From e05926f3742ca500a6b5a65055aef13bf5164ede Mon Sep 17 00:00:00 2001
From: Glen Barber <gjb@FreeBSD.org>
Date: Sun, 23 Jun 2013 22:37:08 +0000
Subject: [PATCH] MF ISBN: Merged
/projects/print2013/en_US.ISO8859-1:r40693-40726 Merged
/projects/ISBN_1-57176-407-0/en_US.ISO8859-1:r40727-41455,
41457-41469,41472-41477,41479-41513,41515-41521,41523-41577,
41579-41581,41583-42013
Notes: This merge entirely excludes the en_US/books/handbook/ppp-and-slip/
changes. They will need to be looked at a bit more closely.
Note to translators: I am very, very sorry. There was no *clean* way
to merge this as separate commits. Trust me, I tried.
The revision logs for the ISBN branch should provide some insight to what
content has changed. I am more than happy to help out here. Sorry :(
Approved by: doceng (implicit)
---
.../handbook/advanced-networking/chapter.xml | 4726 ++++++++---------
.../books/handbook/audit/chapter.xml | 172 +-
.../books/handbook/basics/chapter.xml | 523 +-
.../books/handbook/boot/chapter.xml | 197 +-
.../books/handbook/config/chapter.xml | 2418 +++++----
.../books/handbook/disks/chapter.xml | 57 +-
.../books/handbook/eresources/chapter.xml | 370 +-
.../books/handbook/install/chapter.xml | 2609 +++++----
.../books/handbook/kernelconfig/chapter.xml | 27 +-
.../books/handbook/mac/chapter.xml | 234 +-
.../books/handbook/mail/chapter.xml | 1650 +++---
.../books/handbook/multimedia/chapter.xml | 1508 +++---
.../handbook/network-servers/chapter.xml | 1261 +++--
.../books/handbook/ports/chapter.xml | 98 +-
.../books/handbook/security/chapter.xml | 3429 ++++++------
.../books/handbook/users/chapter.xml | 45 +
16 files changed, 9363 insertions(+), 9961 deletions(-)
diff --git a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
index d402890e50..26dba92958 100644
--- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
@@ -11,7 +11,7 @@
<sect1 id="advanced-networking-synopsis">
<title>Synopsis</title>
- <para>This chapter will cover a number of advanced networking
+ <para>This chapter covers a number of advanced networking
topics.</para>
<para>After reading this chapter, you will know:</para>
@@ -27,7 +27,7 @@
</listitem>
<listitem>
- <para>How to make FreeBSD act as a bridge.</para>
+ <para>How to make &os; act as a bridge.</para>
</listitem>
<listitem>
@@ -36,8 +36,9 @@
</listitem>
<listitem>
- <para>How to set up network PXE booting with an NFS root file
- system.</para>
+ <para>How to set up network <acronym>PXE</acronym> booting
+ with an
+ <acronym>NFS</acronym> root file system.</para>
</listitem>
<listitem>
@@ -45,16 +46,18 @@
</listitem>
<listitem>
- <para>How to set up IPv6 on a FreeBSD machine.</para>
+ <para>How to set up <acronym>IPv6</acronym> on a &os;
+ machine.</para>
</listitem>
<listitem>
- <para>How to configure ATM.</para>
+ <para>How to configure <acronym>ATM</acronym>.</para>
</listitem>
<listitem>
- <para>How to enable and utilize the features of CARP, the
- Common Address Redundancy Protocol in &os;</para>
+ <para>How to enable and utilize the features of the Common
+ Address Redundancy Protocol (<acronym>CARP</acronym>) in
+ &os;.</para>
</listitem>
</itemizedlist>
@@ -71,13 +74,13 @@
</listitem>
<listitem>
- <para>Know how to configure and install a new FreeBSD kernel
+ <para>Know how to configure and install a new &os; kernel
(<xref linkend="kernelconfig"/>).</para>
</listitem>
<listitem>
- <para>Know how to install additional third-party
- software (<xref linkend="ports"/>).</para>
+ <para>Know how to install additional third-party software
+ (<xref linkend="ports"/>).</para>
</listitem>
</itemizedlist>
@@ -105,22 +108,21 @@
one to the other. This is called
<firstterm>routing</firstterm>. A <quote>route</quote> is a
defined pair of addresses: a <quote>destination</quote> and a
- <quote>gateway</quote>. The pair indicates that if you are
- trying to get to this <emphasis>destination</emphasis>,
- communicate through this <emphasis>gateway</emphasis>. There
- are three types of destinations: individual hosts, subnets, and
+ <quote>gateway</quote>. The pair indicates that when trying
+ to get to this <emphasis>destination</emphasis>, communicate
+ through this <emphasis>gateway</emphasis>. There are three
+ types of destinations: individual hosts, subnets, and
<quote>default</quote>. The <quote>default route</quote> is
- used if none of the other routes apply. We will talk a little
- bit more about default routes later on. There are also three
+ used if none of the other routes apply. There are also three
types of gateways: individual hosts, interfaces (also called
- <quote>links</quote>), and Ethernet hardware addresses (MAC
- addresses).</para>
+ <quote>links</quote>), and Ethernet hardware
+ (<acronym>MAC</acronym>) addresses.</para>
<sect2>
<title>An Example</title>
- <para>To illustrate different aspects of routing, we will use
- the following example from <command>netstat</command>:</para>
+ <para>This example &man.netstat.1; output illustrates several
+ aspects of routing:</para>
<screen>&prompt.user; <userinput>netstat -r</userinput>
Routing tables
@@ -138,9 +140,8 @@ host2.example.com link#1 UC 0 0
224 link#1 UC 0 0</screen>
<indexterm><primary>default route</primary></indexterm>
- <para>The first two lines specify the default route (which we
- will cover in the
- <link linkend="network-routing-default">next section</link>)
+ <para>The first two lines specify the default route, described
+ in more detail in <xref linkend="network-routing-default"/>,
and the <hostid>localhost</hostid> route.</para>
<indexterm><primary>loopback device</primary></indexterm>
@@ -149,66 +150,60 @@ host2.example.com link#1 UC 0 0
<literal>localhost</literal> is <devicename>lo0</devicename>,
also known as the loopback device. This says to keep all
traffic for this destination internal, rather than sending it
- out over the LAN, since it will only end up back where it
- started.</para>
+ out over the network.</para>
<indexterm>
<primary>Ethernet</primary>
<secondary>MAC address</secondary>
</indexterm>
- <para>The next thing that stands out are the addresses beginning
- with <hostid role="mac">0:e0:</hostid>. These are Ethernet
- hardware addresses, which are also known as MAC addresses.
