not
been all that high yet.CTM MirrorsCTM/FreeBSD is available via anonymous
FTP from the following mirror sites. If you choose to obtain CTM via
anonymous FTP, please try to use a site near you.In case of problems, please contact &a.phk;.California, Bay Area, official sourceSouth Africa, backup server for old deltasTaiwan/R.O.C.If you did not find a mirror near to you or the mirror is
incomplete, try to use a search engine such as
alltheweb.Using CVSupIntroductionCVSup is a software package for
distributing and updating source trees from a master CVS
repository on a remote server host. The FreeBSD sources are
maintained in a CVS repository on a central development machine
in California. With CVSup, FreeBSD
users can easily keep their own source trees up to date.CVSup uses the so-called
pull model of updating. Under the pull
model, each client asks the server for updates, if and when they
are wanted. The server waits passively for update requests from
its clients. Thus all updates are instigated by the client.
The server never sends unsolicited updates. Users must either
run the CVSup client manually to get
an update, or they must set up a cron job to
run it automatically on a regular basis.The term CVSup, capitalized just
so, refers to the entire software package. Its main components
are the client cvsup which runs on each
user's machine, and the server cvsupd which
runs at each of the FreeBSD mirror sites.As you read the FreeBSD documentation and mailing lists, you
may see references to sup.
Sup was the predecessor of
CVSup, and it served a similar
purpose. CVSup is used much in the
same way as sup and, in fact, uses configuration files which are
backward-compatible with sup's.
Sup is no longer used in the FreeBSD
project, because CVSup is both faster
and more flexible.InstallationThe easiest way to install CVSup
is to use the precompiled net/cvsup package
from the FreeBSD packages collection.
If you prefer to build CVSup from
source, you can use the net/cvsup
port instead. But be forewarned: the
net/cvsup port depends on the Modula-3
system, which takes a substantial amount of time and
disk space to download and build.If you are going to be using
CVSup on a machine which will not have
XFree86 installed, such as a server, be
sure to use the port which does not include the
CVSup GUI,
net/cvsup-without-gui.If you do not know anything about
CVSup at all and want a
single package which will install it, set up the configuration
file and start the transfer via a pointy-clicky type of
interface, then get the net/cvsupit
package. Just hand it to &man.pkg.add.1; and it will lead you
through the configuration process in a menu-oriented
fashion.CVSup ConfigurationCVSup's operation is controlled
by a configuration file called the supfile.
There are some sample supfiles in the
directory /usr/share/examples/cvsup/.The information in a supfile answers
the following questions for cvsup:Which files do you
want to receive?Which versions of them
do you want?Where do you want to
get them from?Where do you want to
put them on your own machine?Where do you want to
put your status files?In the following sections, we will construct a typical
supfile by answering each of these
questions in turn. First, we describe the overall structure of
a supfile.A supfile is a text file. Comments
begin with # and extend to the end of the
line. Lines that are blank and lines that contain only
comments are ignored.Each remaining line describes a set of files that the user
wishes to receive. The line begins with the name of a
collection, a logical grouping of files defined by
the server. The name of the collection tells the server which
files you want. After the collection name come zero or more
fields, separated by white space. These fields answer the
questions listed above. There are two types of fields: flag
fields and value fields. A flag field consists of a keyword
standing alone, e.g., delete or
compress. A value field also begins with a
keyword, but the keyword is followed without intervening white
space by = and a second word. For example,
release=cvs is a value field.A supfile typically specifies more than
one collection to receive. One way to structure a
supfile is to specify all of the relevant
fields explicitly for each collection. However, that tends to
make the supfile lines quite long, and it
is inconvenient because most fields are the same for all of the
collections in a supfile.
CVSup provides a defaulting mechanism
to avoid these problems. Lines beginning with the special
pseudo-collection name *default can be used
to set flags and values which will be used as defaults for the
subsequent collections in the supfile. A
default value can be overridden for an individual collection, by
specifying a different value with the collection itself.
Defaults can also be changed or augmented in mid-supfile by
additional *default lines.With this background, we will now proceed to construct a
supfile for receiving and updating the main
source tree of FreeBSD-CURRENT.Which files do you want
to receive?The files available via CVSup
are organized into named groups called
collections. The collections that are
available are described in the following section. In this
example, we
wish to receive the entire main source tree for the FreeBSD
system. There is a single large collection
src-all which will give us all of that.
As a first step toward constructing our
supfile, we
simply list the collections, one per line (in this case,
only one line):src-allWhich version(s) of them
do you want?With CVSup, you can receive
virtually any version of the sources that ever existed.
That is possible because the
cvsupd server works directly from
the CVS repository, which contains all of the versions. You
specify which one of them you want using the
tag= and value
fields.Be very careful to specify any tag=
fields correctly. Some tags are valid only for certain
collections of files. If you specify an incorrect or
misspelled tag, CVSup
will delete files which you probably
do not want deleted. In particular, use only
tag=. for the
ports-* collections.The tag= field names a symbolic tag
in the repository. There are two kinds of tags, revision
tags and branch tags. A revision tag refers to a specific
revision. Its meaning stays the same from day to day. A
branch tag, on the other hand, refers to the latest revision
on a given line of development, at any given time. Because
a branch tag does not refer to a specific revision, it may
mean something different tomorrow than it means
today. contains branch tags that
users might be interested in. When specifying a tag in
CVSup's configuration file, it
must be preceded with tag=
(RELENG_4 will become
tag=RELENG_4).
Keep in mind that only the tag=. is
relevant for the ports collection.Be very careful to type the tag name exactly as shown.
CVSup cannot distinguish
between valid and invalid tags. If you misspell the tag,
CVSup will behave as though you
had specified a valid tag which happens to refer to no
files at all. It will delete your existing sources in
that case.When you specify a branch tag, you normally receive the
latest versions of the files on that line of development.
If you wish to receive some past version, you can do so by
specifying a date with the value
field. The &man.cvsup.1; manual page explains how to do
that.For our example, we wish to receive FreeBSD-CURRENT. We
add this line at the beginning of our
supfile:*default tag=.There is an important special case that comes into play
if you specify neither a tag= field nor a
date= field. In that case, you receive
the actual RCS files directly from the server's CVS
repository, rather than receiving a particular version.
Developers generally prefer this mode of operation. By
maintaining a copy of the repository itself on their
systems, they gain the ability to browse the revision
histories and examine past versions of files. This gain is
achieved at a large cost in terms of disk space,
however.Where do you want to get
them from?We use the host= field to tell
cvsup where to obtain its updates. Any
of the CVSup mirror
sites will do, though you should try to select one
that is close to you in cyberspace. In this example we will
use a fictional FreeBSD distribution site,
cvsup666.FreeBSD.org:*default host=cvsup666.FreeBSD.orgYou will need to change the host to one that actually
exists before running CVSup.
On any particular run of
cvsup, you can override the host setting
on the command line, with .Where do you want to put
them on your own machine?The prefix= field tells
cvsup where to put the files it receives.
In this example, we will put the source files directly into
our main source tree, /usr/src. The
src directory is already implicit in
the collections we have chosen to receive, so this is the
correct specification:*default prefix=/usrWhere should
cvsup maintain its status files?The CVSup client maintains
certain status files in what
is called the base directory. These files
help CVSup to work more
efficiently, by keeping track of which updates you have
already received. We will use the standard base directory,
/usr/local/etc/cvsup:*default base=/usr/local/etc/cvsupThis setting is used by default if it is not specified
in the supfile, so we actually do not
need the above line.If your base directory does not already exist, now would
be a good time to create it. The cvsup
client will refuse to run if the base directory does not
exist.Miscellaneous supfile
settings:There is one more line of boiler plate that normally
needs to be present in the
supfile:*default release=cvs delete use-rel-suffix compressrelease=cvs indicates that the server
should get its information out of the main FreeBSD CVS
repository. This is virtually always the case, but there
are other possibilities which are beyond the scope of this
discussion.delete gives
CVSup permission to delete files.
You should always specify this, so that
CVSup can keep your source tree
fully up-to-date. CVSup is
careful to delete only those files for which it is
responsible. Any extra files you happen to have will be
left strictly alone.use-rel-suffix is ... arcane. If you
really want to know about it, see the &man.cvsup.1; manual
page. Otherwise, just specify it and do not worry about
it.compress enables the use of
gzip-style compression on the communication channel. If
your network link is T1 speed or faster, you probably should
not use compression. Otherwise, it helps
substantially.Putting it all together:Here is the entire supfile for our
example:*default tag=.
*default host=cvsup666.FreeBSD.org
*default prefix=/usr
*default base=/usr/local/etc/cvsup
*default release=cvs delete use-rel-suffix compress
src-allThe refuse FileAs mentioned above, CVSup uses
a pull method. Basically, this means that
you connect to the CVSup server, and
it says, Here is what you can download from
me..., and your client responds OK, I will take
this, this, this, and this. In the default
configuration, the CVSup client will
take every file associated with the collection and tag you
chose in the configuration file. However, this is not always
what you want, especially if you are synching the doc, ports, or
www trees — most people cannot read four or five
languages, and therefore they do not need to download the
language-specific files. If you are
CVSuping the ports collection, you
can get around this by specifying each collection individually
(e.g., ports-astrology,
ports-biology, etc instead of simply
saying ports-all). However, since the doc
and www trees do not have language-specific collections, you
must use one of CVSup's many nifty
features; the refuse file.The refuse file essentially tells
CVSup that it should not take every
single file from a collection; in other words, it tells the
client to refuse certain files from the
server. The refuse file can be found (or, if you do not yet
have one, should be placed) in
base/sup/refuse.
base is defined in your supfile; by
default, base is
/usr/local/etc/cvsup,
which means that by default the refuse file is in
/usr/local/etc/cvsup/sup/refuse.The refuse file has a very simple format; it simply
contains the names of files or directories that you do not wish
to download. For example, if you cannot speak any languages other
than English and some German, and you do not feel the need to use
the German applications (or applications for any other
languages, except for English), you can put the following in your
refuse file:ports/chinese
ports/french
ports/german
ports/hebrew
ports/japanese
ports/hungarian
ports/korean
ports/portuguese
ports/russian
ports/ukrainian
ports/vietnamese
doc/de_DE.ISO8859-1
doc/el_GR.ISO8859-7
doc/es_ES.ISO8859-1
doc/fr_FR.ISO8859-1
doc/it_IT.ISO8859-15
doc/ja_JP.eucJP
doc/nl_NL.ISO8859-1
doc/pt_BR.ISO8859-1
doc/ru_RU.KOI8-R
doc/sr_YU.ISO8859-2
doc/zh_TW.Big5and so forth for the other languages (you can find the
full list by browsing the FreeBSD
FTP server). Note that the name
of the repository is the first directory in the
refuse file.With this very useful feature, those users who are on
slow links or pay by the minute for their Internet connection
will be able to save valuable time as they will no longer need
to download files that they will never use. For more
information on refuse files and other neat
features of CVSup, please view its
manual page.Running CVSupYou are now ready to try an update. The command line for
doing this is quite simple:&prompt.root; cvsup supfilewhere supfile
is of course the name of the supfile you have just created.
Assuming you are running under X11, cvsup
will display a GUI window with some buttons to do the usual
things. Press the go button, and watch it
run.Since you are updating your actual
/usr/src tree in this example, you will
need to run the program as root so that
cvsup has the permissions it needs to update
your files. Having just created your configuration file, and
having never used this program before, that might
understandably make you nervous. There is an easy way to do a
trial run without touching your precious files. Just create an
empty directory somewhere convenient, and name it as an extra
argument on the command line:&prompt.root; mkdir /var/tmp/dest
&prompt.root; cvsup supfile /var/tmp/destThe directory you specify will be used as the destination
directory for all file updates.
CVSup will examine your usual files
in /usr/src, but it will not modify or
delete any of them. Any file updates will instead land in
/var/tmp/dest/usr/src.
CVSup will also leave its base
directory status files untouched when run this way. The new
versions of those files will be written into the specified
directory. As long as you have read access to
/usr/src, you do not even need to be
root to perform this kind of trial run.If you are not running X11 or if you just do not like GUIs,
you should add a couple of options to the command line when you
run cvsup:&prompt.root; cvsup -g -L 2 supfileThe tells
CVSup not to use its GUI. This is
automatic if you are not running X11, but otherwise you have to
specify it.The tells
CVSup to print out the
details of all the file updates it is doing. There are three
levels of verbosity, from to
. The default is 0, which means total
silence except for error messages.There are plenty of other options available. For a brief
list of them, type cvsup -H. For more
detailed descriptions, see the manual page.Once you are satisfied with the way updates are working, you
can arrange for regular runs of CVSup
using &man.cron.8;.
Obviously, you should not let CVSup
use its GUI when running it from &man.cron.8;.CVSup File CollectionsThe file collections available via
CVSup are organized hierarchically.
There are a few large collections, and they are divided into
smaller sub-collections. Receiving a large collection is
equivalent to receiving each of its sub-collections. The
hierarchical relationships among collections are reflected by
the use of indentation in the list below.The most commonly used collections are
src-all, and
ports-all. The other collections are used
only by small groups of people for specialized purposes, and
some mirror sites may not carry all of them.cvs-all release=cvsThe main FreeBSD CVS repository, including the
cryptography code.distrib release=cvsFiles related to the distribution and mirroring
of FreeBSD.doc-all release=cvsSources for the FreeBSD Handbook and other
documentation. This does not include files for
the FreeBSD web site.ports-all release=cvsThe FreeBSD Ports Collection.If you do not want to update the whole of
ports-all (the whole ports tree),
but use one of the subcollections listed below,
make sure that you always update
the ports-base subcollection!
