Initial shuffle of the DHCP section. This patch does the following:
- fixes acronym tags for DHCP, IP, and UDP
- removes superfluous headings
- shuffles existing content to organize it into a client section and a server section
- replaces deprecated dhcp.org address
Subsequent patches will clean up the white space and then move on to review and clarify the content in this section.
This commit is contained in:
parent
28378719d4
commit
7f49336cd6
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=42976
1 changed files with 126 additions and 182 deletions
|
@ -200,7 +200,7 @@
|
||||||
<literal>inetd_flags</literal> is set to
|
<literal>inetd_flags</literal> is set to
|
||||||
<literal>-wW -C 60</literal>, which turns on TCP wrapping for
|
<literal>-wW -C 60</literal>, which turns on TCP wrapping for
|
||||||
<application>inetd</application>'s services, and prevents any
|
<application>inetd</application>'s services, and prevents any
|
||||||
single IP address from requesting any service more than 60
|
single <acronym>IP</acronym> address from requesting any service more than 60
|
||||||
times in any given minute.</para>
|
times in any given minute.</para>
|
||||||
|
|
||||||
<para>Although we mention rate-limiting options below, novice
|
<para>Although we mention rate-limiting options below, novice
|
||||||
|
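Review bot: TCP in "turns on TCP wrapping" two lines above the changed line in this hunk is left untagged while IP on the same paragraph gets <acronym>IP</acronym>; since the commit message scopes the acronym pass to DHCP, IP and UDP, either tag it as <acronym>TCP</acronym> here while the paragraph is open, or list TCP for the follow-up pass so it is not forgotten.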
@ -227,7 +227,7 @@
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Specify the default maximum number of times a
|
<para>Specify the default maximum number of times a
|
||||||
service can be invoked from a single IP address in one
|
service can be invoked from a single <acronym>IP</acronym> address in one
|
||||||
minute; the default is unlimited. May be overridden on
|
minute; the default is unlimited. May be overridden on
|
||||||
a per-service basis with the
|
a per-service basis with the
|
||||||
<option>max-connections-per-ip-per-minute</option>
|
<option>max-connections-per-ip-per-minute</option>
|
||||||
|
@ -250,7 +250,7 @@
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Specify the maximum number of times a service can be
|
<para>Specify the maximum number of times a service can be
|
||||||
invoked from a single IP address at any one time; the
|
invoked from a single <acronym>IP</acronym> address at any one time; the
|
||||||
default is unlimited. May be overridden on a
|
default is unlimited. May be overridden on a
|
||||||
per-service basis with the
|
per-service basis with the
|
||||||
<option>max-child-per-ip</option> parameter.</para>
|
<option>max-child-per-ip</option> parameter.</para>
|
||||||
|
@ -347,7 +347,7 @@ server-program-arguments</programlisting>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>udp, udp4</entry>
|
<entry>udp, udp4</entry>
|
||||||
<entry>UDP IPv4</entry>
|
<entry><acronym>UDP</acronym> IPv4</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
|
@ -357,7 +357,7 @@ server-program-arguments</programlisting>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>udp6</entry>
|
<entry>udp6</entry>
|
||||||
<entry>UDP IPv6</entry>
|
<entry><acronym>UDP</acronym> IPv6</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
|
@ -367,7 +367,7 @@ server-program-arguments</programlisting>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>udp46</entry>
|
<entry>udp46</entry>
|
||||||
<entry>Both UDP IPv4 and v6</entry>
|
<entry>Both <acronym>UDP</acronym> IPv4 and v6</entry>
|
||||||
</row>
|
</row>
|
||||||
</tbody>
|
</tbody>
|
||||||
</tgroup>
|
</tgroup>
|
||||||
|
@ -403,12 +403,12 @@ server-program-arguments</programlisting>
|
||||||
options which limit the maximum connections from a
|
options which limit the maximum connections from a
|
||||||
single place to a particular daemon can be enabled.
|
single place to a particular daemon can be enabled.
|
||||||
<option>max-connections-per-ip-per-minute</option>
|
<option>max-connections-per-ip-per-minute</option>
|
||||||
limits the number of connections from any particular IP
|
limits the number of connections from any particular <acronym>IP</acronym>
|
||||||
address per minutes, e.g., a value of ten would limit
|
address per minutes, e.g., a value of ten would limit
|
||||||
any particular IP address connecting to a particular
|
any particular <acronym>IP</acronym> address connecting to a particular
|
||||||
service to ten attempts per minute.
|
service to ten attempts per minute.
|
||||||
<option>max-child-per-ip</option> limits the number of
|
<option>max-child-per-ip</option> limits the number of
|
||||||
children that can be started on behalf on any single IP
|
children that can be started on behalf on any single <acronym>IP</acronym>
|
||||||
address at any moment. These options are useful to
|
address at any moment. These options are useful to
|
||||||
prevent intentional or unintentional excessive resource
|
prevent intentional or unintentional excessive resource
|
||||||
consumption and Denial of Service (DoS) attacks to a
|
consumption and Denial of Service (DoS) attacks to a
|
||||||
|
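Review bot: two typos in this hunk are worth fixing while the lines are being touched: "children that can be started on behalf on any single IP address" (a line this hunk already rewrites for the acronym tag) should read "on behalf of", and the context line "limits the number of connections from any particular IP address per minutes" should read "per minute". Both are in the same paragraph as the acronym change, so the fix costs nothing here.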
@ -430,7 +430,7 @@ server-program-arguments</programlisting>
|
||||||
would read: <literal>nowait/10</literal>.</para>
|
would read: <literal>nowait/10</literal>.</para>
|
||||||
|
|
||||||
<para>The same setup with a limit of twenty connections
|
<para>The same setup with a limit of twenty connections
|
||||||
per IP address per minute and a maximum total limit of
|
per <acronym>IP</acronym> address per minute and a maximum total limit of
|
||||||
ten child daemons would read:
|
ten child daemons would read:
|
||||||
<literal>nowait/10/20</literal>.</para>
|
<literal>nowait/10/20</literal>.</para>
|
||||||
|
|
||||||
|
@ -442,7 +442,7 @@ server-program-arguments</programlisting>
|
||||||
|
|
||||||
<para>Finally, an example of this field with a maximum of
|
<para>Finally, an example of this field with a maximum of
|
||||||
100 children in total, with a maximum of 5 for any one
|
100 children in total, with a maximum of 5 for any one
|
||||||
IP address would read:
|
<acronym>IP</acronym> address would read:
|
||||||
<literal>nowait/100/0/5</literal>.</para>
|
<literal>nowait/100/0/5</literal>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -723,7 +723,7 @@ mountd_flags="-r"</programlisting>
|
||||||
|
|
||||||
<para>The next example exports
|
<para>The next example exports
|
||||||
<filename class="directory">/home</filename> to three clients
|
<filename class="directory">/home</filename> to three clients
|
||||||
by IP address. This can be useful for networks without
|
by <acronym>IP</acronym> address. This can be useful for networks without
|
||||||
<acronym>DNS</acronym>. Optionally,
|
<acronym>DNS</acronym>. Optionally,
|
||||||
<filename>/etc/hosts</filename> could be configured for
|
<filename>/etc/hosts</filename> could be configured for
|
||||||
internal hostnames; please review &man.hosts.5; for more
|
internal hostnames; please review &man.hosts.5; for more
|
||||||
|
@ -953,7 +953,7 @@ rpc_statd_enable="YES"</programlisting>
|
||||||
<application>amd</application> looks up the corresponding
|
<application>amd</application> looks up the corresponding
|
||||||
remote mount and automatically mounts it.
|
remote mount and automatically mounts it.
|
||||||
<filename class="directory">/net</filename> is used to mount
|
<filename class="directory">/net</filename> is used to mount
|
||||||
an exported file system from an IP address, while
|
an exported file system from an <acronym>IP</acronym> address, while
|
||||||
<filename class="directory">/host</filename> is used to mount
|
<filename class="directory">/host</filename> is used to mount
|
||||||
an export from a remote hostname.</para>
|
an export from a remote hostname.</para>
|
||||||
|
|
||||||
|
@ -1251,7 +1251,7 @@ Exports list on foobar:
|
||||||
<thead>
|
<thead>
|
||||||
<row>
|
<row>
|
||||||
<entry>Machine name</entry>
|
<entry>Machine name</entry>
|
||||||
<entry>IP address</entry>
|
<entry><acronym>IP</acronym> address</entry>
|
||||||
<entry>Machine role</entry>
|
<entry>Machine role</entry>
|
||||||
</row>
|
</row>
|
||||||
</thead>
|
</thead>
|
||||||
|
@ -1768,7 +1768,7 @@ nis_client_enable="YES"</programlisting>
|
||||||
for providing access control instead of
|
for providing access control instead of
|
||||||
<filename>securenets</filename>. While either access control
|
<filename>securenets</filename>. While either access control
|
||||||
mechanism adds some security, they are both vulnerable to
|
mechanism adds some security, they are both vulnerable to
|
||||||
<quote>IP spoofing</quote> attacks. All
|
<quote><acronym>IP</acronym> spoofing</quote> attacks. All
|
||||||
<acronym>NIS</acronym>-related traffic should be blocked at
|
<acronym>NIS</acronym>-related traffic should be blocked at
|
||||||
the firewall.</para>
|
the firewall.</para>
|
||||||
|
|
||||||
|
@ -2617,92 +2617,55 @@ result: 0 Success
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
</sect1info>
|
</sect1info>
|
||||||
-->
|
-->
|
||||||
<title>Automatic Network Configuration (DHCP)</title>
|
<title>Dynamic Host Configuration Protocol (<acronym>DHCP</acronym>)</title>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>Dynamic Host Configuration Protocol</primary>
|
<primary>Dynamic Host Configuration Protocol</primary>
|
||||||
<see>DHCP</see>
|
<see><acronym>DHCP</acronym></see>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>Internet Systems Consortium (ISC)</primary>
|
<primary>Internet Systems Consortium (ISC)</primary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para>DHCP, the Dynamic Host Configuration Protocol, describes
|
<para>The Dynamic Host Configuration Protocol (<acronym>DHCP</acronym>) allows
|
||||||
the means by which a system can connect to a network and
|
a system to connect to a network in order to be assigned
|
||||||
obtain the necessary information for communication upon that
|
the necessary addressing information for communication on that
|
||||||
network. &os; uses the OpenBSD <command>dhclient</command>
|
network. &os; includes the OpenBSD version of <command>dhclient</command>
|
||||||
taken from OpenBSD 3.7. All information here regarding
|
which is used by the client to obtain the addressing information.
|
||||||
<command>dhclient</command> is for use with either of the ISC
|
&os; does not install a <acronym>DHCP</acronym> server, but several
|
||||||
or OpenBSD DHCP clients. The DHCP server is the one included
|
servers are available in the &os; Ports Collection.
|
||||||
in the ISC distribution.</para>
|
The <acronym>DHCP</acronym> protocol is fully described in
|
||||||
|
<ulink url="http://www.freesoft.org/CIE/RFC/2131/">RFC
|
||||||
|
2131</ulink>. Informational resources are also available at
|
||||||
|
<ulink url="http://www.isc.org/downloads/dhcp/">isc.org/downloads/dhcp/</ulink>.</para>
|
||||||
|
|
||||||
<para>This section describes both the client-side components of
|
<para>This section describes how to use the built-in <acronym>DHCP</acronym> client.
|
||||||
the ISC and OpenBSD DHCP client and server-side components of
|
It then describes how to install and configure a
|
||||||
the ISC DHCP system. The client-side program,
|
<acronym>DHCP</acronym> server.</para>
|
||||||
<command>dhclient</command>, comes integrated within &os;,
|
|
||||||
and the server-side portion is available from the <filename
|
|
||||||
role="package">net/isc-dhcp42-server</filename> port. Refer to
|
|
||||||
&man.dhclient.8;, &man.dhcp-options.5;, and
|
|
||||||
&man.dhclient.conf.5;, in addition to the
|
|
||||||
references below, for more information.</para>
|
|
||||||
|
|
||||||
<sect2>
|
<sect2>
|
||||||
<title>How It Works</title>
|
<title>Configuring a <acronym>DHCP</acronym> Client</title>
|
||||||
|
|
||||||
<indexterm><primary>UDP</primary></indexterm>
|
<para><acronym>DHCP</acronym> client support is included in the &os;
|
||||||
<para>When <command>dhclient</command>, the DHCP client, is
|
installer, making it easy to configure a system to automatically
|
||||||
executed on the client machine, it begins broadcasting
|
receive its networking addressing information from an existing
|
||||||
requests for configuration information. By default, these
|
<acronym>DHCP</acronym> server.</para>
|
||||||
requests are on UDP port 68. The server replies on UDP 67,
|
|
||||||
giving the client an IP address and other relevant network
|
<indexterm><primary><acronym>UDP</acronym></primary></indexterm>
|
||||||
information such as netmask, router, and DNS servers. All of
|
<para>When <command>dhclient</command> is
|
||||||
this information comes in the form of a DHCP
|
executed on the client machine, it begins broadcasting
|
||||||
<quote>lease</quote> and is only valid for a certain time
|
requests for configuration information. By default, these
|
||||||
(configured by the DHCP server maintainer). In this manner,
|
requests use <acronym>UDP</acronym> port 68. The server replies on <acronym>UDP</acronym> port 67,
|
||||||
stale IP addresses for clients no longer connected to the
|
giving the client an <acronym>IP</acronym> address and other relevant network
|
||||||
network can be automatically reclaimed.</para>
|
information such as a subnet mask, default gateway, and <acronym>DNS</acronym> server addresses.
|
||||||
|
This information is in the form of a <acronym>DHCP</acronym>
|
||||||
|
<quote>lease</quote> and is valid for a configurable time. This allows
|
||||||
|
stale <acronym>IP</acronym> addresses for clients no longer connected to the
|
||||||
|
network to automatically be reused.</para>
|
||||||
|
|
||||||
<para>DHCP clients can obtain a great deal of information from
|
<para><acronym>DHCP</acronym> clients can obtain a great deal of information from
|
||||||
the server. An exhaustive list may be found in
|
the server. An exhaustive list may be found in
|
||||||
&man.dhcp-options.5;.</para>
|
&man.dhcp-options.5;.</para>
|
||||||
</sect2>
|
|
||||||
|
|
||||||
<sect2>
|
|
||||||
<title>&os; Integration</title>
|
|
||||||
|
|
||||||
<para>&os; fully integrates the OpenBSD DHCP client,
|
|
||||||
<command>dhclient</command>. DHCP client support is provided
|
|
||||||
within both the installer and the base system, obviating the
|
|
||||||
need for detailed knowledge of network configurations on any
|
|
||||||
network that runs a DHCP server.</para>
|
|
||||||
|
|
||||||
<indexterm>
|
|
||||||
<primary><application>sysinstall</application></primary>
|
|
||||||
</indexterm>
|
|
||||||
|
|
||||||
<para>DHCP is supported by
|
|
||||||
<application>sysinstall</application>. When configuring a
|
|
||||||
network interface within
|
|
||||||
<application>sysinstall</application>, the second question
|
|
||||||
asked is: <quote>Do you want to try DHCP configuration of the
|
|
||||||
interface?</quote>. Answering affirmatively will execute
|
|
||||||
<command>dhclient</command>, and if successful, will fill in
|
|
||||||
the network configuration information automatically.</para>
|
|
||||||
|
|
||||||
<para>There are two things required to have the system use
|
|
||||||
DHCP upon startup:</para>
|
|
||||||
<indexterm>
|
|
||||||
<primary>DHCP</primary>
|
|
||||||
<secondary>requirements</secondary>
|
|
||||||
</indexterm>
|
|
||||||
<itemizedlist>
|
|
||||||
<listitem>
|
|
||||||
<para>Make sure that the <devicename>bpf</devicename> device
|
|
||||||
is compiled into the kernel. To do this, add
|
|
||||||
<literal>device bpf</literal> to the kernel configuration
|
|
||||||
file, and rebuild the kernel. For more information about
|
|
||||||
building kernels, see
|
|
||||||
<xref linkend="kernelconfig"/>.</para>
|
|
||||||
|
|
||||||
<para>The <devicename>bpf</devicename> device is already
|
<para>The <devicename>bpf</devicename> device is already
|
||||||
part of the <filename>GENERIC</filename> kernel that is
|
part of the <filename>GENERIC</filename> kernel that is
|
||||||
|
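Review bot: deleting the "Make sure that the bpf device is compiled into the kernel" list item leaves the following paragraph ("The bpf device is already part of the GENERIC kernel...") and the note that bpf is required for DHCP with no lead-in in the client section; keep a one-sentence introduction to bpf there, or move the whole bpf discussion to the server section where the same requirement is already stated. Two smaller points in the new text: "The <acronym>DHCP</acronym> protocol is fully described in" expands to "Protocol protocol", so "<acronym>DHCP</acronym> is fully described in" reads better; and the retained port sentence ("these requests use UDP port 68. The server replies on UDP port 67") is ambiguous about which side listens on which port, so state explicitly which port the server listens on and which the client listens on. The sysinstall paragraph is dropped outright rather than shuffled, which the commit message does not mention.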
@ -2719,37 +2682,35 @@ result: 0 Success
|
||||||
(although they still have to be run as
|
(although they still have to be run as
|
||||||
<username>root</username>).
|
<username>root</username>).
|
||||||
<devicename>bpf</devicename> <emphasis>is</emphasis>
|
<devicename>bpf</devicename> <emphasis>is</emphasis>
|
||||||
required to use DHCP; however, the security sensitive
|
required to use <acronym>DHCP</acronym>; however, the security sensitive
|
||||||
types should probably not add
|
types should probably not add
|
||||||
<devicename>bpf</devicename> to the kernel in the
|
<devicename>bpf</devicename> to the kernel in the
|
||||||
expectation that at some point in the future the system
|
expectation that at some point in the future the system
|
||||||
will be using DHCP.</para>
|
will be using <acronym>DHCP</acronym>.</para>
|
||||||
</note>
|
</note>
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
<para>By default, <acronym>DHCP</acronym> configuration on &os; runs in the
|
||||||
<para>By default, DHCP configuration on &os; runs in the
|
|
||||||
background, or <firstterm>asynchronously</firstterm>.
|
background, or <firstterm>asynchronously</firstterm>.
|
||||||
Other startup scripts continue to run while DHCP
|
Other startup scripts continue to run while <acronym>DHCP</acronym>
|
||||||
completes, speeding up system startup.</para>
|
completes, speeding up system startup.</para>
|
||||||
|
|
||||||
<para>Background DHCP works well when the DHCP server
|
<para>Background <acronym>DHCP</acronym> works well when the <acronym>DHCP</acronym> server
|
||||||
responds quickly to requests and the DHCP configuration
|
responds quickly to requests and the <acronym>DHCP</acronym> configuration
|
||||||
process goes quickly. However, DHCP may take a long time
|
process goes quickly. However, <acronym>DHCP</acronym> may take a long time
|
||||||
to complete on some systems. If network services attempt
|
to complete on some systems. If network services attempt
|
||||||
to run before DHCP has completed, they will fail. Using
|
to run before <acronym>DHCP</acronym> has completed, they will fail. Using
|
||||||
DHCP in <firstterm>synchronous</firstterm> mode prevents
|
<acronym>DHCP</acronym> in <firstterm>synchronous</firstterm> mode prevents
|
||||||
the problem, pausing startup until DHCP configuration has
|
the problem, pausing startup until <acronym>DHCP</acronym> configuration has
|
||||||
completed.</para>
|
completed.</para>
|
||||||
|
|
||||||
<para>To connect to a DHCP server in the background while
|
<para>To connect to a <acronym>DHCP</acronym> server in the background while
|
||||||
other startup continues (asynchronous mode), use the
|
other startup continues (asynchronous mode), use the
|
||||||
<quote><literal>DHCP</literal></quote> value in
|
<quote><literal>DHCP</literal></quote> value in
|
||||||
<filename>/etc/rc.conf</filename>:</para>
|
<filename>/etc/rc.conf</filename>:</para>
|
||||||
|
|
||||||
<programlisting>ifconfig_<replaceable>fxp0</replaceable>="DHCP"</programlisting>
|
<programlisting>ifconfig_<replaceable>fxp0</replaceable>="DHCP"</programlisting>
|
||||||
|
|
||||||
<para>To pause startup while DHCP completes, use
|
<para>To pause startup while <acronym>DHCP</acronym> completes, use
|
||||||
synchronous mode with the
|
synchronous mode with the
|
||||||
<quote><literal>SYNCDHCP</literal></quote> value:</para>
|
<quote><literal>SYNCDHCP</literal></quote> value:</para>
|
||||||
|
|
||||||
|
@ -2769,27 +2730,14 @@ result: 0 Success
|
||||||
|
|
||||||
<programlisting>dhclient_program="/sbin/dhclient"
|
<programlisting>dhclient_program="/sbin/dhclient"
|
||||||
dhclient_flags=""</programlisting>
|
dhclient_flags=""</programlisting>
|
||||||
</listitem>
|
|
||||||
</itemizedlist>
|
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>DHCP</primary>
|
<primary><acronym>DHCP</acronym></primary>
|
||||||
<secondary>server</secondary>
|
|
||||||
</indexterm>
|
|
||||||
<para>The DHCP server, <application>dhcpd</application>, is
|
|
||||||
included as part of the
|
|
||||||
<filename role="package">net/isc-dhcp42-server</filename> port
|
|
||||||
in the ports collection. This port contains the ISC DHCP
|
|
||||||
server and documentation.</para>
|
|
||||||
</sect2>
|
|
||||||
|
|
||||||
<sect2>
|
|
||||||
<title>Files</title>
|
|
||||||
|
|
||||||
<indexterm>
|
|
||||||
<primary>DHCP</primary>
|
|
||||||
<secondary>configuration files</secondary>
|
<secondary>configuration files</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
|
<para>The <acronym>DHCP</acronym> client uses the following files:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename>/etc/dhclient.conf</filename></para>
|
<para><filename>/etc/dhclient.conf</filename></para>
|
||||||
|
@ -2812,7 +2760,7 @@ dhclient_flags=""</programlisting>
|
||||||
<para><filename>/sbin/dhclient-script</filename></para>
|
<para><filename>/sbin/dhclient-script</filename></para>
|
||||||
|
|
||||||
<para><command>dhclient-script</command> is the
|
<para><command>dhclient-script</command> is the
|
||||||
&os;-specific DHCP client configuration script. It
|
&os;-specific <acronym>DHCP</acronym> client configuration script. It
|
||||||
is described in &man.dhclient-script.8;, but should not
|
is described in &man.dhclient-script.8;, but should not
|
||||||
need any user modification to function properly.</para>
|
need any user modification to function properly.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -2820,50 +2768,47 @@ dhclient_flags=""</programlisting>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename>/var/db/dhclient.leases.<replaceable>interface</replaceable></filename></para>
|
<para><filename>/var/db/dhclient.leases.<replaceable>interface</replaceable></filename></para>
|
||||||
|
|
||||||
<para>The DHCP client keeps a database of valid leases in
|
<para>The <acronym>DHCP</acronym> client keeps a database of valid leases in
|
||||||
this file, which is written as a log.
|
this file, which is written as a log.
|
||||||
&man.dhclient.leases.5; gives a slightly longer
|
&man.dhclient.leases.5; gives a slightly longer
|
||||||
description.</para>
|
description. Refer to
|
||||||
|
&man.dhclient.8;, &man.dhcp-options.5;, and
|
||||||
|
&man.dhclient.conf.5;, in addition to the
|
||||||
|
references below, for more information.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2>
|
|
||||||
<title>Further Reading</title>
|
|
||||||
|
|
||||||
<para>The DHCP protocol is fully described in
|
|
||||||
<ulink url="http://www.freesoft.org/CIE/RFC/2131/">RFC
|
|
||||||
2131</ulink>. An informational resource has also been set
|
|
||||||
up at <ulink url="http://www.dhcp.org/"></ulink>.</para>
|
|
||||||
</sect2>
|
|
||||||
|
|
||||||
<sect2 id="network-dhcp-server">
|
<sect2 id="network-dhcp-server">
|
||||||
<title>Installing and Configuring a DHCP Server</title>
|
<title>Installing and Configuring a <acronym>DHCP</acronym> Server</title>
|
||||||
|
|
||||||
<sect3>
|
|
||||||
<title>What This Section Covers</title>
|
|
||||||
|
|
||||||
<para>This section provides information on how to configure a
|
<para>This section provides information on how to configure a
|
||||||
&os; system to act as a DHCP server using the ISC
|
&os; system to act as a <acronym>DHCP</acronym> server using the ISC
|
||||||
(Internet Systems Consortium) implementation of the DHCP
|
(Internet Systems Consortium) implementation of the <acronym>DHCP</acronym>
|
||||||
server.</para>
|
server.</para>
|
||||||
|
|
||||||
|
<indexterm>
|
||||||
|
<primary><acronym>DHCP</acronym></primary>
|
||||||
|
<secondary>server</secondary>
|
||||||
|
</indexterm>
|
||||||
|
|
||||||
|
<para>The <acronym>DHCP</acronym> server, <application>dhcpd</application>, is
|
||||||
|
included as part of the
|
||||||
|
<filename role="package">net/isc-dhcp42-server</filename> port
|
||||||
|
in the ports collection. This port contains the ISC <acronym>DHCP</acronym>
|
||||||
|
server and documentation.</para>
|
||||||
<para>The server is not provided as part of &os;, and so the
|
<para>The server is not provided as part of &os;, and so the
|
||||||
<filename role="package">net/isc-dhcp42-server</filename>
|
<filename role="package">net/isc-dhcp42-server</filename>
|
||||||
port must be installed to provide this service. See
|
port must be installed to provide this service. See
|
||||||
<xref linkend="ports"/> for more information on using the
|
<xref linkend="ports"/> for more information on using the
|
||||||
Ports Collection.</para>
|
Ports Collection.</para>
|
||||||
</sect3>
|
|
||||||
|
|
||||||
<sect3>
|
|
||||||
<title>DHCP Server Installation</title>
|
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>DHCP</primary>
|
<primary><acronym>DHCP</acronym></primary>
|
||||||
<secondary>installation</secondary>
|
<secondary>installation</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para>In order to configure the &os; system as a DHCP server,
|
<para>In order to configure the &os; system as a <acronym>DHCP</acronym> server,
|
||||||
first ensure that the &man.bpf.4; device is compiled into
|
first ensure that the &man.bpf.4; device is compiled into
|
||||||
the kernel. To do this, add <literal>device bpf</literal>
|
the kernel. To do this, add <literal>device bpf</literal>
|
||||||
to the kernel configuration file, and rebuild the kernel.
|
to the kernel configuration file, and rebuild the kernel.
|
||||||
|
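Review bot: the sentence moved into the dhclient.leases list item still says "in addition to the references below", but this same hunk deletes the "Further Reading" sect2 and the RFC 2131 and isc.org links now live in the section introduction, so "below" is wrong; change it to "above" or drop the clause, and consider placing the "Refer to &man.dhclient.8;, &man.dhcp-options.5;, and &man.dhclient.conf.5;" sentence after the itemizedlist rather than inside the description of one file. In the server section, the moved paragraph "The DHCP server, dhcpd, is included as part of the net/isc-dhcp42-server port in the ports collection" is immediately followed by the existing "The server is not provided as part of &os;, and so the net/isc-dhcp42-server port must be installed", which says the same thing twice and spells "ports collection" and "Ports Collection" differently; merge them into one paragraph.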
@ -2881,7 +2826,7 @@ dhclient_flags=""</programlisting>
|
||||||
that allows packet sniffers to function correctly
|
that allows packet sniffers to function correctly
|
||||||
(although such programs still need privileged access).
|
(although such programs still need privileged access).
|
||||||
The <devicename>bpf</devicename> device
|
The <devicename>bpf</devicename> device
|
||||||
<emphasis>is</emphasis> required to use DHCP, but if the
|
<emphasis>is</emphasis> required to use <acronym>DHCP</acronym>, but if the
|
||||||
sensitivity of the system's security is high, this device
|
sensitivity of the system's security is high, this device
|
||||||
should not be included in the kernel purely because the
|
should not be included in the kernel purely because the
|
||||||
use of <acronym>DHCP</acronym> may, at some point in the
|
use of <acronym>DHCP</acronym> may, at some point in the
|
||||||
|
@ -2895,13 +2840,12 @@ dhclient_flags=""</programlisting>
|
||||||
to the actual configuration file,
|
to the actual configuration file,
|
||||||
<filename>/usr/local/etc/dhcpd.conf</filename>. Edits
|
<filename>/usr/local/etc/dhcpd.conf</filename>. Edits
|
||||||
will be made to this new file.</para>
|
will be made to this new file.</para>
|
||||||
</sect3>
|
|
||||||
|
|
||||||
<sect3>
|
<sect3>
|
||||||
<title>Configuring the DHCP Server</title>
|
<title>Configuring the <acronym>DHCP</acronym> Server</title>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>DHCP</primary>
|
<primary><acronym>DHCP</acronym></primary>
|
||||||
<secondary>dhcpd.conf</secondary>
|
<secondary>dhcpd.conf</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
<para><filename>dhcpd.conf</filename> is comprised of
|
<para><filename>dhcpd.conf</filename> is comprised of
|
||||||
|
@ -2936,7 +2880,7 @@ host mailhost {
|
||||||
|
|
||||||
<callout arearefs="domain-name-servers">
|
<callout arearefs="domain-name-servers">
|
||||||
<para>This option specifies a comma separated list of
|
<para>This option specifies a comma separated list of
|
||||||
DNS servers that the client should use.</para>
|
<acronym>DNS</acronym> servers that the client should use.</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="subnet-mask">
|
<callout arearefs="subnet-mask">
|
||||||
|
@ -2960,15 +2904,15 @@ host mailhost {
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="ddns-update-style">
|
<callout arearefs="ddns-update-style">
|
||||||
<para>This option specifies whether the DHCP server
|
<para>This option specifies whether the <acronym>DHCP</acronym> server
|
||||||
should attempt to update DNS when a lease is accepted
|
should attempt to update <acronym>DNS</acronym> when a lease is accepted
|
||||||
or released. In the ISC implementation, this option
|
or released. In the ISC implementation, this option
|
||||||
is <emphasis>required</emphasis>.</para>
|
is <emphasis>required</emphasis>.</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="range">
|
<callout arearefs="range">
|
||||||
<para>This denotes which IP addresses should be used in
|
<para>This denotes which <acronym>IP</acronym> addresses should be used in
|
||||||
the pool reserved for allocating to clients. IP
|
the pool reserved for allocating to clients. <acronym>IP</acronym>
|
||||||
addresses between, and including, the ones stated are
|
addresses between, and including, the ones stated are
|
||||||
handed out to clients.</para>
|
handed out to clients.</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
@ -2980,14 +2924,14 @@ host mailhost {
|
||||||
|
|
||||||
<callout arearefs="hardware">
|
<callout arearefs="hardware">
|
||||||
<para>The hardware MAC address of a host (so that the
|
<para>The hardware MAC address of a host (so that the
|
||||||
DHCP server can recognize a host when it makes a
|
<acronym>DHCP</acronym> server can recognize a host when it makes a
|
||||||
request).</para>
|
request).</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="fixed-address">
|
<callout arearefs="fixed-address">
|
||||||
<para>Specifies that the host should always be given the
|
<para>Specifies that the host should always be given the
|
||||||
same IP address. Note that using a hostname is
|
same <acronym>IP</acronym> address. Note that using a hostname is
|
||||||
correct here, since the DHCP server will resolve the
|
correct here, since the <acronym>DHCP</acronym> server will resolve the
|
||||||
hostname itself before returning the lease
|
hostname itself before returning the lease
|
||||||
information.</para>
|
information.</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
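Review bot: "The hardware MAC address of a host" in this hunk leaves MAC untagged while DHCP on the next line gets <acronym>; tag it as <acronym>MAC</acronym> for consistency, or add it to the follow-up acronym pass.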
@ -2995,7 +2939,7 @@ host mailhost {
|
||||||
|
|
||||||
<para>Once the configuration of
|
<para>Once the configuration of
|
||||||
<filename>dhcpd.conf</filename> has been completed,
|
<filename>dhcpd.conf</filename> has been completed,
|
||||||
enable the DHCP server in
|
enable the <acronym>DHCP</acronym> server in
|
||||||
<filename>/etc/rc.conf</filename>, i.e., by adding:</para>
|
<filename>/etc/rc.conf</filename>, i.e., by adding:</para>
|
||||||
|
|
||||||
<programlisting>dhcpd_enable="YES"
|
<programlisting>dhcpd_enable="YES"
|
||||||
|
@ -3003,7 +2947,7 @@ dhcpd_ifaces="dc0"</programlisting>
|
||||||
|
|
||||||
<para>Replace the <literal>dc0</literal> interface name with
|
<para>Replace the <literal>dc0</literal> interface name with
|
||||||
the interface (or interfaces, separated by whitespace)
|
the interface (or interfaces, separated by whitespace)
|
||||||
that the DHCP server should listen on for DHCP client
|
that the <acronym>DHCP</acronym> server should listen on for <acronym>DHCP</acronym> client
|
||||||
requests.</para>
|
requests.</para>
|
||||||
|
|
||||||
<para>Proceed to start the server by issuing
|
<para>Proceed to start the server by issuing
|
||||||
|
@ -3023,7 +2967,7 @@ dhcpd_ifaces="dc0"</programlisting>
|
||||||
<title>Files</title>
|
<title>Files</title>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>DHCP</primary>
|
<primary><acronym>DHCP</acronym></primary>
|
||||||
<secondary>configuration files</secondary>
|
<secondary>configuration files</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
|
@ -3056,7 +3000,7 @@ dhcpd_ifaces="dc0"</programlisting>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename>/var/db/dhcpd.leases</filename></para>
|
<para><filename>/var/db/dhcpd.leases</filename></para>
|
||||||
|
|
||||||
<para>The DHCP server keeps a database of leases it has
|
<para>The <acronym>DHCP</acronym> server keeps a database of leases it has
|
||||||
issued in this file, which is written as a log. The
|
issued in this file, which is written as a log. The
|
||||||
port installs &man.dhcpd.leases.5;, which gives a
|
port installs &man.dhcpd.leases.5;, which gives a
|
||||||
slightly longer description.</para>
|
slightly longer description.</para>
|
||||||
|
@ -3066,8 +3010,8 @@ dhcpd_ifaces="dc0"</programlisting>
|
||||||
<para><filename>/usr/local/sbin/dhcrelay</filename></para>
|
<para><filename>/usr/local/sbin/dhcrelay</filename></para>
|
||||||
|
|
||||||
<para><application>dhcrelay</application> is used in
|
<para><application>dhcrelay</application> is used in
|
||||||
advanced environments where one DHCP server forwards a
|
advanced environments where one <acronym>DHCP</acronym> server forwards a
|
||||||
request from a client to another DHCP server on a
|
request from a client to another <acronym>DHCP</acronym> server on a
|
||||||
separate network. If this functionality is required,
|
separate network. If this functionality is required,
|
||||||
then install the
|
then install the
|
||||||
<filename role="package">net/isc-dhcp42-relay</filename>
|
<filename role="package">net/isc-dhcp42-relay</filename>
|
||||||
|
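Review bot: the description of dhcrelay is inaccurate as written: a relay agent, not a DHCP server, forwards the client's request to a DHCP server on another network, which is why it ships as the separate net/isc-dhcp42-relay port. Suggest rewording to "advanced environments where a relay agent forwards a request from a client to a DHCP server on a separate network", either here or in the announced content-review pass.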
@ -3150,7 +3094,7 @@ dhcpd_ifaces="dc0"</programlisting>
|
||||||
<acronym>DNS</acronym> must be understood.</para>
|
<acronym>DNS</acronym> must be understood.</para>
|
||||||
|
|
||||||
<indexterm><primary>resolver</primary></indexterm>
|
<indexterm><primary>resolver</primary></indexterm>
|
||||||
<indexterm><primary>reverse DNS</primary></indexterm>
|
<indexterm><primary>reverse <acronym>DNS</acronym></primary></indexterm>
|
||||||
<indexterm><primary>root zone</primary></indexterm>
|
<indexterm><primary>root zone</primary></indexterm>
|
||||||
|
|
||||||
<informaltable frame="none" pgwide="1">
|
<informaltable frame="none" pgwide="1">
|
||||||
|
@ -3168,7 +3112,7 @@ dhcpd_ifaces="dc0"</programlisting>
|
||||||
<tbody>
|
<tbody>
|
||||||
<row>
|
<row>
|
||||||
<entry>Forward <acronym>DNS</acronym></entry>
|
<entry>Forward <acronym>DNS</acronym></entry>
|
||||||
<entry>Mapping of hostnames to IP addresses.</entry>
|
<entry>Mapping of hostnames to <acronym>IP</acronym> addresses.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
|
@ -3492,7 +3436,7 @@ options {
|
||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
<programlisting> /*
|
<programlisting> /*
|
||||||
Modern versions of BIND use a random UDP port for each outgoing
|
Modern versions of BIND use a random <acronym>UDP</acronym> port for each outgoing
|
||||||
query by default in order to dramatically reduce the possibility
|
query by default in order to dramatically reduce the possibility
|
||||||
of cache poisoning. All users are strongly encouraged to utilize
|
of cache poisoning. All users are strongly encouraged to utilize
|
||||||
this feature, and to configure their firewalls to accommodate it.
|
this feature, and to configure their firewalls to accommodate it.
|
||||||
|
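Review bot: the <acronym>UDP</acronym> tag at "random <acronym>UDP</acronym> port" sits inside a <programlisting> that reproduces a verbatim comment block from named.conf; adding markup inside a verbatim file excerpt changes how the copied text renders and breaks cut-and-paste fidelity. Keep UDP as plain text in the listing and limit acronym tagging to the surrounding prose.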
@ -3817,11 +3761,11 @@ www IN CNAME example.org.</programlisting>
|
||||||
<programlisting>recordname IN recordtype value</programlisting>
|
<programlisting>recordname IN recordtype value</programlisting>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>DNS</primary>
|
<primary><acronym>DNS</acronym></primary>
|
||||||
<secondary>records</secondary>
|
<secondary>records</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para>The most commonly used DNS records:</para>
|
<para>The most commonly used <acronym>DNS</acronym> records:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -3861,7 +3805,7 @@ www IN CNAME example.org.</programlisting>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>a domain name pointer (used in reverse
|
<para>a domain name pointer (used in reverse
|
||||||
DNS)</para>
|
<acronym>DNS</acronym>)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
@ -3940,7 +3884,7 @@ mail IN A 192.168.1.5</programlisting>
|
||||||
|
|
||||||
<programlisting> IN A 192.168.1.1</programlisting>
|
<programlisting> IN A 192.168.1.1</programlisting>
|
||||||
|
|
||||||
<para>This line assigns IP address
|
<para>This line assigns <acronym>IP</acronym> address
|
||||||
<hostid role="ipaddr">192.168.1.1</hostid> to the current
|
<hostid role="ipaddr">192.168.1.1</hostid> to the current
|
||||||
origin, in this case
|
origin, in this case
|
||||||
<hostid role="domainname">example.org</hostid>.</para>
|
<hostid role="domainname">example.org</hostid>.</para>
|
||||||
|
@ -3975,7 +3919,7 @@ mail IN A 192.168.1.5</programlisting>
|
||||||
priority number), then the second highest, etc, until the
|
priority number), then the second highest, etc, until the
|
||||||
mail can be properly delivered.</para>
|
mail can be properly delivered.</para>
|
||||||
|
|
||||||
<para>For in-addr.arpa zone files (reverse DNS), the same
|
<para>For in-addr.arpa zone files (reverse <acronym>DNS</acronym>), the same
|
||||||
format is used, except with PTR entries instead of A or
|
format is used, except with PTR entries instead of A or
|
||||||
CNAME.</para>
|
CNAME.</para>
|
||||||
|
|
||||||
|
@ -3997,7 +3941,7 @@ mail IN A 192.168.1.5</programlisting>
|
||||||
4 IN PTR mx.example.org.
|
4 IN PTR mx.example.org.
|
||||||
5 IN PTR mail.example.org.</programlisting>
|
5 IN PTR mail.example.org.</programlisting>
|
||||||
|
|
||||||
<para>This file gives the proper IP address to hostname
|
<para>This file gives the proper <acronym>IP</acronym> address to hostname
|
||||||
mappings for the above fictitious domain.</para>
|
mappings for the above fictitious domain.</para>
|
||||||
|
|
||||||
<para>It is worth noting that all names on the right side
|
<para>It is worth noting that all names on the right side
|
||||||
|
@ -4026,7 +3970,7 @@ mail IN A 192.168.1.5</programlisting>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>BIND</primary>
|
<primary>BIND</primary>
|
||||||
<secondary>DNS security extensions</secondary>
|
<secondary><acronym>DNS</acronym> security extensions</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para>Domain Name System Security Extensions, or <acronym
|
<para>Domain Name System Security Extensions, or <acronym
|
||||||
|
@ -4391,7 +4335,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
||||||
<sect2>
|
<sect2>
|
||||||
<title>Security</title>
|
<title>Security</title>
|
||||||
|
|
||||||
<para>Although BIND is the most common implementation of DNS,
|
<para>Although BIND is the most common implementation of <acronym>DNS</acronym>,
|
||||||
there is always the issue of security. Possible and
|
there is always the issue of security. Possible and
|
||||||
exploitable security holes are sometimes found.</para>
|
exploitable security holes are sometimes found.</para>
|
||||||
|
|
||||||
|
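Review bot: beyond the acronym change, the paragraph under the Security title is vague: "Possible and exploitable security holes are sometimes found" states a risk without telling the reader what follows from it. Flag it for the announced content-review pass so the sentence says what the reader should do, rather than only that holes exist.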
@ -4437,7 +4381,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://www.oreilly.com/catalog/dns5/">O'Reilly
|
url="http://www.oreilly.com/catalog/dns5/">O'Reilly
|
||||||
DNS and BIND 5th Edition</ulink></para>
|
<acronym>DNS</acronym> and BIND 5th Edition</ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -4469,21 +4413,21 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://tools.ietf.org/html/rfc4033">RFC4033
|
url="http://tools.ietf.org/html/rfc4033">RFC4033
|
||||||
- DNS Security Introduction and
|
- <acronym>DNS</acronym> Security Introduction and
|
||||||
Requirements</ulink></para>
|
Requirements</ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://tools.ietf.org/html/rfc4034">RFC4034
|
url="http://tools.ietf.org/html/rfc4034">RFC4034
|
||||||
- Resource Records for the DNS Security
|
- Resource Records for the <acronym>DNS</acronym> Security
|
||||||
Extensions</ulink></para>
|
Extensions</ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://tools.ietf.org/html/rfc4035">RFC4035
|
url="http://tools.ietf.org/html/rfc4035">RFC4035
|
||||||
- Protocol Modifications for the DNS Security
|
- Protocol Modifications for the <acronym>DNS</acronym> Security
|
||||||
Extensions</ulink></para>
|
Extensions</ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
@ -4496,7 +4440,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://tools.ietf.org/html/rfc5011">RFC 5011
|
url="http://tools.ietf.org/html/rfc5011">RFC 5011
|
||||||
- Automated Updates of DNS Security
|
- Automated Updates of <acronym>DNS</acronym> Security
|
||||||
(<acronym>DNSSEC</acronym>
|
(<acronym>DNSSEC</acronym>
|
||||||
Trust Anchors</ulink></para>
|
Trust Anchors</ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
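Review bot: the RFC 5011 link text is missing the closing parenthesis after DNSSEC; the title should read "Automated Updates of DNS Security (DNSSEC) Trust Anchors". Also, "RFC 5011" is spaced while the RFC4033, RFC4034 and RFC4035 entries in the previous hunk are not; pick one form for the whole list.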
@ -4686,7 +4630,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
|
||||||
types of Virtual Hosting. The first method is Name-based
|
types of Virtual Hosting. The first method is Name-based
|
||||||
Virtual Hosting. Name-based virtual hosting uses the clients
|
Virtual Hosting. Name-based virtual hosting uses the clients
|
||||||
HTTP/1.1 headers to figure out the hostname. This allows many
|
HTTP/1.1 headers to figure out the hostname. This allows many
|
||||||
different domains to share the same IP address.</para>
|
different domains to share the same <acronym>IP</acronym> address.</para>
|
||||||
|
|
||||||
<para>To setup <application>Apache</application> to use
|
<para>To setup <application>Apache</application> to use
|
||||||
Name-based Virtual Hosting add an entry like the following to
|
Name-based Virtual Hosting add an entry like the following to
|
||||||
|
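Review bot: two style points in this hunk's context lines: "the clients HTTP/1.1 headers" needs the possessive "client's", and "To setup Apache" should be "To set up". Both are cheap to fix in the same commit.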
@ -5252,7 +5196,7 @@ DocumentRoot /www/someotherdomain.tld
|
||||||
<para>This sets the NetBIOS name by which a
|
<para>This sets the NetBIOS name by which a
|
||||||
<application>Samba</application> server is known.
|
<application>Samba</application> server is known.
|
||||||
By default it is the same as the first component of
|
By default it is the same as the first component of
|
||||||
the host's DNS name.</para>
|
the host's <acronym>DNS</acronym> name.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -5580,7 +5524,7 @@ driftfile /var/db/ntp.drift</programlisting>
|
||||||
<programlisting>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting>
|
<programlisting>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting>
|
||||||
|
|
||||||
<para>instead, where
|
<para>instead, where
|
||||||
<hostid role="ipaddr">192.168.1.0</hostid> is an IP address
|
<hostid role="ipaddr">192.168.1.0</hostid> is an <acronym>IP</acronym> address
|
||||||
on the network and
|
on the network and
|
||||||
<hostid role="netmask">255.255.255.0</hostid> is the
|
<hostid role="netmask">255.255.255.0</hostid> is the
|
||||||
network's netmask.</para>
|
network's netmask.</para>
|
||||||
|
@ -6207,7 +6151,7 @@ iqn.2012-06.com.example:target0 10.10.10.10 Connected: da0</
|
||||||
iqn.2012-06.com.example:target0 10.10.10.10 Waiting for iscsid(8)</programlisting>
|
iqn.2012-06.com.example:target0 10.10.10.10 Waiting for iscsid(8)</programlisting>
|
||||||
|
|
||||||
<para>The following suggests network-level problem, such as
|
<para>The following suggests network-level problem, such as
|
||||||
wrong IP address or port:</para>
|
wrong <acronym>IP</acronym> address or port:</para>
|
||||||
|
|
||||||
<programlisting>Target name Target addr State
|
<programlisting>Target name Target addr State
|
||||||
iqn.2012-06.com.example:target0 10.10.10.11 Connection refused</programlisting>
|
iqn.2012-06.com.example:target0 10.10.10.11 Connection refused</programlisting>
|
||||||
|
|
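Review bot: "suggests network-level problem" is missing an article in the context line above the acronym change; it should read "suggests a network-level problem".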