Whitespace-only fixes. Translators, please ignore.

svn path=/head/; revision=42267
2013-07-13 03:51:22 +00:00 · 2013-07-13 03:51:22 +00:00 · 8c7eaba7a3 · 2020-12-08 03:00:23 +00:00
commit 8c7eaba7a3
parent 47786e5cf1
1 changed files with 146 additions and 144 deletions
--- a/en_US.ISO8859-1/books/handbook/security/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.xml
@ -2444,57 +2444,57 @@ device    crypto</screen>
 	</listitem>
      </itemizedlist>
-    <sect3>
+      <sect3>
-      <sect3info>
+	<sect3info>
-	<authorgroup>
+	  <authorgroup>
-	  <author>
+	    <author>
-	    <firstname>Tom</firstname>
+	      <firstname>Tom</firstname>
-	    <surname>Rhodes</surname>
+	      <surname>Rhodes</surname>
-	    <affiliation>
+	      <affiliation>
-	      <address><email>trhodes@FreeBSD.org</email></address>
+		<address><email>trhodes@FreeBSD.org</email></address>
-	    </affiliation>
+	      </affiliation>
-	    <contrib>Written by </contrib>
+	      <contrib>Written by </contrib>
-	  </author>
+	    </author>
-	</authorgroup>
+	  </authorgroup>
-      </sect3info>
+	</sect3info>
-      <title>Configuring IPsec on &os;</title>
+	<title>Configuring IPsec on &os;</title>
-      <para>To begin,
+	<para>To begin,
-	<filename role="package">security/ipsec-tools</filename>
+	  <filename role="package">security/ipsec-tools</filename>
-	must be installed from the Ports Collection.  This software
+	  must be installed from the Ports Collection.  This software
-	provides a number of applications which support the
+	  provides a number of applications which support the
-	configuration.</para>
+	  configuration.</para>
-      <para>The next requirement is to create two &man.gif.4;
+	<para>The next requirement is to create two &man.gif.4;
-	pseudo-devices which will be used to tunnel packets and
+	  pseudo-devices which will be used to tunnel packets and
-	allow both networks to communicate properly.  As
+	  allow both networks to communicate properly.  As
-	<username>root</username>, run the following commands,
+	  <username>root</username>, run the following commands,
-	replacing <replaceable>internal</replaceable> and
+	  replacing <replaceable>internal</replaceable> and
-	<replaceable>external</replaceable> with the real IP
+	  <replaceable>external</replaceable> with the real IP
-	addresses of the internal and external interfaces of the two
+	  addresses of the internal and external interfaces of the two
-	gateways:</para>
+	  gateways:</para>
-      <screen>&prompt.root; <userinput>ifconfig gif0 create</userinput></screen>
+	<screen>&prompt.root; <userinput>ifconfig gif0 create</userinput></screen>
-      <screen>&prompt.root; <userinput>ifconfig gif0 <replaceable>internal1 internal2</replaceable></userinput></screen>
+	<screen>&prompt.root; <userinput>ifconfig gif0 <replaceable>internal1 internal2</replaceable></userinput></screen>
-      <screen>&prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>external1 external2</replaceable></userinput></screen>
+	<screen>&prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>external1 external2</replaceable></userinput></screen>
-      <para>In this example, the corporate <acronym>LAN</acronym>'s
+	<para>In this example, the corporate <acronym>LAN</acronym>'s
-	external <acronym>IP</acronym> address is <hostid
+	  external <acronym>IP</acronym> address is
-	  role="ipaddr">172.16.5.4</hostid> and its internal
+	  <hostid role="ipaddr">172.16.5.4</hostid> and its internal
-	<acronym>IP</acronym> address is <hostid
+	  <acronym>IP</acronym> address is
-	  role="ipaddr">10.246.38.1</hostid>.  The home
+	  <hostid role="ipaddr">10.246.38.1</hostid>.  The home
-	<acronym>LAN</acronym>'s external <acronym>IP</acronym>