- FreeBSD will automatically identify any hosts
- (<hostid>test0</hostid> in the example) on the local Ethernet
- and add a route for that host, directly to it over the
- Ethernet interface, <devicename>ed0</devicename>. There is
- also a timeout (<literal>Expire</literal> column) associated
- with this type of route, which is used if we fail to hear from
- the host in a specific amount of time. When this happens, the
- route to this host will be automatically deleted. These hosts
- are identified using a mechanism known as RIP (Routing
- Information Protocol), which figures out routes to local hosts
- based upon a shortest path determination.</para>
+ <para>The addresses beginning with <hostid
+ role="mac">0:e0:</hostid> are Ethernet hardware addresses,
+ also known as <acronym>MAC</acronym> addresses. &os; will
+ automatically identify any hosts, <hostid>test0</hostid> in
+ the example, on the local Ethernet and add a route for that
+ host over the Ethernet interface,
+ <devicename>ed0</devicename>. This type of route has a
+ timeout, seen in the <literal>Expire</literal> column, which
+ is used if the host does not respond in a specific amount of
+ time. When this happens, the route to this host will be
+ automatically deleted. These hosts are identified using the
+ Routing Information Protocol (<acronym>RIP</acronym>), which
+ calculates routes to local hosts based upon a shortest path
+ determination.</para>
<indexterm><primary>subnet</primary></indexterm>
- <para>FreeBSD will also add subnet routes for the local subnet
- (<hostid role="ipaddr">10.20.30.255</hostid> is the broadcast
- address for the subnet
- <hostid role="ipaddr">10.20.30</hostid>, and
- <hostid role="domainname">example.com</hostid> is the domain
- name associated with that subnet). The designation
+ <para>&os; will add subnet routes for the local subnet.
+ <hostid role="ipaddr">10.20.30.255</hostid> is the broadcast
+ address for the subnet <hostid role="ipaddr">10.20.30</hostid>
+ and <hostid role="domainname">example.com</hostid> is the
+ domain name associated with that subnet. The designation
<literal>link#1</literal> refers to the first Ethernet card in
- the machine. You will notice no additional interface is
- specified for those.</para>
+ the machine.</para>
- <para>Both of these groups (local network hosts and local
- subnets) have their routes automatically configured by a
- daemon called <application>routed</application>. If this is
- not run, then only routes which are statically defined (i.e.,
- entered explicitly) will exist.</para>
+ <para>Local network hosts and local subnets have their routes
+ automatically configured by a daemon called &man.routed.8;.
+ If it is not running, only routes which are statically defined
+ by the administrator will exist.</para>
- <para>The <literal>host1</literal> line refers to our host,
- which it knows by Ethernet address. Since we are the sending
- host, FreeBSD knows to use the loopback interface
- (<devicename>lo0</devicename>) rather than sending it out over
- the Ethernet interface.</para>
+ <para>The <literal>host1</literal> line refers to the host
+ by its Ethernet address. Since it is the sending host, &os;
+ knows to use the loopback interface
+ (<devicename>lo0</devicename>) rather than the Ethernet
+ interface.</para>
- <para>The two <literal>host2</literal> lines are an example of
- what happens when we use an &man.ifconfig.8; alias (see the
- section on Ethernet for reasons why we would do this). The
+ <para>The two <literal>host2</literal> lines represent aliases
+ which were created using &man.ifconfig.8;. The
<literal>=></literal> symbol after the
- <devicename>lo0</devicename> interface says that not only are
- we using the loopback (since this address also refers to the
- local host), but specifically it is an alias. Such routes
+ <devicename>lo0</devicename> interface says that an alias
+ has been set in addition to the loopback address. Such routes
only show up on the host that supports the alias; all other
- hosts on the local network will simply have a
+ hosts on the local network will have a
<literal>link#1</literal> line for such routes.</para>
- <para>The final line (destination subnet
- <hostid role="ipaddr">224</hostid>) deals with multicasting,
- which will be covered in another section.</para>
+ <para>The final line (destination subnet <hostid
+ role="ipaddr">224</hostid>) deals with
+ multicasting.</para>
<para>Finally, various attributes of each route can be seen in
the <literal>Flags</literal> column. Below is a short table
@@ -247,7 +242,7 @@ host2.example.com link#1 UC 0 0
<row>
<entry>C</entry>
<entry>Clone: Generates a new route based upon this
- route for machines we connect to. This type of route
+ route for machines to connect to. This type of route
is normally used for local networks.</entry>
</row>
@@ -276,25 +271,24 @@ host2.example.com link#1 UC 0 0
<para>When the local system needs to make a connection to a
remote host, it checks the routing table to determine if a
known path exists. If the remote host falls into a subnet
- that we know how to reach (Cloned routes), then the system
- checks to see if it can connect along that interface.</para>
+ that it knows how to reach, the system checks to see if it
+ can connect using that interface.</para>
<para>If all known paths fail, the system has one last option:
the <quote>default</quote> route. This route is a special
type of gateway route (usually the only one present in the
system), and is always marked with a <literal>c</literal> in
the flags field. For hosts on a local area network, this
- gateway is set to whatever machine has a direct connection to
- the outside world (whether via PPP link, DSL, cable modem, T1,
- or another network interface).</para>
+ gateway is set to the system which has a direct connection to
+ the Internet.</para>
- <para>If you are configuring the default route for a machine
- which itself is functioning as the gateway to the outside
- world, then the default route will be the gateway machine at
- your Internet Service Provider's (ISP) site.</para>
+ <para>The default route for a machine which itself is
+ functioning as the gateway to the outside world, will be the
+ gateway machine at the Internet Service Provider
+ (<acronym>ISP</acronym>).</para>
- <para>Let us look at an example of default routes. This is a
- common configuration:</para>
+ <para>This example is a common configuration for a default
+ route:</para>
<mediaobject>
<imageobject>
@@ -308,14 +302,15 @@ host2.example.com link#1 UC 0 0
</mediaobject>
<para>The hosts <hostid>Local1</hostid> and
- <hostid>Local2</hostid> are at your site.