Whenever something changes in the ports build
infrastructure represented by
ports-base, it is virtually certain
that those changes will be used by real
ports real soon. Thus, if you only update the
real ports and they use some of the new
features, there is a very high chance that their build
will fail with some mysterious error message. The
very first thing to do in this
case is to make sure that your
ports-base subcollection is up to
date.ports-archivers
release=cvsArchiving tools.ports-astro
release=cvsAstronomical ports.ports-audio
release=cvsSound support.ports-base
release=cvsThe Ports Collection build infrastructure -
various files located in the
Mk/ and
Tools/ subdirectories of
/usr/ports.Please see the important
warning above: you should
always update this
subcollection, whenever you update any part of
the FreeBSD Ports Collection!ports-benchmarks
release=cvsBenchmarks.ports-biology
release=cvsBiology.ports-cad
release=cvsComputer aided design tools.ports-chinese
release=cvsChinese language support.ports-comms
release=cvsCommunication software.ports-converters
release=cvscharacter code converters.ports-databases
release=cvsDatabases.ports-deskutils
release=cvsThings that used to be on the desktop
before computers were invented.ports-devel
release=cvsDevelopment utilities.ports-editors
release=cvsEditors.ports-emulators
release=cvsEmulators for other operating
systems.ports-finance
release=cvsMonetary, financial and related applications.ports-ftp
release=cvsFTP client and server utilities.ports-games
release=cvsGames.ports-german
release=cvsGerman language support.ports-graphics
release=cvsGraphics utilities.ports-hungarian
release=cvsHungarian language support.ports-irc
release=cvsInternet Relay Chat utilities.ports-japanese
release=cvsJapanese language support.ports-java
release=cvsJava utilities.ports-korean
release=cvsKorean language support.ports-lang
release=cvsProgramming languages.ports-mail
release=cvsMail software.ports-math
release=cvsNumerical computation software.ports-mbone
release=cvsMBone applications.ports-misc
release=cvsMiscellaneous utilities.ports-multimedia
release=cvsMultimedia software.ports-net
release=cvsNetworking software.ports-news
release=cvsUSENET news software.ports-palm
release=cvsSoftware support for Palm
series.ports-portuguese
release=cvsPortuguese language support.ports-print
release=cvsPrinting software.ports-russian
release=cvsRussian language support.ports-security
release=cvsSecurity utilities.ports-shells
release=cvsCommand line shells.ports-sysutils
release=cvsSystem utilities.ports-textproc
release=cvstext processing utilities (does not
include desktop publishing).ports-vietnamese
release=cvsVietnamese language support.ports-www
release=cvsSoftware related to the World Wide
Web.ports-x11
release=cvsPorts to support the X window
system.ports-x11-clocks
release=cvsX11 clocks.ports-x11-fm
release=cvsX11 file managers.ports-x11-fonts
release=cvsX11 fonts and font utilities.ports-x11-toolkits
release=cvsX11 toolkits.ports-x11-serversX11 servers.ports-x11-wmX11 window managers.src-all release=cvsThe main FreeBSD sources, including the
cryptography code.src-base
release=cvsMiscellaneous files at the top of
/usr/src.src-bin
release=cvsUser utilities that may be needed in
single-user mode
(/usr/src/bin).src-contrib
release=cvsUtilities and libraries from outside the
FreeBSD project, used relatively unmodified
(/usr/src/contrib).src-crypto release=cvsCryptography utilities and libraries from
outside the FreeBSD project, used relatively
unmodified
(/usr/src/crypto).src-eBones release=cvsKerberos and DES
(/usr/src/eBones). Not
used in current releases of FreeBSD.src-etc
release=cvsSystem configuration files
(/usr/src/etc).src-games
release=cvsGames
(/usr/src/games).src-gnu
release=cvsUtilities covered by the GNU Public
License (/usr/src/gnu).src-include
release=cvsHeader files
(/usr/src/include).src-kerberos5
release=cvsKerberos5 security package
(/usr/src/kerberos5).src-kerberosIV
release=cvsKerberosIV security package
(/usr/src/kerberosIV).src-lib
release=cvsLibraries
(/usr/src/lib).src-libexec
release=cvsSystem programs normally executed by other
programs
(/usr/src/libexec).src-release
release=cvsFiles required to produce a FreeBSD
release
(/usr/src/release).src-sbin release=cvsSystem utilities for single-user mode
(/usr/src/sbin).src-secure
release=cvsCryptographic libraries and commands
(/usr/src/secure).src-share
release=cvsFiles that can be shared across multiple
systems
(/usr/src/share).src-sys
release=cvsThe kernel
(/usr/src/sys).src-sys-crypto
release=cvsKernel cryptography code
(/usr/src/sys/crypto).src-tools
release=cvsVarious tools for the maintenance of
FreeBSD
(/usr/src/tools).src-usrbin
release=cvsUser utilities
(/usr/src/usr.bin).src-usrsbin
release=cvsSystem utilities
(/usr/src/usr.sbin).www release=cvsThe sources for the FreeBSD WWW site.distrib release=selfThe CVSup server's own
configuration files. Used by CVSup
mirror sites.gnats release=currentThe GNATS bug-tracking database.mail-archive release=currentFreeBSD mailing list archive.www release=currentThe pre-processed FreeBSD WWW site files (not the
source files). Used by WWW mirror sites.For More InformationFor the CVSup FAQ and other
information about CVSup, see
The
CVSup Home Page.Most FreeBSD-related discussion of
CVSup takes place on the
&a.hackers;. New versions of the software are announced there,
as well as on the &a.announce;.Questions and bug reports should be addressed to the author
of the program at cvsup-bugs@polstra.com.CVSup SitesCVSup servers for FreeBSD are running
at the following sites:Argentinacvsup.ar.FreeBSD.org (maintainer
msagre@cactus.fi.uba.ar)Australiacvsup.au.FreeBSD.org (maintainer
cvsup@ntt.net.au)cvsup2.au.FreeBSD.org (maintainer
cvsup@isp.net.au)cvsup3.au.FreeBSD.org (maintainer
cvsup@speednet.com.au)cvsup4.au.FreeBSD.org (maintainer
cvsup@ideal.net.au)cvsup5.au.FreeBSD.org (maintainer
cvsup@netlead.com.au)Austriacvsup.at.FreeBSD.org (maintainer
postmaster@wu-wien.ac.at)cvsup2.at.FreeBSD.org (maintainer
ftp-admin.zid@univie.ac.at)Brazilcvsup.br.FreeBSD.org (maintainer
cvsup@cvsup.br.FreeBSD.org)cvsup2.br.FreeBSD.org (maintainer
tps@ti.sk)cvsup3.br.FreeBSD.org (maintainer
camposr@matrix.com.br)cvsup4.br.FreeBSD.org (maintainer
cvsup@tcoip.com.br)cvsup5.br.FreeBSD.org (maintainer
hostmaster@br.FreeBSD.org)Bulgariacvsup.bg.FreeBSD.org (maintainer
hostmaster@bg.FreeBSD.org)Canadacvsup.ca.FreeBSD.org (maintainer
cvsup@ca.FreeBSD.org)Chinacvsup.cn.FreeBSD.org (maintainer
phj@cn.FreeBSD.org)Czech Republiccvsup.cz.FreeBSD.org (maintainer
cejkar@fit.vutbr.cz)Denmarkcvsup.dk.FreeBSD.org (maintainer
jesper@FreeBSD.org)Estoniacvsup.ee.FreeBSD.org (maintainer
taavi@uninet.ee)Finlandcvsup.fi.FreeBSD.org (maintainer
count@key.sms.fi)cvsup2.fi.FreeBSD.org (maintainer
count@key.sms.fi)Francecvsup.fr.FreeBSD.org (maintainer
hostmaster@fr.FreeBSD.org)cvsup2.fr.FreeBSD.org (maintainer
ftpmaint@uvsq.fr)cvsup3.fr.FreeBSD.org (maintainer
ftpmaint@enst.fr)cvsup4.fr.FreeBSD.org (maintainer
ftpmaster@t-online.fr)cvsup5.fr.FreeBSD.org (maintainer
freebsdcvsup@teaser.net)cvsup8.fr.FreeBSD.org (maintainer
ftpmaint@crc.u-strasbg.fr)Germanycvsup.de.FreeBSD.org (maintainer
cvsup@cosmo-project.de)cvsup2.de.FreeBSD.org (maintainer
cvsup@apfel.de)cvsup3.de.FreeBSD.org (maintainer
ag@leo.org)cvsup4.de.FreeBSD.org (maintainer
cvsup@cosmo-project.de)cvsup5.de.FreeBSD.org (maintainer
&a.rse;)cvsup6.de.FreeBSD.org (maintainer
adminmail@heitec.net)cvsup7.de.FreeBSD.org (maintainer
karsten@rohrbach.de)Greececvsup.gr.FreeBSD.org (maintainer
ftpadm@duth.gr)cvsup2.gr.FreeBSD.org (maintainer
paschos@cs.uoi.gr)Hungarycvsup.hu.FreeBSD.org (maintainer
janos.mohacsi@bsd.hu)Icelandcvsup.is.FreeBSD.org (maintainer
hostmaster@is.FreeBSD.org)Irelandcvsup.ie.FreeBSD.org (maintainer
dwmalone@maths.tcd.ie),
Trinity College, Dublin.Japancvsup.jp.FreeBSD.org (maintainer
cvsupadm@jp.FreeBSD.org)cvsup2.jp.FreeBSD.org (maintainer
&a.max;)cvsup3.jp.FreeBSD.org (maintainer
shige@cin.nihon-u.ac.jp)cvsup4.jp.FreeBSD.org (maintainer
cvsup-admin@ftp.media.kyoto-u.ac.jp)cvsup5.jp.FreeBSD.org (maintainer
cvsup@imasy.or.jp)cvsup6.jp.FreeBSD.org (maintainer
cvsupadm@jp.FreeBSD.org)Koreacvsup.kr.FreeBSD.org (maintainer
cjh@kr.FreeBSD.org)cvsup2.kr.FreeBSD.org (maintainer
holywar@mail.holywar.net)cvsup3.kr.FreeBSD.org (maintainer
leo@florida.sarang.net)Kuwaitcvsup1.kw.FreeBSD.org (maintainer
sysadmin@kems.net)Latviacvsup.lv.FreeBSD.org (maintainer
system@soft.lv)Lithuaniacvsup.lt.FreeBSD.org (maintainer
domas.mituzas@delfi.lt)cvsup2.lt.FreeBSD.org (maintainer
vaidas.damosevicius@if.lt)New Zealandcvsup.nz.FreeBSD.org (maintainer
cvsup@langille.org)Netherlandscvsup.nl.FreeBSD.org (maintainer
xaa@xaa.iae.nl)cvsup2.nl.FreeBSD.org (maintainer
cvsup@nl.uu.net)cvsup3.nl.FreeBSD.org (maintainer
cvsup@vuurwerk.nl)cvsup4.nl.FreeBSD.org (maintainer
hostmaster@cvsup4.nl.FreeBSD.org)Norwaycvsup.no.FreeBSD.org (maintainer
Per.Hove@math.ntnu.no)Polandcvsup.pl.FreeBSD.org (maintainer
Mariusz@kam.pl)cvsup2.pl.FreeBSD.org (maintainer
hostmaster@cvsup2.pl.FreeBSD.org)cvsup3.pl.FreeBSD.org (maintainer
hostmaster@cvsup3.pl.FreeBSD.org)Portugalcvsup.pt.FreeBSD.org (maintainer
jpedras@webvolution.net)Romaniacvsup.ro.FreeBSD.org (maintainer
razor@ldc.ro)cvsup2.ro.FreeBSD.org (maintainer
hostmaster@rofug.ro)cvsup3.ro.FreeBSD.org (maintainer
veedee@c7.campus.utcluj.ro)Russiacvsup.ru.FreeBSD.org (maintainer
ache@nagual.pp.ru)cvsup2.ru.FreeBSD.org (maintainer
dv@dv.ru)cvsup3.ru.FreeBSD.org (maintainer
fjoe@iclub.nsu.ru)cvsup4.ru.FreeBSD.org (maintainer
maxim@macomnet.ru)cvsup5.ru.FreeBSD.org (maintainer
maxim@macomnet.ru)cvsup6.ru.FreeBSD.org (maintainer
pvr@corbina.net)San Marinocvsup.sm.FreeBSD.org (maintainer
sysadmin@alexdupre.com)Singaporecvsup.sg.FreeBSD.org (maintainer
mirror-maintainer@mirror.averse.net)Slovak Republiccvsup.sk.FreeBSD.org (maintainer
scorp@scorp.sk)cvsup2.sk.FreeBSD.org (maintainer
scorp@scorp.sk)Sloveniacvsup.si.FreeBSD.org (maintainer
blaz@si.FreeBSD.org)cvsup2.si.FreeBSD.org (maintainer
cuk@cuk.nu)South Africacvsup.za.FreeBSD.org (maintainer
&a.markm;)cvsup2.za.FreeBSD.org (maintainer
&a.markm;)Spaincvsup.es.FreeBSD.org (maintainer
&a.jesusr;)cvsup2.es.FreeBSD.org (maintainer
&a.jesusr;)cvsup3.es.FreeBSD.org (maintainer
jose@we.lc.ehu.es)Swedencvsup.se.FreeBSD.org (maintainer
pantzer@ludd.luth.se)cvsup2.se.FreeBSD.org (maintainer
cvsup@dataphone.net)Taiwancvsup.tw.FreeBSD.org (maintainer
ijliao@FreeBSD.org)cvsup3.tw.FreeBSD.org (maintainer
foxfair@FreeBSD.org)cvsup4.tw.FreeBSD.org (maintainer
einstein@NHCTC.edu.tw)cvsup5.tw.FreeBSD.org (maintainer
einstein@NHCTC.edu.tw)cvsup6.tw.FreeBSD.org (maintainer
jason@tw.FreeBSD.org)cvsup7.tw.FreeBSD.org (maintainer
cvsup@abpe.org)cvsup8.tw.FreeBSD.org (maintainer
heboy@FreeBSD.tku.edu.tw)cvsup9.tw.FreeBSD.org (maintainer
cs871256@csie.ncu.edu.tw)cvsup10.tw.FreeBSD.org (maintainer
rafan@infor.org)cvsup11.tw.FreeBSD.org (maintainer
vanilla@FreeBSD.org)cvsup12.tw.FreeBSD.org (maintainer
GEO.bbs@birdnest.twbbs.org)cvsup13.tw.FreeBSD.org (maintainer
cdsheen@tw.FreeBSD.org)Turkeycvsup.tr.FreeBSD.org (maintainer
roots@enderunix.org)Ukrainecvsup2.ua.FreeBSD.org (maintainer
freebsd-mnt@lucky.net)cvsup3.ua.FreeBSD.org (maintainer
ftpmaster@ukr.net), Kievcvsup4.ua.FreeBSD.org (maintainer
phantom@cris.net)cvsup5.ua.FreeBSD.org (maintainer
never@nevermind.kiev.ua)cvsup6.ua.FreeBSD.org (maintainer
freebsd-cvs@colocall.net)cvsup7.ua.FreeBSD.org (maintainer
never@nevermind.kiev.ua)United Kingdomcvsup.uk.FreeBSD.org (maintainer
ftp-admin@plig.net)cvsup2.uk.FreeBSD.org (maintainer
&a.brian;)cvsup3.uk.FreeBSD.org (maintainer
ben.hughes@uk.easynet.net)cvsup4.uk.FreeBSD.org (maintainer
ejb@leguin.org.uk)cvsup5.uk.FreeBSD.org (maintainer
mirror@teleglobe.net)USAcvsup1.FreeBSD.org (maintainer
cwt@networks.cwu.edu), Washington
statecvsup2.FreeBSD.org (maintainers
djs@secure.net and &a.nectar;), Virginiacvsup3.FreeBSD.org (maintainer
&a.wollman;), Massachusettscvsup5.FreeBSD.org (maintainer
mjr@blackened.com), Arizonacvsup6.FreeBSD.org (maintainer
cvsup@cvsup.adelphiacom.net), Illinoiscvsup7.FreeBSD.org (maintainer
&a.jdp;), Washington statecvsup8.FreeBSD.org (maintainer
hostmaster@bigmirror.com), Washington
statecvsup9.FreeBSD.org (maintainer
&a.jdp;), Minnesotacvsup10.FreeBSD.org (maintainer
&a.jdp;), Californiacvsup11.FreeBSD.org (maintainer
cvsup@research.uu.net), Virginiacvsup12.FreeBSD.org (maintainer
&a.will;), Indianacvsup13.FreeBSD.org (maintainer
dima@valueclick.com), Californiacvsup14.FreeBSD.org (maintainer
freebsd-cvsup@mfnx.net), Californiacvsup15.FreeBSD.org (maintainer
cvsup@math.uic.edu), Illinoiscvsup16.FreeBSD.org (maintainer
pth3k@virginia.edu), Virginiacvsup17.FreeBSD.org (maintainer
cvsup@mirrortree.com), Washington stateCVS TagsWhen obtaining or updating sources from
cvs and
CVSup a revision tag (reference to a
date in time) must be specified. The following tags are
available, each specifying different branches of FreeBSD at
different points of time:The ports tree does not have any tag associated with it,
it is always CURRENT.The most common tags are:HEADSymbolic name for the main line, or FreeBSD-CURRENT.
Also the default when no revision is specified.In CVSup, this tag is represented
by a . (not punctuation, but a literal
. character).In CVS, this is the default when no revision tag is
specified. It is usually not
a good idea to checkout or update to CURRENT sources
on a STABLE machine, unless that is your intent.RELENG_5_0The release branch for FreeBSD-5.0, used only
for security advisories and other seriously critical fixes.RELENG_4The line of development for FreeBSD-4.X, also known
as FreeBSD-STABLE.RELENG_4_8The release branch for FreeBSD-4.8, used only
for security advisories and other seriously critical fixes.RELENG_4_7The release branch for FreeBSD-4.7, used only
for security advisories and other seriously critical fixes.RELENG_4_6The release branch for FreeBSD-4.6 and FreeBSD-4.6.2,
used only for security advisories and other seriously
critical fixes.RELENG_4_5The release branch for FreeBSD-4.5, used only
for security advisories and other seriously critical fixes.RELENG_4_4The release branch for FreeBSD-4.4, used only
for security advisories and other seriously critical fixes.RELENG_4_3The release branch for FreeBSD-4.3, used only
for security advisories and other seriously critical fixes.RELENG_3The line of development for FreeBSD-3.X, also known
as 3.X-STABLE.RELENG_2_2The line of development for FreeBSD-2.2.X, also known
as 2.2-STABLE. This branch is mostly obsolete.Other revision tags that are available include:RELENG_4_8_0_RELEASEFreeBSD 4.8RELENG_5_0_0_RELEASEFreeBSD 5.0RELENG_4_7_0_RELEASEFreeBSD 4.7RELENG_4_6_2_RELEASEFreeBSD 4.6.2RELENG_4_6_1_RELEASEFreeBSD 4.6.1RELENG_4_6_0_RELEASEFreeBSD 4.6RELENG_4_5_0_RELEASEFreeBSD 4.5.RELENG_4_4_0_RELEASEFreeBSD 4.4.RELENG_4_3_0_RELEASEFreeBSD 4.3.RELENG_4_2_0_RELEASEFreeBSD 4.2.RELENG_4_1_1_RELEASEFreeBSD 4.1.1.RELENG_4_1_0_RELEASEFreeBSD 4.1.RELENG_4_0_0_RELEASEFreeBSD 4.0.RELENG_3_5_0_RELEASEFreeBSD-3.5.RELENG_3_4_0_RELEASEFreeBSD-3.4.RELENG_3_3_0_RELEASEFreeBSD-3.3.RELENG_3_2_0_RELEASEFreeBSD-3.2.RELENG_3_1_0_RELEASEFreeBSD-3.1.RELENG_3_0_0_RELEASEFreeBSD-3.0.RELENG_2_2_8_RELEASEFreeBSD-2.2.8.RELENG_2_2_7_RELEASEFreeBSD-2.2.7.RELENG_2_2_6_RELEASEFreeBSD-2.2.6.RELENG_2_2_5_RELEASEFreeBSD-2.2.5.RELENG_2_2_2_RELEASEFreeBSD-2.2.2.RELENG_2_2_1_RELEASEFreeBSD-2.2.1.RELENG_2_2_0_RELEASEFreeBSD-2.2.0.AFS SitesAFS servers for FreeBSD are running at the following sites:SwedenThe path to the files are:
/afs/stacken.kth.se/ftp/pub/FreeBSD/stacken.kth.se # Stacken Computer Club, KTH, Sweden
130.237.234.43 #hot.stacken.kth.se
130.237.237.230 #fishburger.stacken.kth.se
130.237.234.3 #milko.stacken.kth.seMaintainer ftp@stacken.kth.sersync sitesThe following sites make FreeBSD available through the rsync
protocol. The rsync utility works in
much the same way as the rcp command,
but has more options and uses the rsync remote-update protocol
which transfers only the differences between two sets of files,
thus greatly speeding up the synchronization over the network.
This is most useful if you are a mirror site for the
FreeBSD FTP server, or the CVS repository. The
rsync suite is available for many
operating systems, on FreeBSD, see the
net/rsync
port or use the package.Czech Republicrsync://ftp.cz.FreeBSD.org/Available collections:ftp: A partial mirror of the FreeBSD FTP
server.FreeBSD: A full mirror of the FreeBSD FTP
server.Germanyrsync://grappa.unix-ag.uni-kl.de/Available collections:freebsd-cvs: The full FreeBSD CVS
repository.This machine also mirrors the CVS repositories of the
NetBSD and the OpenBSD projects, among others.Netherlandsrsync://ftp.nl.FreeBSD.org/Available collections:vol/3/freebsd-core: A full mirror of the
FreeBSD FTP server.United Kingdomrsync://rsync.mirror.ac.uk/Available collections:ftp.freebsd.org: A full mirror of the
FreeBSD FTP server.United States of Americarsync://ftp-master.FreeBSD.org/This server may only be used by FreeBSD primary mirror
sites.Available collections:FreeBSD: The master archive of the FreeBSD
FTP server.acl: The FreeBSD master ACL
list.rsync://ftp13.FreeBSD.org/Available collections:FreeBSD: A full mirror of the FreeBSD FTP
server.
diff --git a/en_US.ISO8859-1/books/handbook/ports/chapter.sgml b/en_US.ISO8859-1/books/handbook/ports/chapter.sgml
index da108a638d..bea55ab4dc 100644
--- a/en_US.ISO8859-1/books/handbook/ports/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/ports/chapter.sgml
@@ -1,1584 +1,1583 @@
Installing Applications: Packages and PortsSynopsisportspackagesFreeBSD is bundled with a rich collection of system tools as
part of the base system. However, there is only so much one can
do before needing to install an additional third-party
application to get real work done. FreeBSD provides two
complementary technologies for installing third party software
on your system: the FreeBSD Ports Collection, and binary
software packages. Either system may be used to install the
newest version of your favorite applications from local media or
straight off the network.After reading this chapter, you will know:How to install third-party binary software packages.How to build third-party software from the ports
collection.How to remove previously installed packages or ports.Overview of Software InstallationIf you have used a Unix system before you will know that the typical
procedure for installing third party software goes something like
this:Download the software, which might be distributed in source code
format, or as a binary.Unpack the software from its distribution format (typically a
tarball compressed with either &man.compress.1; or &man.gzip.1;).Locate the documentation (perhaps an INSTALL or README
file, or some files in a doc/ subdirectory) and
read up on how to install the software.If the software was distributed in source format, compile it.
