os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Markup Fixes:

Browse source 
Place some terms in <varname>
Change <emphasis> -> <varname> in some intstances
Place commands in <command> or man entitiy
Place applications in <application>
Place filenames in <filename>
Place hostnames in <hostid>
One instance of <quote> -> <errorname>

Spelling/Terminology Fixes:
ip -> IP address
IPs/ips -> IP addresses
cfg -> config
Unice -> Unix systems

Reviewed by:	murray
This commit is contained in:
Chern Lee 2001-07-19 18:38:43 +00:00
parent d0343abca1
commit 474756bf03
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=9976
1 changed files with 101 additions and 94 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

195
en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
View file

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.59 2001/07/17 22:20:47 chern Exp $
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.60 2001/07/17 23:33:25 chern Exp $
-->
<chapter id="advanced-networking">
@ -106,7 +106,7 @@ host2.foobar.com link#1 UC 0 0
rather than sending it out over the Ethernet interface.</para>
<para>The two <literal>host2</literal> lines are an example of what
happens when we use an ifconfig alias (see the section of Ethernet for
happens when we use an &man.ifconfig.8; alias (see the section of Ethernet for
reasons why we would do this). The <literal>=&gt;</literal> symbol
after the <devicename>lo0</devicename> interface says that not only
are we using the loopback (since this is address also refers to the
@ -272,7 +272,7 @@ Local1 (10.20.30.1, 10.9.9.30) --&gt; T1-GW (10.9.9.1)
<para>In one case, the machine as two Ethernet cards, each having an
address on the separate subnets. Alternately, the machine may only
have one Ethernet card, and be using ifconfig aliasing. The former is
have one Ethernet card, and be using &man.ifconfig.8; aliasing. The former is
used if two physically separate Ethernet networks are in use, the
latter if there is one physical network segment, but two logically
separate subnets.</para>
@ -449,7 +449,7 @@ Local1 (10.20.30.1, 10.9.9.30) --&gt; T1-GW (10.9.9.1)
<title>Firewall support</title>
<indexterm><primary>firewall</primary></indexterm>
<para>If you are planning to use the bridge as a firewall, you will
need to add the IPFIREWALL option as well. Read <xref
need to add the <varname>IPFIREWALL</varname> option as well. Read <xref
linkend="firewalls"> for general information on configuring the
bridge as a firewall.</para>
@ -480,8 +480,8 @@ Local1 (10.20.30.1, 10.9.9.30) --&gt; T1-GW (10.9.9.1)
<programlisting>net.link.ether.bridge=1</programlisting>
<para>to <filename>/etc/sysctl.conf</filename> to enable the bridge at
runtime. If you want the bridged packets to be filtered by ipfw, you
should also add</para>
runtime. If you want the bridged packets to be filtered by &man.ipfw.8;,
you should also add</para>
<programlisting>net.link.ether.bridge_ipfw=1</programlisting>
@ -580,13 +580,14 @@ Local1 (10.20.30.1, 10.9.9.30) --&gt; T1-GW (10.9.9.1)
<listitem>
<para><command>mountd</command> - The NFS Mount Daemon which
actually carries out requests that nfsd passes on to
actually carries out requests that &man.nfsd.8; passes on to
it.</para>
</listitem>
<listitem>
<para><command>portmap</command> - The portmapper daemon which
allows NFS clients to find out which port the NFS server is
<para><command>portmap</command> - The
<command>portmapper</command> daemon which allows NFS
clients to find out which port the NFS server is
using.</para>
</listitem>
</itemizedlist>
@ -688,10 +689,10 @@ nfs_client_flags="-n 4"</programlisting>
have permission to do so. Make sure your client is listed in your
<filename>/etc/exports</filename> file.</para>
<para>It's important to remember that you must restart mountd
<para>It's important to remember that you must restart <command>mountd</command>
whenever you modify <filename>/etc/exports</filename> so that
your changes take effect. This can be accomplished by sending
the hangup signal to the mountd process :</para>
the hangup signal to the <command>mountd</command> process :</para>
<screen>&prompt.root; <userinput>kill -HUP `cat /var/run/mountd.pid`</userinput></screen>
@ -924,7 +925,7 @@ nfs_client_flags="-n 4"</programlisting>
</step>
<step>
<para>Set up a bootp server to provide the client with IP, gateway,
<para>Set up a bootp server to provide the client with IP address, gateway,
netmask.</para>
<programlisting>diskless:\
@ -1030,14 +1031,14 @@ nfs_client_flags="-n 4"</programlisting>