- <hostid>Local1</hostid> is connected to an ISP via a dial up
- PPP connection. This PPP server computer is connected through
- a local area network to another gateway computer through an
- external interface to the ISPs Internet feed.</para>
+ <hostid>Local2</hostid> are on the local network.
+ <hostid>Local1</hostid> is connected to an
+ <acronym>ISP</acronym> using a
+ <acronym>PPP</acronym> connection. This
+ <acronym>PPP</acronym> server is connected through a local
+ area network to another gateway computer through an external
+ interface to the <acronym>ISP</acronym>.</para>
- <para>The default routes for each of your machines will
- be:</para>
+ <para>The default routes for each machine will be:</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="3">
@@ -343,26 +338,28 @@ host2.example.com link#1 UC 0 0
</tgroup>
</informaltable>
- <para>A common question is <quote>Why (or how) would we set
- the <hostid>T1-GW</hostid> to be the default gateway for
- <hostid>Local1</hostid>, rather than the ISP server it is
- connected to?</quote>.</para>
+ <para>A common question is <quote>Why is
+ <hostid>T1-GW</hostid> configured as the default gateway for
+ <hostid>Local1</hostid>, rather than the
+ <acronym>ISP</acronym> server it is connected
+ to?</quote>.</para>
- <para>Remember, since the PPP interface is using an address on
- the ISP's local network for your side of the connection,
- routes for any other machines on the ISP's local network will
- be automatically generated. Hence, you will already know how
+ <para>Since the <acronym>PPP</acronym> interface is using an
+ address on the <acronym>ISP</acronym>'s local network for
+ the local side of the connection, routes for any other
+ machines on the <acronym>ISP</acronym>'s local network will
+ be automatically generated. The system already knows how
to reach the <hostid>T1-GW</hostid> machine, so there is no
- need for the intermediate step of sending traffic to the ISP
- server.</para>
+ need for the intermediate step of sending traffic to the
+ <acronym>ISP</acronym>'s server.</para>
- <para>It is common to use the address
- <hostid role="ipaddr">X.X.X.1</hostid> as the gateway address
- for your local network. So (using the same example), if your
- local class-C address space was
- <hostid role="ipaddr">10.20.30</hostid> and your ISP was using
- <hostid role="ipaddr">10.9.9</hostid> then the default routes
- would be:</para>
+ <para>It is common to use the address <hostid
+ role="ipaddr">X.X.X.1</hostid> as the gateway address for
+ the local network. So, if the local class C address space is
+ <hostid role="ipaddr">10.20.30</hostid> and the
+ <acronym>ISP</acronym> is using <hostid
+ role="ipaddr">10.9.9</hostid>, the default routes would
+ be:</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="2">
@@ -387,19 +384,19 @@ host2.example.com link#1 UC 0 0
</informaltable>
<para>The default route can be easily defined in
- <filename>/etc/rc.conf</filename>. In our example, on
- the <hostid>Local2</hostid> machine, we added the following
- line in <filename>/etc/rc.conf</filename>:</para>
+ <filename>/etc/rc.conf</filename>. In this example, on
+ <hostid>Local2</hostid>, add the following line to
+ <filename>/etc/rc.conf</filename>:</para>
<programlisting>defaultrouter="10.20.30.1"</programlisting>
- <para>It is also possible to do it directly from the command
- line with the &man.route.8; command:</para>
+ <para>It is also possible to add the route directly using
+ &man.route.8;:</para>
<screen>&prompt.root; <userinput>route add default 10.20.30.1</userinput></screen>
<para>For more information on manual manipulation of network
- routing tables, consult the &man.route.8; manual page.</para>
+ routing tables, refer to &man.route.8;.</para>
</sect2>
<sect2 id="network-dual-homed-hosts">
@@ -407,32 +404,27 @@ host2.example.com link#1 UC 0 0
<indexterm><primary>dual homed hosts</primary></indexterm>
- <para>There is one other type of configuration that we should
- cover, and that is a host that sits on two different networks.