This may involve editing a Makefile, or
running a configure script, and other work.Test and install the software.And that is only if everything goes well. If you are installing a
software package that was not deliberately ported to FreeBSD you may
even have to go in and edit the code to make it work properly.Should you want to, you can continue to install software the
traditional way with FreeBSD. However, FreeBSD
provides two technologies which can save you a lot of effort:
packages and ports. At the time of writing, over &os.numports;
third party applications have been made available in this
way.For any given application, the FreeBSD package for that application
is a single file which you must download. The package contains
pre-compiled copies of all the commands for the application, as well as
any configuration files or documentation. A downloaded package file can
be manipulated with FreeBSD package management commands, such as
&man.pkg.add.1;, &man.pkg.delete.1;, &man.pkg.info.1;, and so on.Installing a new application can be carried out with a single
command.A FreeBSD port for an application is a collection of files designed
to automate the process of compiling an application from source
code.Remember that there are a number of steps you would normally carry
out if you compiled a program yourself (downloading, unpacking, patching, compiling,
installing). The files that make up a port contain all the necessary
information to allow the system to do this for you. You run a handful
of simple commands and the source code for the application is
automatically downloaded, extracted, patched, compiled, and installed
for you.In fact, the ports system can also be used to generate packages
which can later be manipulated with pkg_add
and the other package management commands that will be introduced
shortly.Both packages and ports understand
dependencies. Suppose you want to install an
application that depends on a specific library being installed. Both
the application and the library have been made available as FreeBSD
ports and packages. If you use the pkg_add command
or the ports system to add the application, both will notice that the
library has not been installed, and automatically install the
library first.Given that the two technologies are quite similar, you might be
wondering why FreeBSD bothers with both. Packages and ports both have
their own strengths, and which one you use will depend on your own
preference.Package BenefitsA compressed package tarball is typically smaller than the
compressed tarball containing the source code for the application.Packages do not require any additional compilation. For large
applications, such as Mozilla,
KDE, or GNOME
this can be important, particularly if you are on a slow system.Packages do not require you to understand the process
involved in compiling software on FreeBSD.Ports BenefitsPackages are normally compiled with conservative options,
because they have to run on the maximum number of systems. By
installing from the port, you can tweak the compilation options to
(for example) generate code that is specific to a Pentium
III or Athlon processor.Some applications have compile time options relating to what they
can and cannot do. For example, Apache
can be configured with a wide variety of different built-in options.
By building from the port you do not have to accept the default
options, and can set them yourself.In some cases, multiple packages will exist for the same
application to specify certain settings. For example,
Ghostscript is available as a
ghostscript package and a
ghostscript-nox11 package, depending on whether
or not you have installed an X11 server. This sort of rough
tweaking is possible with packages, but rapidly becomes impossible
if an application has more than one or two different compile time
options.The licensing conditions of some software distributions forbid
binary distribution. They must be distributed as source
code.Some people do not trust binary distributions. At least with
source code, you can (in theory) read through it and look for
potential problems yourself.If you have local patches, you will need the source in order to
apply them.Some people like having code around, so they can read it if they
get bored, hack it, borrow from it (license permitting, of course),
and so on.To keep track of updated ports, subscribe to the
&a.ports; and the &a.ports-bugs;.The remainder of this chapter will explain how to use packages and
ports to install and manage third party software on FreeBSD.Finding Your ApplicationBefore you can install any applications you need to know what you
want, and what the application is called.FreeBSD's list of available applications is growing all the
time. Fortunately, there are a number of ways to
find what you want:The FreeBSD web site maintains an up-to-date searchable list of
all the available applications, at
http://www.FreeBSD.org/ports/.
The ports are divided into categories, and you may either
search for an application by name (if you know it), or see
all the applications available in a category.FreshPortsDan Langille maintains FreshPorts, at
- http://www.FreshPorts.org/.
+ .
FreshPorts tracks changes to the applications in the ports tree as
they happen, allows you to watch one or more
ports, and can send you email when they are updated.FreshMeatIf you do not know the name of the application you want, try
using a site like FreshMeat
- (http://www.freshmeat.net/)
+ ()
to find an application, then check back at the FreeBSD site to see
if the application has been ported yet.ChernLeeContributed by Using the Packages SystemInstalling a Packagepackagesinstallingpkg_addYou can use the &man.pkg.add.1; utility to install a
FreeBSD software package from a local file or from a server on
the network.Downloading a Package Manually and then Installing It Locally&prompt.root; ftp -a ftp2.FreeBSD.org
Connected to ftp2.FreeBSD.org.
220 ftp2.FreeBSD.org FTP server (Version 6.00LS) ready.
331 Guest login ok, send your email address as password.
230-
230- This machine is in Vienna, VA, USA, hosted by Verio.
230- Questions? E-mail freebsd@vienna.verio.net.
230-
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>cd /pub/FreeBSD/ports/packages/sysutils/
250 CWD command successful.
ftp>get lsof-4.56.4.tgz
local: lsof-4.56.4.tgz remote: lsof-4.56.4.tgz
200 PORT command successful.
150 Opening BINARY mode data connection for 'lsof-4.56.4.tgz' (92375 bytes).
100% |**************************************************| 92375 00:00 ETA
226 Transfer complete.
92375 bytes received in 5.60 seconds (16.11 KB/s)
ftp>exit
&prompt.root; pkg_add lsof-4.56.4.tgzIf you do not have a source of local packages (such as a
FreeBSD CD-ROM set) then it will probably be easier to use the
option to &man.pkg.add.1;. This will cause the utility to
automatically determine the correct object format and release
and then fetch and install the package from an FTP site.
pkg_add&prompt.root; pkg_add -r lsofThe example above would download the correct package and add
it without any further user intervention. &man.pkg.add.1; uses
&man.fetch.3; to download the files, which honours various
environment variables, including FTP_PASSIVE_MODE,
FTP_PROXY, and FTP_PASSWORD. You
may need to set one or more of these if you are behind a firewall,
or need to use an FTP/HTTP proxy. See &man.fetch.3; for the
complete list. You can also note that in the example above
lsof is used instead of
lsof-4.56.4. When the remote fetching
feature is used, the version number of the package must be
removed. &man.pkg.add.1; will automatically fetch the latest
version of the application.Package files are distributed in .tgz format. You can
find them at
- ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/packages/,
+ url="ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/packages/">,
or on the FreeBSD CD-ROM distribution. Every CD on the
FreeBSD 4-CD set (and the PowerPak, etc.) contains packages in
the /packages directory. The layout of
the packages is similar to that of the
/usr/ports tree. Each category has its
own directory, and every package can be found within the
All directory.
The directory structure of the package system matches
the ports layout; they work with each other to form the entire
package/port system.
Managing Packagespackagesmanaging&man.pkg.info.1; is a utility that lists and describes
the various packages installed.
pkg_info&prompt.root; pkg_info
cvsup-16.1 A general network file distribution system optimized for CV
docbook-1.2 Meta-port for the different versions of the DocBook DTD
...&man.pkg.version.1; is a utility that summarizes the
versions of all installed packages. It compares the package
version to the current version found in the ports tree.
pkg_version&prompt.root; pkg_version
cvsup =
docbook =
...The symbols in the second column indicate the relative age
of the installed version and the version available in the local
ports tree.SymbolMeaning=The version of the
installed package matches that of the one found in the
local ports tree.<The installed version is older than the one available
in the ports tree.>The installed version is newer
than the one found in the local ports tree. (local ports
tree is probably out of date)?The installed package cannot be
found in the ports index.*There are multiple versions of the
package.Deleting a Packagepkg_deletepackagesdeletingTo remove a previously installed software package, use the
&man.pkg.delete.1; utility.
&prompt.root; pkg_delete xchat-1.7.1MiscellaneousAll package information is stored within the
/var/db/pkg directory. The installed
file list and descriptions of each package can be found within
files in this directory.
Using the Ports CollectionThe following sections provide basic instructions on using the
ports collection to install or remove programs from your
system.Obtaining the Ports CollectionBefore you can install ports, you must first obtain the
ports collection—which is essentially a set of Makefiles,
patches, and description files placed in
/usr/ports.
When installing your FreeBSD system,
Sysinstall asked if you would like to
install the ports collection. If you chose no, you can follow
these instructions to obtain the ports collection:Sysinstall MethodThis method involves using
sysinstall again to manually
install the ports collection.As root, run /stand/sysinstall as
shown below:&prompt.root; /stand/sysinstallScroll down and select Configure,
press Enter.Scroll down and select
Distributions, press Enter.Scroll down to ports, press
Space.Scroll up to Exit, press
Enter.Select your desired installation media, such as CDROM,
FTP, and so on.Scroll up to Exit and press
Enter.Press X to exit
sysinstall.The alternative method to obtain and keep your ports
collection up to date is by using
CVSup. Look at the ports
CVSup file,
/usr/share/examples/cvsup/ports-supfile.
See Using CVSup () for more information on using
CVSup and this file.CVSup MethodThis is a quick method for getting the ports collection
using CVSup. If you want to keep
your ports tree up to date, or learn more about
CVSup, read the previously
mentioned sections.Install the net/cvsup port. See CVSup Installation () for more details.As root, copy
/usr/share/examples/cvsup/ports-supfile
to a new location, such as /root or your
home directory.Edit ports-supfile.Change CHANGE_THIS.FreeBSD.org to a
CVSup server near you. See CVSup Mirrors () for a complete listing of mirror
sites.Run cvsup:&prompt.root; cvsup -g -L 2 /root/ports-supfileRunning this command later will
download and apply all the recent changes to your ports
collection, except actually rebuilding the ports for your own system.Installing PortsportsinstallingThe first thing that should be explained
when it comes to the ports collection is what is actually meant
by a skeleton. In a nutshell, a port skeleton is a
minimal set of files that tell your FreeBSD system how to
cleanly compile and install a program. Each port skeleton includes:A Makefile. The
Makefile contains various statements that
specify how the application should be compiled and where it
should be installed on your system.A distinfo file. This file contains
information about the files that must be downloaded to build the
port and their checksums, to verify that files have not been
corrupted during the download.A files directory. This directory
contains patches to make the program compile and install on
your FreeBSD system. Patches are basically small files that
specify changes to particular files. They are in plain text
format, and basically say Remove line 10 or
Change line 26 to this .... Patches are also
known as diffs because they are generated by the
&man.diff.1; program.This directory may also contain other files used to build
the port.A pkg-comment file. This is a one-line
description of the program.A pkg-descr file. This is a more
detailed, often multiple-line, description of the program.A pkg-plist file. This is a list of all
the files that will be installed by the port. It also tells the
ports system what files to remove upon deinstallation.Some ports have other files, such as
pkg-message. The ports system uses these
files to handle special situations. If you want more details
on these files, and on ports in general, check out the FreeBSD Porter's
Handbook.Now that you have enough background information to know what
the ports collection is used for, you are ready to install your
first port. There are two ways this can be done, and each is
explained below.Before we get into that, however, you will need to choose a
port to install. There are a few ways to do this, with the
easiest method being the ports listing on the FreeBSD
web site. You can browse through the ports listed there
or use the search function on the site. Each port also includes
a description so you can read a bit about each port before
deciding to install it.Another method is to use the &man.whereis.1;
command. Simply type whereis file,
where file is the program you want to
install. If it is found on
your system, you will be told where it is, as follows:&prompt.root; whereis lsof
lsof: /usr/ports/sysutils/lsofThis tells us that lsof (a system utility)
can be found in the
/usr/ports/sysutils/lsof directory.Yet another way to find a particular port is by using the
ports collection's built-in search mechanism. To use the search
feature, you will need to be in the
/usr/ports directory. Once in that
directory, run make search name=program-name
where program-name is the name of the program you
want to find. For example, if you were looking for
lsof:&prompt.root; cd /usr/ports
&prompt.root; make search name=lsof
Port: lsof-4.56.4
Path: /usr/ports/sysutils/lsof
Info: Lists information about open files (similar to fstat(1))
Maint: obrien@FreeBSD.org
Index: sysutils
B-deps:
R-deps: The part of the output you want to pay particular attention
to is the Path: line, since that tells you where to
find the port. The other information provided is not needed in order
to install the port, so it will not be covered
here.For more in-depth searching you can also use
make search key=string where
string is some text to search for. This searches
port names, comments, descriptions and dependencies and can be used
to find ports which relate to a particular subject if you don't
know the name of the program you are looking for.In both of these cases, the search string is case-insensitive.
Searching for LSOF will yield the same results as
searching for lsof.You must be logged in as root to install
ports.Now that you have found a port you would like to install,
you are ready to do the actual installation. The port
includes instructions on how to build source code, but not the
actual source code. You can get the source code from a CD-ROM
or from the Internet. Source code is distributed in whatever
manner the software author desires. Frequently this is a
tarred and gzipped file, but it might be compressed with some
other tool or even uncompressed. The program source code,
whatever form it comes in, is called a
distfile. You can get the distfile from a
CD-ROM or from the Internet.Installing Ports from a CD-ROMportsinstalling from CD-ROMThe FreeBSD Project's official CD-ROM images no longer
include distfiles. They take up a lot of room that is
better used for precompiled packages. CD-ROM products such as
the FreeBSD PowerPak do include distfiles, and you can
order these sets from a vendor such as the FreeBSD Mall.
This section assumes you have such a FreeBSD CD-ROM
set.Place your FreeBSD CD-ROM in the drive. Mount it on
/cdrom. (If you use a different mount
point, the install will not work.) To begin, change to the
directory for the port you want to install:&prompt.root; cd /usr/ports/sysutils/lsofOnce inside the lsof directory,
you will see the port
skeleton. The next step is to compile, or build, the
port. This is done by simply typing make at
the prompt. Once you have done so, you should see something
like this:&prompt.root; make
>> lsof_4.57D.freebsd.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from file:/cdrom/ports/distfiles/.
===> Extracting for lsof-4.57
...
[extraction output snipped]
...
>> Checksum OK for lsof_4.57D.freebsd.tar.gz.
===> Patching for lsof-4.57
===> Applying FreeBSD patches for lsof-4.57
===> Configuring for lsof-4.57
...
[configure output snipped]
...
===> Building for lsof-4.57
...
[compilation output snipped]
...
&prompt.root;Notice that once the compile is complete you are
returned to your prompt. The next step is to install the
port. In order to install it, you simply need to tack one word
onto the make command, and that word is
install:&prompt.root; make install
===> Installing for lsof-4.57
...
[installation output snipped]
...
===> Generating temporary packing list
===> Compressing manual pages for lsof-4.57
===> Registering installation for lsof-4.57
===> SECURITY NOTE:
This port has installed the following binaries which execute with
increased privileges.
&prompt.root;Once you are returned to your prompt, you should be able to
run the application you just installed. Since
lsof is a
program that runs with increased privileges, a security
warning is shown. During the building and installation of
ports, you should take heed of any other warnings that
may appear.You can save an extra step by just running make
install instead of make and
make install as two separate steps.Some shells keep a cache of the commands that are available in
the directories listed in the PATH environment
variable, to speed up lookup operations for the executable file of
these commands. If you are using one of these shells, you might
have to use the rehash command after installing
a port, before the newly installed commands can be used. This is
true for both shells that are part of the base-system (such as
tcsh) and shells that are available as ports
(for instance,
shells/zsh).Please be aware that the licenses of a few ports do not
allow for inclusion on the CD-ROM. This could be because a
registration form needs
to be filled out before downloading or redistribution is not
allowed, or for another reason. If you wish to install a port not
included on the CD-ROM, you will need to be online in order to
do so (see the next
section).Installing Ports from the InternetAs with the last section, this section makes an assumption
that you have a working Internet connection. If you do not,
you will need to perform the CD-ROM
installation, or put a copy of the distfile into /usr/ports/distfiles manually.Installing a port from the Internet is done exactly the same
way as it would be if you were installing from a CD-ROM. The
only difference between the two is that the distfile
is downloaded from the Internet instead of read from the
CD-ROM.The steps involved are identical:&prompt.root; make install
>> lsof_4.57D.freebsd.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
Receiving lsof_4.57D.freebsd.tar.gz (439860 bytes): 100%
439860 bytes transferred in 18.0 seconds (23.90 kBps)
===> Extracting for lsof-4.57
...
[extraction output snipped]
...
>> Checksum OK for lsof_4.57D.freebsd.tar.gz.
===> Patching for lsof-4.57
===> Applying FreeBSD patches for lsof-4.57
===> Configuring for lsof-4.57
...
[configure output snipped]
...
===> Building for lsof-4.57
...
[compilation output snipped]
...
===> Installing for lsof-4.57
...
[installation output snipped]
...
===> Generating temporary packing list
===> Compressing manual pages for lsof-4.57
===> Registering installation for lsof-4.57
===> SECURITY NOTE:
This port has installed the following binaries which execute with
increased privileges.
&prompt.root;As you can see, the only difference is the line that tells
you where the system is fetching the port distfile from.The ports system uses &man.fetch.1; to download the files,
which honours various environment variables, including
FTP_PASSIVE_MODE, FTP_PROXY,
and FTP_PASSWORD. You may need to set one or more
of these if you are behind a firewall, or need to use an FTP/HTTP
proxy. See &man.fetch.3; for the complete list.Removing Installed PortsportsremovingNow that you know how to install ports, you are probably
wondering how to remove them, just in case you install one and
later on decide that you installed the wrong port.
We will remove our previous example (which was
lsof for
those of you not paying attention). As with installing ports,
the first thing you must do is change to the port directory,
/usr/ports/sysutils/lsof. After you change
directories, you are ready to uninstall lsof.
This is done with
the make deinstall command:&prompt.root; cd /usr/ports/sysutils/lsof
&prompt.root; make deinstall
===> Deinstalling for lsof-4.57That was easy enough. You have removed
lsof
from your system. If you would like to reinstall it, you can do
so by running make reinstall from the
/usr/ports/sysutils/lsof directory.The make deinstall and make
reinstall sequence does not work once you have run
make clean. If you want to deinstall a
port after cleaning, use &man.pkg.delete.1; as
discussed in the Packages
section of the Handbook.Post-installation activitiesAfter installing a new application you will normally want to read
any documentation it may have included, edit any configuration files
that are required, ensure that the application starts at boot time (if
it is a daemon), and so on.The exact steps you need to take to configure each application will
obviously be different. However, if you have just installed a new
application and are wondering What now? these tips might
help:Use &man.pkg.info.1; to find out which files were installed,
and where. For example, if you have just
installed FooPackage version 1.0.0, then this command&prompt.root; pkg_info -L foopackage-1.0.0 | lesswill show all the files installed by the package. Pay special
attention to files in man/ directories, which
will be manual pages, etc/ directories, which
will be configuration files, and doc/, which will be
more comprehensive documentation.If you are not sure which version of the application was just
installed, a command like this&prompt.root; pkg_info | grep foopackagewill find all the installed packages that have
foopackage in the package name. Replace
foopackage in your command line as
necessary.Once you have identified where the application's manual pages
have been installed, review them using &man.man.1;. Similarly,
look over the sample configuration files, and any additional
documentation that may have been provided.If the application has a web site, check it for additional
documentation, frequently asked questions, and so forth. If
you are not sure of the web site address it may be listed in the
output from&prompt.root; pkg_info foopackage-1.0.0A WWW: line, if present, should provide a URL
for the application's web site.TroubleshootingThe following sections cover some of the more frequently asked
questions about the ports collection and some basic troubleshooting
techniques, and what do to if a port is broken.Some Questions and AnswersI thought this was going to be a discussion about
modems??!Ah, you must be thinking of the serial ports on the back
of your computer. We are using port here to
mean the result of porting a program from one
operating system to another.What is a patch?A patch is a small file that specifies how to go from
one version of a file to another. It contains plain text,
and basically says things like delete line 23,
add these two lines after line 468, and
change line 197 to this. They are also known
as diffs because they are generated by the
&man.diff.1; program.tarballWhat is all this about
tarballs?It is a file ending in .tar, or
with variations such as .tar.gz,
.tar.Z, .tar.bz2,
and even .tgz.Basically, it is a directory tree that has been archived
into a single file (.tar) and
optionally compressed (.gz). This
technique was originally used for Tape
ARchives (hence the name
tar), but it is a widely used way of
distributing program source code around the Internet.You can see what files are in them, or even extract
them yourself by using the standard Unix
&man.tar.1; program, which comes with the base
FreeBSD system, like this:&prompt.user; tar tvzf foobar.tar.gz
&prompt.user; tar xzvf foobar.tar.gz
&prompt.user; tar tvf foobar.tar
&prompt.user; tar xvf foobar.tarchecksumAnd checksums?It is a number generated by adding up all the data in
the file you want to check. If any of the characters
change, the checksum will no longer be equal to the total,
so a simple comparison will allow you to spot the
difference.I did what you said for compiling ports from a CDROM and
it worked great until I tried to install the Kermit
port.&prompt.root; make install
>> cku190.tar.gz doesn't seem to exist on this system.