</tgroup>
</informaltable>
<para>A typical completely diskless cfg file might contain:</para>
<para>A typical completely diskless config file might contain:</para>
<programlisting>rootfs 192.1.2.3:/rootfs/myclient
swapfs 192.1.2.3:/swapfs
swapsize 20000
hostname myclient.mydomain</programlisting>
<para>A cfg file for a machine with local swap might contain:</para>
<para>A config file for a machine with local swap might contain:</para>
<programlisting>rootfs 192.1.2.3:/rootfs/myclient
hostname myclient.mydomain</programlisting>
@ -1066,12 +1067,13 @@ hostname myclient.mydomain</programlisting>
</indexterm>
<para>If you are swapping over NFS (completely diskless
configuration) create a swap file for your client using
<command>dd</command>. If your <command>swapfs</command> command
has the arguments <filename>/swapfs</filename> and the size 20000
as in the example above, the swapfile for myclient will be called
<command>dd</command>. If your <command>swapfs</command>
command has the arguments <filename>/swapfs</filename> and
the size 20000 as in the example above, the swapfile for
<hostid>myclient</hostid> will be called
<filename>/swapfs/swap.<replaceable>X.X.X.X</replaceable></filename>
where <replaceable>X.X.X.X</replaceable> is the client's IP addr,
e.g.:</para>
where <replaceable>X.X.X.X</replaceable> is the client's IP
address, e.g.:</para>
<screen>&prompt.root; <userinput>dd if=/dev/zero of=/swapfs/swap.192.1.2.4 bs=1k count=20000</userinput></screen>
@ -1446,7 +1448,7 @@ ISDN BRI line</literallayout>
<para>NIS, which stands for Network Information Services, was
developed by Sun Microsystems to centralize administration of Unix
(originally SunOS) systems. It has now essentially become an
industry standard; all major Unices (Solaris, HP-UX, AIX, Linux,
industry standard; all major Unix systems (Solaris, HP-UX, AIX, Linux,
NetBSD, OpenBSD, FreeBSD, etc) support NIS.</para>
<indexterm><primary>yellow pages (see NIS)</primary></indexterm>
@ -1507,7 +1509,7 @@ ISDN BRI line</literallayout>
<listitem>
<para><emphasis>ypserv</emphasis>. <command>ypserv</command>,
which should only be running on NIS servers, is the NIS server
process itself. If ypserv dies, then the server will no longer be
process itself. If &man.ypserv.8; dies, then the server will no longer be
able to respond to NIS requests (hopefully, there is a slave
server to take over for it).</para>
@ -2045,11 +2047,11 @@ nis_client_enable="YES"</programlisting>
<sect2>
<title>NIS Security</title>
<para>In general, any remote user can issue an RPC to ypserv and
<para>In general, any remote user can issue an RPC to &man.ypserv.8; and
retrieve the contents of your NIS maps, provided the remote user
knows your domainname. To prevent such unauthorized transactions,
ypserv supports a feature called securenets which can be used to
restrict access to a given set of hosts. At startup, ypserv will
&man.ypserv.8; supports a feature called securenets which can be used to
restrict access to a given set of hosts. At startup, &man.ypserv.8; will
attempt to load the securenets information from a file called
<filename>/var/yp/securenets</filename>.</para>
@ -2072,7 +2074,7 @@ nis_client_enable="YES"</programlisting>
# this includes the machines in the testlab
10.0.0.0 255.255.240.0</programlisting>
<para>If ypserv receives a request from an address that matches one
<para>If &man.ypserv.8; receives a request from an address that matches one
of these rules, it will process the request normally. If the
address fails to match a rule, the request will be ignored and a
warning message will be logged. If the
@ -2081,8 +2083,9 @@ nis_client_enable="YES"</programlisting>
<para>The ypserv program also has support for Wietse Venema's
<application>tcpwrapper</application> package. This allows the
administrator to use the tcpwrapper configuration files for access
control instead of <filename>/var/yp/securenets</filename>.</para>
administrator to use the <application>tcpwrapper</application> configuration
files for access control instead of
<filename>/var/yp/securenets</filename>.</para>
<note>
<para>While both of these access control mechanisms provide some
@ -2283,7 +2286,8 @@ basie&prompt.root;</screen>
<para>If you tried to implement these restrictions by separately
blocking each user, you would have to add one
-<replaceable>user</replaceable> line to each system's passwd
-<replaceable>user</replaceable> line to each system's
<filename>passwd</filename>
for each user who is not allowed to login onto that system.