+	  <acronym>LAN</acronym>'s external <acronym>IP</acronym>
-	address is <hostid role="ipaddr">192.168.1.12</hostid> and its
+	  address is <hostid role="ipaddr">192.168.1.12</hostid> and
-	internal private <acronym>IP</acronym> address is <hostid
+	  its internal private <acronym>IP</acronym> address is
-	  role="ipaddr">10.0.0.5</hostid>.</para>
+	  <hostid role="ipaddr">10.0.0.5</hostid>.</para>
-      <para>If this is confusing, review the following example output
+	<para>If this is confusing, review the following example
-	from &man.ifconfig.8;:</para>
+	  output from &man.ifconfig.8;:</para>
-      <programlisting>Gateway 1:
+	<programlisting>Gateway 1:
 gif0: flags=8051 mtu 1280
 tunnel inet 172.16.5.4 --&gt; 192.168.1.12
@ -2508,10 +2508,10 @@ tunnel inet 192.168.1.12 --&gt; 172.16.5.4
 inet 10.0.0.5 --&gt; 10.246.38.1 netmask 0xffffff00
 inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4</programlisting>
-      <para>Once complete, both internal <acronym>IP</acronym>
+	<para>Once complete, both internal <acronym>IP</acronym>
-	addresses should be reachable using &man.ping.8;:</para>
+	  addresses should be reachable using &man.ping.8;:</para>
-      <programlisting>priv-net# ping 10.0.0.5
+	<programlisting>priv-net# ping 10.0.0.5
 PING 10.0.0.5 (10.0.0.5): 56 data bytes
 64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms
 64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms
@ -2532,26 +2532,26 @@ PING 10.246.38.1 (10.246.38.1): 56 data bytes
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms</programlisting>
-      <para>As expected, both sides have the ability to send and
+	<para>As expected, both sides have the ability to send and
-	receive <acronym>ICMP</acronym> packets from the privately
+	  receive <acronym>ICMP</acronym> packets from the privately
-	configured addresses.  Next, both gateways must be told how
+	  configured addresses.  Next, both gateways must be told how
-	to route packets in order to correctly send traffic from
+	  to route packets in order to correctly send traffic from
-	either network.  The following command will achieve this
+	  either network.  The following command will achieve this
-	goal:</para>
+	  goal:</para>
-      <screen>&prompt.root; <userinput>corp-net# route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput></screen>
+	<screen>&prompt.root; <userinput>corp-net# route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput></screen>
-      <screen>&prompt.root; <userinput>corp-net# route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput></screen>
+	<screen>&prompt.root; <userinput>corp-net# route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput></screen>
-      <screen>&prompt.root; <userinput>priv-net# route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput></screen>
+	<screen>&prompt.root; <userinput>priv-net# route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput></screen>
-      <screen>&prompt.root; <userinput>priv-net# route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen>
+	<screen>&prompt.root; <userinput>priv-net# route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen>
-      <para>At this point, internal machines should be reachable
+	<para>At this point, internal machines should be reachable
-	from each gateway as well as from machines behind the
+	  from each gateway as well as from machines behind the
-	gateways.  Again, use &man.ping.8; to confirm:</para>
+	  gateways.  Again, use &man.ping.8; to confirm:</para>
-      <programlisting>corp-net# ping 10.0.0.8
+	<programlisting>corp-net# ping 10.0.0.8
 PING 10.0.0.8 (10.0.0.8): 56 data bytes
 64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms
 64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms
@ -2573,15 +2573,15 @@ PING 10.246.38.1 (10.246.38.107): 56 data bytes
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms</programlisting>
-      <para>Setting up the tunnels is the easy part.  Configuring a
+	<para>Setting up the tunnels is the easy part.  Configuring a
-	secure link is a more in depth process.  The following
+	  secure link is a more in depth process.  The following
-	configuration uses pre-shared (<acronym>PSK</acronym>)
+	  configuration uses pre-shared (<acronym>PSK</acronym>)
-	<acronym>RSA</acronym> keys.  Other than the
+	  <acronym>RSA</acronym> keys.  Other than the
-	<acronym>IP</acronym> addresses, the
+	  <acronym>IP</acronym> addresses, the
-	<filename>/usr/local/etc/racoon/racoon.conf</filename> on
+	  <filename>/usr/local/etc/racoon/racoon.conf</filename> on
-	both gateways will be identical and look similar to:</para>
+	  both gateways will be identical and look similar to:</para>
-      <programlisting>path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
+	<programlisting>path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
 log     debug;	#log verbosity setting: set to 'notify' when testing and debugging is complete
 padding	# options are not to be changed
@ -2639,33 +2639,33 @@ sainfo  (address 10.246.38.0/24 any address 10.0.0.0/24 any)	# address $network/
        compression_algorithm   deflate;
 }</programlisting>
-      <para>For descriptions of each available option, refer to the
+	<para>For descriptions of each available option, refer to the
-	manual page for <filename>racoon.conf</filename>.</para>
+	  manual page for <filename>racoon.conf</filename>.</para>
-      <para>The Security Policy Database (<acronym>SPD</acronym>)
+	<para>The Security Policy Database (<acronym>SPD</acronym>)
-	needs to be configured so that &os; and
+	  needs to be configured so that &os; and
-	<application>racoon</application> are able to encrypt and
+	  <application>racoon</application> are able to encrypt and
-	decrypt network traffic between the hosts.</para>
+	  decrypt network traffic between the hosts.</para>
-      <para>This can be achieved with a shell script, similar to the
+	<para>This can be achieved with a shell script, similar to the
-	following, on the corporate gateway.  This file will be used
+	  following, on the corporate gateway.  This file will be used
-	during system initialization and should be saved as
+	  during system initialization and should be saved as
-	<filename>/usr/local/etc/racoon/setkey.conf</filename>.</para>
+	  <filename>/usr/local/etc/racoon/setkey.conf</filename>.</para>
-      <programlisting>flush;
+	<programlisting>flush;
 spdflush;
 # To the home network
 spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
 spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;</programlisting>
-      <para>Once in place, <application>racoon</application> may be
+	<para>Once in place, <application>racoon</application> may be
-	started on both gateways using the following command:</para>
+	  started on both gateways using the following command:</para>
-      <screen>&prompt.root; <userinput>/usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log</userinput></screen>
+	<screen>&prompt.root; <userinput>/usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log</userinput></screen>
-      <para>The output should be similar to the following:</para>
+	<para>The output should be similar to the following:</para>
-      <programlisting>corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
+	<programlisting>corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
 Foreground mode.
 2006-01-30 01:35:47: INFO: begin Identity Protection mode.
 2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon
@ -2678,43 +2678,43 @@ Foreground mode.