>> Attempting to fetch from ftp://kermit.columbia.edu/kermit/archives/.Why can it not be found? Have I got a dud CDROM?As explained in the installing ports from CDROM
section, some ports cannot be put on the CDROM set
due to licensing restrictions. Kermit is an example of
that. The licensing terms for Kermit do not allow us to put
the tarball for it on the CDROM, so you will have to fetch
it by hand—sorry!The reason why you got all those error messages was
because you were not connected to the Internet at the time.
Once you have downloaded it from any of the MASTER_SITES
(listed in the Makefile), you can restart the install
process.I did that, but when I tried to put it into
/usr/ports/distfiles I got some error
about not having permission.The ports mechanism will download distribution
tarballs into /usr/ports/distfiles,
but many system administrators will symlink this directory
to a remote file server or local read-only CD-ROM media.
If this is the case, then you should specify a different
directory to be used for storing distfiles with the
following command:&prompt.root; make DISTDIR=/local/dir/with/write/permission installDoes the ports scheme only work if you have everything
in /usr/ports? My system administrator
says I must put everything under
/u/people/guests/wurzburger, but it
does not seem to work.You can use the PORTSDIR and
PREFIX variables to tell the ports
mechanism to use different directories. For
instance,&prompt.root; make PORTSDIR=/u/people/guests/wurzburger/ports installwill compile the port in
/u/people/guests/wurzburger/ports and
install everything under
/usr/local.&prompt.root; make PREFIX=/u/people/guests/wurzburger/local installwill compile it in /usr/ports and
install it in
/u/people/guests/wurzburger/local.And of course,&prompt.root; make PORTSDIR=../ports PREFIX=../local installwill combine the two (it is too long to write fully on
the page, but it should give you the general idea).imakeSome ports that use &man.imake.1; (a part of the X Windows
System) do not work well with PREFIX, and will insist on
installing under /usr/X11R6. Similarly, some Perl ports
ignore PREFIX and install in the Perl tree. Making these
ports respect PREFIX is a difficult or impossible
job.If you do not fancy typing all that in every time you
install a port, you can put these variables
into your environment. Read the manual page for your shell for
instructions on doing so.I do not have a FreeBSD CD-ROM, but I would like to have
all the tarballs handy on my system so I do not have to wait
for a download every time I install a port. Is there any
way to get them all at once?To get every single tarball for the ports collection,
do:&prompt.root; cd /usr/ports
&prompt.root; make fetchFor all the tarballs for a single ports directory,
do:&prompt.root; cd /usr/ports/directory
&prompt.root; make fetchand for just one port—well, you have probably
guessed already.I know it is probably faster to fetch the tarballs from
one of the FreeBSD mirror sites close by. Is there any way
to tell the port to fetch them from servers other than the
ones listed in the MASTER_SITES?Yes. If you know, for example, that ftp.FreeBSD.org is much closer to you
than the sites listed in MASTER_SITES,
do as follows:&prompt.root; cd /usr/ports/directory
&prompt.root; make MASTER_SITE_OVERRIDE= \
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/ fetchI want to know what files make is
going to need before it tries to pull them down.make fetch-list will display a list
of the files needed for a port.Is there any way to stop the port from compiling? I
want to do some hacking on the source before I install it,
but it is a bit tiresome to watch it and hit
CtrlC
every time.Doing make extract will stop it
after it has fetched and extracted the source code.I am trying to make my own port and I want to be able
to stop it compiling until I have had a chance to see if my
patches worked properly. Is there something like
make extract, but for patches?Yes, make patch is what you want.
You will probably find the PATCH_DEBUG
option useful as well. And by the way, thank you for your
efforts!I have heard that some compiler options can cause bugs.
Is this true? How can I make sure that I compile ports
with the right settings?Yes, with version 2.6.3 of gcc (the
version shipped with FreeBSD 2.1.0 and 2.1.5), the
option could result in buggy code
unless you used the
option as well. (Most of the ports do not use
). You should be
able to specify compiler options with something
like:&prompt.root; make CFLAGS='-O2 -fno-strength-reduce' installor by editing /etc/make.conf, but
unfortunately not all ports respect this. The surest way
is to do make configure, then go into
the source directory and inspect the Makefiles by hand, but
this can get tedious if the source has lots of
sub-directories, each with their own Makefiles.The default FreeBSD compiler options are quite conservative,
so if you have not changed them you should not have any
problems.There are so many ports it is hard to find the one I
want. Is there a list anywhere of what ports are
available?Look in the INDEX file in
/usr/ports. If you would like to
search the ports collection for a keyword, you can do that
too. For example, you can find ports relevant to the LISP
programming language using:&prompt.user; cd /usr/ports
&prompt.user; make search key=lispI tried to install the foo port but
the system suddenly stopped compiling it and starting
compiling the bar port. What is going
on?The foo port needs something that is
supplied with bar — for instance,
if foo uses graphics,
bar might have a library with useful
graphics processing routines. Or bar
might be a tool that is needed to compile the
foo port. Once bar is finished, your system should automatically resume building foo. I installed the
grizzle program from the ports and
frankly it is a complete waste of disk space. I want to
delete it but I do not know where it put all the files.
Any clues?No problem, just type:&prompt.root; pkg_delete grizzle-6.5Alternatively, you can type:&prompt.root; cd /usr/ports/somewhere/grizzle
&prompt.root; make deinstallHang on a minute, you have to know the version number
to use that command. You do not seriously expect me to
remember that, do you?Not at all, you can find it out by doing:&prompt.root; pkg_info -I 'grizzle*'
Information for grizzle-6.5:
grizzle-6.5 - the combined piano tutorial, LOGO interpreter and shoot 'em up
arcade game.The version number can be found either by using the
pkg_info or by typing:
ls /var/db/pkgSpeaking of disk space, the ports directory seems to be
taking up an awful lot of room. Is it safe to go in there
and delete things?Yes, if you have installed a program and are fairly
certain you will not need the source again, there is no
point in keeping it hanging around. The surest way to do
this is:&prompt.root; cd /usr/ports
&prompt.root; make cleanwhich will go through all the ports subdirectories and
delete everything except the skeletons for each
port.It is possible to achieve the same effect without
recursively calling each Makefile. For example, you
can delete all of the work/ subdirectories directly
with the following command:
&prompt.root; find /usr/ports -depth -name work -exec rm -rf {} \;I tried that and it still left all those tarballs or
whatever you called them in the
distfiles directory. Can I delete
those as well?Yes, if you are sure you have finished with them,
those can go as well. They can be removed manually, or by
using make distclean.I like having lots and lots of programs to play with.
Is there any way of installing all the ports in one
go?Just do:&prompt.root; cd /usr/ports
&prompt.root; make installBe careful, as some ports may install files with the same
name. If you install two graphics ports and they both install
/usr/local/bin/plot then you will obviously
have problems.OK, I tried that, but I thought it would take a very
long time so I went to bed and left it to get on with it.
When I looked at the computer this morning, it had only
done three and a half ports. Did something go
wrong?No, the problem is that some of the ports need to ask
you questions that we cannot answer for you (e.g., Do
you want to print on A4 or US letter sized paper?)
and they need to have someone on hand to answer
them.I really do not want to spend all day staring at the
monitor. Any better ideas?OK, do this before you go to bed/work/the local
park:&prompt.root; cd /usr/ports
&prompt.root; make -DBATCH installThis will install every port that does
not require user input. Then, when
you come back, do:&prompt.root; cd /usr/ports
&prompt.root; make -DINTERACTIVE installto finish the job.At work, we are using frobble, which
is in your ports collection, but we have altered it quite a
bit to get it to do what we need. Is there any way of making
our own package, so we can distribute it more easily around
our sites?No problem, assuming you know how to make patches for
your changes:&prompt.root; cd /usr/ports/somewhere/frobble
&prompt.root; make extract
&prompt.root; cd work/frobble-2.8
[Apply your patches]
&prompt.root; cd ../..
&prompt.root; make packageThis ports stuff is really clever. I am desperate to
find out how you did it. What is the secret?Nothing secret about it at all, just look at the
bsd.port.mk and
bsd.port.subdir.mk files in
/usr/ports/Mk/.(Readers with an aversion to intricate shell-scripts are
advised not to look at the files in this directory.)Help! This Port Is Broken!If you come across a port that does not work for you, there are
a few things you can do, including:Fix it! The Porter's
Handbook includes detailed information on the
"Ports" infrastructure so that you can fix the occasional
broken port or even submit your own!Gripe—by email only! Send
email to the maintainer of the port first. Type make
maintainer or read the Makefile
to find the maintainer's email address. Remember to include
the name and version of the port (send the
$FreeBSD: line from the
Makefile) and the output leading up to the
error when you email the maintainer. If you do not get a
response from the maintainer, you can use
&man.send-pr.1; to submit a bug report.Grab the package from an FTP site near you. The
master package collection is on ftp.FreeBSD.org in the packages
directory, but be sure to check your local mirror
first! These are more likely to work
than trying to compile from source and are a lot faster as
well. Use the &man.pkg.add.1; program to install the package
on your system.
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index 6a260aeb16..8754cf4c8e 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -1,3822 +1,3822 @@
MatthewDillonMuch of this chapter has been taken from the
security(7) manual page by SecuritysecuritySynopsisThis chapter will provide a basic introduction to system security
concepts, some general good rules of thumb, and some advanced topics
under FreeBSD. A lot of the topics covered here can be applied
to system and Internet security in general as well. The Internet
is no longer a friendly place in which everyone
wants to be your kind neighbor. Securing your system is imperative
to protect your data, intellectual property, time, and much more
from the hands of hackers and the like.FreeBSD provides an array of utilities and mechanisms to
ensure the integrity and security of your system and
network.After reading this chapter, you will know:Basic system security concepts, in respect to FreeBSD.About the various crypt mechanisms available in FreeBSD,
such as DES and MD5.How to setup S/Key, an alternative, one-time password
authentication system.How to setup Kerberos, another alternative
authentication system.How to create firewalls using IPFW.How to configure IPsec.How to configure and use OpenSSH, FreeBSD's SSH
implementation.How to configure and load access control extension
modules using the TrustedBSD MAC Framework.Before reading this chapter, you should:Understand basic FreeBSD and Internet concepts.IntroductionSecurity is a function that begins and ends with the system
administrator. While all BSD Unix multi-user systems have some
inherent security, the job of building and maintaining additional
security mechanisms to keep those users honest is
probably one of the single largest undertakings of the sysadmin.
Machines are only as secure as you make them, and security concerns
are ever competing with the human necessity for convenience. Unix
systems, in general, are capable of running a huge number of
simultaneous processes and many of these processes operate as
servers – meaning that external entities can connect and talk
to them. As yesterday's mini-computers and mainframes become
today's desktops, and as computers become networked and
internetworked, security becomes an even bigger issue.Security is best implemented through a layered
onion approach. In a nutshell, what you want to do is
to create as many layers of security as are convenient and then
carefully monitor the system for intrusions. You do not want to
overbuild your security or you will interfere with the detection
side, and detection is one of the single most important aspects of
any security mechanism. For example, it makes little sense to set
the schg flags (see &man.chflags.1;) on every
system binary because
while this may temporarily protect the binaries, it prevents an
attacker who has broken in from making an easily detectable change
that may result in your security mechanisms not detecting the attacker
at all.System security also pertains to dealing with various forms of
attack, including attacks that attempt to crash, or otherwise make a
system unusable, but do not attempt to compromise the
root account (break root).
Security concerns
can be split up into several categories:Denial of service attacks.User account compromises.Root compromise through accessible servers.Root compromise via user accounts.Backdoor creation.DoS attacksDenial of Service (DoS)securityDoS attacksDenial of Service (DoS)Denial of Service (DoS)A denial of service attack is an action that deprives the
machine of needed resources. Typically, DoS attacks are
brute-force mechanisms that attempt to crash or otherwise make a
machine unusable by overwhelming its servers or network stack. Some
DoS attacks try to take advantage of bugs in the networking
stack to crash a machine with a single packet. The latter can only
be fixed by applying a bug fix to the kernel. Attacks on servers
can often be fixed by properly specifying options to limit the load
the servers incur on the system under adverse conditions.
Brute-force network attacks are harder to deal with. A
spoofed-packet attack, for example, is nearly impossible to stop,
short of cutting your system off from the Internet. It may not be
able to take your machine down, but it can saturate your
Internet connection.securityaccount compromisesA user account compromise is even more common than a DoS
attack. Many sysadmins still run standard
telnetd, rlogind,
rshd,
and ftpd servers on their machines.
These servers, by default, do
not operate over encrypted connections. The result is that if you
have any moderate-sized user base, one or more of your users logging
into your system from a remote location (which is the most common
and convenient way to login to a system) will have his or her
password sniffed. The attentive system admin will analyze his
remote access logs looking for suspicious source addresses even for
successful logins.One must always assume that once an attacker has access to a
user account, the attacker can break root.
However, the reality is that in a well secured and maintained system,
access to a user account does not necessarily give the attacker
access to root. The distinction is important
because without access to root the attacker
cannot generally hide his tracks and may, at best, be able to do
nothing more than mess with the user's files, or crash the machine.
User account compromises are very common because users tend not to
take the precautions that sysadmins take.securitybackdoorsSystem administrators must keep in mind that there are
potentially many ways to break root on a machine.
The attacker may know the root password,
the attacker may find a bug in a root-run server and be able
to break root over a network
connection to that server, or the attacker may know of a bug in
a suid-root program that allows the attacker to break
root once he has broken into a user's account.
If an attacker has found a way to break root
on a machine, the attacker may not have a need
to install a backdoor. Many of the root holes
found and closed to date involve a considerable amount of work
by the attacker to cleanup after himself, so most attackers install
backdoors. A backdoor provides the attacker with a way to easily
regain root access to the system, but it
also gives the smart system administrator a convenient way
to detect the intrusion.
Making it impossible for an attacker to install a backdoor may
actually be detrimental to your security, because it will not
close off the hole the attacker found to break in the first
place.Security remedies should always be implemented with a
multi-layered onion peel approach and can be
categorized as follows:Securing root and staff accounts.Securing root – root-run servers
and suid/sgid binaries.Securing user accounts.Securing the password file.Securing the kernel core, raw devices, and
filesystems.Quick detection of inappropriate changes made to the
system.Paranoia.The next section of this chapter will cover the above bullet
items in greater depth.securitysecuringSecuring FreeBSDCommand vs. ProtocolThroughout this document, we will use
bold text to refer to a command or
application. This is used for instances such as ssh, since it is
a protocol as well as command.The sections that follow will cover the methods of securing your
FreeBSD system that were mentioned in the last section of this chapter.Securing the root Account and
Staff AccountssuFirst off, do not bother securing staff accounts if you have
not secured the root account.
Most systems have a password assigned to the root
account. The first thing you do is assume
that the password is always compromised.
This does not mean that you should remove the password. The
password is almost always necessary for console access to the
machine. What it does mean is that you should not make it
possible to use the password outside of the console or possibly
even with the &man.su.1; command. For example, make sure that
your pty's are specified as being insecure in the
/etc/ttys file so that direct
root logins
via telnet or rlogin are
disallowed. If using other login services such as
sshd, make sure that direct
root logins are disabled there as well.
You can do this by editing
your /etc/ssh/sshd_config file, and making
sure that PermitRootLogin is set to
NO. Consider every access method –
services such as FTP often fall through the cracks.
Direct root logins should only be allowed
via the system console.wheelOf course, as a sysadmin you have to be able to get to
root, so we open up a few holes.
But we make sure these holes require additional password
verification to operate. One way to make root
accessible is to add appropriate staff accounts to the
wheel group (in
/etc/group). The staff members placed in the
wheel group are allowed to
su to root.
You should never give staff
members native wheel access by putting them in the
wheel group in their password entry. Staff
accounts should be placed in a staff group, and
then added to the wheel group via the
/etc/group file. Only those staff members
who actually need to have root access
should be placed in the
wheel group. It is also possible, when using
an authentication method such as Kerberos, to use Kerberos'
.k5login file in the root
account to allow a &man.ksu.1; to root
without having to place anyone at all in the
wheel group. This may be the better solution
since the wheel mechanism still allows an
intruder to break root if the intruder
has gotten hold of your
password file and can break into a staff account. While having
the wheel mechanism is better than having
nothing at all, it is not necessarily the safest option.An indirect way to secure staff accounts, and ultimately
root access is to use an alternative
login access method and
do what is known as starring out the encrypted
password for the staff accounts. Using the &man.vipw.8;
command, one can replace each instance of an encrypted password
with a single * character.
This command will update the /etc/master.passwd
file and user/password database to disable password-authenticated
logins.A staff account entry such as:foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcshShould be changed to this:foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcshThis change will prevent normal logins from occurring,
since the encrypted password will never match
*. With this done,
staff members must use
another mechanism to authenticate themselves such as
&man.kerberos.1; or &man.ssh.1; using a public/private key
pair. When using something like Kerberos, one generally must
secure the machines which run the Kerberos servers and your
desktop workstation. When using a public/private key pair
with ssh, one must generally secure
the machine used to login from (typically
one's workstation). An additional layer of protection can be
added to the key pair by password protecting the key pair when
creating it with &man.ssh-keygen.1;. Being able to
star out the passwords for staff accounts also
guarantees that staff members can only login through secure
access methods that you have setup. This forces all staff
members to use secure, encrypted connections for all of their
sessions, which closes an important hole used by many
intruders: sniffing the network from an unrelated,
less secure machine.The more indirect security mechanisms also assume that you are
logging in from a more restrictive server to a less restrictive
server. For example, if your main box is running all sorts of
servers, your workstation should not be running any. In order for
your workstation to be reasonably secure you should run as few
servers as possible, up to and including no servers at all, and
you should run a password-protected screen blanker. Of course,
given physical access to a workstation an attacker can break any
sort of security you put on it. This is definitely a problem that
you should consider, but you should also consider the fact that the
vast majority of break-ins occur remotely, over a network, from
people who do not have physical access to your workstation or
servers.KerberosUsing something like Kerberos also gives you the ability to
disable or change the password for a staff account in one place,
and have it immediately effect all the machines on which the staff
member may have an account. If a staff member's account gets
compromised, the ability to instantly change his password on all
machines should not be underrated. With discrete passwords,
changing a password on N machines can be a mess. You can also
impose re-passwording restrictions with Kerberos: not only can a
Kerberos ticket be made to timeout after a while, but the Kerberos
system can require that the user choose a new password after a
certain period of time (say, once a month).Securing Root-run Servers and SUID/SGID BinariesntalkcomsatfingersandboxessshdtelnetdrshdrlogindThe prudent sysadmin only runs the servers he needs to, no
more, no less. Be aware that third party servers are often the
most bug-prone. For example, running an old version of
imapd or
popper is like giving a universal
root ticket out to the entire world.