If you forget just one entry, you could be in trouble. It may
be feasible to do this correctly during the initial setup,
@ -2304,7 +2308,7 @@ basie&prompt.root;</screen>
configuration file to grant or deny access to machines.</para>
<para>The first step is the initialization of the NIS map
netgroup. FreeBSD's ypinit does not create this map by
netgroup. FreeBSD's &man.ypinit.8; does not create this map by
default, but its NIS implementation will support it once it has
been created. To create an empty map, simply type</para>
@ -2413,15 +2417,15 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
these users are allowed to login.</para>
<para>Unfortunately, this limitation also applies to the ~
function of the shell and all routines converting between user
names and numerical user ids. In other words, cd
~<replaceable>user</replaceable> will not work, <command>ls
-l</command> will show the numerical id instead of the
username and <command>find . -user joe -print</command> will
fail with <quote>No such user</quote>. To fix this, you will
have to import all user entries <emphasis>without
allowing them to login onto your servers</emphasis>.</para>
function of the shell and all routines converting between user
names and numerical user ids. In other words,
<command>cd ~<replaceable>user</replaceable></command> will not work,
<command>ls -l</command> will show the numerical id instead of
the username and <command>find . -user joe -print</command> will
fail with <errorname>No such user</errorname>. To fix this, you will
have to import all user entries <emphasis>without allowing them
to login onto your servers</emphasis>.</para>
<para>This can be achieved by adding another line to
<filename>/etc/master.passwd</filename>. This line should
contain <literal>+:::::::::/sbin/nologin</literal>, meaning
@ -2884,10 +2888,10 @@ dhcp_flags=""</programlisting>
<para>FreeBSD utilizes, by default, a version of BIND (Berkeley
Internet Name Domain), which is the most common implementation of the
DNS protocol. DNS is the protocol through which names are mapped to
IPs, and vice versa. For example, a query for www.freebsd.org
IP addresses, and vice versa. For example, a query for www.freebsd.org
will send back a reply for the IP address of The FreeBSD Project's
webpage, whereas, a query for ftp.freebsd.org will return the IP
of the corresponding FTP machine. Likewise, the opposite can
webpage, whereas, a query for ftp.freebsd.org will return the IP
address of the corresponding FTP machine. Likewise, the opposite can
happen. A query for an IP address can resolve its hostname.
</para>
@ -2929,20 +2933,20 @@ dhcp_flags=""</programlisting>
<para>. is the root zone</para>
</listitem>
<listitem>
<para>org. is a zone under the root zone</para>
<para><hostid>org.</hostid> is a zone under the root zone</para>
</listitem>
<listitem>
<para>foobardomain.org is a zone under the org. zone</para>
<para><hostid>foobardomain.org</hostid> is a zone under the org. zone</para>
</listitem>
<listitem>
<para>foo.foobardomain.org. is a subdomain, a zone under the
foobardomain.org. zone
<para><hostid>foo.foobardomain.org.</hostid> is a subdomain, a zone under the
<hostid>foobardomain.org.</hostid> zone
</para>
</listitem>
<listitem>
<para>
1.2.3.in-addr.arpa is a zone referencing all ips which fall
under the 3.2.1.* ip space.
