Introducing new "security" chapter of the FAQ, with a few questions

moved from elsewhere.

-security seems to have a high number of Qs that are FA'd.  I'll be
documenting them here (although other people are certainly welcome to
pitch in!).

More existing questions could arguably be moved here, and probably
will be in the near future.  Security information is scattered badly
through the FAQ.  I'm being gentle to avoid tripping on other people's
toes.

en_US.ISO8859-1/books/faq/book.sgml

@@ -7017,41 +7017,6 @@ define(`confDELIVERY_MODE',`deferred')dnl</programlisting>
         </answer>
       </qandaentry>
 
-      <qandaentry>
-        <question id="toor-account">
-          <para>What is this UID 0 <username>toor</username> account? Have I
-            been compromised?</para>
-        </question>
-
-        <answer>
-          <para>Do not worry. <username>toor</username> is an
-            <quote>alternative</quote> superuser account (toor is root
-            spelt backwards). Previously it was created when the
-            &man.bash.1; shell was installed but now it is created by
-            default. It is intended to be used with a non-standard shell so
-            you do not have to change <username>root</username>'s default
-            shell. This is important as shells which are not part of the
-            base distribution (for example a shell installed from ports or
-            packages) are likely be to be installed in
-            <filename>/usr/local/bin</filename> which, by default, resides
-            on a different filesystem. If <username>root</username>'s shell
-            is located in <filename>/usr/local/bin</filename> and
-            <filename>/usr</filename> (or whatever filesystem contains
-            <filename>/usr/local/bin</filename>) is not mounted for some
-            reason, <username>root</username> will not be able to log in to
-            fix a problem (although if you reboot into single user mode
-            you will be prompted for the path to a shell).</para>
-
-          <para>Some people use <username>toor</username> for
-            day-to-day root tasks with a non-standard shell, leaving
-            <username>root</username>, with a standard shell, for
-            single user mode or emergencies. By default you cannot log
-            in using <username>toor</username> as it does not have a
-            password, so log in as <username>root</username> and set a password for
-            <username>toor</username> if you want to use it.</para>
-        </answer>
-      </qandaentry>
-
       <qandaentry>
         <question id="forgot-root-pw">
           <para>I have forgotten the root password!  What do I do?</para>
@@ -9498,47 +9463,6 @@ round-trip min/avg/max/stddev = 2.530/2.643/2.774/0.103 ms</screen>
         </answer>
       </qandaentry>
 
-      <qandaentry>
-        <question id="extra-named-port">
-	  <para>BIND (<command>named</command>) is listening on port 53 and
-	    some other high-numbered port.  What is going on?</para>
-	</question>
-
-	<answer>
-	  <para>FreeBSD 3.0 and later use a version of BIND
-	    that uses a random high-numbered port for outgoing queries.  If
-	    you want to use port 53 for outgoing queries, either to get
-	    past a firewall or to make yourself feel better, you can try
-	    the following in
-	    <filename>/etc/namedb/named.conf</filename>:</para>
-
-	  <programlisting>options {
-        query-source address * port 53;
-};</programlisting>
-
-	  <para>You can replace the <literal>*</literal> with a single IP
-	    address if you want to tighten things further.</para>
-
-	  <para>Congratulations, by the way.  It is good practice to read
-	    your &man.sockstat.1; output and notice odd
-	    things!</para>
-	</answer>
-      </qandaentry>
-
-      <qandaentry>
-        <question id="sendmail-port-587">
-          <para>Sendmail is listening on port 587 as well as the
-            standard port 25! What is going on?</para>
-        </question>
-
-        <answer>
-          <para>Recent versions of Sendmail support a
-            mail submission feature that runs over port 587.  This is
-            not yet widely supported, but is growing in
-            popularity.</para>
-        </answer>
-      </qandaentry>
-
       <qandaentry>
         <question id="bpf-not-configured">
           <para>Why do I get <literal>/dev/bpf0: device not
@@ -9659,6 +9583,87 @@ round-trip min/avg/max/stddev = 2.530/2.643/2.774/0.103 ms</screen>
     </qandaset>
   </chapter>
 
+  <chapter>
+    <title>Security</title>
+    <qandaset>
+      <qandaentry>
+        <question id="extra-named-port">
+	  <para>BIND (<command>named</command>) is listening on port 53 and
+	    some other high-numbered port.  What is going on?</para>
+	</question>
+
+	<answer>
+	  <para>FreeBSD 3.0 and later use a version of BIND
+	    that uses a random high-numbered port for outgoing queries.  If
+	    you want to use port 53 for outgoing queries, either to get
+	    past a firewall or to make yourself feel better, you can try
+	    the following in
+	    <filename>/etc/namedb/named.conf</filename>:</para>
+
+	  <programlisting>options {
+        query-source address * port 53;
+};</programlisting>
+
+	  <para>You can replace the <literal>*</literal> with a single IP
+	    address if you want to tighten things further.</para>
+
+	  <para>Congratulations, by the way.  It is good practice to read
+	    your &man.sockstat.1; output and notice odd
+	    things!</para>
+	</answer>
+      </qandaentry>
+
+      <qandaentry>
+        <question id="sendmail-port-587">
+          <para>Sendmail is listening on port 587 as well as the
+            standard port 25! What is going on?</para>
+        </question>
+
+        <answer>
+          <para>Recent versions of Sendmail support a
+            mail submission feature that runs over port 587.  This is
+            not yet widely supported, but is growing in
+            popularity.</para>
+        </answer>
+      </qandaentry>
+
+      <qandaentry>
+        <question id="toor-account">
+          <para>What is this UID 0 <username>toor</username> account? Have I
+            been compromised?</para>
+        </question>
+
+        <answer>
+          <para>Do not worry. <username>toor</username> is an
+            <quote>alternative</quote> superuser account (toor is root
+            spelt backwards). Previously it was created when the
+            &man.bash.1; shell was installed but now it is created by
+            default. It is intended to be used with a non-standard shell so
+            you do not have to change <username>root</username>'s default
+            shell. This is important as shells which are not part of the
+            base distribution (for example a shell installed from ports or
+            packages) are likely be to be installed in
+            <filename>/usr/local/bin</filename> which, by default, resides
+            on a different filesystem. If <username>root</username>'s shell
+            is located in <filename>/usr/local/bin</filename> and
+            <filename>/usr</filename> (or whatever filesystem contains
+            <filename>/usr/local/bin</filename>) is not mounted for some
+            reason, <username>root</username> will not be able to log in to
+            fix a problem (although if you reboot into single user mode
+            you will be prompted for the path to a shell).</para>
+
+          <para>Some people use <username>toor</username> for
+            day-to-day root tasks with a non-standard shell, leaving
+            <username>root</username>, with a standard shell, for
+            single user mode or emergencies. By default you cannot log
+            in using <username>toor</username> as it does not have a
+            password, so log in as <username>root</username> and set a password for
+            <username>toor</username> if you want to use it.</para>
+        </answer>
+      </qandaentry>
+    </qandaset>
+  </chapter>
+
   <chapter id="ppp">
     <title>PPP</title>