From 4becf1ccee2f50106ac6c4e77191a8a81c26c391 Mon Sep 17 00:00:00 2001 From: Giorgos Keramidas Date: Sat, 31 Aug 2002 04:09:33 +0000 Subject: [PATCH] Kill EOL spaces. --- .../handbook/advanced-networking/chapter.sgml | 574 +++++++++--------- 1 file changed, 287 insertions(+), 287 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml index 1fcbdce726..803d0c921b 100644 --- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml @@ -64,7 +64,7 @@ How to connect two computers via PLIP. - + How to setup IPv6 on a FreeBSD machine. @@ -98,7 +98,7 @@ routing gateway subnet - For one machine to be able to find another over a network, there + For one machine to be able to find another over a network, there must be a mechanism in place to describe how to get from one to the other. This is called routing. A route is a defined pair of addresses: a @@ -115,7 +115,7 @@ An Example - + To illustrate different aspects of routing, we will use the following example from netstat: @@ -127,18 +127,18 @@ Destination Gateway Flags Refs Use Netif Expire default outside-gw UGSc 37 418 ppp0 localhost localhost UH 0 181 lo0 test0 0:e0:b5:36:cf:4f UHLW 5 63288 ed0 77 -10.20.30.255 link#1 UHLW 1 2421 -example.com link#1 UC 0 0 +10.20.30.255 link#1 UHLW 1 2421 +example.com link#1 UC 0 0 host1 0:e0:a8:37:8:1e UHLW 3 4601 lo0 host2 0:e0:a8:37:8:1e UHLW 0 5 lo0 => host2.example.com link#1 UC 0 0 224 link#1 UC 0 0 - + default route The first two lines specify the default route (which we will cover in the next section) and the localhost route. - + loopback device The interface (Netif column) that this routing table specifies to use for localhost is 
@@ -146,7 +146,7 @@ host2.example.com link#1 UC 0 0 says to keep all traffic for this destination internal, rather than sending it out over the LAN, since it will only end up back where it started. - + Ethernet MAC address @@ -165,7 +165,7 @@ host2.example.com link#1 UC 0 0 Information Protocol), which figures out routes to local hosts based upon a shortest path determination. - subnet + subnet FreeBSD will also add subnet routes for the local subnet (10.20.30.255 is the broadcast address for the subnet 10.20.30, and link#1 refers to the first Ethernet card in the machine. You will notice no additional interface is specified for those. - + Both of these groups (local network hosts and local subnets) have their routes automatically configured by a daemon called - routed. If this is not run, then only + routed. If this is not run, then only routes which are statically defined (i.e. entered explicitly) will exist. - + The host1 line refers to our host, which it knows by Ethernet address. Since we are the sending host, FreeBSD knows to use the loopback interface (lo0) rather than sending it out over the Ethernet interface. - + The two host2 lines are an example of what happens when we use an &man.ifconfig.8; alias (see the section on Ethernet for reasons why we would do this). The => symbol @@ -194,14 +194,14 @@ host2.example.com link#1 UC 0 0 up on the host that supports the alias; all other hosts on the local network will simply have a link#1 line for such. - + The final line (destination subnet 224) deals with multicasting, which will be covered in another section. - + Finally, various attributes of each route can be seen in the Flags column. Below is a short table of some of these flags and their meanings: - + 
@@ -209,38 +209,38 @@ host2.example.com link#1 UC 0 0 U Up: The route is active. - + H Host: The route destination is a single host. - + G Gateway: Send anything for this destination on to this remote system, which will figure out from there where to send it. - + S Static: This route was configured manually, not automatically generated by the system. - + C Clone: Generates a new route based upon this route for machines we connect to. This type of route is normally used for local networks. - + W WasCloned: Indicated a route that was auto-configured based upon a local area network (Clone) route. - + L Link: Route involves references to Ethernet @@ -250,17 +250,17 @@ host2.example.com link#1 UC 0 0 - + Default Routes - - default route + + default route When the local system needs to make a connection to a remote host, it checks the routing table to determine if a known path exists. If the remote host falls into a subnet that we know how to reach (Cloned routes), then the system checks to see if it can connect along that interface. - + If all known paths fail, the system has one last option: the default route. This route is a special type of gateway route (usually the only one present in the system), and is always 
@@ -268,28 +268,28 @@ host2.example.com link#1 UC 0 0 local area network, this gateway is set to whatever machine has a direct connection to the outside world (whether via PPP link, DSL, cable modem, T1, or another network interface). - + If you are configuring the default route for a machine which itself is functioning as the gateway to the outside world, then the default route will be the gateway machine at your Internet Service Provider's (ISP) site. - + Let us look at an example of default routes. This is a common configuration: - + [Local2] <--ether--> [Local1] <--PPP--> [ISP-Serv] <--ether--> [T1-GW] - + The hosts Local1 and Local2 are at your site. Local1 is connected to an ISP via a dial up PPP connection. This PPP server computer is connected through a local area network to another gateway computer with an external interface to the ISPs Internet feed. - + The default routes for each of your machines will be: - + @@ -299,14 +299,14 @@ host2.example.com link#1 UC 0 0 Interface - + Local2 Local1 Ethernet - + Local1 T1-GW @@ -315,18 +315,18 @@ host2.example.com link#1 UC 0 0 - + A common question is Why (or how) would we set the T1-GW to be the default gateway for Local1, rather than the ISP server it is connected to?. - + Remember, since the PPP interface is using an address on the ISP's local network for your side of the connection, routes for any other machines on the ISP's local network will be automatically generated. Hence, you will already know how to reach the T1-GW machine, so there is no need for the intermediate step of sending traffic to the ISP server. - + As a final note, it is common to use the address X.X.X.1 as the gateway address for your local network. So (using the same example), if your local class-C address 
@@ -355,24 +355,24 @@ host2.example.com link#1 UC 0 0 - + Dual Homed Hosts - dual homed hosts + dual homed hosts There is one other type of configuration that we should cover, and that is a host that sits on two different networks. Technically, any machine functioning as a gateway (in the example above, using a PPP connection) counts as a dual-homed host. But the term is really only used to refer to a machine that sits on two local-area networks. - + In one case, the machine has two Ethernet cards, each having an address on the separate subnets. Alternately, the machine may only have one Ethernet card, and be using &man.ifconfig.8; aliasing. The former is used if two physically separate Ethernet networks are in use, the latter if there is one physical network segment, but two logically separate subnets. - + Either way, routing tables are set up so that each subnet knows that this machine is the defined gateway (inbound route) to the other subnet. This configuration, with the machine acting as a router @@ -416,23 +416,23 @@ host2.example.com link#1 UC 0 0 routers. It comes close enough for ordinary use, however. - + Routing Propagation routing propagation We have already talked about how we define our routes to the outside world, but not about how the outside world finds us. - + We already know that routing tables can be set up so that all traffic for a particular address space (in our examples, a class-C subnet) can be sent to a particular host on that network, which will forward the packets inbound. - + When you get an address space assigned to your site, your service provider will set up their routing tables so that all traffic for your subnet will be sent down your PPP link to your site. But how do sites across the country know to send to your ISP? - + There is a system (much like the distributed DNS information) that keeps track of all assigned address-spaces, and defines their point of connection to the Internet Backbone. The Backbone are 
@@ -441,30 +441,30 @@ host2.example.com link#1 UC 0 0 set of tables, which direct traffic for a particular network to a specific backbone carrier, and from there down the chain of service providers until it reaches your network. - + It is the task of your service provider to advertise to the backbone sites that they are the point of connection (and thus the path inward) for your site. This is known as route propagation. - + Troubleshooting traceroute - + Sometimes, there is a problem with routing propagation, and some sites are unable to connect to you. Perhaps the most useful command for trying to figure out where routing is breaking down is the &man.traceroute.8; command. It is equally useful if you cannot seem to make a connection to a remote machine (i.e. &man.ping.8; fails). - + The &man.traceroute.8; command is run with the name of the remote host you are trying to connect to. It will show the gateway hosts along the path of the attempt, eventually either reaching the target host, or terminating because of a lack of connection. - + For more information, see the manual page for &man.traceroute.8;. @@ -493,7 +493,7 @@ host2.example.com link#1 UC 0 0 fashion is called a bridge. A FreeBSD system with two network interface cards can act as a bridge. - The bridge works by learning the MAC layer addresses + The bridge works by learning the MAC layer addresses (Ethernet addresses) of the devices on each of its network interfaces. It forwards traffic between two networks only when its source and destination are on different networks. @@ -507,7 +507,7 @@ host2.example.com link#1 UC 0 0 There are two common situations in which a bridge is used today. - + High Traffic on a Segment 
@@ -622,7 +622,7 @@ host2.example.com link#1 UC 0 0 net.link.ether.bridge_cfg=if1,if2 - to enable bridging on the specified interfaces (replace if1 and + to enable bridging on the specified interfaces (replace if1 and if2 with the names of your two network interfaces). If you want the bridged packets to be filtered by &man.ipfw.8;, you should add: @@ -655,7 +655,7 @@ host2.example.com link#1 UC 0 0 that there is no support for spanning tree link management. - + @@ -738,7 +738,7 @@ host2.example.com link#1 UC 0 0 - nfsd + nfsd The NFS daemon which services requests from the NFS clients. @@ -1027,19 +1027,19 @@ mountd_flags="-r" Exports list on foobar: /usr 10.10.10.0 /a 10.10.10.0 -&prompt.user; cd /host/foobar/usr +&prompt.user; cd /host/foobar/usr As seen in the example, the showmount shows /usr as an export. When changing directories to /host/foobar/usr, amd - attempts to resolve the hostname foobar and + attempts to resolve the hostname foobar and automatically mount the desired export. amd can be started through the rc.conf system by placing the following lines in /etc/rc.conf: - + amd_enable="YES" Additionally, custom flags can be passed to @@ -1126,9 +1126,9 @@ Exports list on foobar: fastws:/sharedfs /project nfs rw,-r=1024 0 0 As a manual mount command on freebox: - + &prompt.root; mount -t nfs -o -r=1024 fastws:/sharedfs /project - + Examples for the FreeBSD system as the server in /etc/fstab on fastws: @@ -1137,7 +1137,7 @@ Exports list on foobar: As a manual mount command on fastws: &prompt.root; mount -t nfs -o -w=1024 freebox:/sharedfs /project - + Nearly any 16-bit Ethernet adapter will allow operation without the above restrictions on the read or write size. @@ -1184,7 +1184,7 @@ Exports list on foobar: Diskless Operation - + diskless workstation diskless operation 
@@ -1227,7 +1227,7 @@ Exports list on foobar: Standard system startup files exist in /etc to detect and support a diskless system startup. - + Swapping, if needed, can be done either to an NFS file or to a local disk. @@ -1282,7 +1282,7 @@ Exports list on foobar: find the kernel. (PXE uses DHCP). The kernel uses BOOTP to locate the NFS - root. + root. @@ -1348,17 +1348,17 @@ Exports list on foobar: margaux inside the host declarations. - + The next-server directive designates the TFTP server (the default is to use the same host as the DHCP server). - + The filename directive defines the file that etherboot will load as a - kernel. + kernel. PXE appears to prefer a relative file name, and it loads pxeboot, not the kernel (option filename @@ -1366,7 +1366,7 @@ Exports list on foobar: - + The root-path option defines the path to the root filesystem, in usual NFS notation. @@ -1404,7 +1404,7 @@ Exports list on foobar: Preparing a Boot Program with - <application>Etherboot</application> + Etherboot Etherboot's Web site contains @@ -1419,19 +1419,19 @@ Exports list on foobar: etherboot port can normally be found in /usr/ports/net/etherboot. If the ports tree is installed on your system, just typing make in - this directory should take care of everything. Else refer to + this directory should take care of everything. Else refer to for information about ports and - packages. + packages. For our setup, we shall use a boot floppy. For other methods (PROM, or dos program), please refer to the - etherboot documentation. + etherboot documentation. To make a boot floppy, insert a floppy in the drive on the machine where you installed etherboot, then change your current directory to the src directory in the etherboot tree and - type: + type: &prompt.root; gmake bin32/devicetype.fd0 @@ -1446,7 +1446,7 @@ Exports list on foobar: - Configuring the TFTP and NFS Servers + Configuring the TFTP and NFS Servers You need to enable tftpd on the TFTP server: 
@@ -1455,17 +1455,17 @@ Exports list on foobar: Create a directory from which tftpd will serve the files, i.e.: /tftpboot - + Add this line to your - /etc/inetd.conf: - + /etc/inetd.conf: + tftp dgram udp wait nobody /usr/libexec/tftpd tftpd /tftpboot It appears that at least some PXE versions want the TCP version of TFTP. In this case, add a second line, replacing dgram udp with stream - tcp. + tcp. @@ -1482,13 +1482,13 @@ Exports list on foobar: You also need to enable NFS service and export the appropriate filesystem on the NFS server. - + Add this to /etc/rc.conf: nfs_server_enable="YES" - + Export the filesystem where the diskless root directory is located by adding the following to @@ -1526,7 +1526,7 @@ Exports list on foobar: and copy it to the tftp directory, under the name listed in dhcpd.conf. - + @@ -1549,9 +1549,9 @@ Exports list on foobar: to diskless operation, to a subnetwork, or to an individual workstation. They also give examples for the diskless /etc/fstab and - /etc/rc.conf. + /etc/rc.conf. - The README files in + The README files in /usr/share/examples/diskless contain a lot of interesting background information, but, together with the other examples in the diskless directory, @@ -1565,15 +1565,15 @@ Exports list on foobar: As of FreeBSD version 4.4-RELEASE, there is a small incompatibility between the clone_root script and the /etc/rc.diskless1 - script. Please refer to PR - + script. Please refer to PR + conf/31200 for the small adjustment needed in clone_root. - Also see PR + Also see PR conf/29870 about a small adjustment needed in /etc/rc.diskless2. - + @@ -1587,7 +1587,7 @@ Exports list on foobar: using isc-dhcp 3.0rc11. Add the following lines to - dhcpd.conf: + dhcpd.conf: # Global section option swap-path code 128 = string; 
@@ -1629,9 +1629,9 @@ Exports list on foobar: On the NFS swap file server, add the following line to /etc/exports: - /netswapvolume -maproot=0:10 -alldirs margaux + /netswapvolume -maproot=0:10 -alldirs margaux - Then tell mountd to reread the + Then tell mountd to reread the exports file, as above. @@ -1641,11 +1641,11 @@ Exports list on foobar: Miscellaneous Issues - + Running with a read-only <filename>/usr</filename>If the diskless workstation is configured to run X, you - will have to adjust the xdm configuration file, which puts + will have to adjust the xdm configuration file, which puts the error log on /usr by default. @@ -1655,7 +1655,7 @@ Exports list on foobar: you will have to create the root filesystem on a FreeBSD machine, then copy it to its destination, using tar or cpio. - In this situation, there are sometimes + In this situation, there are sometimes problems with the special files in /dev, due to differing major/minor integer sizes. A solution to this problem is to export a directory from the non-FreeBSD server, @@ -1669,22 +1669,22 @@ Exports list on foobar: - + ISDN - + A good resource for information on ISDN technology and hardware is Dan Kegel's ISDN Page. A quick simple road map to ISDN follows: - + If you live in Europe you might want to investigate the ISDN card section. - + If you are planning to use ISDN primarily to connect to the Internet with an Internet Provider on a dial-up non-dedicated basis, @@ -1692,18 +1692,18 @@ Exports list on foobar: most flexibility, with the fewest problems, if you change providers. - + If you are connecting two LANs together, or connecting to the Internet with a dedicated ISDN connection, you might consider the stand alone router/bridge option. - + Cost is a significant factor in determining what solution you will choose. The following options are listed from least expensive to most expensive. - + @@ -1715,7 +1715,7 @@ Exports list on foobar: ISDN Cards - + ISDN cards 
@@ -1774,7 +1774,7 @@ Exports list on foobar: in the body of your message. - + ISDN Terminal Adapters @@ -1783,31 +1783,31 @@ Exports list on foobar: modem Most TA's use the standard hayes modem AT command set, and can be used as a drop in replacement for a modem. - + A TA will operate basically the same as a modem except connection and throughput speeds will be much faster than your old modem. You will need to configure PPP exactly the same as for a modem setup. Make sure you set your serial speed as high as possible. - PPP + PPP The main advantage of using a TA to connect to an Internet Provider is that you can do Dynamic PPP. As IP address space becomes more and more scarce, most providers are not willing to provide you with a static IP anymore. Most stand-alone routers are not able to accommodate dynamic IP allocation. - + TA's completely rely on the PPP daemon that you are running for their features and stability of connection. This allows you to upgrade easily from using a modem to ISDN on a FreeBSD machine, if you already have PPP setup. However, at the same time any problems you experienced with the PPP program and are going to persist. - + If you want maximum stability, use the kernel PPP option, not the user-land iijPPP. - + The following TA's are known to work with FreeBSD. - + Motorola BitSurfer and Bitsurfer Pro 
@@ -1817,87 +1817,87 @@ Exports list on foobar: Adtran - + Most other TA's will probably work as well, TA vendors try to make sure their product can accept most of the standard modem AT command set. - + The real problem with external TA's is that, like modems, you need a good serial card in your computer. - + You should read the FreeBSD Serial Hardware tutorial for a detailed understanding of serial devices, and the differences between asynchronous and synchronous serial ports. - + A TA running off a standard PC serial port (asynchronous) limits you to 115.2Kbs, even though you have a 128Kbs connection. To fully utilize the 128Kbs that ISDN is capable of, you must move the TA to a synchronous serial card. - + Do not be fooled into buying an internal TA and thinking you have avoided the synchronous/asynchronous issue. Internal TA's simply have a standard PC serial port chip built into them. All this will do is save you having to buy another serial cable and find another empty electrical socket. - + A synchronous card with a TA is at least as fast as a stand-alone router, and with a simple 386 FreeBSD box driving it, probably more flexible. - + The choice of sync/TA v.s. stand-alone router is largely a religious issue. There has been some discussion of this in the mailing lists. I suggest you search the archives for the complete discussion. - + Stand-alone ISDN Bridges/Routers ISDN stand-alone bridges/routers - + ISDN bridges or routers are not at all specific to FreeBSD or any other operating system. For a more complete description of routing and bridging technology, please refer to a Networking reference book. - + In the context of this page, the terms router and bridge will be used interchangeably. - + As the cost of low end ISDN routers/bridges comes down, it will likely become a more and more popular choice. An ISDN router is a small box that plugs directly into your local Ethernet network, and manages its own connection to the other bridge/router. 
It has built in software to communicate via PPP and other popular protocols. - + A router will allow you much faster throughput than a standard TA, since it will be using a full synchronous ISDN connection. - + The main problem with ISDN routers and bridges is that interoperability between manufacturers can still be a problem. If you are planning to connect to an Internet provider, you should discuss your needs with them. - + If you are planning to connect two LAN segments together, - such as your home LAN to the office LAN, this is the simplest + such as your home LAN to the office LAN, this is the simplest lowest maintenance solution. Since you are buying the equipment for both sides of the connection you can be assured that the link will work. - + For example to connect a home computer or branch office network to a head office network the following setup could be used. - + Branch Office or Home Network - 10 base 2 + 10 base 2 Network uses a bus based topology with 10 base 2 Ethernet (thinnet). Connect router to network cable with AUI/10BT transceiver, if necessary. @@ -1908,7 +1908,7 @@ Exports list on foobar: - ---Sun workstation + ---Sun workstation | ---FreeBSD box | @@ -1928,7 +1928,7 @@ ISDN BRI line twisted pair crossover cable to connect to the stand-alone router directly. - + Head Office or Other LAN @@ -1944,7 +1944,7 @@ ISDN BRI line -------Novell Server | H | - | ---Sun + | ---Sun | | | U ---FreeBSD | | 
@@ -1960,15 +1960,15 @@ ISDN BRI line - + One large advantage of most routers/bridges is that they allow you to have 2 separate independent PPP connections to 2 separate sites at the same time. This is not supported on most TA's, except for specific (usually expensive) models that - have two serial ports. Do not confuse this with channel bonding, MPP, + have two serial ports. Do not confuse this with channel bonding, MPP, etc. - + This can be a very useful feature if, for example, you have an dedicated ISDN connection at your office and would like to tap into it, but do not want to get another ISDN line at work. A router @@ -1978,7 +1978,7 @@ ISDN BRI line dial-in, dial-out or dynamically bonding (MPP, etc.) with the first B channel for more bandwidth. - IPX/SPX + IPX/SPX An Ethernet bridge will also allow you to transmit more than just IP traffic. You can also send IPX/SPX or whatever other protocols you use. @@ -2010,13 +2010,13 @@ ISDN BRI line What Is It? - NIS - Solaris - HP-UX - AIX - Linux - NetBSD - OpenBSD + NIS + Solaris + HP-UX + AIX + Linux + NetBSD + OpenBSD NIS, which stands for Network Information Services, was developed by Sun Microsystems to centralize administration of Unix (originally SunOS) systems. It has now essentially become an @@ -2044,7 +2044,7 @@ ISDN BRI line internal implementation of the two are not at all similar, the basic functionality can be compared. - + Terms/Processes You Should Know @@ -2124,7 +2124,7 @@ ISDN BRI line How Does It Work? - + There are three types of hosts in an NIS environment: master servers, slave servers, and clients. Servers act as a central repository for host configuration information. Master servers 
@@ -2154,7 +2154,7 @@ ISDN BRI line of the NIS clients. The passwd, group, and other various files used by the NIS clients live on the master server. - + It is possible for one machine to be an NIS master server for more than one NIS domain. However, this will not be covered in this introduction, which assumes a relatively @@ -2186,7 +2186,7 @@ ISDN BRI line - + Using NIS/YP @@ -2199,10 +2199,10 @@ ISDN BRI line than 3.0, but there are no guarantees that this is true. - + Planning - + Let us assume that you are the administrator of a small university lab. This lab, which consists of 15 FreeBSD machines, currently has no centralized point of administration; each machine @@ -2260,14 +2260,14 @@ ISDN BRI line is a good idea to think through how you want to go about it. No matter what the size of your network, there are a few decisions that need to be made. - + Choosing a NIS Domain Name NIS domainname - + This might not be the domainname that you are used to. It is more accurately called the NIS domainname. When a client broadcasts its @@ -2276,7 +2276,7 @@ ISDN BRI line network can tell which server should answer which request. Think of the NIS domainname as the name for a group of hosts that are related in some way. - + Some organizations choose to use their Internet domainname for their NIS domainname. This is not recommended as it can cause confusion when trying to debug network problems. The @@ -2293,10 +2293,10 @@ ISDN BRI line you must use the Internet domain name as your NIS domain name. - + Physical Server Requirements - + There are several things to keep in mind when choosing a machine to use as a NIS server. One of the unfortunate things about NIS is the level of dependency the clients have on the 
@@ -2492,7 +2492,7 @@ Questions will all be asked at the beginning of the procedure. Do you want this procedure to quit on non-fatal errors? [y/n: n] n Ok, please remember to go back and redo manually whatever fails. -If you don't, something might not work. +If you don't, something might not work. There will be no further questions. The remainder of the procedure should take a few minutes, to copy the databases from ellington. Transferring netgroup... @@ -2536,14 +2536,14 @@ ypxfr: Exiting: Map successfully transferred Transferring hosts.byname... ypxfr: Exiting: Map successfully transferred -coltrane has been setup as an YP slave server without any errors. +coltrane has been setup as an YP slave server without any errors. Don't forget to update map ypservers on ellington. - - You should now have a directory called + + You should now have a directory called /var/yp/test-domain. Copies of the NIS master server's maps should be in this directory. You will need to make sure that these stay updated. The following - /etc/crontab entries on your slave + /etc/crontab entries on your slave servers should do the job: 20 * * * * root /usr/libexec/ypxfr passwd.byname @@ -2565,7 +2565,7 @@ Don't forget to update map ypservers on ellington. NIS Clients - + An NIS client establishes what is called a binding to a particular NIS server using the ypbind daemon. @@ -2597,7 +2597,7 @@ Don't forget to update map ypservers on ellington. Setting up a FreeBSD machine to be a NIS client is fairly straightforward. - + Edit the file /etc/rc.conf and @@ -2665,7 +2665,7 @@ nis_client_enable="YES" restrict access to a given set of hosts. At startup, &man.ypserv.8; will attempt to load the securenets information from a file called /var/yp/securenets. - + This path varies depending on the path specified with the option. This file contains entries that 
@@ -2695,8 +2695,8 @@ nis_client_enable="YES" The ypserv program also has support for Wietse Venema's tcpwrapper package. This allows the - administrator to use the tcpwrapper configuration - files for access control instead of + administrator to use the tcpwrapper configuration + files for access control instead of /var/yp/securenets. @@ -2836,23 +2836,23 @@ basie&prompt.root; Description - + alpha, beta Normal employees of the IT department - + charlie, delta The new apprentices of the IT department - + echo, foxtrott, golf, ... Ordinary employees - + able, baker, ... The current interns @@ -2869,11 +2869,11 @@ basie&prompt.root; Description - + + Pratchett. Many thanks for a brilliant book. --> war, death, famine, pollution Your most important servers. Only the IT employees are allowed to log onto these @@ -2885,14 +2885,14 @@ basie&prompt.root; Less important servers. All members of the IT department are allowed to login onto these machines. - + one, two, three, four, ... Ordinary workstations. Only the real employees are allowed to use these machines. - + trashcan A very old machine without any critical data. @@ -2904,7 +2904,7 @@ basie&prompt.root; If you tried to implement these restrictions by separately blocking each user, you would have to add one - -user line to each system's + -user line to each system's passwd for each user who is not allowed to login onto that system. If you forget just one entry, you could be in trouble. It may @@ -2924,7 +2924,7 @@ basie&prompt.root; of user and machine do... If your NIS setup is planned carefully, you will only have to modify exactly one central configuration file to grant or deny access to machines. - + The first step is the initialization of the NIS map netgroup. FreeBSD's &man.ypinit.8; does not create this map by default, but its NIS implementation will support it once it has 
@@ -2946,8 +2946,8 @@ INTERNS (,able,test-domain) (,baker,test-domain) are the names of the netgroups. Each bracketed group adds one or more user accounts to it. The three fields inside a group are: - - + + The name of the host(s) where the following items are valid. If you do not specify a hostname, the entry is @@ -2970,7 +2970,7 @@ INTERNS (,able,test-domain) (,baker,test-domain) Each of these fields can contain wildcards. See &man.netgroup.5; for details. - + netgroups Netgroup names longer than 8 characters should not be @@ -3022,9 +3022,9 @@ ellington&prompt.user; ypcat -k netgroup.byuser The client setup is quite simple. To configure the server war, you only have to start &man.vipw.8; and replace the line - + +::::::::: - + with +@IT_EMP::::::::: @@ -3036,15 +3036,15 @@ ellington&prompt.user; ypcat -k netgroup.byuser Unfortunately, this limitation also applies to the ~ function of the shell and all routines converting between user - names and numerical user ids. In other words, + names and numerical user ids. In other words, cd ~user will not work, ls -l will show the numerical id instead of the username and find . -user joe -print will fail with No such user. To fix this, you will have to import all user entries without allowing them to login onto your servers. - - This can be achieved by adding another line to + + This can be achieved by adding another line to /etc/master.passwd. This line should contain: @@ -3058,7 +3058,7 @@ ellington&prompt.user; ypcat -k netgroup.byuser Make sure that the line - +:::::::::/sbin/nologin is placed after + +:::::::::/sbin/nologin is placed after +@IT_EMP:::::::::. Otherwise, all user accounts imported from NIS will have /sbin/nologin as their login shell. 
@@ -3353,7 +3353,7 @@ lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 libscrypt.so@ -> libscrypt.so.2 What this Section Covers This section attempts to describe only the parts - of the DHCP system that are integrated with FreeBSD; + of the DHCP system that are integrated with FreeBSD; consequently, the server portions are not described. The DHCP manual pages, in addition to the references below, are useful resources. @@ -3362,7 +3362,7 @@ lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 libscrypt.so@ -> libscrypt.so.2 How It Works UDP - When dhclient, the DHCP client, is executed on + When dhclient, the DHCP client, is executed on the client machine, it begins broadcasting requests for configuration information. By default, these requests are on UDP port 68. The @@ -3374,7 +3374,7 @@ lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 libscrypt.so@ -> libscrypt.so.2 clients no longer connected to the network can be automatically reclaimed. - DHCP clients can obtain a great deal of information from + DHCP clients can obtain a great deal of information from the server. An exhaustive list may be found in &man.dhcp-options.5;. 
@@ -3383,19 +3383,19 @@ lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 libscrypt.so@ -> libscrypt.so.2 FreeBSD Integration FreeBSD fully integrates the ISC DHCP client, - dhclient. DHCP client support is provided + dhclient. DHCP client support is provided within both the installer and the base system, obviating the need - for detailed knowledge of network configurations on any network + for detailed knowledge of network configurations on any network that runs a DHCP server. dhclient has been included in all FreeBSD distributions since 3.2. sysinstall DHCP is supported by sysinstall. - When configuring a network interface within sysinstall, + When configuring a network interface within sysinstall, the first question asked is, Do you want to try DHCP configuration of this interface? Answering affirmatively will - execute dhclient, and if successful, will fill + execute dhclient, and if successful, will fill in the network configuration information automatically. There are two things you must do to have your system use @@ -3438,7 +3438,7 @@ lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 libscrypt.so@ -> libscrypt.so.2 Be sure to replace fxp0 with the - designation for the interface that you wish to dynamically + designation for the interface that you wish to dynamically configure. @@ -3468,7 +3468,7 @@ dhcp_flags="" DHCP configuration files - + /etc/dhclient.conf dhclient requires a configuration file, @@ -3523,22 +3523,22 @@ dhcp_flags="" Installing And Configuring A DHCP Server - + What this Section Covers - + This section provides information on how to configure a FreeBSD system to act as a DHCP server using the ISC (Internet Software Consortium) implementation of the DHCP suite. - + The server portion of the suite is not provided as part of FreeBSD, and so you will need to install the net/isc-dhcp3 port to provide this service. See for more information on using the ports collection. - + DHCP Server Installation 
@@ -3552,12 +3552,12 @@ dhcp_flags="" configuration file, and rebuild the kernel. For more information about building kernels, see . - + The bpf device is already part of the GENERIC kernel that is supplied with FreeBSD, so you do not need to create a custom kernel in order to get DHCP working. - + Those who are particularly security conscious should note that bpf @@ -3570,7 +3570,7 @@ dhcp_flags="" kernel purely because you expect to use DHCP at some point in the future. - + The next thing that you will need to do is edit the sample dhcpd.conf which was installed by the net/isc-dhcp3 port. @@ -3590,7 +3590,7 @@ dhcp_flags="" dhcpd.conf is comprised of declarations regarding subnets and hosts, and is perhaps most easily explained using an example : - + option domain-name "example.com"; option domain-name-servers 192.168.4.100; option subnet-mask 255.255.255.0; @@ -3608,7 +3608,7 @@ host mailhost { hardware ethernet 02:03:04:05:06:07; fixed-address mailhost.example.com; } - + This option specifies the domain that will be provided @@ -3616,7 +3616,7 @@ host mailhost { &man.resolv.conf.5; for more information on what this means. - + This option specifies a comma separated list of DNS servers that the client should use. 
@@ -3625,43 +3625,43 @@ host mailhost { The netmask that will be provided to clients. - + A client may request a specific length of time that a lease will be valid. Otherwise the server will assign a lease with this expiry value (in seconds). - + This is the maximum length of time that the server will lease for. Should a client request a longer lease, a lease will be issued, although it will only be valid for max-lease-time seconds. - + This option specifies whether the DHCP server should attempt to update DNS when a lease is accepted or released. In the ISC implementation, this option is required. - + This denotes which IP addresses should be used in the pool reserved for allocating to clients. IP addresses between, and including, the ones stated are handed out to clients. - + Declares the default gateway that will be provided to clients. - + The hardware MAC address of a host (so that the DHCP server can recognise a host when it makes a request). - + Specifies that the host should always be given the same IP address. Note that a hostname is OK here, since the DHCP @@ -3669,15 +3669,15 @@ host mailhost { lease information. - + Once you have finished writing your dhcpd.conf, you can proceed to start the server by issuing the following command: - + &prompt.root; /usr/local/etc/rc.d/isc-dhcpd.sh start - + Should you need to make changes to the configuration of your - server in the future, it is important to note that sending a + server in the future, it is important to note that sending a SIGHUP signal to dhcpd does not result in the configuration being reloaded, as it does with most 
@@ -3685,22 +3685,22 @@ host mailhost { signal to stop the process, and then restart it using the command above. - + Files DHCP configuration files - + /usr/local/sbin/dhcpd dhcpd is statically linked and - resides in /usr/local/sbin. The + resides in /usr/local/sbin. The dhcpd(8) manual page installed with the port gives more information about dhcpd. - + /usr/local/etc/dhcpd.conf dhcpd requires a configuration file, /usr/local/etc/dhcpd.conf before it @@ -3711,14 +3711,14 @@ host mailhost { by the dhcpd.conf(5) manual page installed by the port. - + /var/db/dhcpd.leases The DHCP server keeps a database of leases it has issued in this file, which is written as a log. The manual page dhcpd.leases(5), installed by the port gives a slightly longer description. - + /usr/local/sbin/dhcrelay dhcrelay is used in advanced environments where one DHCP server forwards a request from a @@ -3728,7 +3728,7 @@ host mailhost { - + 
@@ -3749,28 +3749,28 @@ host mailhost { Overview BIND - FreeBSD utilizes, by default, a version of BIND (Berkeley - Internet Name Domain), which is the most common implementation of the - DNS protocol. DNS is the protocol through which names are mapped to - IP addresses, and vice versa. For example, a query for + FreeBSD utilizes, by default, a version of BIND (Berkeley + Internet Name Domain), which is the most common implementation of the + DNS protocol. DNS is the protocol through which names are mapped to + IP addresses, and vice versa. For example, a query for www.FreeBSD.org - will receive a reply with the IP address of The FreeBSD Project's - web server, whereas, a query for ftp.FreeBSD.org + will receive a reply with the IP address of The FreeBSD Project's + web server, whereas, a query for ftp.FreeBSD.org will return the IP - address of the corresponding FTP machine. Likewise, the opposite can + address of the corresponding FTP machine. Likewise, the opposite can happen. A query for an IP address can resolve its hostname. It is not necessary to run a name server to perform DNS lookups on a system. DNS - DNS is coordinated across the Internet through a somewhat - complex system of authoritative root name servers, and other - smaller-scale name servers who host and cache individual domain + DNS is coordinated across the Internet through a somewhat + complex system of authoritative root name servers, and other + smaller-scale name servers who host and cache individual domain information. - This document refers to BIND 8.x, as it is the stable version + This document refers to BIND 8.x, as it is the stable version used in FreeBSD. BIND 9.x in FreeBSD can be installed through the net/bind9 port. @@ -3780,7 +3780,7 @@ host mailhost { - Currently, BIND is maintained by the Internet Software Consortium (www.isc.org) 
@@ -3815,7 +3815,7 @@ host mailhost { named, bind, name server - common names for the BIND name server package within + common names for the BIND name server package within FreeBSD @@ -3845,7 +3845,7 @@ host mailhost { zone - Each individual domain, subdomain, or area dictated by + Each individual domain, subdomain, or area dictated by DNS @@ -3870,7 +3870,7 @@ host mailhost { example.org is a zone under the org. zone - foo.example.org. is a subdomain, a zone under the + foo.example.org. is a subdomain, a zone under the example.org. zone @@ -3882,7 +3882,7 @@ host mailhost { - As one can see, the more specific part of a hostname appears to + As one can see, the more specific part of a hostname appears to its left. For example, example.org. is more specific than org., as org. is more specific than the root zone. The layout of each part of @@ -3902,7 +3902,7 @@ host mailhost { - one wants to serve DNS information to the + one wants to serve DNS information to the world, replying authoritatively to queries. @@ -3911,7 +3911,7 @@ host mailhost { under it. - an IP address block requires reverse DNS entries (IP to + an IP address block requires reverse DNS entries (IP to hostname). @@ -3945,7 +3945,7 @@ host mailhost { How It Works - In FreeBSD, the BIND daemon is called + In FreeBSD, the BIND daemon is called named for obvious reasons. @@ -3982,7 +3982,7 @@ host mailhost { - Zone files are usually contained within the + Zone files are usually contained within the /etc/namedb directory, and contain the DNS zone information served by the name server. @@ -3996,7 +3996,7 @@ host mailhost { starting - Since BIND is installed by default, configuring it all is + Since BIND is installed by default, configuring it all is relatively simple. @@ -4019,7 +4019,7 @@ host mailhost { Be sure to: &prompt.root; cd /etc/namedb -&prompt.root; sh make-localhost +&prompt.root; sh make-localhost to properly create the local reverse DNS zone file in /etc/namedb/localhost.rev. 
@@ -4181,7 +4181,7 @@ zone "0.168.192.in-addr.arpa" { }; The zone is a master, as indicated by the - statement, holding its zone information in + statement, holding its zone information in /etc/namedb/example.org indicated by the statement. @@ -4192,13 +4192,13 @@ zone "0.168.192.in-addr.arpa" { In the slave case, the zone information is transferred from the master name server for the particular zone, and saved in the - file specified. If and when the master server dies or is - unreachable, the slave name server will have the transferred + file specified. If and when the master server dies or is + unreachable, the slave name server will have the transferred zone information and will be able to serve it. - Zone Files + Zone Files An example master zone file for example.org (existing within /etc/namedb/example.org) @@ -4315,7 +4315,7 @@ example.org. IN SOA ns1.example.org. admin.example.org. ( ns1.example.org. - the primary/authoritative name server for this + the primary/authoritative name server for this zone @@ -4324,7 +4324,7 @@ example.org. IN SOA ns1.example.org. admin.example.org. ( the responsible person for this zone, email address with @ - replaced. (admin@example.org becomes + replaced. (admin@example.org becomes admin.example.org) @@ -4350,7 +4350,7 @@ example.org. IN SOA ns1.example.org. admin.example.org. ( This is an NS entry. Every name server that is going to reply - authoritatively for the zone must have one of these entries. + authoritatively for the zone must have one of these entries. The @ as seen here could have been example.org. The @ translates to the origin. @@ -4364,7 +4364,7 @@ mail IN A 3.2.1.10 @ IN A 3.2.1.30 - The A record indicates machine names. As seen above, + The A record indicates machine names. As seen above, ns1.example.org would resolve to 3.2.1.2. Again, the origin symbol, @, is used here, thus meaning example.org 
@@ -4402,8 +4402,8 @@ www IN CNAME @ - For in-addr.arpa zone files (reverse DNS), the same format is - used, except with PTR entries instead of + For in-addr.arpa zone files (reverse DNS), the same format is + used, except with PTR entries instead of A or CNAME. @@ -4437,9 +4437,9 @@ www IN CNAME @ caching name server - A caching name server is a name server that is not - authoritative for any zones. It simply asks queries of its own, - and remembers them for later use. To set one up, just configure + A caching name server is a name server that is not + authoritative for any zones. It simply asks queries of its own, + and remembers them for later use. To set one up, just configure the name server as usual, omitting any inclusions of zones. @@ -4470,7 +4470,7 @@ www IN CNAME @ inaccessible to the named daemon. Should named be compromised, this will help to reduce the damage that can be caused. By default, FreeBSD has a user - and a group called bind, intended for this + and a group called bind, intended for this use. Various people would recommend that instead of configuring @@ -4602,7 +4602,7 @@ $TTL 6h named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf" - Note that the configuration file + Note that the configuration file /etc/named.conf is denoted by a full pathname relative to the sandbox, i.e. in the line above, the file referred to is actually @@ -4715,14 +4715,14 @@ zone "10.168.192.in-addr.arpa" in { - It is a good idea to subscribe to CERT and freebsd-security-notifications - to stay up to date with the current Internet and FreeBSD security + to stay up to date with the current Internet and FreeBSD security issues. - If a problem arises, keeping sources up to date and having a + If a problem arises, keeping sources up to date and having a fresh build of named would not hurt. 
@@ -4786,7 +4786,7 @@ zone "10.168.192.in-addr.arpa" in { passes, the computer's clock becomes less accurate. NTP (Network Time Protocol) is one way to ensure your clock is right. - + Many Internet services rely on, or greatly benefit from, computers' clocks being accurate. For example, a Web server may receive requests to send a file if it has modified since a @@ -4892,7 +4892,7 @@ driftfile /var/db/ntp.drift prefer argument is normally used for NTP servers that are known to be highly accurate, such as those with special time monitoring hardware. - + The driftfile option specifies which file is used to store the system clock's frequency offset. &man.ntpd.8; uses this to automatically compensate for the @@ -5013,9 +5013,9 @@ driftfile /var/db/ntp.drift FreeBSD's Network Address Translation daemon, commonly known as &man.natd.8; is a daemon that accepts incoming raw IP packets, changes the source to the local machine and re-injects these packets - back into the outgoing IP packet stream. natd does this by changing - the source IP address and port such that when data is received back, it is - able to determine the original location of the data and forward it + back into the outgoing IP packet stream. natd does this by changing + the source IP address and port such that when data is received back, it is + able to determine the original location of the data and forward it back to its original requester. Internet connection sharing IP masquerading @@ -5035,7 +5035,7 @@ driftfile /var/db/ntp.drift line with one IP address and wishes to use this one connected computer to provide Internet access to several more over a LAN. - To do this, the FreeBSD machine on the Internet must act as a + To do this, the FreeBSD machine on the Internet must act as a gateway. This gateway machine must have two NICs--one for connecting to the Internet router, the other connecting to a LAN. All the machines on the LAN are connected through a hub or switch. 
@@ -5103,7 +5103,7 @@ natd_flags="" would have the same effect. firewall_enable="YES" - Enables the firewall rules in + Enables the firewall rules in /etc/rc.firewall at boot. firewall_type="OPEN" @@ -5119,19 +5119,19 @@ natd_flags="" natd_flags="" - Any additional configuration options passed to + Any additional configuration options passed to &man.natd.8; on boot. - Having the previous options defined in - /etc/rc.conf would run - natd -interface fxp0 at boot. This can also + Having the previous options defined in + /etc/rc.conf would run + natd -interface fxp0 at boot. This can also be run manually. - Each machine and interface behind the LAN should be assigned IP address + Each machine and interface behind the LAN should be assigned IP address numbers in the private network space as defined by RFC 1918 and have a default gateway of the natd machine's internal IP address. @@ -5139,7 +5139,7 @@ natd_flags="" For example, client a and b behind the LAN have IP addresses of 192.168.0.2 and 192.168.0.3, while the natd machine's LAN interface has an IP address of 192.168.0.1. Client a and b's default gateway must be set to that of - the natd machine, 192.168.0.1. The natd machine's external, or + the natd machine, 192.168.0.1. The natd machine's external, or Internet interface does not require any special modification for natd to work. @@ -5149,7 +5149,7 @@ natd_flags="" The drawback with natd is that the LAN clients are not accessible from the Internet. Clients on the LAN can make outgoing connections to - the world but cannot receive incoming ones. This presents a problem + the world but cannot receive incoming ones. This presents a problem if trying to run Internet services on one of the LAN client machines. A simple way around this is to redirect selected Internet ports on the natd machine to a LAN client. 
@@ -5160,7 +5160,7 @@ natd_flags="" 6667 (irc) and 80 (web) must be redirected to the respective machines. - The -redirect_port must be passed to + The -redirect_port must be passed to &man.natd.8; with the proper options. The syntax is as follows: -redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT] @@ -5169,7 +5169,7 @@ natd_flags="" In the above example, the argument should be: -redirect_port tcp 192.168.0.2:6667 6667 -redirect_port tcp 192.168.0.3:80 80 - This will redirect the proper tcp ports to the + This will redirect the proper tcp ports to the LAN client machines. @@ -5179,9 +5179,9 @@ natd_flags="" all connections received on ports 2000 to 3000 to ports 2000 to 3000 on Client A. - These options can be used when directly running + These options can be used when directly running &man.natd.8; or placed within the - natd_flags="" option in + natd_flags="" option in /etc/rc.conf. For further configuration options, consult &man.natd.8; @@ -5194,11 +5194,11 @@ natd_flags="" they must be on one machine. With this, &man.natd.8; can assign each LAN client its own external IP address. &man.natd.8; then rewrites outgoing packets from the LAN clients with the proper external IP address and redirects - all traffic incoming on that particular IP address back to the specific LAN - client. This is also known as static NAT. For example, the IP addresses - 128.1.1.1, 128.1.1.2, and 128.1.1.3 belong to the natd gateway + all traffic incoming on that particular IP address back to the specific LAN + client. This is also known as static NAT. For example, the IP addresses + 128.1.1.1, 128.1.1.2, and 128.1.1.3 belong to the natd gateway machine. 128.1.1.1 can be used as the natd gateway machine's external - IP address, while 128.1.1.2 and 128.1.1.3 are forwarded back to LAN + IP address, while 128.1.1.2 and 128.1.1.3 are forwarded back to LAN clients A and B. The -redirect_address syntax is as follows: 
@@ -5224,12 +5224,12 @@ natd_flags="" - Like -redirect_port, these arguments are also placed within - natd_flags of /etc/rc.conf. With address - redirection, there is no need for port redirection since all data + Like -redirect_port, these arguments are also placed within + natd_flags of /etc/rc.conf. With address + redirection, there is no need for port redirection since all data received on a particular IP address is redirected. - The external IP addresses on the natd machine must be active and aliased + The external IP addresses on the natd machine must be active and aliased to the external interface. Look at &man.rc.conf.5; to do so. @@ -5250,7 +5250,7 @@ natd_flags="" Overview - + &man.inetd.8; is referred to as the Internet Super-Server because it manages connections for several daemons. Programs that provide network service are commonly @@ -5364,7 +5364,7 @@ natd_flags="" -R rate - + Specify the maximum number of times a service can be invoked in one minute; the default is 256. A rate of 0 @@ -5409,7 +5409,7 @@ natd_flags="" inetd_flags option in /etc/rc.conf. By default, inetd_flags is set to -wW, - which turns on TCP wrapping for + which turns on TCP wrapping for inetd's internal and external services. For novice users, these parameters usually do not need to be modified or even entered in @@ -5642,7 +5642,7 @@ server-program-arguments of inetd's daemons may be enabled by default. If there is no apparent need for a particular daemon, disable it! Place a # in front of the daemon in - question, and send a hangup signal + question, and send a hangup signal to inetd. Some daemons, such as fingerd, may not be desired at all because they provide an attacker with too
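Review bot: in the hunk at @@ -3590 (the dhcpd.conf introduction), the unchanged context line `is perhaps most easily explained using an example :` carries a stray space before the colon. Leaving it untouched here is the right call, since this commit is strictly a trailing-whitespace cleanup and folding a wording fix into it would make the 287-line diff harder to verify as whitespace-only, but it is a cheap follow-up for a separate commit.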
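Review bot: the hunk at @@ -4019 is the one place in this patch where the stripped trailing space sits on a content line inside a verbatim listing rather than on a blank line or in flowing prose: `-&prompt.root; sh make-localhost` / `+&prompt.root; sh make-localhost`, where the `&prompt.root;` prefix marks a command line in a screen listing whose whitespace is preserved on output. So this is the only hunk whose rendered result visibly changes (the trailing space after the command disappears), which is desirable since the space would otherwise be carried along when the command is copied, but it is worth confirming that nothing other than the trailing whitespace differs between the two lines, as everywhere else in the diff.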