<hostid>1.2.3.in-addr.arpa</hostid> is a zone referencing all IP addresses
which fall under the 3.2.1.* IP space.
</para>
</listitem>
</itemizedlist>
@ -2967,12 +2971,12 @@ dhcp_flags=""</programlisting>
the particular zone
</para>
<para><emphasis>forward dns</emphasis> - mapping of hostnames to ip
<para><emphasis>forward dns</emphasis> - mapping of hostnames to IP
addresses
</para>
<indexterm><primary>reverse DNS</primary></indexterm>
<para><emphasis>reverse dns</emphasis> - the opposite, mapping of ip
<para><emphasis>reverse dns</emphasis> - the opposite, mapping of IP
addresses to hostnames
</para>
</sect2>
@ -2991,8 +2995,8 @@ dhcp_flags=""</programlisting>
</para>
</listitem>
<listitem>
<para>For example, you register foobardomain.org and wish
to assign hostnames to the proper IP addresses.
<para>For example, you register <hostid>foobardomain.org</hostid>
and wish to assign hostnames to the proper IP addresses.
</para>
</listitem>
<listitem>
@ -3109,7 +3113,7 @@ dhcp_flags=""</programlisting>
<sect3>
<title><filename>/etc/namedb/named.conf</filename></title>
<programlisting>// $FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.59 2001/07/17 22:20:47 chern Exp $
<programlisting>// $FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.60 2001/07/17 23:33:25 chern Exp $
//
// Refer to the named(8) man page for details. If you are ever going
// to setup a primary server, make sure you've understood the hairy
@ -3327,13 +3331,13 @@ www IN CNAME @
<para>
The most commonly used DNS records:
</para>
<para><emphasis>SOA</emphasis> - start of zone authority</para>
<para><emphasis>NS</emphasis> - an authoritative nameserver</para>
<para><emphasis>A</emphasis> - A host address</para>
<para><emphasis>CNAME</emphasis> - the canonical name for an
<para><varname>SOA</varname> - start of zone authority</para>
<para><varname>NS</varname> - an authoritative nameserver</para>
<para><varname>A</varname> - A host address</para>
<para><varname>CNAME</varname> - the canonical name for an
alias</para>
<para><emphasis>MX</emphasis> - mail exchange</para>
<para><emphasis>PTR</emphasis> - a domain name pointer (used in
<para><varname>MX</varname> - mail exchange</para>
<para><varname>PTR</varname> - a domain name pointer (used in
reverse dns)</para>
<programlisting>
foobardomain.org. IN SOA ns1.foobardomain.org. admin.foobardomain.org. (
@ -3344,21 +3348,23 @@ foobardomain.org. IN SOA ns1.foobardomain.org. admin.foobardomain.org. (
86400 ) ; Minimum TTL of 1 day
</programlisting>
<para>
<emphasis>foobardomain.org.</emphasis> - the domain name, also
<hostid>foobardomain.org.</hostid> - the domain name, also
the origin for this zone file.
</para>
<para><emphasis>ns1.foobardomain.org.</emphasis> - the
<para><hostid>ns1.foobardomain.org.</hostid> - the
primary/authoritative nameserver for this zone
</para>
<para><emphasis>admin.foobardomain.org.</emphasis> - the
<para><email>admin.foobardomain.org.</email> - the
responsible person for this zone, e-mail address with @
replaced. (admin@foobardomain.org becomes admin.foobardomain.org)
replaced. (<email>admin@foobardomain.org</email> becomes
<email>admin.foobardomain.org</email>)
</para>
<para>
<emphasis>5</emphasis> - the serial number of the file. this
must
be incremented each time the zone file is modified. Nowadays,
many admins prefer a yyyymmddrr format for the serial number.
many admins prefer a <literal>yyyymmddrr</literal> format for the serial
number.