- Technically, any machine functioning as a gateway (in the
- example above, using a PPP connection) counts as a dual-homed
- host. But the term is really only used to refer to a machine
- that sits on two local-area networks.</para>
+ <para>A a dual-homed system is a host which resides on two
+ different networks.</para>
- <para>In one case, the machine has two Ethernet cards, each
- having an address on the separate subnets. Alternately, the
- machine may only have one Ethernet card, and be using
- &man.ifconfig.8; aliasing. The former is used if two
- physically separate Ethernet networks are in use, the latter
- if there is one physical network segment, but two logically
- separate subnets.</para>
+ <para>The dual-homed machine might have two Ethernet cards, each
+ having an address on a separate subnet. Alternately, the
+ machine can have one Ethernet card and uses &man.ifconfig.8;
+ aliasing. The former is used if two physically separate
+ Ethernet networks are in use and the latter if there is one
+ physical network segment, but two logically separate
+ subnets.</para>
<para>Either way, routing tables are set up so that each subnet
knows that this machine is the defined gateway (inbound route)
to the other subnet. This configuration, with the machine
- acting as a router between the two subnets, is often used when
- we need to implement packet filtering or firewall security in
+ acting as a router between the two subnets, is often used
+ to implement packet filtering or firewall security in
either or both directions.</para>
- <para>If you want this machine to actually forward packets
- between the two interfaces, you need to tell FreeBSD to enable
- this ability. See the next section for more details on how
- to do this.</para>
+ <para>For this machine to forward packets between the two
+ interfaces, &os; must be configured as a router, as
+ demonstrated in the next section.</para>
</sect2>
<sect2 id="network-dedicated-router">
@@ -440,10 +432,10 @@ host2.example.com link#1 UC 0 0
<indexterm><primary>router</primary></indexterm>
- <para>A network router is simply a system that forwards packets
- from one interface to another. Internet standards and good
- engineering practice prevent the FreeBSD Project from enabling
- this by default in FreeBSD. You can enable this feature by
+ <para>A network router is a system that forwards packets from
+ one interface to another. Internet standards and good
+ engineering practice prevent the &os; Project from enabling
+ this by default in &os;. This feature can be enabled by
changing the following variable to <literal>YES</literal> in
&man.rc.conf.5;:</para>
@@ -451,23 +443,21 @@ host2.example.com link#1 UC 0 0
<para>This option will set the &man.sysctl.8; variable
<varname>net.inet.ip.forwarding</varname> to
- <literal>1</literal>. If you should need to stop routing
- temporarily, you can reset this to <literal>0</literal>
- temporarily.</para>
+ <literal>1</literal>. To stop routing, reset this to
+ <literal>0</literal>.</para>
<indexterm><primary>BGP</primary></indexterm>
<indexterm><primary>RIP</primary></indexterm>
<indexterm><primary>OSPF</primary></indexterm>
- <para>Your new router will need routes to know where to send the
- traffic. If your network is simple enough you can use static
- routes. FreeBSD also comes with the standard BSD routing
- daemon &man.routed.8;, which speaks RIP (both version 1 and
- version 2) and IRDP. Support for BGP v4, OSPF v2, and other
+ <para>The new router will need routes to know where to send the
+ traffic. If the network is simple enough, static routes can
+ be used. &os; comes with the standard BSD routing daemon
+ &man.routed.8;, which speaks <acronym>RIP</acronym> versions
+ 1 and 2, and <acronym>IRDP</acronym>. Support for
+ <acronym>BGP</acronym>v4, <acronym>OSPF</acronym>v2, and other
sophisticated routing protocols is available with the
- <filename role="package">net/zebra</filename> package.
- Commercial products such as <application>&gated;</application>
- are also available for more complex network routing
- solutions.</para>
+ <filename role="package">net/zebra</filename> package or
+ port.</para>
</sect2>
<sect2 id="network-static-routes">
@@ -486,7 +476,7 @@ host2.example.com link#1 UC 0 0
<sect3>
<title>Manual Configuration</title>
- <para>Let us assume we have a network as follows:</para>
+ <para>Consider the following network:</para>
<mediaobject>
<imageobject>
@@ -520,21 +510,16 @@ host2.example.com link#1 UC 0 0
</textobject>
</mediaobject>
- <para>In this scenario, <hostid>RouterA</hostid> is our &os;
+ <para>In this scenario, <hostid>RouterA</hostid> is a &os;
machine that is acting as a router to the rest of the
- Internet. It has a default route set to
- <hostid role="ipaddr">10.0.0.1</hostid> which allows it to
- connect with the outside world. We will assume that
- <hostid>RouterB</hostid> is already configured properly and
- knows how to get wherever it needs to go. (This is simple
- in this picture. Just add a default route on
- <hostid>RouterB</hostid> using
- <hostid role="ipaddr">192.168.1.1</hostid> as the
- gateway.)</para>
+ Internet. It has a default route set to <hostid
+ role="ipaddr">10.0.0.1</hostid> which allows it to
+ connect with the outside world. <hostid>RouterB</hostid> is
+ already configured properly as it uses <hostid
+ role="ipaddr">192.168.1.1</hostid> as the gateway.</para>
- <para>If we look at the routing table for
- <hostid>RouterA</hostid> we would see something like the
- following:</para>
+ <para>The routing table on <hostid>RouterA</hostid> looks
+ something like this:</para>
<screen>&prompt.user; <userinput>netstat -nr</userinput>
Routing tables
@@ -546,14 +531,12 @@ default 10.0.0.1 UGS 0 49378 xl0
10.0.0.0/24 link#1 UC 0 0 xl0
192.168.1.0/24 link#2 UC 0 0 xl1</screen>
- <para>With the current routing table <hostid>RouterA</hostid>
- will not be able to reach our Internal Net 2. It does not
- have a route for
- <hostid role="ipaddr">192.168.2.0/24</hostid>. One way to
- alleviate this is to manually add the route. The following
- command would add the Internal Net 2 network to
- <hostid>RouterA</hostid>'s routing table using
- <hostid role="ipaddr">192.168.1.2</hostid> as the next
+ <para>With the current routing table, <hostid>RouterA</hostid>
+ cannot reach Internal Net 2 as it does not have a route for
+ <hostid role="ipaddr">192.168.2.0/24</hostid>. The
+ following command adds the Internal Net 2 network to
+ <hostid>RouterA</hostid>'s routing table using <hostid
+ role="ipaddr">192.168.1.2</hostid> as the next
hop:</para>
<screen>&prompt.root; <userinput>route add -net 192.168.2.0/24 192.168.1.2</userinput></screen>
@@ -566,39 +549,34 @@ default 10.0.0.1 UGS 0 49378 xl0
<sect3>
<title>Persistent Configuration</title>
- <para>The above example is perfect for configuring a static
- route on a running system. However, one problem is that the
- routing information will not persist if you reboot your &os;
- machine. Additional static routes can be
- entered in <filename>/etc/rc.conf</filename>:</para>
+ <para>The above example configures a static route on a
+ running system. However, the routing information will not
+ persist if the &os; system reboots. Persistent static
+ routes can be entered in
+ <filename>/etc/rc.conf</filename>:</para>
<programlisting># Add Internal Net 2 as a static route
static_routes="internalnet2"
route_internalnet2="-net 192.168.2.0/24 192.168.1.2"</programlisting>
<para>The <literal>static_routes</literal> configuration
- variable is a list of strings separated by a space. Each
- string references to a route name. In our above example we
- only have one string in <literal>static_routes</literal>.
