Break long lines introduced by adding hostid tags.

While I'm here insert two spaces at the end of sentences.

This is a whitespace change only, translators can ignore this commit.

Approved by:	alex (mentor)
Martin Heinen 2002-10-14 08:13:47 +00:00
parent 11a3557156
commit be9730c884
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=14626
4 changed files with 291 additions and 251 deletions

@ -100,7 +100,7 @@
<indexterm><primary>subnet</primary></indexterm>
<para>For one machine to be able to find another over a network, there
must be a
mechanism in place to describe how to get from one to the other. This is
mechanism in place to describe how to get from one to the other. This is
called <firstterm>routing</firstterm>. A <quote>route</quote> is a defined pair of addresses: a
<quote>destination</quote> and a <quote>gateway</quote>. The pair
indicates that if you are trying to get to this
@ -231,7 +231,7 @@ host2.example.com link#1 UC 0 0
<row>
<entry>C</entry>
<entry>Clone: Generates a new route based upon this route for
machines we connect to. This type of route is normally used
machines we connect to. This type of route is normally used
for local networks.</entry>
</row>
@ -360,7 +360,7 @@ host2.example.com link#1 UC 0 0
<title>Dual Homed Hosts</title>
<indexterm><primary>dual homed hosts</primary></indexterm>
<para>There is one other type of configuration that we should cover, and
that is a host that sits on two different networks. Technically, any
that is a host that sits on two different networks. Technically, any
machine functioning as a gateway (in the example above, using a PPP
connection) counts as a dual-homed host. But the term is really only
used to refer to a machine that sits on two local-area
@ -593,7 +593,7 @@ host2.example.com link#1 UC 0 0
<para>If you need to allow non-IP packets (such as ARP) to flow
through the bridge, there is an undocumented firewall option that
must be set. This option is
must be set. This option is
<literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal>. Note that this
changes the default rule for the firewall to accept any packet.
Make sure you know how this changes the meaning of your ruleset
@ -679,7 +679,7 @@ host2.example.com link#1 UC 0 0
<para>Among the many different filesystems that FreeBSD supports is
the Network File System, also known as <acronym>NFS</acronym>.
<acronym>NFS</acronym> allows a system to share directories and files
with others over a network. By using <acronym>NFS</acronym>, users and
with others over a network. By using <acronym>NFS</acronym>, users and
programs can access files on remote systems almost as if they were local
files.</para>
@ -695,21 +695,24 @@ host2.example.com link#1 UC 0 0
<listitem>
<para>There is no need for users to have separate home directories
on every network machine. Home directories could be setup on the
<acronym>NFS</acronym> server and made available throughout the network.</para>
<acronym>NFS</acronym> server and made available throughout
the network.</para>
</listitem>
<listitem>
<para>Storage devices such as floppy disks, CDROM drives, and ZIP drives
can be used by other machines on the network. This may reduce the number
of removable media drives throughout the network.</para>
<para>Storage devices such as floppy disks, CDROM drives, and
ZIP drives can be used by other machines on the network.
This may reduce the number of removable media drives
throughout the network.</para>
</listitem>
</itemizedlist>
<sect2>
<title>How <acronym>NFS</acronym> Works</title>
<para><acronym>NFS</acronym> consists of at least two main parts: a server
and one or more clients. The client remotely accesses the data that is stored
<para><acronym>NFS</acronym> consists of at least two main parts:
a server and one or more clients. The client remotely accesses
the data that is stored
on the server machine. In order for this to function properly a few
processes have to be configured and running:</para>
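Review bot: The refill of the "How NFS Works" paragraph stops partway, leaving the short line "the data that is stored" directly above the untouched "on the server machine." line. Either refill through the end of the paragraph or break only the one overlong line, so the rewrap does not create a new ragged line that the next edit has to touch again. Separately, the context line in the first list item reads "could be setup"; the verb is "set up", which belongs in a follow-up content commit since this one is announced as whitespace-only.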
@ -866,8 +869,8 @@ mountd_flags="-r"</programlisting>
<programlisting>/usr/src /usr/ports client</programlisting>
<para>The properties of one filesystem exported to a given host
must all occur on one line. Lines without a client specified
are treated as a single host. This limits how you can export
must all occur on one line. Lines without a client specified
are treated as a single host. This limits how you can export
filesystems, but for most people this is not an issue.</para>
<para>The following is an example of a valid export list, where
@ -954,7 +957,7 @@ mountd_flags="-r"</programlisting>
<listitem>
<para>On large networks, it might be more convenient to configure a
central <acronym>NFS</acronym> server in which to store all the user
home directories. These home directories can then be exported to
home directories. These home directories can then be exported to
the network so that users would always have the same home directory,
regardless of which workstation they log in to.</para>
</listitem>
@ -1189,7 +1192,7 @@ Exports list on foobar:
<indexterm><primary>diskless operation</primary></indexterm>
<para>A FreeBSD machine can boot over the network and operate without a
local disk, using filesystems mounted from an NFS server. No system
local disk, using filesystems mounted from an NFS server. No system
modification is necessary, beyond standard configuration files.
Such a system is easy to set up because all the necessary elements
are readily available:</para>
@ -1201,16 +1204,16 @@ Exports list on foobar:
<listitem>
<para><emphasis>PXE</emphasis>: Intel's Preboot Execution
Environment system is a form of smart boot ROM built into some
networking cards or motherboards. See &man.pxeboot.8; for more
networking cards or motherboards. See &man.pxeboot.8; for more
details.</para>
</listitem>
<listitem>
<para><emphasis>The <application>etherboot</application>
port</emphasis> (<filename role="package">net/etherboot</filename>)
produces ROM-able code to boot kernels over the network. The code
produces ROM-able code to boot kernels over the network. The code
can be either burnt into a boot PROM on a network card, or loaded
from a local floppy (or hard) disk drive, or from a running
MS-DOS system. Many network cards are supported.</para>
MS-DOS system. Many network cards are supported.</para>
</listitem>
</itemizedlist>
</listitem>
@ -1219,7 +1222,7 @@ Exports list on foobar:
<para>A sample script
(<filename>/usr/share/examples/diskless/clone_root</filename>) eases
the creation and maintenance of the workstation's root filesystem
on the server. The script will probably require a little
on the server. The script will probably require a little
customization but it will get you started very quickly.</para>
</listitem>
@ -1234,11 +1237,11 @@ Exports list on foobar:
</listitem>
</itemizedlist>
<para>There are many ways to set up diskless workstations. Many
<para>There are many ways to set up diskless workstations. Many
elements are involved, and most can be customized to suit local
taste. The following will describe the setup of a complete system,
taste. The following will describe the setup of a complete system,
emphasizing simplicity and compatibility with the
standard FreeBSD startup scripts. The system described has the
standard FreeBSD startup scripts. The system described has the
following characteristics:</para>
<itemizedlist>
@ -1251,7 +1254,7 @@ Exports list on foobar:
configuration files overridden by ones specific to diskless
operation or, possibly, to the workstation they belong to.</para>
<para>The parts of the <filename>root</filename> which have to be
writable are overlaid with &man.mfs.8; filesystems. Any changes
writable are overlaid with &man.mfs.8; filesystems. Any changes
will be lost when the system reboots.</para>
</listitem>
<listitem>
@ -1274,12 +1277,12 @@ Exports list on foobar:
<para>There are two protocols that are commonly used to boot a
workstation that retrieves its configuration over the network: BOOTP
and DHCP. They are used at several points in the workstation
and DHCP. They are used at several points in the workstation
bootstrap:</para>
<itemizedlist>
<listitem><para><application>etherboot</application> uses
DHCP (by default) or BOOTP (needs a configuration option) to
find the kernel. (PXE uses DHCP).</para>
find the kernel. (PXE uses DHCP).</para>
</listitem>
<listitem><para>The kernel uses BOOTP to locate the NFS
root.</para>
@ -1305,14 +1308,14 @@ Exports list on foobar:
<para>As of release 4.4, <application>isc-dhcp
3.0</application> is not part of the base
system. You will first need to install the
system. You will first need to install the
<filename role="package">net/isc-dhcp3</filename> port or the
corresponding package. Please refer to <xref linkend="ports">
corresponding package. Please refer to <xref linkend="ports">
for general information about ports and packages.</para>
<para>Once <application>isc-dhcp</application> is installed, it
needs a configuration file to run, (normally named
<filename>/usr/local/etc/dhcpd.conf</filename>). Here follows
<filename>/usr/local/etc/dhcpd.conf</filename>). Here follows
a commented example:</para>
<programlisting>
@ -1343,7 +1346,7 @@ Exports list on foobar:
<callout arearefs="co-dhcp-host-name"><para>This option tells
<command>dhcpd</command> to send the value in the
<literal>host</literal> declarations as the hostname for the
diskless host. An alternate way would be to add an
diskless host. An alternate way would be to add an
<literal>option host-name
<replaceable>margaux</replaceable></literal> inside the
host declarations.</para>
@ -1378,13 +1381,13 @@ Exports list on foobar:
<title>Configuration Using BOOTP</title>
<para>Here follows an equivalent <command>bootpd</command>
configuration. This would be found in
configuration. This would be found in
<filename>/etc/bootptab</filename>.</para>
<para>Please note that <application>etherboot</application> must
be compiled with the non-default option
<literal>NO_DHCP_SUPPORT</literal> in order to use BOOTP, and that PXE
<emphasis>needs</emphasis> DHCP. The only obvious advantage of
<emphasis>needs</emphasis> DHCP. The only obvious advantage of
<application>bootpd</application> is that it exists in the base system.</para>
<programlisting>
@ -1410,20 +1413,20 @@ Exports list on foobar:
site</ulink> contains
<ulink url="http://etherboot.sourceforge.net/doc/html/userman.html">
extensive documentation</ulink> mainly intended for Linux
systems, but nonetheless containing useful information. The following
systems, but nonetheless containing useful information. The following
will just outline how you would use
<application>etherboot</application> on a FreeBSD system.</para>
<para>You must first install the
<filename role="package">net/etherboot</filename> package or port. The
<application>etherboot</application> port can normally be found in
<filename>/usr/ports/net/etherboot</filename>. If the ports tree is
<filename>/usr/ports/net/etherboot</filename>. If the ports tree is
installed on your system, just typing <literal>make</literal> in
this directory should take care of everything. Else refer to
this directory should take care of everything. Else refer to
<xref linkend="ports"> for information about ports and
packages.</para>
<para>For our setup, we shall use a boot floppy. For other methods
<para>For our setup, we shall use a boot floppy. For other methods
(PROM, or dos program), please refer to the
<application>etherboot</application> documentation.</para>
@ -1438,7 +1441,7 @@ Exports list on foobar:
</screen>
<para><replaceable>devicetype</replaceable> depends on the type of
the Ethernet card in the diskless workstation. Refer to the
the Ethernet card in the diskless workstation. Refer to the
<filename>NIC</filename> file in the same directory to determine the
right <replaceable>devicetype</replaceable>.</para>
@ -1463,7 +1466,7 @@ Exports list on foobar:
<programlisting>tftp dgram udp wait nobody /usr/libexec/tftpd tftpd /tftpboot</programlisting>
<note><para>It appears that at least some PXE versions want
the TCP version of TFTP. In this case, add a second line,
the TCP version of TFTP. In this case, add a second line,
replacing <literal>dgram udp</literal> with <literal>stream
tcp</literal>.</para>
</note>
@ -1476,7 +1479,7 @@ Exports list on foobar:
</procedure>
<para>You can place the <filename>tftpboot</filename>
directory anywhere on the server. Make sure that the
directory anywhere on the server. Make sure that the
location is set in both <filename>inetd.conf</filename> and
<filename>dhcpd.conf</filename>.</para>
@ -1493,12 +1496,15 @@ Exports list on foobar:
<para>Export the filesystem where the diskless root directory
is located by adding the following to
<filename>/etc/exports</filename> (adjust the volume mount
point and replace <replaceable>margaux</replaceable> with the name of the diskless workstation):</para>
point and replace <replaceable>margaux</replaceable>
with the name of the diskless workstation):</para>
<programlisting><replaceable>/data/misc</replaceable> -alldirs -ro <replaceable>margaux</replaceable></programlisting>
</step>
<step>
<para>Tell <command>mountd</command> to reread its configuration
file. If you actually needed to enable NFS in <filename>/etc/rc.conf</filename>
file. If you actually needed to enable NFS in
<filename>/etc/rc.conf</filename>
at the first step, you probably want to reboot instead.</para>
<screen>&prompt.root; <userinput>kill -HUP `cat /var/run/mountd.pid`</userinput></screen>
</step>
@ -1539,15 +1545,15 @@ Exports list on foobar:
<para>The easiest way to do this is to use the
<filename>/usr/share/examples/diskless/clone_root</filename>
shell script. This script needs customization, at least to adjust the
place where the filesystem will be created (the
shell script. This script needs customization, at least to adjust
the place where the filesystem will be created (the
<literal>DEST</literal> variable).
<para>Refer to the comments at the top of the script for
instructions. They explain how the base filesystem is built,
instructions. They explain how the base filesystem is built,
and how files may be selectively overridden by versions specific
to diskless operation, to a subnetwork, or to an individual
workstation. They also give examples for the diskless
workstation. They also give examples for the diskless
<filename>/etc/fstab</filename> and <filename>
/etc/rc.conf</filename> files.</para>
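Review bot: The paragraph rewrapped at the top of this hunk ends at "<literal>DEST</literal> variable)." and is never explicitly closed in the visible lines before the next "<para>Refer to the comments" opens. Adding the missing </para> is worth a follow-up commit, kept separate so this one stays whitespace-only. In the same hunk the "<filename>" tag is split from "/etc/rc.conf</filename>" by a line break, which puts whitespace inside the filename element; keeping the tag and its content on one line avoids that.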
@ -1558,7 +1564,7 @@ Exports list on foobar:
they actually document a configuration method which is distinct
from the one used by <filename>clone_root</filename> and
<filename>/etc/rc.diskless[12]</filename>, which is a little
confusing. Use them for reference only, except if you prefer
confusing. Use them for reference only, except if you prefer
the method that they describe, in which case you will need
customized <filename>rc</filename> scripts.</para>
</sect3>
@ -1588,7 +1594,7 @@ Exports list on foobar:
</programlisting>
<para>The idea is that, at least for a FreeBSD client,
DHCP/BOOTP option code 128 is the path to the NFS swap file,
and option code 129 is the swap size in kilobytes. Older
and option code 129 is the swap size in kilobytes. Older
versions of <command>dhcpd</command> allowed a syntax of
<literal>option option-128 "...</literal>, which does not
seem to work any more.</para>
@ -1644,7 +1650,7 @@ Exports list on foobar:
<command>tar</command> or <command>cpio</command>.</para>
<para>In this situation, there are sometimes
problems with the special files in <filename>/dev</filename>,
due to differing major/minor integer sizes. A solution to this
due to differing major/minor integer sizes. A solution to this
problem is to export a directory from the non-FreeBSD server,
mount this directory onto a FreeBSD machine, and run
<command>MAKEDEV</command> on the FreeBSD machine
@ -1709,7 +1715,7 @@ Exports list on foobar:
</indexterm>
<para>FreeBSD's ISDN implementation supports only the DSS1/Q.931
(or Euro-ISDN) standard using passive cards. Starting with
(or Euro-ISDN) standard using passive cards. Starting with
FreeBSD&nbsp;4.4, some active cards are supported where the firmware
also supports other signaling protocols; this also includes the
first supported Primary Rate (PRI) ISDN card.</para>
@ -1717,7 +1723,7 @@ Exports list on foobar:
<para><application>Isdn4bsd</application> allows you to connect
to other ISDN routers using either IP over raw HDLC or by using
synchronous PPP: either by using kernel PPP with isppp, a
modified sppp driver, or by using userland &man.ppp.8;. By using
modified sppp driver, or by using userland &man.ppp.8;. By using
userland &man.ppp.8;, channel bonding of two or more ISDN
B-channels is possible. A telephone answering machine
application is also available as well as many utilities such as
@ -1754,7 +1760,7 @@ Exports list on foobar:
<para>For questions regarding the installation, configuration
and troubleshooting <application>isdn4bsd</application>, a
majordomo maintained mailing list is available. To join, send
majordomo maintained mailing list is available. To join, send
mail to &a.majordomo; and specify:</para>
<para><literal>subscribe freebsd-isdn</literal></para>
@ -1819,9 +1825,9 @@ Exports list on foobar:
synchronous serial ports.</para>
<para>A TA running off a standard PC serial port (asynchronous) limits
you to 115.2&nbsp;Kbs, even though you have a 128&nbsp;Kbs connection. To fully
utilize the 128&nbsp;Kbs that ISDN is capable of, you must move the TA to a
synchronous serial card.</para>
you to 115.2&nbsp;Kbs, even though you have a 128&nbsp;Kbs connection.
To fully utilize the 128&nbsp;Kbs that ISDN is capable of,
you must move the TA to a synchronous serial card.</para>
<para>Do not be fooled into buying an internal TA and thinking you have
avoided the synchronous/asynchronous issue. Internal TA's simply have
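Review bot: The rewrapped sentence writes the rate unit as "Kbs" (115.2&nbsp;Kbs and 128&nbsp;Kbs), while the multi-connection paragraph later in this same file writes "64&nbsp;Kbps". Since these three lines are being touched anyway, note the inconsistency for a follow-up content commit that settles on one spelling of the unit; changing it here would break the promise to translators that this commit is whitespace-only.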
@ -1953,12 +1959,12 @@ ISDN BRI line</literallayout>
2 separate sites at the <emphasis>same</emphasis> time. This is not
supported on most TA's, except for specific (usually expensive) models
that
have two serial ports. Do not confuse this with channel bonding, MPP,
have two serial ports. Do not confuse this with channel bonding, MPP,
etc.</para>
<para>This can be a very useful feature if, for example, you have an
dedicated ISDN connection at your office and would like to
tap into it, but do not want to get another ISDN line at work. A router
tap into it, but do not want to get another ISDN line at work. A router
at the office location can manage a dedicated B channel connection
(64&nbsp;Kbps) to the Internet and use the other B channel for a
separate data connection. The second B channel can be used for
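Review bot: The first paragraph in this hunk still has the word "that" alone on its own line, directly above the line being re-spaced ("have two serial ports."), so the paragraph stays ragged after a commit whose purpose is line layout. Folding "that" into the neighbouring line would be in scope here. The context line "you have an dedicated ISDN connection" also needs "a" instead of "an", which should go in a separate content commit.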
@ -2057,13 +2063,13 @@ ISDN BRI line</literallayout>
<entry>NIS domainname</entry>
<entry>An NIS master server and all of its clients
(including its slave servers) have a NIS
domainname. Similar to an NT domain name, the NIS
domainname. Similar to an NT domain name, the NIS
domainname does not have anything to do with DNS.</entry>
</row>
<row>
<entry>portmap</entry>
<entry>Must be running in order to enable RPC (Remote
Procedure Call, a network protocol used by NIS). If
Procedure Call, a network protocol used by NIS). If
<command>portmap</command> is not running, it will be
impossible to run an NIS server, or to act as an NIS
client.</entry>
@ -2074,7 +2080,7 @@ ISDN BRI line</literallayout>
<entry><quote>binds</quote> an NIS client to its NIS
server. It will take the NIS domainname from the
system, and using RPC, connect to the
server. <command>ypbind</command> is the core of
server. <command>ypbind</command> is the core of
client-server communication in an NIS environment; if
<command>ypbind</command> dies on a client machine, it
will not be able to access the NIS server.</entry>
@ -2082,7 +2088,7 @@ ISDN BRI line</literallayout>
<row>
<entry>ypserv</entry>
<entry>Should only be running on NIS servers, is the NIS
server process itself. If &man.ypserv.8; dies, then the
server process itself. If &man.ypserv.8; dies, then the
server will no longer be able to respond to NIS requests
(hopefully, there is a slave server to take over for
it). There are some implementations of NIS (but not the
@ -2156,7 +2162,7 @@ ISDN BRI line</literallayout>
Similar to NT's backup domain
controllers, NIS slave servers maintain copies of the NIS
master's data files. NIS slave servers provide the redundancy,
which is needed in important environments. They also help
which is needed in important environments. They also help
to balance the load of the master server: NIS Clients always
attach to the NIS server whose response they get first, and
this includes slave-server-replies.</para>
@ -2166,7 +2172,7 @@ ISDN BRI line</literallayout>
<secondary>client</secondary>
</indexterm>
<listitem>
<para><emphasis>NIS clients</emphasis>. NIS clients, like most
<para><emphasis>NIS clients</emphasis>. NIS clients, like most
NT workstations, authenticate against the NIS server (or the NT
domain controller in the NT Workstation case) to log on.</para>
</listitem>
@ -2265,7 +2271,7 @@ ISDN BRI line</literallayout>
that are related in some way.</para>
<para>Some organizations choose to use their Internet domainname
for their NIS domainname. This is not recommended as it can
for their NIS domainname. This is not recommended as it can
cause confusion when trying to debug network problems. The
NIS domainname should be unique within your network and it is
helpful if it describes the group of machines it represents.
@ -2723,23 +2729,23 @@ nis_client_enable="YES"</programlisting>
<title>Barring Some Users from Logging On</title>
<para>In our lab, there is a machine <hostid>basie</hostid> that is
supposed to be a faculty only workstation. We do not want to take this
supposed to be a faculty only workstation. We do not want to take this
machine out of the NIS domain, yet the <filename>passwd</filename>
file on the master NIS server contains accounts for both faculty and
students. What can we do?</para>
students. What can we do?</para>
<para>There is a way to bar specific users from logging on to a
machine, even if they are present in the NIS database. To do this,
machine, even if they are present in the NIS database. To do this,
all you must do is add
<emphasis>-<replaceable>username</replaceable></emphasis> to the end of
the <filename>/etc/master.passwd</filename> file on the client
machine, where <replaceable>username</replaceable> is the username of
the user you wish to bar from logging in. This should preferably be
the user you wish to bar from logging in. This should preferably be
done using <command>vipw</command>, since <command>vipw</command>
will sanity check your changes to
<filename>/etc/master.passwd</filename>, as well as
automatically rebuild the password database when you
finish editing. For example, if we wanted to bar user
finish editing. For example, if we wanted to bar user
<emphasis>bill</emphasis> from logging on to <hostid>basie</hostid>
we would:</para>
@ -3197,7 +3203,7 @@ TWO (,hotel,test-domain)
</listitem>
<listitem>
<para><emphasis>Keep the administration accounts out of the NIS
maps</emphasis>. You do not want to be propagating administrative
maps</emphasis>. You do not want to be propagating administrative
accounts and passwords to machines that will have users that
should not have access to those accounts.</para>
</listitem>
@ -3209,7 +3215,7 @@ TWO (,hotel,test-domain)
the ability to login to the lab.</para>
<para>This is the chief weakness of any centralized administration
system, and it is probably the most important weakness. If you do
system, and it is probably the most important weakness. If you do
not protect your NIS servers, you will have a lot of angry
users!</para>
</listitem>
@ -3270,7 +3276,7 @@ nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</
<para>One of the most common issues that people run into when trying
to implement NIS is crypt library compatibility. If your NIS
server is using the DES crypt libraries, it will only support
clients that are using DES as well. To check which one your server
clients that are using DES as well. To check which one your server
and clients are using look at the symlinks in
<filename>/usr/lib</filename>. If the machine is configured to
use the DES libraries, it will look something like this:</para>
@ -3330,7 +3336,7 @@ lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 libscrypt.so@ -> libscrypt.so.2
<para>DHCP, the Dynamic Host Configuration Protocol, describes
the means by which a system can connect to a network and obtain the
necessary information for communication upon that network. FreeBSD
necessary information for communication upon that network. FreeBSD
uses the ISC (Internet Software Consortium) DHCP implementation, so
all implementation-specific information here is for use with the ISC
distribution.</para>
@ -3355,12 +3361,12 @@ lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 libscrypt.so@ -> libscrypt.so.2
<para>When <command>dhclient</command>, the DHCP client, is executed on
the client
machine, it begins broadcasting requests for configuration
information. By default, these requests are on UDP port 68. The
information. By default, these requests are on UDP port 68. The
server replies on UDP 67, giving the client an IP address and
other relevant network information such as netmask, router, and
DNS servers. All of this information comes in the form of a DHCP
DNS servers. All of this information comes in the form of a DHCP
<quote>lease</quote> and is only valid for a certain time (configured by the
DHCP server maintainer). In this manner, stale IP addresses for
DHCP server maintainer). In this manner, stale IP addresses for
clients no longer connected to the network can be automatically
reclaimed.</para>
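Review bot: The sentences re-spaced here say the client's requests "are on UDP port 68" and the server "replies on UDP 67", which is ambiguous about direction and reads as reversed: DHCP clients send from port 68 to the server's port 67, and the server answers from port 67 to the client's port 68. Anyone writing packet filter rules from this paragraph could open the wrong direction. A follow-up content commit could state source and destination ports explicitly for both messages; the wording change does not belong in this whitespace-only commit.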
@ -3462,8 +3468,8 @@ dhcp_flags=""</programlisting>
<itemizedlist>
<listitem><para><filename>/etc/dhclient.conf</filename></para>
<para><command>dhclient</command> requires a configuration file,
<filename>/etc/dhclient.conf</filename>. Typically the file
contains only comments, the defaults being reasonably sane. This
<filename>/etc/dhclient.conf</filename>. Typically the file
contains only comments, the defaults being reasonably sane. This
configuration file is described by the &man.dhclient.conf.5;
manual page.</para>
</listitem>
@ -3618,7 +3624,7 @@ host mailhost {
<callout arearefs="default-lease-time">
<para>A client may request a specific length of time that a
lease will be valid. Otherwise the server will assign
lease will be valid. Otherwise the server will assign
a lease with this expiry value (in seconds).</para>
</callout>
@ -3671,7 +3677,7 @@ host mailhost {
<literal>SIGHUP</literal> signal to
<application>dhcpd</application> does <emphasis>not</emphasis>
result in the configuration being reloaded, as it does with most
daemons. You will need to send a <literal>SIGTERM</literal>
daemons. You will need to send a <literal>SIGTERM</literal>
signal to stop the process, and then restart it using the command
above.</para>
</sect3>
@ -3697,7 +3703,7 @@ host mailhost {
will start providing service to clients. This file needs to
contain all the information that should be provided to clients
that are being serviced, along with information regarding the
operation of the server. This configuration file is described
operation of the server. This configuration file is described
by the dhcpd.conf(5) manual page installed
by the port.</para>
</listitem>
@ -3712,7 +3718,7 @@ host mailhost {
<listitem><para><filename>/usr/local/sbin/dhcrelay</filename></para>
<para><application>dhcrelay</application> is used in advanced
environments where one DHCP server forwards a request from a
client to another DHCP server on a separate network. The
client to another DHCP server on a separate network. The
dhcrelay(8) manual page provided with the
port contains more detail.</para>
</listitem>
@ -4056,7 +4062,8 @@ Internet.
trafficked, fast name server, enabling this may be worthwhile.
</para>
<warning><para><hostid role="ipaddr">127.0.0.1</hostid> will <emphasis>not</emphasis> work here.
<warning><para><hostid role="ipaddr">127.0.0.1</hostid>
will <emphasis>not</emphasis> work here.
Change this IP address to a name server at your uplink.</para>
</warning>
@ -4162,8 +4169,8 @@ zone "0.168.192.in-addr.arpa" {
<para>For each new zone served, a new zone entry must be added to
<filename>named.conf</filename></para>
<para>For example, the simplest zone entry for <hostid role="domainname">example.org</hostid> can
look like:</para>
<para>For example, the simplest zone entry for
<hostid role="domainname">example.org</hostid> can look like:</para>
<programlisting>zone "example.org" {
type master;
@ -4314,7 +4321,7 @@ example.org. IN SOA ns1.example.org. admin.example.org. (
<listitem><para>the responsible person for this zone,
email address with @
replaced. (<email>admin@example.org</email> becomes
replaced. (<email>admin@example.org</email> becomes
<literal>admin.example.org</literal>)</para>
</listitem>
</varlistentry>
@ -4356,7 +4363,8 @@ mail IN A 3.2.1.10
<para>
The A record indicates machine names. As seen above,
<hostid>ns1.example.org</hostid> would resolve to
<hostid role="ipaddr">3.2.1.2</hostid>. Again, the origin symbol, <literal>@</literal>, is
<hostid role="ipaddr">3.2.1.2</hostid>. Again,
the origin symbol, <literal>@</literal>, is
used here, thus meaning <hostid>example.org</hostid>
would resolve to <hostid role="ipaddr">3.2.1.30</hostid>.
</para>
@ -4368,7 +4376,8 @@ www IN CNAME @</programlisting>
The canonical name record is usually used for giving aliases
to a machine. In the example, <hostid>www</hostid> is
aliased to the machine addressed to the origin, or
<hostid>example.org</hostid> (<hostid role="ipaddr">3.2.1.30</hostid>).
<hostid>example.org</hostid>
(<hostid role="ipaddr">3.2.1.30</hostid>).
<varname>CNAME</varname>s can be used to provide alias
hostnames, or round robin one hostname among multiple
machines.
@ -4456,27 +4465,27 @@ www IN CNAME @</programlisting>
</indexterm>
<para>For added security you may want to run &man.named.8; as an
unprivileged user, and configure it to &man.chroot.8; into a
sandbox directory. This makes everything outside of the sandbox
inaccessible to the <application>named</application> daemon. Should
sandbox directory. This makes everything outside of the sandbox
inaccessible to the <application>named</application> daemon. Should
<application>named</application> be compromised, this will help to
reduce the damage that can be caused. By default, FreeBSD has a user
reduce the damage that can be caused. By default, FreeBSD has a user
and a group called <groupname>bind</groupname>, intended for this
use.</para>
<note><para>Various people would recommend that instead of configuring
<application>named</application> to <command>chroot</command>, you
should run <application>named</application> inside a &man.jail.8;. This
section does not attempt to cover this situation.</para>
should run <application>named</application> inside a &man.jail.8;.
This section does not attempt to cover this situation.</para>
</note>
<para>Since <application>named</application> will not be able to
access anything outside of the sandbox (such as shared
libraries, log sockets, and so on), there are a number of steps
that need to be followed in order to allow
<application>named</application> to function correctly. In the
<application>named</application> to function correctly. In the
following checklist, it is assumed that the path to the sandbox
is <filename>/etc/namedb</filename> and that you have made no
prior modifications to the contents of this directory. Perform
prior modifications to the contents of this directory. Perform
the following steps as <username>root</username>.</para>
<itemizedlist>
@ -4567,7 +4576,7 @@ $TTL 6h
run it. Since the contents of /var/run are deleted on boot,
if this is something that you find useful you
may wish to add this command to root's crontab, making use
of the <option>@reboot</option> option. See
of the <option>@reboot</option> option. See
&man.crontab.5; for more information regarding
this.</para>
</note>
@ -4577,7 +4586,7 @@ $TTL 6h
<listitem>
<para>Configure &man.syslogd.8; to create an extra
<devicename>log</devicename> socket that
<application>named</application> can write to. To do this,
<application>named</application> can write to. To do this,
add <literal>-l /etc/namedb/dev/log</literal> to the
<varname>syslogd_flags</varname> variable in
<filename>/etc/rc.conf</filename>.</para>
@ -4605,7 +4614,7 @@ named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"</programlisting>
<para>The next step is to edit
<filename>/etc/namedb/etc/named.conf</filename> so that
<application>named</application> knows which zones to load and
where to find them on the disk. There follows a commented
where to find them on the disk. There follows a commented
example (anything not specifically commented here is no
different from the setup for a DNS server not running in a
sandbox):</para>
@ -4692,7 +4701,7 @@ zone "10.168.192.in-addr.arpa" in {
server or restart &man.syslogd.8; and start &man.named.8;, making
sure to use the new options specified in
<varname>syslogd_flags</varname> and
<varname>named_flags</varname>. You should now be running a
<varname>named_flags</varname>. You should now be running a
sandboxed copy of <application>named</application>!</para>
</sect2>
@ -5004,10 +5013,10 @@ driftfile /var/db/ntp.drift</programlisting>
<para>FreeBSD's Network Address Translation daemon, commonly known as
&man.natd.8; is a daemon that accepts incoming raw IP packets,
changes the source to the local machine and re-injects these packets
back into the outgoing IP packet stream. natd does this by changing
the source IP address and port such that when data is received back, it is
able to determine the original location of the data and forward it
back to its original requester.</para>
back into the outgoing IP packet stream. natd does this by changing
the source IP address and port such that when data is received back,
it is able to determine the original location of the data and forward
it back to its original requester.</para>
<indexterm><primary>Internet connection sharing</primary></indexterm>
<indexterm><primary>IP masquerading</primary></indexterm>
<para>The most common use of NAT is to perform what is commonly known as
@ -5127,10 +5136,14 @@ natd_flags=""</programlisting>
<ulink url="ftp://ftp.isi.edu/in-notes/rfc1918.txt">RFC 1918</ulink>
and have a default gateway of the natd machine's internal IP address.</para>
<para>For example, client a and b behind the LAN have IP addresses of <hostid role="ipaddr">192.168.0.2</hostid>
and <hostid role="ipaddr">192.168.0.3</hostid>, while the natd machine's LAN interface has an IP address of
<hostid role="ipaddr">192.168.0.1</hostid>. Client a and b's default gateway must be set to that of
the natd machine, <hostid role="ipaddr">192.168.0.1</hostid>. The natd machine's external, or
<para>For example, client a and b behind the LAN have IP addresses
of <hostid role="ipaddr">192.168.0.2</hostid> and
<hostid role="ipaddr">192.168.0.3</hostid>, while the natd
machine's LAN interface has an IP address of
<hostid role="ipaddr">192.168.0.1</hostid>. Client a and b's
default gateway must be set to that of the natd machine,
<hostid role="ipaddr">192.168.0.1</hostid>.
The natd machine's external, or
Internet interface does not require any special modification for natd
to work.</para>
</sect2>
@ -5139,7 +5152,7 @@ natd_flags=""</programlisting>
<title>Port Redirection</title>
<para>The drawback with natd is that the LAN clients are not accessible
from the Internet. Clients on the LAN can make outgoing connections to
from the Internet. Clients on the LAN can make outgoing connections to
the world but cannot receive incoming ones. This presents a problem
if trying to run Internet services on one of the LAN client machines.
A simple way around this is to redirect selected Internet ports on the
@ -5181,15 +5194,20 @@ natd_flags=""</programlisting>
<sect2 id="address-redirection">
<title>Address Redirection</title>
<indexterm><primary>address redirection</primary></indexterm>
<para>Address redirection is useful if several IP addresses are available, yet
they must be on one machine. With this, &man.natd.8; can assign each
LAN client its own external IP address. &man.natd.8; then rewrites outgoing
packets from the LAN clients with the proper external IP address and redirects
all traffic incoming on that particular IP address back to the specific LAN
client. This is also known as static NAT. For example, the IP addresses
<hostid role="ipaddr">128.1.1.1</hostid>, <hostid role="ipaddr">128.1.1.2</hostid>, and <hostid role="ipaddr">128.1.1.3</hostid> belong to the natd gateway
machine. <hostid role="ipaddr">128.1.1.1</hostid> can be used as the natd gateway machine's external
IP address, while <hostid role="ipaddr">128.1.1.2</hostid> and <hostid role="ipaddr">128.1.1.3</hostid> are forwarded back to LAN
<para>Address redirection is useful if several IP addresses are
available, yet they must be on one machine. With this,
&man.natd.8; can assign each LAN client its own external IP address.
&man.natd.8; then rewrites outgoing packets from the LAN clients
with the proper external IP address and redirects
all traffic incoming on that particular IP address back to
the specific LAN client. This is also known as static NAT.
For example, the IP addresses <hostid role="ipaddr">128.1.1.1</hostid>,
<hostid role="ipaddr">128.1.1.2</hostid>, and
<hostid role="ipaddr">128.1.1.3</hostid> belong to the natd gateway
machine. <hostid role="ipaddr">128.1.1.1</hostid> can be used
as the natd gateway machine's external IP address, while
<hostid role="ipaddr">128.1.1.2</hostid> and
<hostid role="ipaddr">128.1.1.3</hostid> are forwarded back to LAN
clients A and B.</para>
<para>The -redirect_address syntax is as follows:</para>
@ -5832,7 +5850,7 @@ lp0: TCP/IP capable interface</screen>
both computers.</para>
<para>Configure the network interface parameters for lp0 on both
sites as <username>root</username>. For example, if you want connect
sites as <username>root</username>. For example, if you want connect
the host host1 with host2</para>
<programlisting> host1 &lt;-----&gt; host2
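Review bot: The touched sentence "For example, if you want connect the host host1 with host2" is missing "to" after "want" and has no closing punctuation before the listing. Because the commit message promises translators a whitespace-only change, leave the wording alone here and fix it in a separate content commit.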
@ -5847,7 +5865,7 @@ IP Address 10.0.0.1 10.0.0.2</programlisting>
<screen>&prompt.root; <userinput>ifconfig lp0 10.0.0.2 10.0.0.1</userinput></screen>
<para>You now should have a working connection. Please read the
<para>You now should have a working connection. Please read the
manual pages &man.lp.4; and &man.lpt.4; for more details.</para>
<para>You should also add both hosts to
@ -5916,13 +5934,15 @@ round-trip min/avg/max/stddev = 2.530/2.643/2.774/0.103 ms</screen>
<itemizedlist>
<listitem>
<para>Running out of addresses. Today this is not so much of a concern
anymore since private address spaces (<hostid role="ipaddr">10.0.0.0/8</hostid>, <hostid role="ipaddr">192.168.0.0/24</hostid>,
anymore since private address spaces
(<hostid role="ipaddr">10.0.0.0/8</hostid>,
<hostid role="ipaddr">192.168.0.0/24</hostid>,
etc.) and natd address translation are being employed.</para>
</listitem>
<listitem>
<para>Router table entries were getting to large. This is still a concern
today.</para>
<para>Router table entries were getting to large. This is
still a concern today.</para>
</listitem>
</itemizedlist>
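Review bot: The re-wrapped private address example still gives 192.168.0.0/24, but the RFC 1918 block is 192.168.0.0/16, so the prefix length on the new hostid line is wrong. The second item in this hunk also keeps "getting to large" (should be "too large"). Both are content fixes, so they belong in a follow-up commit rather than in this whitespace-only change.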
@ -5930,10 +5950,10 @@ round-trip min/avg/max/stddev = 2.530/2.643/2.774/0.103 ms</screen>
<itemizedlist>
<listitem>
<para>128 bit address space. In other words theoretically there are
<para>128 bit address space. In other words theoretically there are
340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
available. This means there are approximately. 6.67 * 10^27 IPv6 addresses
per square meter on our planet.</para>
available. This means there are approximately.
6.67 * 10^27 IPv6 addresses per square meter on our planet.</para>
</listitem>
<listitem>
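Review bot: The new wrapping ends a line at "This means there are approximately." which keeps the stray period after "approximately" and, under the two-spaces-after-a-sentence convention this commit applies, makes it read as a sentence end. Drop the period in a follow-up content commit so the sentence runs on to "6.67 * 10^27 IPv6 addresses per square meter".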
@ -6047,14 +6067,19 @@ round-trip min/avg/max/stddev = 2.530/2.643/2.774/0.103 ms</screen>
<quote>x</quote> being a 16 Bit hex value. For example
<hostid role="ip6addr">FEBC:A574:382B:23C1:AA49:4592:4EFE:9982</hostid></para>
<para>Often an address will have long substrings of all zeros therefore each
such substring can be abbreviated by <quote>::</quote>. For example <hostid role="ip6addr">fe80::1</hostid>
corresponds to the canonical form <hostid role="ip6addr">fe80:0000:0000:0000:0000:0000:0000:0001</hostid></para>
<para>Often an address will have long substrings of all zeros
therefore each such substring can be abbreviated by <quote>::</quote>.
For example <hostid role="ip6addr">fe80::1</hostid>
corresponds to the canonical form
<hostid role="ip6addr">fe80:0000:0000:0000:0000:0000:0000:0001</hostid></para>
<para>A third form is to write the last 32 Bit part in the well known (decimal)
IPv4 style with dots <quote>.</quote> as separators. For example <hostid role="ip6addr">2002::10.0.0.1</hostid>
<para>A third form is to write the last 32 Bit part in the
well known (decimal) IPv4 style with dots <quote>.</quote>
as separators. For example
<hostid role="ip6addr">2002::10.0.0.1</hostid>
corresponds to the (hexadecimal) canonical representation
<hostid role="ip6addr">2002:0000:0000:0000:0000:0000:000a:0001</hostid> which in turn is equivalent to
<hostid role="ip6addr">2002:0000:0000:0000:0000:0000:000a:0001</hostid>
which in turn is equivalent to
writing <hostid role="ip6addr">2002::a:1</hostid></para>
<para>By now the reader should be able to understand the following:</para>
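Review bot: The re-wrapped third-form example is numerically wrong: 10.0.0.1 is the bytes 0a 00 00 01, so 2002::10.0.0.1 expands to 2002:0000:0000:0000:0000:0000:0a00:0001 and compresses to 2002::a00:1, not to the 000a:0001 and 2002::a:1 shown in the hostid lines. As written, the canonical form corresponds to 0.10.0.1. This is a content error that predates the re-wrap, so fix it in a separate commit that translators do need to pick up.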
@ -6068,10 +6093,12 @@ round-trip min/avg/max/stddev = 2.530/2.643/2.774/0.103 ms</screen>
media: Ethernet autoselect (100baseTX )
status: active</programlisting>
<para><hostid role="ip6addr">fe80::200:21ff:fe03:8e1%rl0</hostid> is an auto configured link-local address. It
includes the enscrambled Ethernet MAC as part of the auto configuration.</para>
<para><hostid role="ip6addr">fe80::200:21ff:fe03:8e1%rl0</hostid>
is an auto configured link-local address. It includes the
enscrambled Ethernet MAC as part of the auto configuration.</para>
<para>For further information on the structure of IPv6 addresses see RFC2373</para>
<para>For further information on the structure of IPv6 addresses
see RFC2373</para>
</sect2>
<sect2>
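Review bot: In the re-wrapped link-local paragraph, "enscrambled Ethernet MAC" is not a word and hides what actually happens; something like "an interface identifier derived from the Ethernet MAC address" would be clearer. The last paragraph, "see RFC2373", also still lacks its terminating period. Neither is whitespace, so both should go into a follow-up content commit.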

View file

@ -133,7 +133,7 @@
<para>The <filename>/usr</filename> partition holds much
of the files required to support the system, the &man.ports.7;
collection (recommended) and the source code (optional). Both
collection (recommended) and the source code (optional). Both
of which are optional at install time.
At least 2 gigabytes would be recommended for this partition.
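Review bot: The sentence-spacing fix after "(optional)." treats "Both of which are optional at install time." as a sentence, but it is a fragment, and it contradicts the "(recommended)" label on the ports collection two lines up. Suggest rewording in a follow-up content commit, for example "Both are optional at install time."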
@ -157,10 +157,10 @@
<indexterm><primary>swap partition</primary></indexterm>
<para>As a rule of thumb, the swap partition should be
about double the size of system memory (RAM). For example, if the machine
has 128&nbsp;megabytes of memory, the swap file should be
256&nbsp;megabytes. Systems with less memory may perform better with
more swap.
about double the size of system memory (RAM). For example,
if the machine has 128&nbsp;megabytes of memory,
the swap file should be 256&nbsp;megabytes. Systems with
less memory may perform better with more swap.
Less than 256&nbsp;megabytes of swap is not recommended and
memory expansion should be considered.
The kernel's VM paging algorithms are tuned to
@ -227,7 +227,7 @@
<para>The principal location for system configuration information
is within <filename>/etc/rc.conf</filename>. This file
contains a wide range of configuration information, principally
used at system startup to configure the system. Its name
used at system startup to configure the system. Its name
directly implies this; it is configuration information for the
<filename>rc*</filename> files.</para>
@ -582,12 +582,14 @@ tun0: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1500</screen>
<listitem>
<para>The card has an Internet (<literal>inet</literal>)
address (in this case <hostid role="ipaddr">192.168.1.3</hostid>).</para>
address (in this case
<hostid role="ipaddr">192.168.1.3</hostid>).</para>
</listitem>
<listitem>
<para>It has a valid subnet mask (<literal>netmask</literal>;
<hostid role="netmask">0xffffff00</hostid> is the same as <hostid role="netmask">255.255.255.0</hostid>).</para>
<hostid role="netmask">0xffffff00</hostid> is the same as
<hostid role="netmask">255.255.255.0</hostid>).</para>
</listitem>
<listitem>
@ -863,10 +865,14 @@ round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 ms</screen>
<para>For example, consider the case where the
<devicename>fxp0</devicename> interface is
connected to two networks, the <hostid role="ipaddr">10.1.1.0</hostid> network with a netmask
of <hostid role="netmask">255.255.255.0</hostid> and the <hostid role="ipaddr">202.0.75.16</hostid> network with a netmask of
<hostid role="netmask">255.255.255.240</hostid>. We want the system to appear at <hostid role="ipaddr">10.1.1.1</hostid>
through <hostid role="ipaddr">10.1.1.5</hostid> and at <hostid role="ipaddr">202.0.75.17</hostid> through <hostid role="ipaddr">202.0.75.20</hostid>.</para>
connected to two networks, the <hostid role="ipaddr">10.1.1.0</hostid>
network with a netmask of <hostid role="netmask">255.255.255.0</hostid>
and the <hostid role="ipaddr">202.0.75.16</hostid> network with
a netmask of <hostid role="netmask">255.255.255.240</hostid>.
We want the system to appear at <hostid role="ipaddr">10.1.1.1</hostid>
through <hostid role="ipaddr">10.1.1.5</hostid> and at
<hostid role="ipaddr">202.0.75.17</hostid> through
<hostid role="ipaddr">202.0.75.20</hostid>.</para>
<para>The following entries configure the adapter correctly for
this arrangement:</para>
@ -1515,7 +1521,7 @@ kern.maxfiles: 2088 -> 5000</screen>
approximately 2&nbsp;K of memory, so a value of 1024 represents 2
megabytes of kernel memory reserved for network buffers. A
simple calculation can be done to figure out how many are
needed. If you have a web server which maxes out at 1000
needed. If you have a web server which maxes out at 1000
simultaneous connections, and each connection eats a 16&nbsp;K receive
and 16&nbsp;K send buffer, you need approximately 32&nbsp;MB worth of
network buffers to cover the web server. A good rule of thumb is

View file

@ -228,7 +228,7 @@
extended partition.</para>
<para>Each partition has a <firstterm>partition ID</firstterm>, which is
a number used to identify the type of data on the partition. FreeBSD
a number used to identify the type of data on the partition. FreeBSD
partitions have the partition ID <literal>165</literal>.</para>
<para>In general, each operating system that you use will identify
@ -240,7 +240,7 @@
<para>FreeBSD must be installed into a primary partition. FreeBSD can
keep all its data, including any files that you create, on this one
partition. However, if you have multiple disks, then you can create a
FreeBSD partition on all, or some, of them. When you install FreeBSD,
FreeBSD partition on all, or some, of them. When you install FreeBSD,
you must have one partition available. This might be a blank
partition that you have prepared, or it might be an existing partition
that contains data that you no longer care about.</para>
@ -325,14 +325,14 @@
<indexterm><primary>Alpha</primary></indexterm>
<para>You will need a dedicated disk for FreeBSD on the
Alpha. It is not possible to share a disk with another
Alpha. It is not possible to share a disk with another
operating system at this time. Depending on the specific
Alpha machine you have, this disk can either be a SCSI disk
or an IDE disk, as long as your machine is capable of
booting from it.</para>
<para>Following the conventions of the Digital / Compaq
manuals all SRM input is shown in uppercase. SRM is case
manuals all SRM input is shown in uppercase. SRM is case
insensitive.</para>
<para>To find the names and types of disks in your machine, use
@ -350,18 +350,18 @@ pqa0.0.0.4.0 PQA0 PCI EIDE
pqb0.0.1.4.0 PQB0 PCI EIDE</screen>
<para>This example is from a Digital Personal Workstation
433au and shows three disks attached to the machine. The
433au and shows three disks attached to the machine. The
first is a CDROM drive called <devicename>DKA0</devicename> and
the other two are disks and are called
<devicename>DKC0</devicename> and
<devicename>DKC100</devicename> respectively.</para>
<para>Disks with names of the form <devicename>DKx</devicename>
are SCSI disks. For example <devicename>DKA100</devicename>
are SCSI disks. For example <devicename>DKA100</devicename>
refers to a SCSI with SCSI target ID 1 on the first SCSI bus (A),
whereas <devicename>DKC300</devicename> refers to a SCSI disk
with SCSI ID 3 on the third SCSI bus (C). Devicename <devicename>
PKx</devicename> refers to the SCSI host bus adapter. As
with SCSI ID 3 on the third SCSI bus (C). Devicename <devicename>
PKx</devicename> refers to the SCSI host bus adapter. As
seen in the <literal>SHOW DEVICE</literal> output SCSI
CDROM drives are treated as any other SCSI hard disk drive.</para>
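Review bot: In the DKC300 lines the break still falls inside the element, with `<devicename>` ending one line and `PKx</devicename>` starting the next, so the device name carries a newline and indentation in its content. Since this commit is about line breaking, move the break before `<devicename>` so the tag and its text stay on one line. Separately, "refers to a SCSI with SCSI target ID 1" is missing the word "disk", which is a content fix for a later commit.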
@ -526,7 +526,7 @@ pqb0.0.1.4.0 PQB0 PCI EIDE</screen>
<para>If you have FreeBSD on CDROM or DVD (either one you purchased,
or you prepared yourself), and your computer allows you to boot from
the CDROM or DVD (typically a BIOS option called <quote>Boot
Order</quote> or similar) then you can skip this section. The
Order</quote> or similar) then you can skip this section. The
FreeBSD CDROM and DVD images are bootable and can be used to install
FreeBSD without any other special preparation.</para>
</tip>
@ -954,7 +954,7 @@ Booting [kernel] in 9 seconds... _</screen>
</listitem>
<listitem>
<para>Drivers that have been marked inactive. They remain in the
<para>Drivers that have been marked inactive. They remain in the
kernel, but they will not probe for their device when the kernel
starts. These are subdivided into groups in the same way as the
active driver list.</para>
@ -1119,8 +1119,8 @@ Booting [kernel] in 9 seconds... _</screen>
<para>The last few hundred lines that have been displayed on screen are
stored and can be reviewed.</para>
<para>To review the buffer, press <keycap>Scroll Lock</keycap>. This
turns on scrolling in the display. You can then use the arrow keys, or
<para>To review the buffer, press <keycap>Scroll Lock</keycap>. This
turns on scrolling in the display. You can then use the arrow keys, or
<keycap>PageUp</keycap> and <keycap>PageDown</keycap> to view the
results. Press <keycap>Scroll Lock</keycap> again to stop
scrolling.</para>
@ -1331,9 +1331,8 @@ Mounting root from ufs:/dev/md0c
<para>A different keyboard mapping may be chosen by selecting the
menu item using up/down arrow keys and pressing <keycap>Space</keycap>.
Pressing <keycap>Space</keycap> again will unselect the item. When
finished, choose the &gui.ok; using the
arrow keys and press
Pressing <keycap>Space</keycap> again will unselect the item.
When finished, choose the &gui.ok; using the arrow keys and press
<keycap>Enter</keycap>.</para>
<para>Only a partial list is shown in this screen representation.
@ -1383,7 +1382,7 @@ Mounting root from ufs:/dev/md0c
to the version being installed.</para>
<para>The description of the selected item will appear at the
bottom of the screen highlighted in blue. Notice that one of the
bottom of the screen highlighted in blue. Notice that one of the
options is <guimenuitem>Use Defaults</guimenuitem> to reset all
values to startup defaults.</para>
@ -1444,7 +1443,7 @@ Mounting root from ufs:/dev/md0c
. Then, if the
first drive fails, or is attacked by a virus, or is scribbled upon by an
operating system defect, he can easily recover by instructing the BIOS
to logically swap the drives. It is like switching the cables on the
to logically swap the drives. It is like switching the cables on the
drives, but without having to open the case.</para>
<indexterm><primary>SCSI</primary></indexterm>
@ -1470,7 +1469,7 @@ Mounting root from ufs:/dev/md0c
Adventures:</title>
<para>Bill breaks-down an older Wintel box to make another FreeBSD box
for Fred. Bill installs a single SCSI drive as SCSI unit zero and
for Fred. Bill installs a single SCSI drive as SCSI unit zero and
installs FreeBSD on it.</para>
<para>Fred begins using the system, but after several days notices that
@ -1507,9 +1506,9 @@ Mounting root from ufs:/dev/md0c
<para>When Bill made an image copy of the original SCSI unit zero onto
SCSI unit four, unit four became the <quote>new clone</quote>.
When Bill
re-ordered the SCSI BIOS so that he could boot from SCSI unit four, he
was only fooling himself. FreeBSD was still running on SCSI unit zero.
When Bill re-ordered the SCSI BIOS so that he could boot from
SCSI unit four, he was only fooling himself.
FreeBSD was still running on SCSI unit zero.
Making this kind of BIOS change will cause some or all of the Boot and
Loader code to be fetched from the selected BIOS drive, but when the
FreeBSD kernel drivers take-over, the BIOS drive numbering will be
@ -1780,7 +1779,7 @@ Mounting root from ufs:/dev/md0c
partition they are contained in.</para>
<para>FreeBSD also uses disk space for <firstterm>swap
space</firstterm>. Swap space provides FreeBSD with
space</firstterm>. Swap space provides FreeBSD with
<firstterm>virtual memory</firstterm>. This allows your computer to
behave as though it has much more memory than it actually does. When
FreeBSD runs out of memory it moves some of the data that is not
@ -1849,13 +1848,13 @@ Mounting root from ufs:/dev/md0c
<para>Slice numbers follow
the device name, prefixed with an <literal>s</literal>,
starting at 1. So <quote>da0<emphasis>s1</emphasis></quote>
is the first slice on the first SCSI drive. There can only be
starting at 1. So <quote>da0<emphasis>s1</emphasis></quote>
is the first slice on the first SCSI drive. There can only be
four physical slices on a disk, but you can have logical
slices inside physical slices of the appropriate type. These
slices inside physical slices of the appropriate type. These
extended slices are numbered starting at 5, so
<quote>ad0<emphasis>s5</emphasis></quote> is the first
extended slice on a disk. These devices are used by file
extended slice on a disk. These devices are used by file
systems that expect to occupy a slice.</para>
<para>Slices, <quote>dangerously dedicated</quote> physical
@ -1871,7 +1870,7 @@ Mounting root from ufs:/dev/md0c
<para>Finally, each disk on the system is identified. A disk name
starts with a code that indicates the type of disk, and then a number,
indicating which disk it is. Unlike slices, disk numbering starts at
0. Common codes that you will see are listed in
0. Common codes that you will see are listed in
<xref linkend="install-dev-codes">.</para>
<para>When referring to a partition FreeBSD requires that you also name
@ -2255,7 +2254,7 @@ Mounting root from ufs:/dev/md0c
<para>Certain applications can benefit from particular partition
schemes, especially if you are laying out partitions across more than
one disk. However, for this, your first FreeBSD installation, you do
one disk. However, for this, your first FreeBSD installation, you do
not need to give too much thought to how you partition the disk. It
is more important that you install FreeBSD and start learning how to
use it. You can always re-install FreeBSD to change your partition
@ -2575,7 +2574,7 @@ Mounting root from ufs:/dev/md0c
<para>Your final FreeBSD DiskLabel Editor screen will appear similar to
<xref linkend="sysinstall-label4">, although your values chosen may
be different. Press <keycap>Q</keycap> to finish.</para>
be different. Press <keycap>Q</keycap> to finish.</para>
<figure id="sysinstall-label4">
<title>Sysinstall Disklabel Editor</title>
@ -2999,8 +2998,8 @@ installation menus to try and retry whichever operations have failed.
<listitem>
<para>IP address of host forwarding packets to non-local
destinations. Fill this in only if the machine is a node
on the network. <emphasis>Leave this field blank</emphasis>
destinations. Fill this in only if the machine is a node
on the network. <emphasis>Leave this field blank</emphasis>
if the machine is the gateway to the Internet for the
network.</para>
</listitem>
@ -3010,10 +3009,10 @@ installation menus to try and retry whichever operations have failed.
<term>Name server</term>
<listitem>
<para>IP address of your local DNS server. There is no local
<para>IP address of your local DNS server. There is no local
DNS server on this private local area network so the IP
address of the provider's DNS server (<hostid role="ipaddr">208.163.10.2</hostid>) was
used.</para>
address of the provider's DNS server
(<hostid role="ipaddr">208.163.10.2</hostid>) was used.</para>
</listitem>
</varlistentry>
@ -3031,9 +3030,11 @@ installation menus to try and retry whichever operations have failed.
<listitem>
<para>The address block being used for this local area
network is a Class C block (<hostid role="ipaddr">192.168.0.0</hostid> -
<hostid role="ipaddr">192.168.255.255</hostid>). The default netmask is for a Class C
network (<hostid role="netmask">255.255.255.0</hostid>).</para>
network is a Class C block
(<hostid role="ipaddr">192.168.0.0</hostid> -
<hostid role="ipaddr">192.168.255.255</hostid>).
The default netmask is for a Class C network
(<hostid role="netmask">255.255.255.0</hostid>).</para>
</listitem>
</varlistentry>
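Review bot: The re-wrapped netmask entry calls 192.168.0.0 - 192.168.255.255 "a Class C block", but that range spans 256 Class C networks; with the 255.255.255.0 netmask given on the last line, the LAN is a single Class C network inside that range. The wording predates this commit, so correct it in a follow-up content change rather than here.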
@ -3042,7 +3043,7 @@ installation menus to try and retry whichever operations have failed.
<listitem>
<para>Any interface-specific options to <command>ifconfig</command>
you would like to add. There were none in this case.</para>
you would like to add. There were none in this case.</para>
</listitem>
</varlistentry>
@ -3168,7 +3169,7 @@ use the current settings.
<para>Anyone can access your machine if you elect to allow
anonymous FTP connections. The security implications should be
considered before enabling this option. For more information
considered before enabling this option. For more information
about security see <xref linkend="security">.</para>
<para>To allow anonymous FTP, use the arrow keys to select
@ -3670,7 +3671,7 @@ To change any of these settings later, edit /etc/rc.conf
<title>Mouse Settings</title>
<para>This option will allow you to cut and paste text in the
console and user programs with a 3-button mouse. If using a 2-button
console and user programs with a 3-button mouse. If using a 2-button
mouse, refer to manual page, &man.moused.8;, after installation for
details on emulating the 3-button style. This example depicts a
non-USB mouse configuration:</para>
@ -3778,8 +3779,11 @@ To change any of these settings later, edit /etc/rc.conf
or others, the X server will need to be configured.</para>
<note>
<para>In order to run <application>XFree86</application> as a non <username>root</username> user you will need to
have <filename role="package">x11/wrapper</filename> installed. This is installed by default beginning with FreeBSD 4.7. For earlier versions this can be added
<para>In order to run <application>XFree86</application> as a
non <username>root</username> user you will need to
have <filename role="package">x11/wrapper</filename> installed.
This is installed by default beginning with FreeBSD 4.7. For
earlier versions this can be added
from the Package Selection menu.</para>
</note>
@ -4291,9 +4295,9 @@ failed. Would you like to try again?
<application>xvidtune</application>.</para>
<para>There are warnings that improper settings can
damage your equipment. Heed them. If in doubt, do not do
it. Instead, use the monitor controls to adjust the display for
X Window. There may be some display differences when switching
damage your equipment. Heed them. If in doubt, do not do
it. Instead, use the monitor controls to adjust the display for
X Window. There may be some display differences when switching
back to text mode, but it is better than damaging equipment.</para>
<para>Read the &man.xvidtune.1; manual page before making
@ -4575,7 +4579,7 @@ failed. Would you like to try again?
</figure>
<para>Groups could also be added at this time if specific needs
are known. Otherwise, this may be accessed through using
are known. Otherwise, this may be accessed through using
<filename>/stand/sysinstall</filename> after installation is
completed.</para>
@ -4598,7 +4602,7 @@ failed. Would you like to try again?
<para>Press <keycap>Enter</keycap> to set the <username>root</username>
password.</para>
<para>The password will need to be typed in twice correctly. Needless to
<para>The password will need to be typed in twice correctly. Needless to
say, make sure you have a way of finding the password if you
forget.</para>
@ -4648,8 +4652,8 @@ failed. Would you like to try again?
[ Yes ] No</screen>
<para>Select <guibutton>[ Yes ]</guibutton> and remove the floppy if
booting from the floppy. The CDROM drive is locked until the machine
starts to reboot. The CDROM drive is then unlocked and the disk can
booting from the floppy. The CDROM drive is locked until the machine
starts to reboot. The CDROM drive is then unlocked and the disk can
be removed from drive (quickly).</para>
<para>The system will reboot so watch for any error messages that
@ -4848,8 +4852,8 @@ Password:</screen>
system. Do not just turn off power. First, become a superuser by
typing <command>su</command> at the command line and entering the
<username>root</username> password. This will work only if the user
is a member of the <groupname>wheel</groupname> group. Otherwise, login as
<username>root</username> and use
is a member of the <groupname>wheel</groupname> group.
Otherwise, login as <username>root</username> and use
<command>shutdown -h now</command>.</para>
<screen>The operating system has halted.
@ -4857,7 +4861,7 @@ Please press any key to reboot.</screen>
<para>It is safe to turn off the power after the shutdown command
has been issued and the message <quote>Please press any key to reboot</quote>
appears. If any key is pressed instead of turning off the power
appears. If any key is pressed instead of turning off the power
switch, the system will reboot.</para>
<para>You could also use the
@ -5019,7 +5023,7 @@ Please press any key to reboot.</screen>
free piece. You first defragment your MS-DOS partition using
the Windows <application>DEFRAG</application> utility (go into
Explorer, right-click on the hard drive, and choose to defrag
your hard drive), or Norton Disk Tools. You then must run
your hard drive), or Norton Disk Tools. You then must run
<application>FIPS</application>. It will prompt you for the
rest of the information it needs. Afterwards, you can reboot
and install FreeBSD on the new free slice. See the
@ -5032,7 +5036,7 @@ Please press any key to reboot.</screen>
</indexterm>
<para>There is also a <emphasis>very</emphasis> useful product
from <ulink url="http://www.powerquest.com/">PowerQuest</ulink>
called <application>Partition Magic</application>. This
called <application>Partition Magic</application>. This
application has far more functionality than
<application>FIPS</application>, and is highly recommended if
you plan to often add/remove operating systems (like me).
@ -5170,17 +5174,17 @@ Please press any key to reboot.</screen>
<para>This type of installation is called a <quote>headless
install</quote>, because the machine that you are trying to install
FreeBSD on either does not have a monitor attached to it, or does not
even have a VGA output. How is this possible you ask? Using a
serial console. A serial console is basically using another
even have a VGA output. How is this possible you ask? Using a
serial console. A serial console is basically using another
machine to act as the main display and keyboard for a
system. To do this, just follow these steps:</para>
system. To do this, just follow these steps:</para>
<procedure>
<step>
<title>Fetch the Right Boot Floppy Images</title>
<para>First you will need to get the right disk images so
that you can boot into the install program. The secret
that you can boot into the install program. The secret
with using a serial console is that you tell the boot
loader to send I/O through a serial port instead of
displaying console output to the VGA device and trying to
@ -5260,9 +5264,9 @@ Please press any key to reboot.</screen>
<primary><command>mount</command></primary>
</indexterm>
<para>If you were to boot into the floppies that you just
made, FreeBSD would boot into its normal install mode. We
made, FreeBSD would boot into its normal install mode. We
want FreeBSD to boot into a serial console for our
install. To do this, you have to mount the
install. To do this, you have to mount the
<filename>kern.flp</filename> floppy onto your FreeBSD
system using the &man.mount.8; command.</para>
@ -5274,7 +5278,7 @@ Please press any key to reboot.</screen>
<screen>&prompt.root; <userinput>cd /mnt</userinput></screen>
<para>Here is where you must set the floppy to boot into a
serial console. You have to make a file called
serial console. You have to make a file called
<filename>boot.config</filename> containing
<literal>/boot/loader -h</literal>. All this does is pass a flag to the bootloader to
boot into a serial console.</para>
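Review bot: the line starting `<literal>/boot/loader -h</literal>.` in this paragraph is still well over 80 columns after the change, although the sentence break two lines above it is being touched. Since the commit is whitespace-only anyway, refill the paragraph here so the break falls right after `<literal>/boot/loader -h</literal>.` and the rest of the sentence starts on the next line.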
@ -5297,8 +5301,8 @@ Please press any key to reboot.</screen>
<indexterm><primary>null modem cable</primary></indexterm>
<para>You now need to connect a null modem cable between
the two machines. Just connect the cable to the serial
ports of the 2 machines. <emphasis>A normal serial cable
the two machines. Just connect the cable to the serial
ports of the 2 machines. <emphasis>A normal serial cable
will not work here</emphasis>, you need a null modem
cable because it has some of the wires inside crossed
over.</para>
@ -5307,7 +5311,7 @@ Please press any key to reboot.</screen>
<step>
<title>Booting Up for the Install</title>
<para>It is now time to go ahead and start the install. Put
<para>It is now time to go ahead and start the install. Put
the <filename>kern.flp</filename> floppy in the floppy
drive of the machine you are doing the headless install
on, and power on the machine.</para>
@ -5328,7 +5332,7 @@ Please press any key to reboot.</screen>
<para>That's it! You should be able to control the headless machine
through your <command>cu</command> session now. It will ask you to
put in the <filename>mfsroot.flp</filename>, and then it will come up
with a selection of what kind of terminal to use. Just select the
with a selection of what kind of terminal to use. Just select the
FreeBSD color console and proceed with your install!</para>
</sect2>
@ -5458,7 +5462,7 @@ Please press any key to reboot.</screen>
</note>
<para>You <emphasis>must</emphasis> download one of either the mini
ISO image, or the image of disc one. Do not download both of them,
ISO image, or the image of disc one. Do not download both of them,
since the disc one image contains everything that the mini ISO
image contains.</para>
@ -5478,7 +5482,7 @@ Please press any key to reboot.</screen>
<step>
<title>Write the CDs</title>
<para>You must then write the CD images to disc. If you will be
<para>You must then write the CD images to disc. If you will be
doing this on another FreeBSD system then see
<xref linkend="creating-cds"> for more information (in
particular, <xref linkend="burncd"> and
@ -5719,10 +5723,10 @@ Please press any key to reboot.</screen>
<para>If you use PAP or CHAP to connect your ISP (in other words, if
you can connect to the ISP in Windows without using a script), then
all you will need to do is type in <command>dial</command> at the
<application>ppp</application> prompt. Otherwise, you will need to
<application>ppp</application> prompt. Otherwise, you will need to
know how to dial your ISP using the <quote>AT commands</quote>
specific to your modem, as the PPP dialer provides only a very
simple terminal emulator. Please refer to the user-ppp <link
simple terminal emulator. Please refer to the user-ppp <link
linkend="userppp">handbook</link> and <ulink
url="../faq/ppp.html">FAQ</ulink> entries for further information.
If you have problems, logging can be directed to the screen using

View file

@ -278,7 +278,7 @@
<title>Command vs. Protocol</title>
<para>Throughout this document, we will use
<application>bold</application> text to refer to a command or
application. This is used for instances such as ssh, since it is
application. This is used for instances such as ssh, since it is
a protocol as well as command.</para>
</note>
@ -327,7 +327,7 @@
verification to operate. One way to make <username>root</username>
accessible is to add appropriate staff accounts to the
<groupname>wheel</groupname> group (in
<filename>/etc/group</filename>). The staff members placed in the
<filename>/etc/group</filename>). The staff members placed in the
<groupname>wheel</groupname> group are allowed to
<command>su</command> to <username>root</username>.
You should never give staff
@ -355,7 +355,7 @@
<username>root</username> access is to use an alternative
login access method and
do what is known as <quote>starring</quote> out the encrypted
password for the staff accounts. Using the &man.vipw.8;
password for the staff accounts. Using the &man.vipw.8;
command, one can replace each instance of an encrypted password
with a single <quote><literal>*</literal></quote> character.
This command will update the <filename>/etc/master.passwd</filename>
@ -383,7 +383,7 @@
the machine used to login <emphasis>from</emphasis> (typically
one's workstation). An additional layer of protection can be
added to the key pair by password protecting the key pair when
creating it with &man.ssh-keygen.1;. Being able to
creating it with &man.ssh-keygen.1;. Being able to
<quote>star</quote> out the passwords for staff accounts also
guarantees that staff members can only login through secure
access methods that you have setup. This forces all staff
@ -496,7 +496,7 @@
<application>imapd</application>, <application>ftpd</application>,
and others. There are alternatives to some of these, but
installing them may require more work than you are willing to
perform (the convenience factor strikes again). You may have to
perform (the convenience factor strikes again). You may have to
run these servers as <username>root</username> and rely on other
mechanisms to detect break-ins that might occur through them.</para>
@ -780,7 +780,7 @@
its face. It is also prudent to run sendmail in queued mode
(<option>-ODeliveryMode=queued</option>) and to run the daemon
(<command>sendmail -bd</command>) separate from the queue-runs
(<command>sendmail -q15m</command>). If you still want real-time
(<command>sendmail -q15m</command>). If you still want real-time
delivery you can run the queue at a much lower interval, such as
<option>-q1m</option>, but be sure to specify a reasonable
<literal>MaxDaemonChildren</literal> option for
@ -1013,7 +1013,7 @@
encrypted with the DES hash and also begin with the characters
<literal>&dollar;1&dollar;</literal>. Passwords starting with
<literal>&dollar;2&dollar;</literal> are encrypted with the
Blowfish hash function. DES password strings do not
Blowfish hash function. DES password strings do not
have any particular identifying characteristics, but they are
shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the <literal>&dollar;</literal>
@ -1047,7 +1047,7 @@
<para>From version 5.0 of FreeBSD, S/Key has been replaced with
the functionally equivalent OPIE (Onetime Passwords In
Everything). OPIE uses the MD5 hash by default.</para>
Everything). OPIE uses the MD5 hash by default.</para>
<para>There are three different sorts of passwords which we will talk
about in the discussion below. The first is your usual Unix-style or
@ -1094,15 +1094,15 @@
reinitialized.</para>
<para>There are three programs involved in each system
which we will discuss below. The <command>key</command> and
which we will discuss below. The <command>key</command> and
<command>opiekey</command> programs accept an iteration
count, a seed, and a secret password, and generate a one-time
password or a consecutive list of one-time passwords. The
password or a consecutive list of one-time passwords. The
<command>keyinit</command> and <command>opiepasswd</command>
programs are used to initialize S/Key and OPIE respectively,
and to change passwords, iteration counts, or seeds; they
take either a secret passphrase, or an iteration count,
seed, and one-time password. The <command>keyinfo</command>
seed, and one-time password. The <command>keyinfo</command>
and <command>opieinfo</command> programs examine the
relevant credentials files (<filename>/etc/skeykeys</filename> or
<filename>/etc/opiekeys</filename>) and print out the invoking user's
@ -2175,7 +2175,7 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
provides packet accounting with each firewall entry.</para>
<para>If an <emphasis>index</emphasis> value is supplied, it is used to
place the entry at a specific point in the chain. Otherwise, the
place the entry at a specific point in the chain. Otherwise, the
entry is placed at the end of the chain at an index 100 greater than
the last chain entry (this does not include the default policy, rule
65535, deny).</para>
@ -2305,11 +2305,12 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<para>A valid hostname may be specified in place of the IP address.
<option><replaceable>mask-bits</replaceable></option> is a decimal
number representing how many bits in the address mask should be set.
e.g. specifying <hostid role="netmask">192.216.222.1/24</hostid> will create a
e.g. specifying <hostid role="netmask">192.216.222.1/24</hostid>
will create a
mask which will allow any address in a class C subnet (in this case,
<hostid role="ipaddr">192.216.222</hostid>) to be matched.
<option><replaceable>mask-pattern</replaceable></option> is an IP
address which will be logically AND'ed with the address given. The
address which will be logically AND'ed with the address given. The
keyword <literal>any</literal> may be used to specify <quote>any IP
address</quote>.</para>
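Review bot: the new break after `192.216.222.1/24</hostid>` leaves `will create a` stranded as a line of its own, directly above a full-width line. Refill the remainder of the sentence (`will create a mask which will allow any address in a class C subnet ...`) so the paragraph wraps evenly; that is still a whitespace-only change and keeps the source readable.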
@ -2454,7 +2455,7 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<term>-t</term>
<listitem>
<para>Display the last match times for each chain entry. The
<para>Display the last match times for each chain entry. The
time listing is incompatible with the input syntax used by the
&man.ipfw.8; utility.</para>
</listitem>
@ -2589,12 +2590,12 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<para>The next problem is what your firewall should actually
<emphasis>do</emphasis>! This is largely dependent on what access to
your network you want to allow from the outside, and how much access
to the outside world you want to allow from the inside. Some general
to the outside world you want to allow from the inside. Some general
rules are:</para>
<itemizedlist>
<listitem>
<para>Block all incoming access to ports below 1024 for TCP. This is
<para>Block all incoming access to ports below 1024 for TCP. This is
where most of the security sensitive services are, like finger,
SMTP (mail) and telnet.</para>
</listitem>
@ -2646,10 +2647,10 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<title>IPFW Overhead and Optimization</title>
<para>Many people want to know how much overhead IPFW adds to a
system. The answer to this depends mostly on your rule set and
processor speed. For most applications dealing with Ethernet
system. The answer to this depends mostly on your rule set and
processor speed. For most applications dealing with Ethernet
and small rule sets, the answer is
<quote>negligible</quote>. For those of you that need actual
<quote>negligible</quote>. For those of you that need actual
measurements to satisfy your curiosity, read on.</para>
<para>The following measurements were made using 2.2.5-STABLE on
@ -2668,7 +2669,7 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<para>This demonstrates worst case by causing most of IPFW's
packet check routine to be executed before finally deciding
that the packet does not match the rule (by virtue of the port
number). Following the 999th iteration of this rule was an
number). Following the 999th iteration of this rule was an
<literal>allow ip from any to any</literal>.</para>
<para>The second set of rules were designed to abort the rule
@ -2683,8 +2684,8 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<para>The per-packet processing overhead in the former case was
approximately 2.703&nbsp;ms/packet, or roughly 2.7&nbsp;microseconds per
rule. Thus the theoretical packet processing limit with these
rules is around 370&nbsp;packets per second. Assuming 10&nbsp;Mbps
rule. Thus the theoretical packet processing limit with these
rules is around 370&nbsp;packets per second. Assuming 10&nbsp;Mbps
Ethernet and a ~1500&nbsp;byte packet size, we would only be able
to achieve a 55.5% bandwidth utilization.</para>
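Review bot: the 55.5% figure in the unchanged last line of this hunk does not follow from the numbers in the lines being touched. 370 packets per second at ~1500 bytes per packet is about 4.4 Mbps, which is roughly 44% of 10 Mbps, not 55.5%. This does not belong in a whitespace-only commit, but it is worth a separate content fix so the stated IPFW overhead is not misread.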
@ -2785,8 +2786,8 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<title>Terminating Characters</title>
<para>Throughout examples in this section, and other sections,
you will notice that there is a <quote>^D</quote> at the end
of some examples. This means to hold down the <keycap>Control</keycap>
key and hit the <keycap>D</keycap> key. Another commonly used
of some examples. This means to hold down the <keycap>Control</keycap>
key and hit the <keycap>D</keycap> key. Another commonly used
character is <quote>^C</quote>, which respectively means to hold
down <keycap>Control</keycap> and press <keycap>C</keycap>.</para>
</note>
@ -2821,7 +2822,9 @@ options IPSEC_ESP #IP security (crypto; define w/IPSEC)</progr
<title>Transport Mode Example with IPv4</title>
<para>Let us setup security association to deploy a secure channel
between HOST A (<hostid role="ipaddr">10.2.3.4</hostid>) and HOST B (<hostid role="ipaddr">10.6.7.8</hostid>). Here we show a little
between HOST A (<hostid role="ipaddr">10.2.3.4</hostid>) and
HOST B (<hostid role="ipaddr">10.6.7.8</hostid>).
Here we show a little
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.</para>
@ -2996,9 +2999,9 @@ At B:
EOF</userinput></screen>
<para>If the port number field is omitted such as above then
<literal>[any]</literal> is employed. <literal>-m</literal>
specifies the mode of SA to be used. <literal>-m any</literal> means
wild-card of mode of security protocol. You can use this SA for both
<literal>[any]</literal> is employed. <literal>-m</literal>
specifies the mode of SA to be used. <literal>-m any</literal> means
wild-card of mode of security protocol. You can use this SA for both
tunnel and transport mode.</para>
<para>and at Gateway-B:</para>
@ -3018,8 +3021,8 @@ EOF</userinput></screen>
<para>Making SA bundle between two security gateways</para>
<para>AH transport mode and ESP tunnel mode is required between
Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first,
and AH transport mode is next.</para>
Gateway-A and Gateway-B. In this case, ESP tunnel mode is
applied first, and AH transport mode is next.</para>
<screen>
========== AH =========
@ -3059,11 +3062,11 @@ EOF</userinput></screen>
<para>Making SAs with the different end</para>
<para>ESP tunnel mode is required between Host-A and Gateway-A. Encryption
algorithm is cast128-cbc, and authentication algorithm for ESP is
hmac-sha1. ESP transport mode is recommended between Host-A and Host-B.
Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is
hmac-md5.</para>
<para>ESP tunnel mode is required between Host-A and Gateway-A.
Encryption algorithm is cast128-cbc, and authentication algorithm
for ESP is hmac-sha1. ESP transport mode is recommended between
Host-A and Host-B. Encryption algorithm is rc5-cbc, and
authentication algorithm for ESP is hmac-md5.</para>
<screen>
================== ESP =================
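Review bot: the whole `<para>` in this hunk is refilled although none of its lines carries a hostid tag, so the log message (long lines introduced by hostid tags, plus sentence spacing) does not describe what happens here. Either mention in the log that over-long paragraphs were refilled in general, or limit the change in this paragraph to the sentence spacing so the diff matches its description.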
@ -3436,7 +3439,7 @@ user@ssh-server.example.com's password: <userinput>******</userinput></screen>
<para>You may wish to access another (perhaps non-work
related) service, such as an Ogg Vorbis server to stream
music. If this Ogg Vorbis server is streaming on some other
music. If this Ogg Vorbis server is streaming on some other
port than 22 or 80, you will not be able to access it.</para>
<para>The solution is to create an SSH connection to a machine