2001041002 would mean last modified 04/10/2001, the latter 02 being
the second time the zone file has been modified this day. The
serial number is important as it alerts slave nameservers for a zone
@ -3369,10 +3375,10 @@ foobardomain.org. IN SOA ns1.foobardomain.org. admin.foobardomain.org. (
@ IN NS ns1.foobardomain.org.
</programlisting>
<para>
This is an NS entry. Every nameserver that is going to reply
This is an <varname>NS</varname> entry. Every nameserver that is going to reply
authoritatively for the zone must have one of these entries.
The @ as seen here could have been 'foobardomain.org.' The @
translates to the origin.
The @ as seen here could have been <literal>foobardomain.org.</literal>
The @ translates to the origin.
</para>
<programlisting>
@ -3396,7 +3402,7 @@ www IN CNAME @
The canonical name record is usually used for giving aliases
to a machine. In the example, www is aliased to the machine
addressed to the origin, or foobardomain.org (3.2.1.30).
CNAMEs can be used to provide alias hostnames, or round
<varname>CNAME</varname>s can be used to provide alias hostnames, or round
robin one hostname among multiple machines.
</para>
@ -3405,7 +3411,7 @@ www IN CNAME @
</programlisting>
<para>
The MX record indicates which mail servers are responsible
The <varname>MX</varname> record indicates which mail servers are responsible
for handling incoming mail for the zone.
mail.foobardomain.org is the hostname of the mail server,
and 10 being the priority of that mailserver.
@ -3420,7 +3426,8 @@ www IN CNAME @
<para>
For in-addr.arpa zone files (reverse dns), the same format is
used, except with PTR entries instead of A or CNAME.
used, except with <varname>PTR</varname> entries instead of
<varname>A</varname> or <varname>CNAME</varname>.
</para>
<programlisting>$TTL 3600
@ -3440,7 +3447,7 @@ www IN CNAME @
10 IN PTR mail.foobardomain.org.
30 IN PTR foobardomain.org.</programlisting>
<para>
This file gives the proper IP to hostname mappings of our above
This file gives the proper IP address to hostname mappings of our above
fictitious domain.
</para>
</sect3>
@ -3540,7 +3547,7 @@ www IN CNAME @
<filename>sandbox/var/run</filename></para>
</listitem>
<listitem>
<para>When using the ndc utility you need to specify the
<para>When using the &man.ndc.8; utility you need to specify the
location of the Unix socket created in the sandbox, by
&man.named.8;, by using the -c switch:
<command>&prompt.root; ndc -c /etc/namedb/sandbox/var/run/ndc</command>
@ -3563,7 +3570,7 @@ www IN CNAME @
<para>If setup properly, the nameserver should be accessible through
the network and locally. <filename>/etc/resolv.conf</filename> must
contain a nameserver entry with the local ip so it will query the
contain a nameserver entry with the local IP address so it will query the
local name server first.