Never run a server that you have not checked out carefully.
Many servers do not need to be run as root.
For example, the ntalk,
comsat, and
finger daemons can be run in special
user sandboxes. A sandbox is not perfect,
unless you go through a large amount of trouble, but the onion
approach to security still stands: If someone is able to break
in through a server running in a sandbox, they still have to
break out of the sandbox. The more layers the attacker must
break through, the lower the likelihood of his success. Root
holes have historically been found in virtually every server
ever run as root, including basic system servers.
If you are running a machine through which people only login via
sshd and never login via
telnetd or
rshd or
rlogind, then turn off those
services!FreeBSD now defaults to running
ntalkd,
comsat, and
finger in a sandbox. Another program
which may be a candidate for running in a sandbox is &man.named.8;.
/etc/defaults/rc.conf includes the arguments
necessary to run named in a sandbox in a
commented-out form. Depending on whether you are installing a new
system or upgrading an existing system, the special user accounts
used by these sandboxes may not be installed. The prudent
sysadmin would research and implement sandboxes for servers
whenever possible.sendmailThere are a number of other servers that typically do not run
in sandboxes: sendmail,
popper,
imapd, ftpd,
and others. There are alternatives to some of these, but
installing them may require more work than you are willing to
perform (the convenience factor strikes again). You may have to
run these servers as root and rely on other
mechanisms to detect break-ins that might occur through them.The other big potential root holes in a
system are the
suid-root and sgid binaries installed on the system. Most of
these binaries, such as rlogin, reside
in /bin, /sbin,
/usr/bin, or /usr/sbin.
While nothing is 100% safe, the system-default suid and sgid
binaries can be considered reasonably safe. Still,
root holes are occasionally found in these
binaries. A root hole was found in
Xlib in 1998 that made
xterm (which is typically suid)
vulnerable. It is better to be safe than sorry and the prudent
sysadmin will restrict suid binaries, that only staff should run,
to a special group that only staff can access, and get rid of
(chmod 000) any suid binaries that nobody uses.
A server with no display generally does not need an
xterm binary. Sgid binaries can be
almost as dangerous. If an intruder can break an sgid-kmem binary,
the intruder might be able to read /dev/kmem
and thus read the encrypted password file, potentially compromising
any passworded account. Alternatively an intruder who breaks
group kmem can monitor keystrokes sent through
pty's, including pty's used by users who login through secure
methods. An intruder that breaks the tty
group can write to
almost any user's tty. If a user is running a terminal program or
emulator with a keyboard-simulation feature, the intruder can
potentially generate a data stream that causes the user's terminal
to echo a command, which is then run as that user.Securing User AccountsUser accounts are usually the most difficult to secure. While
you can impose Draconian access restrictions on your staff and
star out their passwords, you may not be able to
do so with any general user accounts you might have. If you do
have sufficient control, then you may win out and be able to secure
the user accounts properly. If not, you simply have to be more
vigilant in your monitoring of those accounts. Use of
ssh and Kerberos for user accounts is
more problematic, due to the extra administration and technical
support required, but still a very good solution compared to a
crypted password file.Securing the Password FileThe only sure fire way is to * out as many
passwords as you can and use ssh or
Kerberos for access to those accounts. Even though the encrypted
password file (/etc/spwd.db) can only be read
by root, it may be possible for an intruder
to obtain read access to that file even if the attacker cannot
obtain root-write access.Your security scripts should always check for and report
changes to the password file (see the Checking file integrity section
below).Securing the Kernel Core, Raw Devices, and
FilesystemsIf an attacker breaks root he can do
just about anything, but
there are certain conveniences. For example, most modern kernels
have a packet sniffing device driver built in. Under FreeBSD it
is called the bpf device. An intruder
will commonly attempt to run a packet sniffer on a compromised
machine. You do not need to give the intruder the capability and
most systems do not have the need for the
bpf device compiled in.sysctlBut even if you turn off the bpf
device, you still have
/dev/mem and
/dev/kmem
to worry about. For that matter, the intruder can still write to
raw disk devices. Also, there is another kernel feature called
the module loader, &man.kldload.8;. An enterprising intruder can
use a KLD module to install his own bpf
device, or other sniffing
device, on a running kernel. To avoid these problems you have to
run the kernel at a higher secure level, at least securelevel 1.
The securelevel can be set with a sysctl on
the kern.securelevel variable. Once you have
set the securelevel to 1, write access to raw devices will be
denied and special chflags flags,
such as schg,
will be enforced. You must also ensure that the
schg flag is set on critical startup binaries,
directories, and script files – everything that gets run up
to the point where the securelevel is set. This might be overdoing
it, and upgrading the system is much more difficult when you
operate at a higher secure level. You may compromise and run the
system at a higher secure level but not set the
schg flag for every system file and directory
under the sun. Another possibility is to simply mount
/ and /usr read-only.
It should be noted that being too Draconian in what you attempt to
protect may prevent the all-important detection of an
intrusion.Checking File Integrity: Binaries, Configuration Files,
Etc.When it comes right down to it, you can only protect your core
system configuration and control files so much before the
convenience factor rears its ugly head. For example, using
chflags to set the schg bit
on most of the files in / and
/usr is probably counterproductive, because
while it may protect the files, it also closes a detection window.
The last layer of your security onion is perhaps the most
important – detection. The rest of your security is pretty
much useless (or, worse, presents you with a false sense of
safety) if you cannot detect potential incursions. Half the job
of the onion is to slow down the attacker, rather than stop him, in
order to give the detection side of the equation a chance to catch
him in the act.The best way to detect an incursion is to look for modified,
missing, or unexpected files. The best way to look for modified
files is from another (often centralized) limited-access system.
Writing your security scripts on the extra-secure limited-access
system makes them mostly invisible to potential attackers, and this
is important. In order to take maximum advantage you generally
have to give the limited-access box significant access to the
other machines in the business, usually either by doing a
read-only NFS export of the other machines to the limited-access
box, or by setting up ssh key-pairs to
allow the limited-access box to ssh to
the other machines. Except for its network traffic, NFS is the
least visible method – allowing you to monitor the
filesystems on each client box virtually undetected. If your
limited-access server is connected to the client boxes through a
switch, the NFS method is often the better choice. If your
limited-access server is connected to the client boxes through a
hub, or through several layers of routing, the NFS method may be
too insecure (network-wise) and using
ssh may be the better choice even with
the audit-trail tracks that ssh
lays.Once you give a limited-access box, at least read access to the
client systems it is supposed to monitor, you must write scripts
to do the actual monitoring. Given an NFS mount, you can write
scripts out of simple system utilities such as &man.find.1; and
&man.md5.1;. It is best to physically md5 the client-box files
at least once a day, and to test control files such as those
found in /etc and
/usr/local/etc even more often. When
mismatches are found, relative to the base md5 information the
limited-access machine knows is valid, it should scream at a
sysadmin to go check it out. A good security script will also
check for inappropriate suid binaries and for new or deleted files
on system partitions such as / and
/usr.When using ssh rather than NFS,
writing the security script is much more difficult. You
essentially have to scp the scripts to the client
box in order to
run them, making them visible, and for safety you also need to
scp the binaries (such as find) that those
scripts use. The ssh client on the
client box may already be compromised. All in all, using
ssh may be necessary when running over
insecure links, but it is also a lot harder to deal with.A good security script will also check for changes to user and
staff members access configuration files:
.rhosts, .shosts,
.ssh/authorized_keys and so forth…
files that might fall outside the purview of the
MD5 check.If you have a huge amount of user disk space, it may take too
long to run through every file on those partitions. In this case,
setting mount flags to disallow suid binaries and devices on those
partitions is a good idea. The nodev and
nosuid options (see &man.mount.8;) are what you
want to look into. You should probably scan them anyway, at least
once a week, since the object of this layer is to detect a break-in
whether or not the break-in is effective.Process accounting (see &man.accton.8;) is a relatively
low-overhead feature of the operating system which might help
as a post-break-in evaluation mechanism. It is especially
useful in tracking down how an intruder has actually broken into
a system, assuming the file is still intact after the break-in
occurs.Finally, security scripts should process the log files, and the
logs themselves should be generated in as secure a manner as
possible – remote syslog can be very useful. An intruder
tries to cover his tracks, and log files are critical to the
sysadmin trying to track down the time and method of the initial
break-in. One way to keep a permanent record of the log files is
to run the system console to a serial port and collect the
information on a continuing basis through a secure machine
monitoring the consoles.ParanoiaA little paranoia never hurts. As a rule, a sysadmin can add
any number of security features, as long as they do not effect
convenience, and can add security features that
do effect convenience with some added thought.
Even more importantly, a security administrator should mix it up a
bit – if you use recommendations such as those given by this
document verbatim, you give away your methodologies to the
prospective attacker who also has access to this document.Denial of Service AttacksDenial of Service (DoS)This section covers Denial of Service attacks. A DoS attack
is typically a packet attack. While there is not much you can do
about modern spoofed packet attacks that saturate your network,
you can generally limit the damage by ensuring that the attacks
cannot take down your servers.Limiting server forks.Limiting springboard attacks (ICMP response attacks, ping
broadcast, etc.).Kernel Route Cache.A common DoS attack is against a forking server that attempts
to cause the server to eat processes, file descriptors, and memory,
until the machine dies. inetd
(see &man.inetd.8;) has several
options to limit this sort of attack. It should be noted that
while it is possible to prevent a machine from going down, it is
not generally possible to prevent a service from being disrupted
by the attack. Read the inetd manual
page carefully and pay
specific attention to the , ,
and options. Note that spoofed-IP attacks
will circumvent the option to
inetd, so
typically a combination of options must be used. Some standalone
servers have self-fork-limitation parameters.Sendmail has its
option, which tends to work
much better than trying to use sendmail's load limiting options
due to the load lag. You should specify a
MaxDaemonChildren parameter, when you start
sendmail, high enough to handle your
expected load, but not so high that the computer cannot handle that
number of sendmails without falling on
its face. It is also prudent to run sendmail in queued mode
() and to run the daemon
(sendmail -bd) separate from the queue-runs
(sendmail -q15m). If you still want real-time
delivery you can run the queue at a much lower interval, such as
, but be sure to specify a reasonable
MaxDaemonChildren option for
that sendmail to prevent cascade failures.Syslogd can be attacked directly
and it is strongly recommended that you use the
option whenever possible, and the option
otherwise.You should also be fairly careful with connect-back services
such as tcpwrapper's reverse-identd,
which can be attacked directly. You generally do not want to use
the reverse-ident feature of
tcpwrappers for this reason.It is a very good idea to protect internal services from
external access by firewalling them off at your border routers.
The idea here is to prevent saturation attacks from outside your
LAN, not so much to protect internal services from network-based
root compromise.
Always configure an exclusive firewall, i.e.,
firewall everything except ports A, B,
C, D, and M-Z. This way you can firewall off all of your
low ports except for certain specific services such as
named (if you are primary for a zone),
ntalkd,
sendmail, and other Internet-accessible
services. If you try to configure the firewall the other way
– as an inclusive or permissive firewall, there is a good
chance that you will forget to close a couple of
services, or that you will add a new internal service and forget
to update the firewall. You can still open up the high-numbered
port range on the firewall, to allow permissive-like operation,
without compromising your low ports. Also take note that FreeBSD
allows you to control the range of port numbers used for dynamic
binding, via the various net.inet.ip.portrangesysctl's (sysctl -a | fgrep
portrange), which can also ease the complexity of your
firewall's configuration. For example, you might use a normal
first/last range of 4000 to 5000, and a hiport range of 49152 to
65535, then block off everything under 4000 in your firewall
(except for certain specific Internet-accessible ports, of
course).ICMP_BANDLIMAnother common DoS attack is called a springboard attack
– to attack a server in a manner that causes the server to
generate responses which overloads the server, the local
network, or some other machine. The most common attack of this
nature is the ICMP ping broadcast attack.
The attacker spoofs ping packets sent to your LAN's broadcast
address with the source IP address set to the actual machine they
wish to attack. If your border routers are not configured to
stomp on ping's to broadcast addresses, your LAN winds up
generating sufficient responses to the spoofed source address to
saturate the victim, especially when the attacker uses the same
trick on several dozen broadcast addresses over several dozen
different networks at once. Broadcast attacks of over a hundred
and twenty megabits have been measured. A second common
springboard attack is against the ICMP error reporting system.
By constructing packets that generate ICMP error responses, an
attacker can saturate a server's incoming network and cause the
server to saturate its outgoing network with ICMP responses. This
type of attack can also crash the server by running it out of
mbuf's, especially if the server cannot drain the ICMP responses
it generates fast enough. The FreeBSD kernel has a new kernel
compile option called
which limits the effectiveness
of these sorts of attacks. The last major class of springboard
attacks is related to certain internal
inetd services such as the
udp echo service. An attacker simply spoofs a UDP packet with the
source address being server A's echo port, and the destination
address being server B's echo port, where server A and B are both
on your LAN. The two servers then bounce this one packet back and
forth between each other. The attacker can overload both servers
and their LANs simply by injecting a few packets in this manner.
Similar problems exist with the internal
chargen port. A
competent sysadmin will turn off all of these inetd-internal test
services.Spoofed packet attacks may also be used to overload the kernel
route cache. Refer to the net.inet.ip.rtexpire,
rtminexpire, and rtmaxcachesysctl parameters. A spoofed packet attack
that uses a random source IP will cause the kernel to generate a
temporary cached route in the route table, viewable with
netstat -rna | fgrep W3. These routes
typically timeout in 1600 seconds or so. If the kernel detects
that the cached route table has gotten too big it will dynamically
reduce the rtexpire but will never decrease it
to less than rtminexpire. There are two
problems:The kernel does not react quickly enough when a lightly
loaded server is suddenly attacked.The rtminexpire is not low enough for
the kernel to survive a sustained attack.If your servers are connected to the Internet via a T3 or
better, it may be prudent to manually override both
rtexpire and rtminexpire
via &man.sysctl.8;. Never set either parameter to zero (unless
you want to crash the machine). Setting both
parameters to 2 seconds should be sufficient to protect the route
table from attack.Access Issues with Kerberos and SSHsshKerberosThere are a few issues with both Kerberos and
ssh that need to be addressed if
you intend to use them. Kerberos V is an excellent
authentication protocol, but there are bugs in the kerberized
telnet and
rlogin applications that make them
unsuitable for dealing with binary streams. Also, by default
Kerberos does not encrypt a session unless you use the
option. ssh
encrypts everything by default.ssh works quite well in every
respect except that it forwards encryption keys by default. What
this means is that if you have a secure workstation holding keys
that give you access to the rest of the system, and you
ssh to an insecure machine, your keys
are usable. The actual keys themselves are not exposed, but
ssh installs a forwarding port for the
duration of your login, and if an attacker has broken
root on the
insecure machine he can utilize that port to use your keys to gain
access to any other machine that your keys unlock.We recommend that you use ssh in
combination with Kerberos whenever possible for staff logins.
ssh can be compiled with Kerberos
support. This reduces your reliance on potentially exposable
ssh keys while at the same time
protecting passwords via Kerberos. ssh
keys should only be used for automated tasks from secure machines
(something that Kerberos is unsuited to do). We also recommend that
you either turn off key-forwarding in the
ssh configuration, or that you make use
of the from=IP/DOMAIN option that
ssh allows in its
authorized_keys file to make the key only
usable to entities logging in from specific machines.BillSwingleParts rewritten and updated by DES, MD5, and CryptsecuritycryptcryptDESMD5Every user on a Unix system has a password associated with
their account. It seems obvious that these passwords need to be
known only to the user and the actual operating system. In
order to keep these passwords secret, they are encrypted with
what is known as a one-way hash, that is, they can
only be easily encrypted but not decrypted. In other words, what
we told you a moment ago was obvious is not even true: the
operating system itself does not really know
the password. It only knows the encrypted
form of the password. The only way to get the
plain-text password is by a brute force search of the
space of possible passwords.Unfortunately the only secure way to encrypt passwords when
Unix came into being was based on DES, the Data Encryption
Standard. This was not such a problem for users resident in
the US, but since the source code for DES could not be exported
outside the US, FreeBSD had to find a way to both comply with
US law and retain compatibility with all the other Unix
variants that still used DES.The solution was to divide up the encryption libraries
so that US users could install the DES libraries and use
DES but international users still had an encryption method
that could be exported abroad. This is how FreeBSD came to
use MD5 as its default encryption method. MD5 is believed to
be more secure than DES, so installing DES is offered primarily
for compatibility reasons.Recognizing Your Crypt MechanismBefore FreeBSD 4.4 libcrypt.a was a
symbolic link pointing to the library which was used for
encryption. FreeBSD 4.4 changed libcrypt.a to
provide a configurable password authentication hash library.
Currently the library supports DES, MD5 and Blowfish hash
functions. By default FreeBSD uses MD5 to encrypt
passwords.It is pretty easy to identify which encryption method
FreeBSD is set up to use. Examining the encrypted passwords in
the /etc/master.passwd file is one way.
Passwords encrypted with the MD5 hash are longer than those
encrypted with the DES hash and also begin with the characters
$1$. Passwords starting with
$2$ are encrypted with the
Blowfish hash function. DES password strings do not
have any particular identifying characteristics, but they are
shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the $
character, so a relatively short string which does not begin with
a dollar sign is very likely a DES password.The password format used for new passwords is controlled
by the passwd_format login capability in
/etc/login.conf, which takes values of
des or md5 or
blf. See the &man.login.conf.5; manual page
for more information about login capabilities.S/KeyS/KeysecurityS/KeyS/Key is a one-time password scheme based on a one-way hash
function. FreeBSD uses the MD4 hash for compatibility but other
systems have used MD5 and DES-MAC. S/Key has been part of the
FreeBSD base system since version 1.1.5 and is also used on a
growing number of other operating systems. S/Key is a registered
trademark of Bell Communications Research, Inc.From version 5.0 of FreeBSD, S/Key has been replaced with
the functionally equivalent OPIE (Onetime Passwords In
Everything). OPIE uses the MD5 hash by default.There are three different sorts of passwords which we will talk
about in the discussion below. The first is your usual Unix-style or
Kerberos password; we will call this a Unix password.