- This string is <replaceable>internalnet2</replaceable>. We
- then add a configuration variable called
+ variable is a list of strings separated by a space, where
+ each string references a route name. This example only
+ has one string in <literal>static_routes</literal>,
+ <replaceable>internalnet2</replaceable>. The variable
<literal>route_<replaceable>internalnet2</replaceable></literal>
- where we put all of the configuration parameters we would
- give to the &man.route.8; command. For our example above we
- would have used the command:</para>
+ contains all of the configuration parameters to
+ &man.route.8;. This example is equivalent to the
+ command:</para>
<screen>&prompt.root; <userinput>route add -net 192.168.2.0/24 192.168.1.2</userinput></screen>
- <para>so we need <literal>"-net 192.168.2.0/24
- 192.168.1.2"</literal>.</para>
-
- <para>As said above, we can have more than one string in
- <literal>static_routes</literal>. This allows us to create
- multiple static routes. The following lines shows an
- example of adding static routes for the
- <hostid role="ipaddr">192.168.0.0/24</hostid> and
- <hostid role="ipaddr">192.168.1.0/24</hostid> networks on an
- imaginary router:</para>
+ <para>Using more than one string in
+ <literal>static_routes</literal> creates multiple static
+ routes. The following shows an example of adding static
+ routes for the <hostid role="ipaddr">192.168.0.0/24</hostid>
+ and <hostid role="ipaddr">192.168.1.0/24</hostid>
+ networks:</para>
<programlisting>static_routes="net1 net2"
route_net1="-net 192.168.0.0/24 192.168.0.1"
@@ -609,36 +587,24 @@ route_net2="-net 192.168.1.0/24 192.168.1.1"</programlisting>
<sect2 id="network-routing-propagation">
<title>Routing Propagation</title>
- <indexterm><primary>routing propagation</primary></indexterm>
- <para>We have already talked about how we define our routes to
- the outside world, but not about how the outside world finds
- us.</para>
+ <para>When an address space is assigned to a network, the
+ service provider configures their routing tables so that all
+ traffic for the network will be sent to the link for the
+ site. But how do external sites know to send their packets
+ to the network's <acronym>ISP</acronym>?</para>
- <para>We already know that routing tables can be set up so that
- all traffic for a particular address space (in our examples, a
- class-C subnet) can be sent to a particular host on that
- network, which will forward the packets inbound.</para>
+ <para>There is a system that keeps track of all assigned
+ address spaces and defines their point of connection to the
+ Internet backbone, or the main trunk lines that carry Internet
+ traffic across the country and around the world. Each
+ backbone machine has a copy of a master set of tables, which
+ direct traffic for a particular network to a specific
+ backbone carrier, and from there down the chain of service
+ providers until it reaches your network.</para>
- <para>When you get an address space assigned to your site, your
- service provider will set up their routing tables so that all
- traffic for your subnet will be sent down your PPP link to
- your site. But how do sites across the country know to send
- to your ISP?</para>
-
- <para>There is a system (much like the distributed DNS
- information) that keeps track of all assigned address-spaces,
- and defines their point of connection to the Internet
- Backbone. The <quote>Backbone</quote> are the main trunk
- lines that carry Internet traffic across the country, and
- around the world. Each backbone machine has a copy of a
- master set of tables, which direct traffic for a particular
- network to a specific backbone carrier, and from there down
- the chain of service providers until it reaches your
- network.</para>
-
- <para>It is the task of your service provider to advertise to
- the backbone sites that they are the point of connection (and
- thus the path inward) for your site. This is known as route
+ <para>It is the task of the service provider to advertise to
+ the backbone sites that they are the point of connection, and
+ thus the path inward, for a site. This is known as route
propagation.</para>
</sect2>
@@ -646,24 +612,22 @@ route_net2="-net 192.168.1.0/24 192.168.1.1"</programlisting>
<title>Troubleshooting</title>
<indexterm>
- <primary><command>traceroute</command></primary>
+ <primary>&man.traceroute.8;</primary>
</indexterm>
- <para>Sometimes, there is a problem with routing propagation,
- and some sites are unable to connect to you. Perhaps the most
+ <para>Sometimes, there is a problem with routing propagation
+ and some sites are unable to connect. Perhaps the most
useful command for trying to figure out where routing is
- breaking down is the &man.traceroute.8; command. It is
- equally useful if you cannot seem to make a connection to a
- remote machine (i.e., &man.ping.8; fails).</para>
+ breaking down is &man.traceroute.8;. It is useful when
+ &man.ping.8; fails.</para>
- <para>The &man.traceroute.8; command is run with the name of the
- remote host you are trying to connect to. It will show the
- gateway hosts along the path of the attempt, eventually either
+ <para>When using &man.traceroute.8;, include the name of the
+ remote host to connect to. The output will show the gateway
+ hosts along the path of the attempt, eventually either
reaching the target host, or terminating because of a lack of
connection.</para>
- <para>For more information, see the manual page for
- &man.traceroute.8;.</para>
+ <para>For more information, refer to &man.traceroute.8;.</para>
</sect2>
<sect2 id="network-routing-multicast">
@@ -676,19 +640,18 @@ route_net2="-net 192.168.1.0/24 192.168.1.1"</programlisting>
<primary>kernel options</primary>
<secondary>MROUTING</secondary>
</indexterm>
- <para>FreeBSD supports both multicast applications and multicast
- routing natively. Multicast applications do not require any
- special configuration of FreeBSD; applications will generally
- run out of the box. Multicast routing
- requires that support be compiled into the kernel:</para>
+ <para>&os; natively supports both multicast applications and
+ multicast routing. Multicast applications do not require any
+ special configuration of &os;; as applications will generally
+ run out of the box. Multicast routing requires that support
+ be compiled into a custom kernel:</para>
<programlisting>options MROUTING</programlisting>
- <para>In addition, the multicast routing daemon, &man.mrouted.8;
- must be configured to set up tunnels and
- <acronym>DVMRP</acronym> via
+ <para>The multicast routing daemon, &man.mrouted.8;, must be
+ configured to set up tunnels and <acronym>DVMRP</acronym> via
<filename>/etc/mrouted.conf</filename>. More details on
- multicast configuration may be found in the manual page for