</para>
@ -3644,9 +3651,9 @@ www IN CNAME @
&man.natd.8; is a daemon that accepts incoming raw IP packets,
changes the source to the local machine and re-injects these packets
back into the outgoing IP packet stream. natd does this by changing
the source ip and port such that when data is received back, it is
the source IP address and port such that when data is received back, it is
able to determine the original location of the data and forward it
back to its original requestor.</para>
back to its original requester.</para>
<indexterm><primary>Internet connection sharing</primary></indexterm>
<indexterm><primary>IP masquerading</primary></indexterm>
<para>The most common use of NAT is to perform what is commonly known as
@ -3655,14 +3662,14 @@ www IN CNAME @
<sect2 id="setup">
<title>Setup</title>
<para>Due to the diminishing ip space in ipv4, and the increased number
<para>Due to the diminishing IP space in ipv4, and the increased number
of users on high-speed consumer lines such as cable or DSL, people are
in more and more need of an Internet Connection Sharing solution. The
ability to connect several computers online through one connection and
ip makes &man.natd.8; a reasonable choice.</para>
IP address makes &man.natd.8; a reasonable choice.</para>
<para>Most commonly, a user has a machine connected to a cable or DSL
line with one ip and wishes to use this one connected computer to
line with one IP address and wishes to use this one connected computer to
provide Internet access to several more over a LAN.</para>
<para>To do this, the FreeBSD machine on the Internet must act as a
@ -3759,13 +3766,13 @@ natd_flags=""</programlisting>
<command>natd -interface fxp0</command> at boot. This can also
be run manually.</para>
<para>Each machine and interface behind the LAN should be assigned ip
<para>Each machine and interface behind the LAN should be assigned IP address
numbers in the private network space as defined by
<ulink url="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1918.txt">RFC 1918</ulink>
and have a default gateway of the natd machine's internal ip.</para>
and have a default gateway of the natd machine's internal IP address.</para>
<para>For example, client a and b behind the LAN have ips of 192.168.0.2
and 192.168.0.3, while the natd machine's LAN interface has an ip of
<para>For example, client a and b behind the LAN have IP addresses of 192.168.0.2
and 192.168.0.3, while the natd machine's LAN interface has an IP address of
192.168.0.1. Client a and b's default gateway must be set to that of
the natd machine, 192.168.0.1. The natd machine's external, or
Internet interface does not require any special modification for natd
@ -3818,19 +3825,19 @@ natd_flags=""</programlisting>
<sect2 id="address-redirection">
<title>Address Redirection</title>
<indexterm><primary>address redirection</primary></indexterm>
<para>Address redirection is useful if several ips are available, yet
<para>Address redirection is useful if several IP addresses are available, yet
they must be on one machine. With this, &man.natd.8; can assign each
LAN client its own external ip. &man.natd.8; then rewrites outgoing
packets from the LAN clients with the proper external ip and redirects
all traffic incoming on that particular ip back to the specific LAN
client. This is also known as static NAT. For example, the ips
LAN client its own external IP address. &man.natd.8; then rewrites outgoing
packets from the LAN clients with the proper external IP address and redirects
all traffic incoming on that particular IP address back to the specific LAN
client. This is also known as static NAT. For example, the IP addresses
128.1.1.1, 128.1.1.2, and 128.1.1.3 belong to the natd gateway
machine. 128.1.1.1 can be used as the natd gateway machine's external
ip address, while 128.1.1.2 and 128.1.1.3 are forwarded back to LAN
IP address, while 128.1.1.2 and 128.1.1.3 are forwarded back to LAN
clients A and B.</para>
<para>The -redirect_address syntax is as follows:</para>
<para><programlisting> -redirect_address localIP publicIP</programlisting>
<para><option> -redirect_address localIP publicIP</option>
</para>
<informaltable frame="none">
@ -3838,26 +3845,26 @@ natd_flags=""</programlisting>
<tbody>
<row>
<entry>localIP</entry>
<entry>The internal ip of the LAN client.</entry>
<entry>The internal IP address of the LAN client.</entry>
</row>
<row>
<entry>publicIP</entry>
<entry>The external ip corresponding to the LAN client.</entry>
<entry>The external IP address corresponding to the LAN client.</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>In the example, this argument would read:</para>
<programlisting> -redirect_address 192.168.0.2 128.1.1.2
-redirect_address 192.168.0.3 128.1.1.3</programlisting>
<para><option> -redirect_address 192.168.0.2 128.1.1.2
-redirect_address 192.168.0.3 128.1.1.3</option></para>
<para>Like -redirect_port, these arguments are also placed within
natd_flags of <filename>/etc/rc.conf</filename>. With address
redirection, there is no need for port redirection since all data
received on a particular ip address is redirected.</para>
received on a particular IP address is redirected.</para>
<para>The external ips on the natd machine must be active and aliased
<para>The external IP addresses on the natd machine must be active and aliased
to the external interface. Look at &man.rc.conf.5; to do so.</para>
</sect2>