The second sort is the one-time password which is generated by the
S/Key key program or the OPIE
opiekey program and accepted by the
keyinit or opiepasswd programs
and the login prompt; we will
call this a one-time password. The final sort of
password is the secret password which you give to the
key/opiekey programs (and
sometimes the
keyinit/opiepasswd programs)
which it uses to generate
one-time passwords; we will call it a secret password
or just unqualified password.The secret password does not have anything to do with your Unix
password; they can be the same but this is not recommended. S/Key
and OPIE secret passwords are not limited to 8 characters like Unix
passwords, they can be as long as you like. Passwords of six or
seven word long phrases are fairly common. For the most part, the
S/Key or OPIE system operates completely independently of the Unix
password system.Besides the password, there are two other pieces of data that
are important to S/Key and OPIE. One is what is known as the
seed or key, consisting of two letters
and five digits. The other is what is called the iteration
count, a number between 1 and 100. S/Key creates the
one-time password by concatenating the seed and the secret password,
then applying the MD4/MD5 hash as many times as specified by the
iteration count and turning the result into six short English words.
These six English words are your one-time password. The
authentication system (primarily PAM) keeps
track of the last one-time password used, and the user is
authenticated if the hash of the user-provided password is equal to
the previous password. Because a one-way hash is used it is
impossible to generate future one-time passwords if a successfully
used password is captured; the iteration count is decremented after
each successful login to keep the user and the login program in
sync. When the iteration count gets down to 1, S/Key and OPIE must be
reinitialized.There are three programs involved in each system
which we will discuss below. The key and
opiekey programs accept an iteration
count, a seed, and a secret password, and generate a one-time
password or a consecutive list of one-time passwords. The
keyinit and opiepasswd
programs are used to initialize S/Key and OPIE respectively,
and to change passwords, iteration counts, or seeds; they
take either a secret passphrase, or an iteration count,
seed, and one-time password. The keyinfo
and opieinfo programs examine the
relevant credentials files (/etc/skeykeys or
/etc/opiekeys) and print out the invoking user's
current iteration count and seed.There are four different sorts of operations we will cover. The
first is using keyinit or
opiepasswd over a secure connection to set up
one-time-passwords for the first time, or to change your password
or seed. The second operation is using keyinit
or opiepasswd over an insecure connection, in
conjunction with key or opiekey
over a secure connection, to do the same. The third is using
key/opiekey to log in over
an insecure connection. The fourth is using key
or opiekey to generate a number of keys which
can be written down or printed out to carry with you when going to
some location without secure connections to anywhere.Secure Connection InitializationTo initialize S/Key for the first time, change your password,
or change your seed while logged in over a secure connection
(e.g., on the console of a machine or via ssh), use the
keyinit command without any parameters while
logged in as yourself:&prompt.user; keyinit
Adding unfurl:
Reminder - Only use this method if you are directly connected.
If you are using telnet or rlogin exit with no password and use keyinit -s.
Enter secret password:
Again secret password:
ID unfurl s/key is 99 to17757
DEFY CLUB PRO NASH LACE SOFTFor OPIE, opiepasswd is used instead:&prompt.user; opiepasswd -c
[grimreaper] ~ $ opiepasswd -f -c
Adding unfurl:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:
ID unfurl OTP key is 499 to4268
MOS MALL GOAT ARM AVID COED
At the Enter new secret pass phrase: or
Enter secret password: prompts, you
should enter a password or phrase. Remember, this is not the
password that you will use to login with, this is used to generate
your one-time login keys. The ID line gives the
parameters of your particular instance; your login name, the
iteration count, and seed. When logging in the system
will remember these parameters and present them back to you so you
do not have to remember them. The last line gives the particular
one-time password which corresponds to those parameters and your
secret password; if you were to re-login immediately, this
one-time password is the one you would use.Insecure Connection InitializationTo initialize or change your secret password over an
insecure connection, you will need to already have a secure
connection to some place where you can run key
or opiekey; this might be in the form of a
desk accessory on a Macintosh, or a shell prompt on a machine you
trust. You will also need to make up an iteration count (100 is
probably a good value), and you may make up your own seed or use a
randomly-generated one. Over on the insecure connection (to the
machine you are initializing), use the keyinit
-s command:&prompt.user; keyinit -s
Updating unfurl:
Old key: to17758
Reminder you need the 6 English words from the key command.
Enter sequence count from 1 to 9999: 100
Enter new key [default to17759]:
s/key 100 to 17759
s/key access password:
s/key access password:CURE MIKE BANE HIM RACY GOREFor OPIE, you need to use opiepasswd:&prompt.user; opiepasswd
Updating unfurl:
You need the response from an OTP generator.
Old secret pass phrase:
otp-md5 498 to4268 ext
Response: GAME GAG WELT OUT DOWN CHAT
New secret pass phrase:
otp-md5 499 to4269
Response: LINE PAP MILK NELL BUOY TROY
ID mark OTP key is 499 gr4269
LINE PAP MILK NELL BUOY TROY
To accept the default seed (which the
keyinit program confusingly calls a
key), press Return.
Then before entering an
access password, move over to your secure connection or S/Key desk
accessory, and give it the same parameters:&prompt.user; key 100 to17759
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
CURE MIKE BANE HIM RACY GOREOr for OPIE:&prompt.user; opiekey 498 to4268
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
GAME GAG WELT OUT DOWN CHAT
Now switch back over to the insecure connection, and copy the
one-time password generated over to the relevant program.Generating a Single one-time PasswordOnce you have initialized S/Key or OPIE, when you login you will be
presented with a prompt like this:&prompt.user; telnet example.com
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.
FreeBSD/i386 (example.com) (ttypa)
login: <username>
s/key 97 fw13894
Password: Or for OPIE:&prompt.user; telnet example.com
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.
FreeBSD/i386 (example.com) (ttypa)
login: <username>
otp-md5 498 gr4269 ext
Password: As a side note, the S/Key and OPIE prompts have a useful feature
(not shown here): if you press Return
at the password prompt, the
prompter will turn echo on, so you can see what you are
typing. This can be extremely useful if you are attempting to
type in a password by hand, such as from a printout.MS-DOSWindowsMacOSAt this point you need to generate your one-time password to
answer this login prompt. This must be done on a trusted system
that you can run key or
opiekey on. (There are versions of these for DOS,
Windows and MacOS as well.) They need both the iteration count and
the seed as command line options. You can cut-and-paste these
right from the login prompt on the machine that you are logging
in to.On the trusted system:&prompt.user; key 97 fw13894
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
WELD LIP ACTS ENDS ME HAAGFor OPIE:&prompt.user; opiekey 498 to4268
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
GAME GAG WELT OUT DOWN CHATNow that you have your one-time password you can continue
logging in:login: <username>
s/key 97 fw13894
Password: <return to enable echo>
s/key 97 fw13894
Password [echo on]: WELD LIP ACTS ENDS ME HAAG
Last login: Tue Mar 21 11:56:41 from 10.0.0.2 ... Generating Multiple one-time PasswordsSometimes you have to go places where you do not have
access to a trusted machine or secure connection. In this case,
it is possible to use the key command to
generate a number of one-time passwords before hand to be printed
out and taken with you. For example:&prompt.user; key -n 5 30 zz99999
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
26: SODA RUDE LEA LIND BUDD SILT
27: JILT SPY DUTY GLOW COWL ROT
28: THEM OW COLA RUNT BONG SCOT
29: COT MASH BARR BRIM NAN FLAG
30: CAN KNEE CAST NAME FOLK BILKThe requests five keys in sequence, the
specifies what the last iteration number
should be. Note that these are printed out in
reverse order of eventual use. If you are
really paranoid, you might want to write the results down by hand;
otherwise you can cut-and-paste into lpr. Note
that each line shows both the iteration count and the one-time
password; you may still find it handy to scratch off passwords as
you use them.Restricting Use of Unix PasswordsRestrictions can be placed on the use of Unix passwords based
on the host name, user name, terminal port, or IP address of a
login session. These restrictions can be found in the
configuration file /etc/skey.access. The
&man.skey.access.5; manual page has more information on the complete
format of the file and also details some security cautions to be
aware of before depending on this file for security.If there is no /etc/skey.access file
(this is the FreeBSD default), then all users will be allowed to
use Unix passwords. If the file exists, however, then all users
will be required to use S/Key unless explicitly permitted to do
otherwise by configuration statements in the
skey.access file. In all cases, Unix
passwords are permitted on the console.Here is a sample configuration file which illustrates the
three most common sorts of configuration statements:permit internet 192.168.0.0 255.255.0.0
permit user fnord
permit port ttyd0The first line (permit internet) allows
users whose IP source address (which is vulnerable to spoofing)
matches the specified value and mask, to use Unix passwords. This
should not be considered a security mechanism, but rather, a means
to remind authorized users that they are using an insecure network
and need to use S/Key for authentication.The second line (permit user) allows the
specified username, in this case fnord, to use
Unix passwords at any time. Generally speaking, this should only
be used for people who are either unable to use the
key program, like those with dumb terminals, or
those who are uneducable.The third line (permit port) allows all
users logging in on the specified terminal line to use Unix
passwords; this would be used for dial-ups.MarkMurrayContributed by MarkDapozBased on a contribution by KerberosKerberosKerberos is a network add-on system/protocol that allows users to
authenticate themselves through the services of a secure server.
Services such as remote login, remote copy, secure inter-system file
copying and other high-risk tasks are made considerably safer and more
controllable.The following instructions can be used as a guide on how to set up
Kerberos as distributed for FreeBSD. However, you should refer to the
relevant manual pages for a complete description.Installing KerberosMITKerberosinstallingKerberos is an optional component of FreeBSD. The easiest
way to install this software is by selecting the 'krb4' or
'krb5' distribution in sysinstall
during the initial installation of FreeBSD. This will install
the 'eBones' (KerberosIV) or 'Heimdal' (Kerberos5)
implementation of Kerberos. These implementations are
included because they are developed outside the USA/Canada and
were thus available to system owners outside those countries
during the era of restrictive export controls on cryptographic
code from the USA.Alternatively, the MIT implementation of Kerberos is
available from the ports collection as
security/krb5.Creating the Initial DatabaseThis is done on the Kerberos server only. First make sure that
you do not have any old Kerberos databases around. You should change
to the directory /etc/kerberosIV and check that
only the following files are present:&prompt.root; cd /etc/kerberosIV
&prompt.root; ls
README krb.conf krb.realmsIf any additional files (such as principal.*
or master_key) exist, then use the
kdb_destroy command to destroy the old Kerberos
database, or if Kerberos is not running, simply delete the extra
files.You should now edit the krb.conf and
krb.realms files to define your Kerberos realm.
In this case the realm will be EXAMPLE.COM and the
server is grunt.example.com. We edit
or create the krb.conf file:&prompt.root; cat krb.conf
EXAMPLE.COM
EXAMPLE.COM grunt.example.com admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.govIn this case, the other realms do not need to be there. They are
here as an example of how a machine may be made aware of multiple
realms. You may wish to not include them for simplicity.The first line names the realm in which this system works. The
other lines contain realm/host entries. The first item on a line is a
realm, and the second is a host in that realm that is acting as a
key distribution center. The words admin
server following a host's name means that host also
provides an administrative database server. For further explanation
of these terms, please consult the Kerberos manual pages.Now we have to add grunt.example.com
to the EXAMPLE.COM realm and also add an entry to
put all hosts in the .example.com
domain in the EXAMPLE.COM realm. The
krb.realms file would be updated as
follows:&prompt.root; cat krb.realms
grunt.example.com EXAMPLE.COM
.example.com EXAMPLE.COM
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDUAgain, the other realms do not need to be there. They are here as
an example of how a machine may be made aware of multiple realms. You
may wish to remove them to simplify things.The first line puts the specific system into
the named realm. The rest of the lines show how to default systems of
a particular subdomain to a named realm.Now we are ready to create the database. This only needs to run
on the Kerberos server (or Key Distribution Center). Issue the
kdb_init command to do this:&prompt.root; kdb_initRealm name [default ATHENA.MIT.EDU ]:EXAMPLE.COM
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:Now we have to save the key so that servers on the local machine
can pick it up. Use the kstash command to do
this.&prompt.root; kstashEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!This saves the encrypted master password in
/etc/kerberosIV/master_key.Making It All RunTwo principals need to be added to the database for
each system that will be secured with Kerberos.
Their names are kpasswd and rcmd
These two principals are made for each system, with the instance being
the name of the individual system.These daemons, kpasswd and
rcmd allow other systems to change Kerberos
passwords and run commands like rcp,
rlogin and rsh.Now let us add these entries:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:passwdInstance:grunt
<Not found>, Create [y] ?y
Principal: passwd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?y
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name:rcmdInstance:grunt
<Not found>, Create [y] ?
Principal: rcmd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitCreating the Server FileWe now have to extract all the instances which define the
services on each machine. For this we use the
ext_srvtab command. This will create a file
which must be copied or moved by secure
means to each Kerberos client's
/etc/kerberosIV directory. This file must
be present on each server and client, and is crucial to the
operation of Kerberos.&prompt.root; ext_srvtab gruntEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'grunt-new-srvtab'....Now, this command only generates a temporary file which must be
renamed to srvtab so that all the servers can pick
it up. Use the mv command to move it into place on
the original system:&prompt.root; mv grunt-new-srvtab srvtabIf the file is for a client system, and the network is not deemed
safe, then copy the
client-new-srvtab to
removable media and transport it by secure physical means. Be sure to
rename it to srvtab in the client's
/etc/kerberosIV directory, and make sure it is
mode 600:&prompt.root; mv grumble-new-srvtab srvtab
&prompt.root; chmod 600 srvtabPopulating the DatabaseWe now have to add some user entries into the database. First
let us create an entry for the user jane. Use the
kdb_edit command to do this:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:
<Not found>, Create [y] ?y
Principal: jane, Instance: , kdc_key_ver: 1
New Password: <---- enter a secure password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitTesting It All OutFirst we have to start the Kerberos daemons. NOTE that if you
have correctly edited your /etc/rc.conf then this
will happen automatically when you reboot. This is only necessary on
the Kerberos server. Kerberos clients will automagically get what
they need from the /etc/kerberosIV
directory.&prompt.root; kerberos &
Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Current Kerberos master key version is 1
Local realm: EXAMPLE.COM
&prompt.root; kadmind -n &
KADM Server KADM0.0A initializing
Please do not use 'kill -9' to kill this job, use a
regular kill instead
Current Kerberos master key version is 1.
Master key entered. BEWARE!Now we can try using the kinit command to get a
ticket for the id jane that we created
above:&prompt.user; kinit jane
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane"
Password:Try listing the tokens using klist to see if we
really have them:&prompt.user; klist
Ticket file: /tmp/tkt245
Principal: jane@EXAMPLE.COM
Issued Expires Principal
Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.EXAMPLE.COM@EXAMPLE.COMNow try changing the password using passwd to
check if the kpasswd daemon can get
authorization to the Kerberos database:&prompt.user; passwd
realm EXAMPLE.COM
Old password for jane:New Password for jane:
Verifying password
New Password for jane:
Password changed.Adding su PrivilegesKerberos allows us to give each user
who needs root privileges their own
separatesu password.
We could now add an id which is authorized to
su to root. This is
controlled by having an instance of root
associated with a principal. Using kdb_edit
we can create the entry jane.root in the
Kerberos database:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:root
<Not found>, Create [y] ? y
Principal: jane, Instance: root, kdc_key_ver: 1
New Password: <---- enter a SECURE password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?12 <--- Keep this short!
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitNow try getting tokens for it to make sure it works:&prompt.root; kinit jane.root
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane.root"
Password:Now we need to add the user to root's
.klogin file:&prompt.root; cat /root/.klogin
jane.root@EXAMPLE.COMNow try doing the su:&prompt.user; suPassword:and take a look at what tokens we have:&prompt.root; klist
Ticket file: /tmp/tkt_root_245
Principal: jane.root@EXAMPLE.COM
Issued Expires Principal
May 2 20:43:12 May 3 04:43:12 krbtgt.EXAMPLE.COM@EXAMPLE.COMUsing Other CommandsIn an earlier example, we created a principal called
jane with an instance root.
This was based on a user with the same name as the principal, and this
is a Kerberos default; that a
<principal>.<instance> of the form
<username>.root will allow
that <username> to su to
root if the necessary entries are in the
.klogin file in root's
home directory:&prompt.root; cat /root/.klogin
jane.root@EXAMPLE.COMLikewise, if a user has in their own home directory lines of the
form:&prompt.user; cat ~/.klogin
jane@EXAMPLE.COM
jack@EXAMPLE.COMThis allows anyone in the EXAMPLE.COM realm
who has authenticated themselves to jane or
jack (via kinit, see above)
access to rlogin to jane's
account or files on this system (grunt) via
rlogin, rsh or
rcp.For example, jane now logs into another system using
Kerberos:&prompt.user; kinit
MIT Project Athena (grunt.example.com)
Password:
&prompt.user; rlogin grunt
Last login: Mon May 1 21:14:47 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995Or Jack logs into Jane's account on the same machine
(jane having
set up the .klogin file as above, and the person
in charge of Kerberos having set up principal
jack with a null instance:&prompt.user; kinit
&prompt.user; rlogin grunt -l jane
MIT Project Athena (grunt.example.com)
Password:
Last login: Mon May 1 21:16:55 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995GaryPalmerContributed by AlexNashFirewallsfirewallsecurityfirewallsFirewalls are an area of increasing interest for people who are
connected to the Internet, and are even finding applications on private
networks to provide enhanced security. This section will hopefully
explain what firewalls are, how to use them, and how to use the
facilities provided in the FreeBSD kernel to implement them.People often think that having a firewall between your
internal network and the Big Bad Internet will solve all
your security problems. It may help, but a poorly setup firewall
system is more of a security risk than not having one at all. A
firewall can add another layer of security to your systems, but it
cannot stop a really determined cracker from penetrating your internal
network. If you let internal security lapse because you believe your
firewall to be impenetrable, you have just made the crackers job that
much easier.What Is a Firewall?There are currently two distinct types of firewalls in common use
on the Internet today. The first type is more properly called a
packet filtering router. This type of
firewall utilizes a multi-homed machine and a set of rules to
determine whether to forward or block individual packets. A
multi-homed machine is simply a device with multiple network
interfaces.
The second type, known as a proxy
server, relies on daemons to provide authentication and to
forward packets, possibly on a multi-homed machine which has kernel
packet forwarding disabled.Sometimes sites combine the two types of firewalls, so that only a
certain machine (known as a bastion host) is
allowed to send packets through a packet filtering router onto an
internal network. Proxy services are run on the bastion host, which
are generally more secure than normal authentication
mechanisms.FreeBSD comes with a kernel packet filter (known as
IPFW), which is what the rest of this
section will concentrate on. Proxy servers can be built on FreeBSD
from third party software, but there is such a variety of proxy
servers available that it would be impossible to cover them in this
section.Packet Filtering RoutersA router is a machine which forwards packets between two or more
networks. A packet filtering router is programmed to
compare each packet to a list of rules before
deciding if it should be forwarded or not. Most modern IP routing
software includes packet filtering functionality that defaults to
forwarding all packets. To enable the filters, you need to define a
set of rules.To decide whether a packet should be passed on, the firewall looks
through its set of rules for a rule which matches the contents of
the packet's headers. Once a match is found, the rule action is
obeyed. The rule action could be to drop the packet, to forward the
packet, or even to send an ICMP message back to the originator.