+ multicast configuration may be found in
&man.mrouted.8;.</para>
<note>
@@ -697,8 +660,8 @@ route_net2="-net 192.168.1.0/24 192.168.1.1"</programlisting>
which has largely been replaced by &man.pim.4; in many
multicast installations. &man.mrouted.8; and the related
&man.map-mbone.8; and &man.mrinfo.8; utilities are available
- in the &os; Ports Collection as
- <filename role="package">net/mrouted</filename>.</para>
+ in the &os; Ports Collection as <filename
+ role="package">net/mrouted</filename>.</para>
</note>
</sect2>
</sect1>
@@ -735,83 +698,92 @@ route_net2="-net 192.168.1.0/24 192.168.1.1"</programlisting>
<para>Most wireless networks are based on the &ieee; 802.11
standards. A basic wireless network consists of multiple
stations communicating with radios that broadcast in either
- the 2.4GHz or 5GHz band (though this varies according to the
+ the 2.4GHz or 5GHz band, though this varies according to the
locale and is also changing to enable communication in the
- 2.3GHz and 4.9GHz ranges).</para>
+ 2.3GHz and 4.9GHz ranges.</para>
- <para>802.11 networks are organized in two ways: in
- <emphasis>infrastructure mode</emphasis> one station acts as a
- master with all the other stations associating to it; the
- network is known as a BSS and the master station is termed an
- access point (AP). In a BSS all communication passes through
- the AP; even when one station wants to communicate with
- another wireless station messages must go through the AP. In
- the second form of network there is no master and stations
- communicate directly. This form of network is termed an IBSS
- and is commonly known as an
- <emphasis>ad-hoc network</emphasis>.</para>
+ <para>802.11 networks are organized in two ways. In
+ <emphasis>infrastructure mode</emphasis>, one station acts as
+ a
+ master with all the other stations associating to it, the
+ network is known as a <acronym>BSS</acronym>, and the master
+ station is termed an access point (<acronym>AP</acronym>).
+ In a <acronym>BSS</acronym>, all communication passes through
+ the <acronym>AP</acronym>; even when one station wants to
+ communicate with another wireless station, messages must go
+ through the <acronym>AP</acronym>. In the second form of
+ network, there is no master and stations communicate directly.
+ This form of network is termed an <acronym>IBSS</acronym>
+ and is commonly known as an <emphasis>ad-hoc
+ network</emphasis>.</para>
<para>802.11 networks were first deployed in the 2.4GHz band
using protocols defined by the &ieee; 802.11 and 802.11b
standard. These specifications include the operating
- frequencies, MAC layer characteristics including framing and
- transmission rates (communication can be done at various
- rates). Later the 802.11a standard defined operation in the
- 5GHz band, including different signalling mechanisms and
- higher transmission rates. Still later the 802.11g standard
- was defined to enable use of 802.11a signalling and
- transmission mechanisms in the 2.4GHz band in such a way as to
- be backwards compatible with 802.11b networks.</para>
+ frequencies and the <acronym>MAC</acronym> layer
+ characteristics, including framing and transmission rates,
+ as communication can occur at various rates. Later, the
+ 802.11a standard defined operation in the 5GHz band, including
+ different signaling mechanisms and higher transmission rates.
+ Still later, the 802.11g standard defined the use of 802.11a
+ signaling and transmission mechanisms in the 2.4GHz band in
+ such a way as to be backwards compatible with 802.11b
+ networks.</para>
- <para>Separate from the underlying transmission techniques
+ <para>Separate from the underlying transmission techniques,
802.11 networks have a variety of security mechanisms. The
original 802.11 specifications defined a simple security
- protocol called WEP. This protocol uses a fixed pre-shared key
- and the RC4 cryptographic cipher to encode data transmitted on
- a network. Stations must all agree on the fixed key in order
- to communicate. This scheme was shown to be easily broken and
- is now rarely used except to discourage transient users from
- joining networks. Current security practice is given by the
- &ieee; 802.11i specification that defines new cryptographic
- ciphers and an additional protocol to authenticate stations to
- an access point and exchange keys for doing data
- communication. Further, cryptographic keys are periodically
- refreshed and there are mechanisms for detecting intrusion
- attempts (and for countering intrusion attempts). Another
+ protocol called <acronym>WEP</acronym>. This protocol uses a
+ fixed pre-shared key and the RC4 cryptographic cipher to
+ encode data transmitted on a network. Stations must all
+ agree on the fixed key in order to communicate. This scheme
+ was shown to be easily broken and is now rarely used except
+ to discourage transient users from joining networks. Current
+ security practice is given by the &ieee; 802.11i specification
+ that defines new cryptographic ciphers and an additional
+ protocol to authenticate stations to an access point and
+ exchange keys for data communication. Cryptographic keys
+ are periodically refreshed and there are mechanisms for
+ detecting and countering intrusion attempts. Another
security protocol specification commonly used in wireless
- networks is termed WPA. This was a precursor to 802.11i
- defined by an industry group as an interim measure while
- waiting for 802.11i to be ratified. WPA specifies a subset of
- the requirements found in 802.11i and is designed for
- implementation on legacy hardware. Specifically WPA requires
- only the TKIP cipher that is derived from the original WEP
- cipher. 802.11i permits use of TKIP but also requires support
- for a stronger cipher, AES-CCM, for encrypting data. (The AES
- cipher was not required in WPA because it was deemed too
+ networks is termed <acronym>WPA</acronym>, which was a
+ precursor to 802.11i. <acronym>WPA</acronym> specifies a
+ subset of the requirements found in 802.11i and is designed
+ for implementation on legacy hardware. Specifically,
+ <acronym>WPA</acronym> requires only the
+ <acronym>TKIP</acronym> cipher that is derived from the
+ original <acronym>WEP</acronym> cipher. 802.11i permits use
+ of <acronym>TKIP</acronym> but also requires support for a
+ stronger cipher, AES-CCM, for encrypting data. The
+ <acronym>AES</acronym> cipher was not required in
+ <acronym>WPA</acronym> because it was deemed too
computationally costly to be implemented on legacy
- hardware.)</para>
+ hardware.</para>
- <para>Other than the above protocol standards the other
- important standard to be aware of is 802.11e. This defines
- protocols for deploying multi-media applications such as
- streaming video and voice over IP (VoIP) in an 802.11 network.