 2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]-&gt;172.16.5.4[0] spi=124397467(0x76a279b)
 2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]-&gt;192.168.1.12[0] spi=175852902(0xa7b4d66)</programlisting>
-      <para>To ensure the tunnel is working properly, switch to
+	<para>To ensure the tunnel is working properly, switch to
-	another console and use &man.tcpdump.1; to view network
+	  another console and use &man.tcpdump.1; to view network
-	traffic using the following command.  Replace
+	  traffic using the following command.  Replace
-	<literal>em0</literal> with the network interface card as
+	  <literal>em0</literal> with the network interface card as
-	required:</para>
+	  required:</para>
-      <screen>&prompt.root; <userinput>tcpdump -i em0 host <replaceable>172.16.5.4 and dst 192.168.1.12</replaceable></userinput></screen>
+	<screen>&prompt.root; <userinput>tcpdump -i em0 host <replaceable>172.16.5.4 and dst 192.168.1.12</replaceable></userinput></screen>
-      <para>Data similar to the following should appear on the
+	<para>Data similar to the following should appear on the
-	console.  If not, there is an issue and debugging the
+	  console.  If not, there is an issue and debugging the
-	returned data will be required.</para>
+	  returned data will be required.</para>
-      <programlisting>01:47:32.021683 IP corporatenetwork.com &gt; 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)
+	<programlisting>01:47:32.021683 IP corporatenetwork.com &gt; 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)
 01:47:33.022442 IP corporatenetwork.com &gt; 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xb)
 01:47:34.024218 IP corporatenetwork.com &gt; 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc)</programlisting>
-      <para>At this point, both networks should be available and
+	<para>At this point, both networks should be available and
-	seem to be part of the same network.  Most likely both
+	  seem to be part of the same network.  Most likely both
-	networks are protected by a firewall.  To allow traffic to
+	  networks are protected by a firewall.  To allow traffic to
-	flow between them, rules need to be added to pass packets.
+	  flow between them, rules need to be added to pass packets.
-	For the &man.ipfw.8; firewall, add the following lines to the
+	  For the &man.ipfw.8; firewall, add the following lines to
-	firewall configuration file:</para>
+	  the firewall configuration file:</para>
-      <programlisting>ipfw add 00201 allow log esp from any to any
+	<programlisting>ipfw add 00201 allow log esp from any to any
 ipfw add 00202 allow log ah from any to any
 ipfw add 00203 allow log ipencap from any to any
 ipfw add 00204 allow log udp from any 500 to any</programlisting>
-      <note>
+	<note>
-	<para>The rule numbers may need to be altered depending on
+	  <para>The rule numbers may need to be altered depending on
-	  the current host configuration.</para>
+	    the current host configuration.</para>
-      </note>
+	</note>
-      <para>For users of &man.pf.4; or &man.ipf.8;, the following
+	<para>For users of &man.pf.4; or &man.ipf.8;, the following
-	rules should do the trick:</para>
+	  rules should do the trick:</para>
-      <programlisting>pass in quick proto esp from any to any
+	<programlisting>pass in quick proto esp from any to any
 pass in quick proto ah from any to any
 pass in quick proto ipencap from any to any
 pass in quick proto udp from any port = 500 to any port = 500
@ -2725,16 +2725,16 @@ pass out quick proto ipencap from any to any
 pass out quick proto udp from any port = 500 to any port = 500
 pass out quick on gif0 from any to any</programlisting>
-      <para>Finally, to allow the machine to start support for the
+	<para>Finally, to allow the machine to start support for the
-	<acronym>VPN</acronym> during system initialization, add the
+	  <acronym>VPN</acronym> during system initialization, add the
-	following lines to <filename>/etc/rc.conf</filename>:</para>
+	  following lines to <filename>/etc/rc.conf</filename>:</para>
-      <programlisting>ipsec_enable="YES"
+	<programlisting>ipsec_enable="YES"
 ipsec_program="/usr/local/sbin/setkey"
 ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
 racoon_enable="yes"</programlisting>
-    </sect3>
+      </sect3>
-  </sect2>
+    </sect2>
  </sect1>
  <sect1 id="openssh">
@ -3719,11 +3719,11 @@ VII. References <co id="co-ref"/></programlisting>
  <sect1 id="security-resourcelimits">
    <sect1info>
      <authorgroup>
-       <author>
+	<author>
-         <firstname>Tom</firstname>
+	  <firstname>Tom</firstname>
-         <surname>Rhodes</surname>
+	  <surname>Rhodes</surname>
-         <contrib>Contributed by </contrib>
+	  <contrib>Contributed by </contrib>
-       </author>
+	</author>
      </authorgroup>
    </sect1info>
@ -3767,35 +3767,37 @@ VII. References <co id="co-ref"/></programlisting>
    <programlisting>options         RACCT
 options         RCTL</programlisting>
-    <para>The entire system will need rebuilt.  See <xref
+    <para>The entire system will need rebuilt.  See
-        linkend="kernelconfig"/>, which will provide instructions for
+      <xref linkend="kernelconfig"/>, which will provide instructions
-      the process.  Once this is complete, the <command>rctl</command>
+      for the process.  Once this is complete, the
-      may be used to set rules for the system.</para>
+      <command>rctl</command> may be used to set rules for the
      system.</para>
    <para>Rule syntax is simple, controlled through the use of
-      a <emphasis>subject</emphasis>, a <emphasis>subject-id</emphasis>,
+      a <emphasis>subject</emphasis>, a
-      <emphasis>resource</emphasis>, and <emphasis>action</emphasis>.