Only the first match counts, as the rules are searched in order.
Hence, the list of rules can be referred to as a rule
chain.The packet-matching criteria varies depending on the software
used, but typically you can specify rules which depend on the source
IP address of the packet, the destination IP address, the source
port number, the destination port number (for protocols which
support ports), or even the packet type (UDP, TCP, ICMP,
etc).Proxy ServersProxy servers are machines which have had the normal system
daemons (telnetd,
ftpd, etc) replaced with special servers.
These
servers are called proxy servers, as they
normally only allow onward connections to be made. This enables you
to run (for example) a proxy telnet server on your firewall host,
and people can telnet in to your firewall from the outside, go
through some authentication mechanism, and then gain access to the
internal network (alternatively, proxy servers can be used for
signals coming from the internal network and heading out).Proxy servers are normally more secure than normal servers, and
often have a wider variety of authentication mechanisms available,
including one-shot password systems so that even if
someone manages to discover what password you used, they will not be
able to use it to gain access to your systems as the password
expires immediately after the first use. As they do not actually give users access to the
host machine, it becomes a lot more difficult for someone to install
backdoors around your security system.Proxy servers often have ways of restricting access further, so
that only certain hosts can gain access to the servers.
Most will also allow the administrator to specify which
users can talk to which destination machines.
Again, what facilities are available
depends largely on what proxy software you choose.What Does IPFW Allow Me to Do?ipfwIPFW, the software supplied with
FreeBSD, is a packet filtering and accounting system which resides in
the kernel, and has a user-land control utility,
&man.ipfw.8;. Together, they allow you to define and query the
rules used by the kernel in its routing decisions.There are two related parts to IPFW.
The firewall section performs packet filtering. There is
also an IP accounting section which tracks usage of the
router, based on rules similar to those used in the firewall
section. This allows
the administrator to monitor how much traffic the router is
getting from a certain machine, or how much WWW traffic it is
forwarding, for example.As a result of the way that IPFW is
designed, you can use IPFW on non-router
machines to perform packet filtering on incoming and outgoing
connections. This is a special case of the more general use of
IPFW, and the same commands and techniques
should be used in this situation.Enabling IPFW on FreeBSDipfwenablingAs the main part of the IPFW system
lives in the kernel, you will need to add one or more options to your
kernel configuration file, depending on what facilities you want, and
recompile your kernel. See "Reconfiguring your Kernel" ()
for more details on how to recompile your
kernel.IPFW defaults to a policy of deny ip from any to
any. If you do not add other rules during startup to
allow access, you will lock yourself out of the
server upon rebooting into a firewall-enabled kernel. We suggest
that you set firewall_type=open in your
/etc/rc.conf file when first enabling this
feature, then refining the firewall rules in
/etc/rc.firewall after you have tested that the
new kernel feature works properly. To be on the safe side, you may
wish to consider performing the initial firewall configuration from
the local console rather than via
ssh. Another option is to build a kernel
using both the IPFIREWALL and
IPFIREWALL_DEFAULT_TO_ACCEPT options. This will
change the default rule of IPFW to allow ip from any to
any and avoid the possibility of a lockout.There are currently four kernel configuration options relevant to
IPFW:options IPFIREWALLCompiles into the kernel the code for packet
filtering.options IPFIREWALL_VERBOSEEnables code to allow logging of packets through
&man.syslogd.8;. Without this option, even if you specify
that packets should be logged in the filter rules, nothing will
happen.options IPFIREWALL_VERBOSE_LIMIT=10Limits the number of packets logged through
&man.syslogd.8; on a per entry basis. You may wish to use
this option in hostile environments in which you want to log
firewall activity, but do not want to be open to a denial of
service attack via syslog flooding.When a chain entry reaches the packet limit specified,
logging is turned off for that particular entry. To resume
logging, you will need to reset the associated counter using the
&man.ipfw.8; utility:&prompt.root; ipfw zero 4500Where 4500 is the chain entry you wish to continue
logging.options IPFIREWALL_DEFAULT_TO_ACCEPTThis changes the default rule action from deny
to allow. This avoids the possibility of locking
yourself out if you happen to boot a kernel with
IPFIREWALL support but have not configured
your firewall yet. It is also very useful if you often use
&man.ipfw.8; as a filter for specific problems as they arise.
Use with care though, as this opens up the firewall and changes
the way it works.Previous versions of FreeBSD contained an
IPFIREWALL_ACCT option. This is now obsolete as
the firewall code automatically includes accounting
facilities.Configuring IPFWipfwconfiguringThe configuration of the IPFW software
is done through the &man.ipfw.8; utility. The syntax for this
command looks quite complicated, but it is relatively simple once you
understand its structure.There are currently four different command categories used by the
utility: addition/deletion, listing, flushing, and clearing.
Addition/deletion is used to build the rules that control how packets
are accepted, rejected, and logged. Listing is used to examine the
contents of your rule set (otherwise known as the chain) and packet
counters (accounting). Flushing is used to remove all entries from
the chain. Clearing is used to zero out one or more accounting
entries.Altering the IPFW RulesThe syntax for this form of the command is:
ipfw-NcommandindexactionlogprotocoladdressesoptionsThere is one valid flag when using this form of the
command:-NResolve addresses and service names in output.The command given can be shortened to the
shortest unique form. The valid commands
are:addAdd an entry to the firewall/accounting rule listdeleteDelete an entry from the firewall/accounting rule
listPrevious versions of IPFW used
separate firewall and accounting entries. The present version
provides packet accounting with each firewall entry.If an index value is supplied, it is used to
place the entry at a specific point in the chain. Otherwise, the
entry is placed at the end of the chain at an index 100 greater than
the last chain entry (this does not include the default policy, rule
65535, deny).The log option causes matching rules to be
output to the system console if the kernel was compiled with
IPFIREWALL_VERBOSE.Valid actions are:rejectDrop the packet, and send an ICMP host or port unreachable
(as appropriate) packet to the source.allowPass the packet on as normal. (aliases:
pass, permit, and
accept)denyDrop the packet. The source is not notified via an
ICMP message (thus it appears that the packet never
arrived at the destination).countUpdate packet counters but do not allow/deny the packet
based on this rule. The search continues with the next chain
entry.Each action will be recognized by the
shortest unambiguous prefix.The protocols which can be specified
are:allMatches any IP packeticmpMatches ICMP packetstcpMatches TCP packetsudpMatches UDP packetsThe address specification is:fromaddress/maskporttoaddress/maskportvia interfaceYou can only specify port in
conjunction with protocols which support ports
(UDP and TCP).The is optional and may specify the IP
address or domain name of a local IP interface, or an interface name
(e.g. ed0) to match only packets coming
through this interface. Interface unit numbers can be specified
with an optional wildcard. For example, ppp*
would match all kernel PPP interfaces.The syntax used to specify an
address/mask is:
address
or
address/mask-bits
or
address:mask-patternA valid hostname may be specified in place of the IP address.
is a decimal
number representing how many bits in the address mask should be set.
e.g. specifying 192.216.222.1/24
will create a
mask which will allow any address in a class C subnet (in this case,
192.216.222) to be matched.
is an IP
address which will be logically AND'ed with the address given. The
keyword any may be used to specify any IP
address.The port numbers to be blocked are specified as:
port,port,port…
to specify either a single port or a list of ports, or
port-port
to specify a range of ports. You may also combine a single range
with a list, but the range must always be specified first.The options available are:fragMatches if the packet is not the first fragment of the
datagram.inMatches if the packet is on the way in.outMatches if the packet is on the way out.ipoptions specMatches if the IP header contains the comma separated list
of options specified in spec. The
supported IP options are: ssrr
(strict source route), lsrr (loose source
route), rr (record packet route), and
ts (time stamp). The absence of a
particular option may be specified with a leading
!.establishedMatches if the packet is part of an already established
TCP connection (i.e. it has the RST or ACK bits set). You can
optimize the performance of the firewall by placing
established rules early in the
chain.setupMatches if the packet is an attempt to establish a TCP
connection (the SYN bit is set but the ACK bit is
not).tcpflags flagsMatches if the TCP header contains the comma separated
list of flags. The supported flags
are fin, syn,
rst, psh,
ack, and urg. The
absence of a particular flag may be indicated by a leading
!.icmptypes typesMatches if the ICMP type is present in the list
types. The list may be specified
as any combination of ranges and/or individual types separated
by commas. Commonly used ICMP types are: 0
echo reply (ping reply), 3 destination
unreachable, 5 redirect,
8 echo request (ping request), and
11 time exceeded (used to indicate TTL
expiration as with &man.traceroute.8;).Listing the IPFW RulesThe syntax for this form of the command is:
ipfw-a-c-d-e-t-N-SlistThere are seven valid flags when using this form of the
command:-aWhile listing, show counter values. This option is the
only way to see accounting counters.-cList rules in compact form.-dShow dynamic rules in addition to static rules.-eIf was specified, also show expired
dynamic rules.-tDisplay the last match times for each chain entry. The
time listing is incompatible with the input syntax used by the
&man.ipfw.8; utility.-NAttempt to resolve given addresses and service
names.-SShow the set each rule belongs to. If this flag is not
specified, disabled rules will not be listed.Flushing the IPFW RulesThe syntax for flushing the chain is:
ipfwflushThis causes all entries in the firewall chain to be removed
except the fixed default policy enforced by the kernel (index
65535). Use caution when flushing rules; the default deny policy
will leave your system cut off from the network until allow entries
are added to the chain.Clearing the IPFW Packet CountersThe syntax for clearing one or more packet counters is:
ipfwzeroindexWhen used without an index argument,
all packet counters are cleared. If an
index is supplied, the clearing operation
only affects a specific chain entry.Example Commands for ipfwThis command will deny all packets from the host evil.crackers.org to the telnet port of the
host nice.people.org:&prompt.root; ipfw add deny tcp from evil.crackers.org to nice.people.org 23The next example denies and logs any TCP traffic from the entire
crackers.org network (a class C) to
the nice.people.org machine (any
port).&prompt.root; ipfw add deny log tcp from evil.crackers.org/24 to nice.people.orgIf you do not want people sending X sessions to your internal
network (a subnet of a class C), the following command will do the
necessary filtering:&prompt.root; ipfw add deny tcp from any to my.org/28 6000 setupTo see the accounting records:
&prompt.root; ipfw -a list
or in the short form
&prompt.root; ipfw -a lYou can also see the last time a chain entry was matched
with:&prompt.root; ipfw -at lBuilding a Packet Filtering FirewallThe following suggestions are just that: suggestions. The
requirements of each firewall are different and we cannot tell you
how to build a firewall to meet your particular requirements.When initially setting up your firewall, unless you have a test
bench setup where you can configure your firewall host in a controlled
environment, it is strongly recommend you use the logging version of the
commands and enable logging in the kernel. This will allow you to
quickly identify problem areas and cure them without too much
disruption. Even after the initial setup phase is complete, I
recommend using the logging for `deny' as it allows tracing of
possible attacks and also modification of the firewall rules if your
requirements alter.If you use the logging versions of the accept
command, be aware that it can generate
large amounts of log data. One log
entry will be generated for every packet that passes
through the firewall, so large FTP/http transfers, etc, will really
slow the system down. It also increases the latencies on those
packets as it requires more work to be done by the kernel before the
packet can be passed on. syslogd will
also start using up a lot
more processor time as it logs all the extra data to disk, and it
could quite easily fill the partition /var/log
is located on.You should enable your firewall from
/etc/rc.conf.local or
/etc/rc.conf. The associated manual page explains
which knobs to fiddle and lists some preset firewall configurations.
If you do not use a preset configuration, ipfw list
will output the current ruleset into a file that you can
pass to rc.conf. If you do not use
/etc/rc.conf.local or
/etc/rc.conf to enable your firewall,
it is important to make sure your firewall is enabled before
any IP interfaces are configured.The next problem is what your firewall should actually
do! This is largely dependent on what access to
your network you want to allow from the outside, and how much access
to the outside world you want to allow from the inside. Some general
rules are:Block all incoming access to ports below 1024 for TCP. This is
where most of the security sensitive services are, like finger,
SMTP (mail) and telnet.Block all incoming UDP traffic. There
are very few useful services that travel over UDP, and what useful
traffic there is, is normally a security threat (e.g. Suns RPC and
NFS protocols). This has its disadvantages also, since UDP is a
connectionless protocol, denying incoming UDP traffic also blocks
the replies to outgoing UDP traffic. This can cause a problem for
people (on the inside) using external archie (prospero) servers.
If you want to allow access to archie, you will have to allow
packets coming from ports 191 and 1525 to any internal UDP port
through the firewall. ntp is another
service you may consider allowing through, which comes from port
123.Block traffic to port 6000 from the outside. Port 6000 is the
port used for access to X11 servers, and can be a security threat
(especially if people are in the habit of doing xhost
+ on their workstations). X11 can actually use a
range of ports starting at 6000, the upper limit being how many X
displays you can run on the machine. The upper limit as defined
by RFC 1700 (Assigned Numbers) is 6063.Check what ports any internal servers use (e.g. SQL servers,
etc). It is probably a good idea to block those as well, as they
normally fall outside the 1-1024 range specified above.Another checklist for firewall configuration is available from
CERT at http://www.cert.org/tech_tips/packet_filtering.html
+ url="http://www.cert.org/tech_tips/packet_filtering.html">
As stated above, these are only guidelines.
You will have to decide what filter rules you want to use on your
firewall yourself. We cannot accept ANY responsibility if someone
breaks into your network, even if you follow the advice given
above.IPFW Overhead and OptimizationMany people want to know how much overhead IPFW adds to a
system. The answer to this depends mostly on your rule set and
processor speed. For most applications dealing with Ethernet
and small rule sets, the answer is
negligible. For those of you that need actual
measurements to satisfy your curiosity, read on.The following measurements were made using 2.2.5-STABLE on
a 486-66. (While IPFW has changed slightly in later releases
of FreeBSD, it still performs with similar speed.) IPFW was
modified to measure the time spent within the
ip_fw_chk routine, displaying the results
to the console every 1000 packets.Two rule sets, each with 1000 rules, were tested. The
first set was designed to demonstrate a worst case scenario by
repeating the rule:&prompt.root; ipfw add deny tcp from any to any 55555This demonstrates a worst case scenario by causing most of IPFW's
packet check routine to be executed before finally deciding
that the packet does not match the rule (by virtue of the port
number). Following the 999th iteration of this rule was an
allow ip from any to any.The second set of rules were designed to abort the rule
check quickly:&prompt.root; ipfw add deny ip from 1.2.3.4 to 1.2.3.4The non-matching source IP address for the above rule
causes these rules to be skipped very quickly. As before, the
1000th rule was an allow ip from any to
any.The per-packet processing overhead in the former case was
approximately 2.703 ms/packet, or roughly 2.7 microseconds per
rule. Thus the theoretical packet processing limit with these
rules is around 370 packets per second. Assuming 10 Mbps
Ethernet and a ~1500 byte packet size, we would only be able
to achieve 55.5% bandwidth utilization.For the latter case each packet was processed in
approximately 1.172 ms, or roughly 1.2 microseconds per rule.
The theoretical packet processing limit here would be about
853 packets per second, which could consume 10 Mbps Ethernet
bandwidth.The excessive number of rules tested and the nature of
those rules do not provide a real-world scenario -- they were
used only to generate the timing information presented here.
Here are a few things to keep in mind when building an
efficient rule set:Place an established rule early on
to handle the majority of TCP traffic. Do not put any
allow tcp statements before this
rule.Place heavily triggered rules earlier in the rule set
than those rarely used (without changing the
permissiveness of the firewall, of course).
You can see which rules are used most often by examining
the packet counting statistics with ipfw -a
l.OpenSSLsecurityOpenSSLOpenSSLAs of FreeBSD 4.0, the OpenSSL toolkit is a part of the base
system. OpenSSL
provides a general-purpose cryptography library, as well as the
Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer
Security v1 (TLSv1) network security protocols.However, one of the algorithms (specifically IDEA)
included in OpenSSL is protected by patents in the USA and
elsewhere, and is not available for unrestricted use.
IDEA is included in the OpenSSL sources in FreeBSD, but it is not
built by default. If you wish to use it, and you comply with the
license terms, enable the MAKE_IDEA switch in
/etc/make.conf and
rebuild your sources using make world.Today, the RSA algorithm is free for use in USA and other
countries. In the past it was protected by a patent.OpenSSLinstallSource Code InstallationsOpenSSL is part of the src-crypto and
src-secure cvsup collections. See the Obtaining FreeBSD section for more
information about obtaining and updating FreeBSD source
code.YoshinobuInoueContributed by IPsecIPsecsecurityIPsecTerminating CharactersThroughout examples in this section, and other sections,
you will notice that there is a ^D at the end
of some examples. This means to hold down the Control
key and hit the D key. Another commonly used
character is ^C, which respectively means to hold
down Control and press C.For other HOWTOs detailing IPsec implementation in
FreeBSD, take a look at
and .The IPsec mechanism provides secure communication for IP
layer and socket layer communication. This section should
explain how to use them. For implementation details, please
refer to The
Developers' Handbook.The current IPsec implementation supports both transport mode
and tunnel mode. However, tunnel mode comes with some restrictions.
- http://www.kame.net/newsletter/
- has more comprehensive examples.
+
+ has more comprehensive examples.
Please be aware that in order to use this functionality, you
must have the following options compiled into your kernel:options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/IPSEC)Transport Mode Example with IPv4Let us setup security association to deploy a secure channel
between HOST A (10.2.3.4) and
HOST B (10.6.7.8).
Here we show a little
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.Now we should choose an algorithm to be used corresponding to
AH/new AH/ESP/
new ESP. Please refer to the &man.setkey.8; man
page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1
for new AH, and new-DES-expIV with 8 byte IV for new ESP.Key length highly depends on each algorithm. For example, key
length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
and 8 for new-DES-expIV. Now we choose MYSECRETMYSECRET,
KAMEKAMEKAMEKAMEKAME, PASSWORD,
respectively.OK, let us assign SPI (Security Parameter Index) for each protocol.
Please note that we need 3 SPIs for this secure channel since three
security headers are produced (one for from HOST A to HOST B, two for
from HOST B to HOST A). Please also note that SPI MUST be greater
than or equal to 256. We choose, 1000, 2000, and 3000,
respectively.
(1)
HOST A ------> HOST B
(1)PROTO=AH
ALG=MD5(RFC1826)
KEY=MYSECRETMYSECRET
SPI=1000
(2.1)
HOST A <------ HOST B
<------
(2.2)
(2.1)
PROTO=AH
ALG=new-HMAC-SHA1(new AH)
KEY=KAMEKAMEKAMEKAMEKAME
SPI=2000
(2.2)
PROTO=ESP
ALG=new-DES-expIV(new ESP)
IV length = 8
KEY=PASSWORD
SPI=3000
Now, let us setup security association. Execute &man.setkey.8;
on both HOST A and B:&prompt.root; setkey -c
add 10.2.3.4 10.6.7.8 ah-old 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^DActually, IPsec communication does not process until security policy
entries are defined. In this case, you must setup each host.