- Like 802.11i, 802.11e also has a precursor specification
- termed WME (later renamed WMM) that has been defined by an
+ <para>The other standard to be aware of is 802.11e. It defines
+ protocols for deploying multimedia applications, such as
+ streaming video and voice over IP (<acronym>VoIP</acronym>),
+ in an 802.11 network. Like 802.11i, 802.11e also has a
+ precursor specification termed <acronym>WME</acronym> (later
+ renamed <acronym>WMM</acronym>) that has been defined by an
industry group as a subset of 802.11e that can be deployed now
- to enable multi-media applications while waiting for the final
+ to enable multimedia applications while waiting for the final
ratification of 802.11e. The most important thing to know
- about 802.11e and WME/WMM is that it enables prioritized
- traffic use of a wireless network through Quality of Service
- (QoS) protocols and enhanced media access protocols. Proper
- implementation of these protocols enable high speed bursting
- of data and prioritized traffic flow.</para>
+ about 802.11e and
+ <acronym>WME</acronym>/<acronym>WMM</acronym> is that it
+ enables prioritized traffic over a wireless network through
+ Quality of Service (<acronym>QoS</acronym>) protocols and
+ enhanced media access protocols. Proper implementation of
+ these protocols enables high speed bursting of data and
+ prioritized traffic flow.</para>
- <para>&os; supports networks that operate
- using 802.11a, 802.11b, and 802.11g. The WPA and 802.11i
+ <para>&os; supports networks that operate using 802.11a,
+ 802.11b, and 802.11g. The <acronym>WPA</acronym> and 802.11i
security protocols are likewise supported (in conjunction with
- any of 11a, 11b, and 11g) and QoS and traffic prioritization
- required by the WME/WMM protocols are supported for a limited
- set of wireless devices.</para>
+ any of 11a, 11b, and 11g) and <acronym>QoS</acronym> and
+ traffic prioritization required by the
+ <acronym>WME</acronym>/<acronym>WMM</acronym> protocols are
+ supported for a limited set of wireless devices.</para>
</sect2>
<sect2 id="network-wireless-basic">
@@ -820,63 +792,59 @@ route_net2="-net 192.168.1.0/24 192.168.1.1"</programlisting>
<sect3>
<title>Kernel Configuration</title>
- <para>To use wireless networking, you need a wireless
- networking card and to configure the kernel with the
- appropriate wireless networking support. The latter is
- separated into multiple modules so that you only need to
- configure the software you are actually going to use.</para>
+ <para>To use wireless networking, a wireless networking card
+ is needed and the kernel needs to be configured with the
+ appropriate wireless networking support. The kernel is
+ separated into multiple modules so that only the required
+ support needs to be configured.</para>
- <para>The first thing you need is a wireless device. The most
- commonly used devices are those that use parts made by
- Atheros. These devices are supported by the &man.ath.4;
- driver and require the following line to be added to
+ <para>The most
+ commonly used wireless devices are those that use parts made
+ by Atheros. These devices are supported by &man.ath.4;
+ and require the following line to be added to
<filename>/boot/loader.conf</filename>:</para>
<programlisting>if_ath_load="YES"</programlisting>
<para>The Atheros driver is split up into three separate
- pieces: the proper driver (&man.ath.4;), the hardware
- support layer that handles chip-specific functions
- (&man.ath.hal.4;), and an algorithm for selecting which of
- several possible rates for transmitting frames
- (ath_rate_sample here). When this support is loaded as
- kernel modules, these dependencies are automatically handled
- for you. If, instead of an Atheros device, you had another
- device you would select the module for that device;
- e.g.:</para>
+ pieces: the driver (&man.ath.4;), the hardware support
+ layer that handles chip-specific functions
+ (&man.ath.hal.4;), and an algorithm for selecting the
+ rate for transmitting frames. When this support is loaded
+ as kernel modules, any dependencies are automatically
+ handled. To load support for a different type of wireless
+ device, specify the module for that device. This example
+ is for devices based on the Intersil Prism parts
+ (&man.wi.4;) driver:</para>
<programlisting>if_wi_load="YES"</programlisting>
- <para>for devices based on the Intersil Prism parts
- (&man.wi.4; driver).</para>
-
<note>
- <para>In the rest of this document, we will use an
- &man.ath.4; device, the device name in the examples must
- be changed according to your configuration. A list of
+ <para>The examples in this section use an &man.ath.4;
+ device and the device name in the examples must be
+ changed according to the configuration. A list of
available wireless drivers and supported adapters can be
- found in the &os; Hardware Notes. Copies of these notes
- for various releases and architectures are available on
+ found in the &os; Hardware Notes, available on
the <ulink
url="http://www.FreeBSD.org/releases/index.html">Release
- Information</ulink> page of the &os; Web site. If a
- native &os; driver for your wireless device does not
- exist, it may be possible to directly use the &windows;
- driver with the help of the
- <link linkend="config-network-ndis">NDIS</link> driver
+ Information</ulink> page of the &os; website. If a
+ native &os; driver for the wireless device does not
+ exist, it may be possible to use the &windows; driver
+ with the help of the <link
+ linkend="config-network-ndis">NDIS</link> driver
wrapper.</para>
</note>
- <para>With that, you will need the modules that implement
- cryptographic support for the security protocols you intend
- to use. These are intended to be dynamically loaded on
- demand by the &man.wlan.4; module but for now they must be
- manually configured. The following modules are available:
- &man.wlan.wep.4;, &man.wlan.ccmp.4; and &man.wlan.tkip.4;.
- Both &man.wlan.ccmp.4; and &man.wlan.tkip.4; drivers are
- only needed if you intend to use the WPA and/or 802.11i
- security protocols. If your network does not use
- encryption, you will not need &man.wlan.wep.4; support. To
+ <para>In addition, the modules that implement cryptographic
+ support for the security protocols to use must be loaded.