+      <emphasis>subject-id</emphasis>, <emphasis>resource</emphasis>,
-      Take the following example rule:</para>
+      and <emphasis>action</emphasis>.  Take the following example
      rule:</para>
    <programlisting>user:trhodes:<literal>maxproc</literal>:<literal>deny</literal>=10/user</programlisting>
-    <para>This rule shows a basic premise of a rule, here the
+    <para>This rule shows a basic premise of a rule, here the subject
-      subject is <literal>user</literal> and the subject-id
+      is <literal>user</literal> and the subject-id is
-      is <literal>trhodes</literal>.  The maxproc is, of course,
+      <literal>trhodes</literal>.  The maxproc is, of course, max
-      max number of processes, which is considered the resource.
+      number of processes, which is considered the resource.  The
-      The action here is set to <literal>deny</literal>, which blocks
+      action here is set to <literal>deny</literal>, which blocks any
-      any new processes from being created.  In the previous example,
+      new processes from being created.  In the previous example, the
-      the user, <literal>trhodes</literal> will be constrained
+      user, <literal>trhodes</literal> will be constrained to
-      to <literal>10</literal> (ten) processes and no greater.
+      <literal>10</literal> (ten) processes and no greater.  Other
-      Other actions are available and could be log to the console,
+      actions are available and could be log to the console, pass a
-      pass a notification to &man.devd.8;, or
+      notification to &man.devd.8;, or send a sigterm to the
-      send a sigterm to the process.</para>
+      process.</para>
    <para>Some care must be taken while adding rules.  The one above
-      will unfortunately block my user from doing the most simple tasks
+      will unfortunately block my user from doing the most simple
-      after I have logged in and executed a <command>screen</command>
+      tasks after I have logged in and executed a
-      session.  When a resource limit has been hit, an error will
+      <command>screen</command> session.  When a resource limit has
-      be printed, as in this example:</para>
+      been hit, an error will be printed, as in this example:</para>
    <screen>&prompt.user; <userinput>man test</userinput>
    /usr/bin/man: Cannot fork: Resource temporarily unavailable
@ -3808,9 +3810,9 @@ eval: Cannot fork: Resource temporarily unavailable</screen>
    <screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
    <para>Rules may also persist across reboots if they have been
-      added to <filename>/etc/rctl.conf</filename>.  The
+      added to <filename>/etc/rctl.conf</filename>.  The format is a
-      format is a rule, without the preceding command.  For example,
+      rule, without the preceding command.  For example, the previous
-      the previous rule could be added like the following:</para>
+      rule could be added like the following:</para>
    <programlisting># Block jail from using more than 2G memory:
 jail:httpd:memoryuse:deny=2G/jail</programlisting>
@ -3826,7 +3828,7 @@ jail:httpd:memoryuse:deny=2G/jail</programlisting>
    <screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>
-    <para>Many other resources exist which can be used to excert
+    <para>Many other resources exist which can be used to exert
      additional control over various <literal>subjects</literal>.
      See &man.rctl.8; to learn about them.</para>
  </sect1>