diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
index e1b1ca8abf..e6c968d525 100644
--- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
@@ -200,8 +200,8 @@
inetd_flags is set to
-wW -C 60, which turns on TCP wrapping for
inetd's services, and prevents any
- single IP address from requesting any service more than 60
- times in any given minute.
+ single IP address from requesting any
+ service more than 60 times in any given minute.
Although we mention rate-limiting options below, novice
users may be pleased to note that these parameters usually do
@@ -227,9 +227,10 @@
Specify the default maximum number of times a
- service can be invoked from a single IP address in one
- minute; the default is unlimited. May be overridden on
- a per-service basis with the
+ service can be invoked from a single
+ IP address in one minute; the default
+ is unlimited. May be overridden on a per-service basis
+ with the
parameter.
@@ -250,9 +251,9 @@
Specify the maximum number of times a service can be
- invoked from a single IP address at any one time; the
- default is unlimited. May be overridden on a
- per-service basis with the
+ invoked from a single IP address at
+ any one time; the default is unlimited. May be
+ overridden on a per-service basis with the
parameter.
@@ -403,14 +404,15 @@ server-program-arguments
options which limit the maximum connections from a
single place to a particular daemon can be enabled.
- limits the number of connections from any particular IP
- address per minutes, e.g., a value of ten would limit
- any particular IP address connecting to a particular
- service to ten attempts per minute.
- limits the number of
- children that can be started on behalf on any single IP
- address at any moment. These options are useful to
- prevent intentional or unintentional excessive resource
+ limits the number of connections from any particular
+ IP address per minutes, e.g., a value
+ of ten would limit any particular IP
+ address connecting to a particular service to ten
+ attempts per minute.
+ limits the number of children that can be started on
+ behalf on any single IP address at
+ any moment. These options are useful to prevent
+ intentional or unintentional excessive resource
consumption and Denial of Service (DoS) attacks to a
machine.
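Review bot: The re-wrapped text in this hunk still carries two grammar slips that are worth fixing while the lines are being touched: "per minutes" should read "per minute", and "on behalf on any single IP address" should read "on behalf of any single IP address". The trailing context "attacks to a machine" would also read better as "attacks against a machine".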
@@ -430,8 +432,8 @@ server-program-arguments
would read: nowait/10.
The same setup with a limit of twenty connections
- per IP address per minute and a maximum total limit of
- ten child daemons would read:
+ per IP address per minute and a
+ maximum total limit of ten child daemons would read:
nowait/10/20.These options are utilized by the default
@@ -723,8 +725,8 @@ mountd_flags="-r"
The next example exports
/home to three clients
- by IP address. This can be useful for networks without
- DNS. Optionally,
+ by IP address. This can be useful for
+ networks without DNS. Optionally,
/etc/hosts could be configured for
internal hostnames; please review &man.hosts.5; for more
information. The -alldirs flag allows
@@ -951,11 +953,11 @@ rpc_statd_enable="YES"
/net directories. When
a file is accessed within one of these directories,
amd looks up the corresponding
- remote mount and automatically mounts it.
- /net is used to mount
- an exported file system from an IP address, while
- /host is used to mount
- an export from a remote hostname.
+ remote mount and automatically mounts it. /net is used to mount an
+ exported file system from an IP address,
+ while /host is used to
+ mount an export from a remote hostname.For instance, an attempt to access a file within
/host/foobar/usr would
@@ -2617,7 +2619,8 @@ result: 0 Success
-->
- Dynamic Host Configuration Protocol (DHCP)
+ Dynamic Host Configuration Protocol
+ (DHCP)Dynamic Host Configuration Protocol
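Review bot: The section title is now broken across two lines ("Dynamic Host Configuration Protocol" / "(DHCP)"). A title this short can stay on one line, which keeps it easy to grep for. The same applies to the other titles and index terms this patch splits, such as "Installing and Configuring a DHCP" / "Server" and "reverse" / "DNS".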
@@ -2627,108 +2630,115 @@ result: 0 Success
Internet Systems Consortium (ISC)
- The Dynamic Host Configuration Protocol (DHCP) allows
- a system to connect to a network in order to be assigned
- the necessary addressing information for communication on that
- network. &os; includes the OpenBSD version of dhclient
- which is used by the client to obtain the addressing information.
- &os; does not install a DHCP server, but several
- servers are available in the &os; Ports Collection.
- The DHCP protocol is fully described in
- RFC
- 2131. Informational resources are also available at
- isc.org/downloads/dhcp/.
+ The Dynamic Host Configuration Protocol
+ (DHCP) allows a system to connect to a
+ network in order to be assigned the necessary addressing
+ information for communication on that network. &os; includes
+ the OpenBSD version of dhclient which is used
+ by the client to obtain the addressing information. &os; does
+ not install a DHCP server, but several
+ servers are available in the &os; Ports Collection. The
+ DHCP protocol is fully described in RFC 2131.
+ Informational resources are also available at isc.org/downloads/dhcp/.
- This section describes how to use the built-in DHCP client.
- It then describes how to install and configure a
- DHCP server.
+ This section describes how to use the built-in
+ DHCP client. It then describes how to
+ install and configure a DHCP server.
-
- Configuring a DHCP Client
+
+ Configuring a DHCP Client
- DHCP client support is included in the &os;
- installer, making it easy to configure a system to automatically
- receive its networking addressing information from an existing
- DHCP server.
-
- UDP
- When dhclient is
- executed on the client machine, it begins broadcasting
- requests for configuration information. By default, these
- requests use UDP port 68. The server replies on UDP port 67,
- giving the client an IP address and other relevant network
- information such as a subnet mask, default gateway, and DNS server addresses.
- This information is in the form of a DHCP
- lease and is valid for a configurable time. This allows
- stale IP addresses for clients no longer connected to the
- network to automatically be reused.
+ DHCP client support is included in the
+ &os; installer, making it easy to configure a system to
+ automatically receive its networking addressing information
+ from an existing DHCP server.
- DHCP clients can obtain a great deal of information from
- the server. An exhaustive list may be found in
- &man.dhcp-options.5;.
+ UDP
+ When dhclient is executed on the client
+ machine, it begins broadcasting requests for configuration
+ information. By default, these requests use
+ UDP port 68. The server replies on
+ UDP port 67, giving the client an
+ IP address and other relevant network
+ information such as a subnet mask, default gateway, and
+ DNS server addresses. This information is
+ in the form of a DHCP
+ lease and is valid for a configurable time.
+ This allows stale IP addresses for clients
+ no longer connected to the network to automatically be
+ reused.
- The bpf device is already
- part of the GENERIC kernel that is
- supplied with &os;, thus there is no need to build a
- custom kernel for DHCP. In the case of
- a custom kernel configuration file, this device must be
- present for DHCP to function
- properly.
+ DHCP clients can obtain a great deal of
+ information from the server. An exhaustive list may be found
+ in &man.dhcp-options.5;.
-
- For those who are particularly security conscious,
- take note that bpf is also the
- device that allows packet sniffers to work correctly
- (although they still have to be run as
- root).
- bpfis
- required to use DHCP; however, the security sensitive
- types should probably not add
- bpf to the kernel in the
- expectation that at some point in the future the system
- will be using DHCP.
-
+ The bpf device is already
+ part of the GENERIC kernel that is
+ supplied with &os;, thus there is no need to build a
+ custom kernel for DHCP. In the case of
+ a custom kernel configuration file, this device must be
+ present for DHCP to function
+ properly.
- By default, DHCP configuration on &os; runs in the
- background, or asynchronously.
- Other startup scripts continue to run while DHCP
- completes, speeding up system startup.
+
+ For those who are particularly security conscious,
+ take note that bpf is also the
+ device that allows packet sniffers to work correctly
+ (although they still have to be run as
+ root).
+ bpfis
+ required to use DHCP; however, the
+ security sensitive types should probably not add
+ bpf to the kernel in the
+ expectation that at some point in the future the system
+ will be using DHCP.
+
- Background DHCP works well when the DHCP server
- responds quickly to requests and the DHCP configuration
- process goes quickly. However, DHCP may take a long time
- to complete on some systems. If network services attempt
- to run before DHCP has completed, they will fail. Using
- DHCP in synchronous mode prevents
- the problem, pausing startup until DHCP configuration has
- completed.
+ By default, DHCP configuration on &os;
+ runs in the background, or
+ asynchronously. Other startup scripts
+ continue to run while DHCP completes,
+ speeding up system startup.
- To connect to a DHCP server in the background while
- other startup continues (asynchronous mode), use the
- DHCP value in
- /etc/rc.conf:
+ Background DHCP works well when the
+ DHCP server responds quickly to requests
+ and the DHCP configuration process goes
+ quickly. However, DHCP may take a long
+ time to complete on some systems. If network services attempt
+ to run before DHCP has completed, they will
+ fail. Using DHCP in
+ synchronous mode prevents the problem,
+ pausing startup until DHCP configuration
+ has completed.
- ifconfig_fxp0="DHCP"
+ To connect to a DHCP server in the
+ background while other startup continues (asynchronous mode),
+ use the DHCP value in
+ /etc/rc.conf:
- To pause startup while DHCP completes, use
- synchronous mode with the
- SYNCDHCP value:
+ ifconfig_fxp0="DHCP"
- ifconfig_fxp0="SYNCDHCP"
+ To pause startup while DHCP completes,
+ use synchronous mode with the
+ SYNCDHCP value:
-
- Replace the fxp0 shown
- in these examples with the name of the interface to be
- dynamically configured, as described in
- .
-
+ ifconfig_fxp0="SYNCDHCP"
- When using a different file system location for
- dhclient, or if additional flags must
- be passed to dhclient, include (editing
- as necessary):
+
+ Replace the fxp0 shown
+ in these examples with the name of the interface to be
+ dynamically configured, as described in
+ .
+
- dhclient_program="/sbin/dhclient"
+ When using a different file system location for
+ dhclient, or if additional flags must
+ be passed to dhclient, include (editing
+ as necessary):
+
+ dhclient_program="/sbin/dhclient"
dhclient_flags=""
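Review bot: In the re-wrapped dhclient paragraph, "these requests use UDP port 68. The server replies on UDP port 67" does not say which end of the exchange each port belongs to. DHCP clients send from port 68 to port 67 on the server, and the server answers from port 67 to port 68 on the client. Stating source and destination explicitly would help readers who derive packet filter rules from this paragraph. Separately, this hunk changes the indentation of almost every line in addition to re-wrapping, which makes any real content change hard to spot; a whitespace-only commit kept apart from content edits would be easier to review.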
@@ -2736,7 +2746,8 @@ dhclient_flags=""configuration files
- The DHCP client uses the following files:
+ The DHCP client uses the following
+ files:
@@ -2760,86 +2771,90 @@ dhclient_flags=""
/sbin/dhclient-scriptdhclient-script is the
- &os;-specific DHCP client configuration script. It
- is described in &man.dhclient-script.8;, but should not
- need any user modification to function properly.
+ &os;-specific DHCP client configuration
+ script. It is described in &man.dhclient-script.8;, but
+ should not need any user modification to function
+ properly./var/db/dhclient.leases.interface
- The DHCP client keeps a database of valid leases in
- this file, which is written as a log.
+ The DHCP client keeps a database of
+ valid leases in this file, which is written as a log.
&man.dhclient.leases.5; gives a slightly longer
- description. Refer to
- &man.dhclient.8;, &man.dhcp-options.5;, and
- &man.dhclient.conf.5;, in addition to the
- references below, for more information.
+ description. Refer to &man.dhclient.8;,
+ &man.dhcp-options.5;, and &man.dhclient.conf.5;, in
+ addition to the references below, for more
+ information.
- Installing and Configuring a DHCP Server
+ Installing and Configuring a DHCP
+ Server
- This section provides information on how to configure a
- &os; system to act as a DHCP server using the ISC
- (Internet Systems Consortium) implementation of the DHCP
- server.
+ This section provides information on how to configure a
+ &os; system to act as a DHCP server using
+ the ISC (Internet Systems Consortium) implementation of the
+ DHCP server.DHCPserver
- The DHCP server, dhcpd, is
- included as part of the
+ The DHCP server,
+ dhcpd, is included as part of the
net/isc-dhcp42-server port
- in the ports collection. This port contains the ISC DHCP
- server and documentation.
- The server is not provided as part of &os;, and so the
- net/isc-dhcp42-server
- port must be installed to provide this service. See
- for more information on using the
- Ports Collection.
+ in the ports collection. This port contains the ISC
+ DHCP server and documentation.
-
- DHCP
+ The server is not provided as part of &os;, and so the
+ net/isc-dhcp42-server
+ port must be installed to provide this service. See
+ for more information on using the
+ Ports Collection.
+
+
+ DHCPinstallation
-
+
- In order to configure the &os; system as a DHCP server,
- first ensure that the &man.bpf.4; device is compiled into
- the kernel. To do this, add device bpf
- to the kernel configuration file, and rebuild the kernel.
- For more information about building kernels, see
- .
+ In order to configure the &os; system as a
+ DHCP server, first ensure that the
+ &man.bpf.4; device is compiled into the kernel. To do this,
+ add device bpf to the kernel configuration
+ file, and rebuild the kernel. For more information about
+ building kernels, see .
- The bpf device is already part
- of the GENERIC kernel that is supplied
- with &os;, so there is no need to create a custom kernel in
- order to get DHCP working.
+ The bpf device is already part
+ of the GENERIC kernel that is supplied
+ with &os;, so there is no need to create a custom kernel in
+ order to get DHCP working.
-
- Those who are particularly security conscious should
- note that bpf is also the device
- that allows packet sniffers to function correctly
- (although such programs still need privileged access).
- The bpf device
- is required to use DHCP, but if the
- sensitivity of the system's security is high, this device
- should not be included in the kernel purely because the
- use of DHCP may, at some point in the
- future, be desired.
-
+
+ Those who are particularly security conscious should
+ note that bpf is also the device
+ that allows packet sniffers to function correctly
+ (although such programs still need privileged access).
+ The bpf device
+ is required to use
+ DHCP, but if the sensitivity of the
+ system's security is high, this device should not be
+ included in the kernel purely because the use of
+ DHCP may, at some point in the future, be
+ desired.
+
- An example configuration file is installed by the
- net/isc-dhcp42-server
- port. Copy the example
- /usr/local/etc/dhcpd.conf.example
- to the actual configuration file,
- /usr/local/etc/dhcpd.conf. Edits
- will be made to this new file.
+ An example configuration file is installed by the
+ net/isc-dhcp42-server
+ port. Copy the example
+ /usr/local/etc/dhcpd.conf.example
+ to the actual configuration file,
+ /usr/local/etc/dhcpd.conf. Edits
+ will be made to this new file.Configuring the DHCP Server
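Review bot: The server section first tells the reader to add device bpf to the kernel configuration file and rebuild, and only in the following paragraph says that bpf is already part of GENERIC. Swapping the two paragraphs, or making the first one conditional on a custom kernel, would save readers an unnecessary rebuild. The bpf security note in this hunk also repeats the one in the client section with different wording ("the security sensitive types should probably not add bpf" there), so the two should be aligned or one of them dropped.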
@@ -2880,7 +2895,8 @@ host mailhost {
This option specifies a comma separated list of
- DNS servers that the client should use.
+ DNS servers that the client should
+ use.
@@ -2904,17 +2920,19 @@ host mailhost {
- This option specifies whether the DHCP server
- should attempt to update DNS when a lease is accepted
- or released. In the ISC implementation, this option
- is required.
+ This option specifies whether the
+ DHCP server should attempt to update
+ DNS when a lease is accepted or
+ released. In the ISC implementation, this option is
+ required.
- This denotes which IP addresses should be used in
- the pool reserved for allocating to clients. IP
- addresses between, and including, the ones stated are
- handed out to clients.
+ This denotes which IP addresses
+ should be used in the pool reserved for allocating to
+ clients. IP addresses between, and
+ including, the ones stated are handed out to
+ clients.
@@ -2924,14 +2942,15 @@ host mailhost {
The hardware MAC address of a host (so that the
- DHCP server can recognize a host when it makes a
- request).
+ DHCP server can recognize a host when
+ it makes a request).
Specifies that the host should always be given the
- same IP address. Note that using a hostname is
- correct here, since the DHCP server will resolve the
+ same IP address. Note that using a
+ hostname is correct here, since the
+ DHCP server will resolve the
hostname itself before returning the lease
information.
@@ -2947,8 +2966,8 @@ dhcpd_ifaces="dc0"
Replace the dc0 interface name with
the interface (or interfaces, separated by whitespace)
- that the DHCP server should listen on for DHCP client
- requests.
+ that the DHCP server should listen on for
+ DHCP client requests.
Proceed to start the server by issuing
the following command:
@@ -3000,20 +3019,20 @@ dhcpd_ifaces="dc0"
/var/db/dhcpd.leases
- The DHCP server keeps a database of leases it has
- issued in this file, which is written as a log. The
- port installs &man.dhcpd.leases.5;, which gives a
- slightly longer description.
+ The DHCP server keeps a database
+ of leases it has issued in this file, which is written
+ as a log. The port installs &man.dhcpd.leases.5;, which
+ gives a slightly longer description./usr/local/sbin/dhcrelaydhcrelay is used in
- advanced environments where one DHCP server forwards a
- request from a client to another DHCP server on a
- separate network. If this functionality is required,
- then install the
+ advanced environments where one DHCP
+ server forwards a request from a client to another
+ DHCP server on a separate network.
+ If this functionality is required, then install the
net/isc-dhcp42-relay
port. The port installs &man.dhcrelay.8;, which
provides more detail.
@@ -3094,7 +3113,8 @@ dhcpd_ifaces="dc0"
DNS must be understood.
resolver
- reverse DNS
+ reverse
+ DNSroot zone
@@ -3112,7 +3132,8 @@ dhcpd_ifaces="dc0"
Forward DNS
- Mapping of hostnames to IP addresses.
+ Mapping of hostnames to IP
+ addresses.
@@ -3765,7 +3786,8 @@ www IN CNAME example.org.
records
- The most commonly used DNS records:
+ The most commonly used DNS
+ records:
@@ -3919,9 +3941,9 @@ mail IN A 192.168.1.5
priority number), then the second highest, etc, until the
mail can be properly delivered.
- For in-addr.arpa zone files (reverse DNS), the same
- format is used, except with PTR entries instead of A or
- CNAME.
+ For in-addr.arpa zone files (reverse
+ DNS), the same format is used, except
+ with PTR entries instead of A or CNAME.$TTL 3600
@@ -3941,8 +3963,8 @@ mail IN A 192.168.1.5
4 IN PTR mx.example.org.
5 IN PTR mail.example.org.
- This file gives the proper IP address to hostname
- mappings for the above fictitious domain.
+ This file gives the proper IP address
+ to hostname mappings for the above fictitious domain.It is worth noting that all names on the right side
of a PTR record need to be fully qualified (i.e., end in
@@ -3970,7 +3992,8 @@ mail IN A 192.168.1.5
BIND
- DNS security extensions
+ DNS security
+ extensionsDomain Name System Security Extensions, or
Security
- Although BIND is the most common implementation of DNS,
- there is always the issue of security. Possible and
- exploitable security holes are sometimes found.
+ Although BIND is the most common implementation of
+ DNS, there is always the issue of security.
+ Possible and exploitable security holes are sometimes
+ found.While &os; automatically drops
named into a &man.chroot.8;
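Review bot: "Possible and exploitable security holes are sometimes found" on the re-wrapped lines is vague and reads awkwardly. Since the sentence is being touched anyway, suggest tightening it to something like "Exploitable security holes are sometimes found" and saying what the reader should do about it, so that it leads into the chroot paragraph that follows.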
@@ -4381,7 +4405,8 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK
O'Reilly
- DNS and BIND 5th Edition
+ DNS and BIND 5th
+ Edition
@@ -4420,15 +4445,15 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK
RFC4034
- - Resource Records for the DNS Security
- Extensions
+ - Resource Records for the DNS
+ Security ExtensionsRFC4035
- - Protocol Modifications for the DNS Security
- Extensions
+ - Protocol Modifications for the DNS
+ Security Extensions
@@ -4630,7 +4655,8 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK
types of Virtual Hosting. The first method is Name-based
Virtual Hosting. Name-based virtual hosting uses the clients
HTTP/1.1 headers to figure out the hostname. This allows many
- different domains to share the same IP address.
+ different domains to share the same IP
+ address.
To setup Apache to use
Name-based Virtual Hosting add an entry like the following to
@@ -5524,8 +5550,8 @@ driftfile /var/db/ntp.drift
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrapinstead, where
- 192.168.1.0 is an IP address
- on the network and
+ 192.168.1.0 is an
+ IP address on the network and
255.255.255.0 is the
network's netmask.