At A:
&prompt.root; setkey -c
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
ah/transport/10.2.3.4-10.6.7.8/require ;
^D
At B:
&prompt.root; setkey -c
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
ah/transport/10.6.7.8-10.2.3.4/require ;
^D
HOST A --------------------------------------> HOST E
10.2.3.4 10.6.7.8
| |
========== old AH keyed-md5 ==========>
<========= new AH hmac-sha1 ===========
<========= new ESP des-cbc ============
Transport Mode Example with IPv6Another example using IPv6.ESP transport mode is recommended for TCP port number 110 between
Host-A and Host-B.
============ ESP ============
| |
Host-A Host-B
fec0::10 -------------------- fec0::11
Encryption algorithm is blowfish-cbc whose key is
kamekame, and authentication algorithm is hmac-sha1
whose key is this is the test key.
Configuration at Host-A:&prompt.root; setkey -c <<EOF
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
esp/transport/fec0::10-fec0::11/use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
esp/transport/fec0::11-fec0::10/use ;
add fec0::10 fec0::11 esp 0x10001
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002
-m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOFand at Host-B:&prompt.root; setkey -c <<EOF
spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
esp/transport/fec0::11-fec0::10/use ;
spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
esp/transport/fec0::10-fec0::11/use ;
add fec0::10 fec0::11 esp 0x10001 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport
-E blowfish-cbc "kamekame"
-A hmac-sha1 "this is the test key" ;
EOFNote the direction of SP.Tunnel Mode Example with IPv4Tunnel mode between two security gatewaysSecurity protocol is old AH tunnel mode, i.e. specified by
RFC1826, with keyed-md5 whose key is this is the test as
authentication algorithm.
======= AH =======
| |
Network-A Gateway-A Gateway-B Network-B
10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
Configuration at Gateway-A:&prompt.root; setkey -c <<EOF
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
EOFIf the port number field is omitted such as above then
[any] is employed. -m
specifies the mode of SA to be used. -m any means
wild-card of mode of security protocol. You can use this SA for both
tunnel and transport mode.and at Gateway-B:&prompt.root; setkey -c <<EOF
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
ah/tunnel/172.16.0.2-172.16.0.1/require ;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
ah/tunnel/172.16.0.1-172.16.0.2/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
-A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
-A keyed-md5 "this is the test" ;
EOFMaking SA bundle between two security gatewaysAH transport mode and ESP tunnel mode is required between
Gateway-A and Gateway-B. In this case, ESP tunnel mode is
applied first, and AH transport mode is next.
========== AH =========
| ======= ESP ===== |
| | | |
Network-A Gateway-A Gateway-B Network-B
fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
Tunnel Mode Example with IPv6Encryption algorithm is 3des-cbc, and authentication algorithm
for ESP is hmac-sha1. Authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:&prompt.root; setkey -c <<EOF
spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
-E 3des-cbc "kamekame12341234kame1234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
-A hmac-md5 "this is the test" ;
EOFMaking SAs with the different endESP tunnel mode is required between Host-A and Gateway-A.
Encryption algorithm is cast128-cbc, and authentication algorithm
for ESP is hmac-sha1. ESP transport mode is recommended between
Host-A and Host-B. Encryption algorithm is rc5-cbc, and
authentication algorithm for ESP is hmac-md5.
================== ESP =================
| ======= ESP ======= |
| | | |
Host-A Gateway-A Host-B
fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2
Configuration at Host-A:&prompt.root; setkey -c <<EOF
spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec
esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use
esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
-m transport
-E cast128-cbc "12341234"
-A hmac-sha1 "this is the test key" ;
add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
-E rc5-cbc "kamekame"
-A hmac-md5 "this is the test" ;
EOFChernLeeContributed by OpenSSHOpenSSHsecurityOpenSSHSecure shell is a set of network connectivity tools used to
access remote machines securely. It can be used as a direct
replacement for rlogin,
rsh, rcp, and
telnet. Additionally, any other TCP/IP
connections can be tunneled/forwarded securely through ssh.
ssh encrypts all traffic to effectively eliminate eavesdropping,
connection hijacking, and other network-level attacks.OpenSSH is maintained by the OpenBSD project, and is based
upon SSH v1.2.12 with all the recent bug fixes and updates. It
is compatible with both SSH protocols 1 and 2. OpenSSH has been
in the base system since FreeBSD 4.0.Advantages of Using OpenSSHNormally, when using &man.telnet.1; or &man.rlogin.1;,
data is sent over the network in an clear, un-encrypted form.
Network sniffers anywhere in between the client and server can
steal your user/password information or data transferred in
your session. OpenSSH offers a variety of authentication and
encryption methods to prevent this from happening.Enabling sshdOpenSSHenablingBe sure to make the following additions to your
rc.conf file:sshd_enable="YES"This will load the ssh daemon
the next time your system initializes. Alternatively, you can
simply run the sshd daemon.SSH ClientOpenSSHclientThe &man.ssh.1; utility works similarly to
&man.rlogin.1;.&prompt.root; ssh user@example.com
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'example.com' added to the list of known hosts.
user@example.com's password: *******The login will continue just as it would have if a session was
created using rlogin or
telnet. SSH utilizes a key fingerprint
system for verifying the authenticity of the server when the
client connects. The user is prompted to enter
yes only when
connecting for the first time. Future attempts to login are all
verified against the saved fingerprint key. The SSH client
will alert you if the saved fingerprint differs from the
received fingerprint on future login attempts. The fingerprints
are saved in ~/.ssh/known_hosts, or
~/.ssh/known_hosts2 for SSH v2
fingerprints.By default, OpenSSH servers are configured to accept both
SSH v1 and SSH v2 connections. The client, however, can choose
between the two. Version 2 is known to be more robust and
secure than its predecessor.ssh can be forced to use either protocol
by passing it the or argument
for v1 and v2, respectively.Secure CopyOpenSSHsecure copyscpThe scp command works similarly to
rcp; it copies a file to or from a remote machine,
except in a secure fashion.&prompt.root; scp user@example.com:/COPYRIGHT COPYRIGHT
user@example.com's password: *******
COPYRIGHT 100% |*****************************| 4735
00:00
&prompt.root;Since the fingerprint was already saved for this host in the
previous example, it is verified when using scp
here.The arguments passed to scp are similar
to cp, with the file or files in the first
argument, and the destination in the second. Since the file is
fetched over the network, through SSH, one or more of the file
arguments takes on the form
.ConfigurationOpenSSHconfigurationThe system-wide configuration files for both the OpenSSH
daemon and client reside within the /etc/ssh
directory.ssh_config configures the client
settings, while sshd_config configures the
daemon.Additionally, the
(/usr/sbin/sshd by default), and
rc.conf
options can provide more levels of configuration.ssh-keygenInstead of using passwords, &man.ssh-keygen.1; can
be used to generate RSA keys to authenticate a user.&prompt.user; ssh-keygen
Initializing random number generator...
Generating p: .++ (distance 66)
Generating q: ..............................++ (distance 498)
Computing the keys...
Key generation complete.
Enter file in which to save the key (/home/user/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/user/.ssh/identity.
...&man.ssh-keygen.1; will create a public and private
key pair for use in authentication. The private key is stored in
~/.ssh/identity, whereas the public key is
stored in ~/.ssh/identity.pub. The public
key must be placed in ~/.ssh/authorized_keys
of the remote machine in order for the setup to work.This will allow connection to the remote machine based upon
RSA authentication instead of passwords.If a passphrase is used in &man.ssh-keygen.1;, the user
will be prompted for a password each time in order to use the private
key.A SSH v2 DSA key can be created for the same purpose by using
the ssh-keygen -d command (or
ssh-keygen -t dsa for FreeBSD &os.current;).
This will
create a public/private DSA key for use in SSH v2 sessions only.
The public key is stored in ~/.ssh/id_dsa.pub,
while the private key is in ~/.ssh/id_dsa.DSA public keys are placed in
~/.ssh/authorized_keys2 on the remote
machine.&man.ssh-agent.1; and &man.ssh-add.1; are
utilities used in managing multiple passworded private keys.SSH TunnelingOpenSSHtunnelingOpenSSH has the ability to create a tunnel to encapsulate
another protocol in an encrypted session.The following command tells &man.ssh.1; to create a tunnel
for telnet.&prompt.user; ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com
&prompt.user;The ssh command is used with the
following options:Forces ssh to use version 2 of
the protocol. (Do not use if you are working with older
ssh servers)Indicates no command, or tunnel only. If omitted,
ssh would initiate a normal
session.Forces ssh to run in the
background.Indicates a local tunnel in
localport:remotehost:remoteport
fashion.The remote SSH server.An SSH tunnel works by creating a listen socket on
localhost on the specified port.
It then forwards any connection received
on the local host/port via the SSH connection to the specified
remote host and port.In the example, port 5023 on
localhost is being forwarded to port
23 on localhost
of the remote machine. Since 23 is telnet,
this would create a secure telnet session through an SSH tunnel.This can be used to wrap any number of insecure TCP protocols
such as SMTP, POP3, FTP, etc.Using SSH to create a secure tunnel for SMTP&prompt.user; ssh -2 -N -f -L 5025:localhost:25 user@mailserver.example.com
user@mailserver.example.com's password: *****
&prompt.user; telnet localhost 5025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailserver.example.com ESMTPThis can be used in conjunction with an
&man.ssh-keygen.1; and additional user accounts to create a
more seamless/hassle-free SSH tunneling environment. Keys
can be used in place of typing a password, and the tunnels
can be run as a separate user.Practical SSH Tunneling ExamplesSecure Access of a POP3 serverAt work, there is an SSH server that accepts
connections from the outside. On the same office network
resides a mail server running a POP3 server. The network,
or network path between your home and office may or may not
be completely trustable. Because of this, you need to check
your e-mail in a secure manner. The solution is to create
an SSH connection to your office's SSH server, and tunnel
through to the mail server.&prompt.user; ssh -2 -N -f -L 2110:mail.example.com:110 user@ssh-server.example.com
user@ssh-server.example.com's password: ******When the tunnel is up and running, you can point your
mail client to send POP3 requests to localhost
port 2110. A connection here will be forwarded securely across
the tunnel to mail.example.com.Bypassing a Draconian FirewallSome network administrators impose extremely Draconian
firewall rules, filtering not only incoming connections,
but outgoing connections. You may be only given access
to contact remote machines on ports 22 and 80 for SSH
and web surfing.You may wish to access another (perhaps non-work
related) service, such as an Ogg Vorbis server to stream
music. If this Ogg Vorbis server is streaming on some other
port than 22 or 80, you will not be able to access it.The solution is to create an SSH connection to a machine
outside of your network's firewall, and use it to tunnel to
the Ogg Vorbis server.&prompt.user; ssh -2 -N -f -L 8888:music.example.com:8000 user@unfirewalled.myserver.com
user@unfirewalled.myserver.com's password: *******Your streaming client can now be pointed to
localhost port 8888, which will be
forwarded over to music.example.com port
8000, successfully evading the firewall.Further ReadingOpenSSH&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
&man.ssh-agent.1; &man.ssh-add.1;&man.sshd.8; &man.sftp-server.8;RobertWatsonSponsored by DARPA and Network Associates Laboratories.
Contributed by MACMandatory Access Control (MAC)FreeBSD 5.0 includes a new kernel security framework, the
TrustedBSD MAC Framework. The MAC Framework permits compile-time,
boot-time, and run-time extension of the kernel access control
policy, and can be used to load support for Mandatory Access
Control (MAC), and custom security modules
such as hardening modules. The MAC Framework is currently
considered to be an experimental feature, and should not yet
be used in production environments without careful consideration.
It is anticipated that the MAC Framework will be appropriate for
more widespread production use by FreeBSD 5.2.When configured into a kernel, the MAC Framework permits
security modules to augment the existing kernel access control
model, restricting access to system services and objects. For
example, the &man.mac.bsdextended.4; module augments file system
access control, permitting administrators to provide a
firewall-like ruleset constraining access to file system objects
based on user ids and group membership. Some modules require
little or no configuration, such as &man.mac.seeotheruids.4,
whereas others perform ubiquitous object labeling, such as
&man.mac.biba.4; and &man.mac.mls.4;, and require extensive
configuration.To enable the MAC Framework in your system kernel, you must
add the following entry to your kernel configuration:options MACSecurity policy modules shipped with the base system may
be loaded using &man.kldload.8; or in the boot &man.loader.8;
They may also be compiled directly into the kernel using the
following options, if the use of modules is not desired.Different MAC policies may be configured in different ways;
frequently, MAC policy modules export configuration parameters
using the &man.sysctl.8; MIB using the
security.mac namespace. Policies relying on
file system or other labels may require a configuration step
that involes assigning initial labels to system objects or
creating a policy configuration file. For information on how to
configure and use each policy module, see its man page.A variety of tools are available to configure the MAC Framework
and labels maintained by various policies. Extensions have been
made to the login and credential management mechanisms
(&man.setusercontext.3;) to support initial user labeling using
&man.login.conf.5;. In addition, modifications have been made
to &man.su.1;, &man.ps.1;, &man.ls.1;, and &man.ifconfig.8; to
inspect and set labels on processes, files, and interfaces. In
addition, several new tools have been added to manage labels
on objects, including &man.getfmac.8;, &man.setfmac.8;, and
&man.setfsmac.8; to manage labels on files, and &man.getpmac.8; and
&man.setpmac.8;.What follows is a list of policy modules shipped with FreeBSD
5.0.Biba Integrity Policy (mac_biba)Biba Integrity PolicyVendor: TrustedBSD ProjectModule name: mac_biba.koKernel option: MAC_BIBATCBThe Biba Integrity Policy (&man.mac.biba.4;) provides
for hierarchical and non-hierarchical labeling of all system
objects with integrity data, and the strict enforcement of
an information flow policy to prevent corruption of high
integrity subjects and data by low-integrity subjects.
Integrity is enforced by preventing high integrity
subjects (generally processes) from reading low integrity
objects (often files), and preventing low integrity
subjects from writing to high integrity objects.
This security policy is frequently used in commercial
trusted systems to provide strong protection for the
Trusted Code Base (TCB). Because it
provides ubiquitous labeling, the Biba integrity policy
must be compiled into the kernel or loaded at boot.File System Firewall Policy (mac_bsdextended)File System Firewall PolicyVendor: TrustedBSD ProjectModule name: mac_bsdextended.koKernel option: MAC_BSDEXTENDED The File System Firewall Policy (&man.mac.bsdextended.4;)
provides an extension to the BSD file system permission model,
permitting the administrator to define a set of firewall-like
rules for limiting access to file system objects owned by
other users and groups. Managed using &man.ugidfw.8;, rules
may limit access to files and directories based on the uid
and gids of the process attempting the access, and the owner
and group of the target of the access attempt. All rules
are restrictive, so they may be placed in any order. This policy
requires no prior configuration or labeling, and may be
appropriate in multi-user environments where mandatory limits
on inter-user data exchange are required. Caution should be
exercised in limiting access to files owned by the super-user or
other system user ids, as many useful programs and directories
are owned by these users. As with a network firewall,
improper application of file system firewall rules may render
the system unusable. New tools to manage the rule set may be
easily written using the &man.libugidfw.3; library.Interface Silencing Policy (mac_ifoff)Interface Silencing PolicyVendor: TrustedBSD ProjectModule name: mac_ifoff.koKernel option: MAC_IFOFFThe interface silencing policy (&man.mac.ifoff.4;)
prohibits the use of network interfaces during the boot
until explicitly enabled, preventing spurious stack output
stack response to incoming packets. This is appropriate
for use in environments where the monitoring of packets
is required, but no traffic may be generated.Low-Watermark Mandatory Access Control (LOMAC)
(mac_lomac)Low-Watermark Mandatory Access ControlLOMACVendor: Network Associates LaboratoriesModule name: mac_lomac.koKernel option: MAC_LOMACSimilar to the Biba Integrity Policy, the LOMAC
policy (&man.mac.lomac.4;) relies on the ubiquitous
labeling of all system objects with integrity labels.
Unlike Biba, LOMAC permits high integrity subjects to
read from low integrity objects, but then downgrades the
label on the subject to prevent future writes to high
integrity objects. This policy may provide for greater
compatibility, as well as require less initial
configuration than Biba. However, as with Biba, it
ubiquitously labels objects and must therefore be
compiled into the kernel or loaded at boot.Multi-Level Security Policy (MLS) (mac_mls)Multi-Level Security PolicyMLSVendor: TrustedBSD ProjectModule name: mac_mls.koKernel option: MAC_MLSMulti-Level Security (MLS)
(&man.mac.mls.4;) provides for hierarchical and non-hierarchical
labeling of all system objects with sensitivity data, and the
strict enforcement of an information flow policy to prevent
the leakage of confidential data to untrusted parties. The
logical conjugate of the Biba Integrity Policy,
MLS is frequently shipped in commercial
trusted operating systems to protect data secrecy in
multi-user environments. Hierarchal labels provide support
for the notion of clearances and classifications in
traditional parlance; non-hierarchical labels provide support
for need-to-know. As with Biba, ubiquitous
labeling of objects occurs, and it must therefore be compiled
into the kernel or loaded at boot. As with Biba, extensive
initial configuration may be required.MAC Stub Policy (mac_none)MAC Stub PolicyVendor: TrustedBSD ProjectModule name: mac_none.koKernel option: MAC_NONEThe None policy (&man.mac.none.4;) provides a stub
sample policy for developers, implementing all entry
points, but not changing the system access control
policy. Running this on a production system would
not be highly beneficial.Process Partition Policy (mac_partition)Process Partition PolicyVendor: TrustedBSD ProjectModule name: mac_partition.koKernel option: MAC_PARTITIONThe Partition policy (&man.mac.partition.4;) provides for a
simple process visibility limitation, assigning labels to
processes identifying what numeric system partition they
are present in. If none, all other processes are visible
using standard monitoring tools; if a partition identifier
is present, then only other processes in the same
partition are visible. This policy may be compiled into
the kernel, loaded at boot, or loaded at run-time.See Other Uids Policy (mac_seeotheruids)See Other Uids PolicyVendor: TrustedBSD ProjectModule name: mac_seeotheruids.koKernel option: MAC_SEEOTHERUIDSThe See Other Uids policy (&man.mac.seeotheruids.4;)
implements a similar process visibility model to
mac_partition, except that it relies on process credentials to
control visibility of processes, rather than partition labels.
This policy may be configured to exempt certain users and
groups, including permitting system operators to view all
processes without special privilege. This policy may be
compiled into the kernel, loaded at boot, or loaded at
run-time.MAC Framework Test Policy (mac_test)MAC Framework Test PolicyVendor: TrustedBSD ProjectModule name: mac_test.koKernel option: MAC_TESTThe Test policy (&man.mac.test.4;) provides a regression
test environment for the MAC Framework, and will cause a
fail-stop in the event that internal MAC Framework assertions
about proper data labeling fail. This module can be used to
detect failures to properly label system objects in the kernel
implementation. This policy may be compiled into the kernel,
loaded at boot, or loaded at run-time.