+ These are intended to be dynamically loaded on demand by
+ the &man.wlan.4; module, but for now they must be manually
+ configured. The following modules are available:
+ &man.wlan.wep.4;, &man.wlan.ccmp.4;, and &man.wlan.tkip.4;.
+ The &man.wlan.ccmp.4; and &man.wlan.tkip.4; drivers are
+ only needed when using the <acronym>WPA</acronym> or
+ 802.11i security protocols. If the network does not use
+ encryption, &man.wlan.wep.4; support is not needed. To
load these modules at boot time, add the following lines to
<filename>/boot/loader.conf</filename>:</para>
@@ -884,17 +852,16 @@ route_net2="-net 192.168.1.0/24 192.168.1.1"</programlisting>
wlan_ccmp_load="YES"
wlan_tkip_load="YES"</programlisting>
- <para>With this information in the system bootstrap
- configuration file (i.e.,
- <filename>/boot/loader.conf</filename>), you have to reboot
- your &os; box. If you do not want to reboot your machine
- for the moment, you can load the modules by hand using
+ <para>Once this information has been added to
+ <filename>/boot/loader.conf</filename>, reboot the &os;
+ box. Alternately, load the modules by hand using
&man.kldload.8;.</para>
<note>
- <para>If you do not want to use modules, it is possible to
- compile these drivers into the kernel by adding the
- following lines to your kernel configuration file:</para>
+ <para>For users who do not want to use modules, it is
+ possible to compile these drivers into the kernel by
+ adding the following lines to a custom kernel
+ configuration file:</para>
<programlisting>device wlan # 802.11 support
device wlan_wep # 802.11 WEP support
@@ -907,13 +874,12 @@ options AH_SUPPORT_AR5416 # enable AR5416 tx/rx descriptors
device ath_rate_sample # SampleRate tx rate control for ath</programlisting>
<para>With this information in the kernel configuration
- file, recompile the kernel and reboot your &os;
+ file, recompile the kernel and reboot the &os;
machine.</para>
</note>
- <para>When the system is up, we could find some information
- about the wireless device in the boot messages, like
- this:</para>
+ <para>Information about the wireless device should appear
+ in the boot messages, like this:</para>
<screen>ath0: <Atheros 5212> mem 0x88000000-0x8800ffff irq 11 at device 0.0 on cardbus1
ath0: [ITHREAD]
@@ -924,12 +890,12 @@ ath0: AR2413 mac 7.9 RF2413 phy 4.5</screen>
<sect2>
<title>Infrastructure Mode</title>
- <para>The infrastructure mode or BSS mode is the mode that is
- typically used. In this mode, a number of wireless access
- points are connected to a wired network. Each wireless
- network has its own name, this name is called the SSID of the
- network. Wireless clients connect to the wireless access
- points.</para>
+ <para>Infrastructure (<acronym>BSS</acronym>) mode is the
+ mode that is typically used. In this mode, a number of
+ wireless access points are connected to a wired network.
+ Each wireless network has its own name, called the
+ <acronym>SSID</acronym>. Wireless clients connect to the
+ wireless access points.</para>
<sect3>
<title>&os; Clients</title>
@@ -937,12 +903,11 @@ ath0: AR2413 mac 7.9 RF2413 phy 4.5</screen>
<sect4>
<title>How to Find Access Points</title>
- <para>To scan for networks, use the
- <command>ifconfig</command> command. This request may
- take a few moments to complete as it requires that the
- system switches to each available wireless frequency and
- probes for available access points. Only the super-user
- can initiate such a scan:</para>
+ <para>To scan for available networks, use &man.ifconfig.8;.
+ This request may take a few moments to complete as it
+ requires the system to switch to each available wireless
+ frequency and probe for available access points. Only
+ the superuser can initiate a scan:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> create wlandev <replaceable>ath0</replaceable></userinput>
&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> up scan</userinput>
@@ -951,18 +916,20 @@ dlinkap 00:13:46:49:41:76 11 54M -90:96 100 EPS WPA WME
freebsdap 00:11:95:c3:0d:ac 1 54M -83:96 100 EPS WPA</screen>
<note>
- <para>You must mark the interface <option>up</option>
- before you can scan. Subsequent scan requests do not
- require you to mark the interface up again.</para>
+ <para>The interface must be <option>up</option> before
+ it can scan. Subsequent scan requests do not require
+ the interface to be marked as up again.</para>
</note>
- <para>The output of a scan request lists each BSS/IBSS
- network found. Beside the name of the network,
- <literal>SSID</literal>, we find the
- <literal>BSSID</literal> which is the MAC address of the
- access point. The <literal>CAPS</literal> field
- identifies the type of each network and the capabilities
- of the stations operating there:</para>
+ <para>The output of a scan request lists each
+ <acronym>BSS</acronym>/<acronym>IBSS</acronym> network
+ found. Besides listing the name of the network, the
+ <literal>SSID</literal>, the output also shows the
+ <literal>BSSID</literal>, which is the
+ <acronym>MAC</acronym> address of the access point. The
+ <literal>CAPS</literal> field identifies the type of
+ each network and the capabilities of the stations
+ operating there:</para>
<table frame="none" pgwide="0">
<title>Station Capability Codes</title>
@@ -978,35 +945,38 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -83:96 100 EPS WPA</screen>
<tbody>
<row>
<entry><literal>E</literal></entry>
- <entry>Extended Service Set (ESS). Indicates that
+ <entry>Extended Service Set
+ (<acronym>ESS</acronym>). Indicates that
the station is part of an infrastructure network
- (in contrast to an IBSS/ad-hoc network).</entry>
+ rather than an <acronym>IBSS</acronym>/ad-hoc
+ network.</entry>
</row>
<row>
<entry><literal>I</literal></entry>
- <entry>IBSS/ad-hoc network. Indicates that the
- station is part of an ad-hoc network (in contrast
- to an ESS network).</entry>
+ <entry><acronym>IBSS</acronym>/ad-hoc network.
+ Indicates that the station is part of an ad-hoc
+ network rather than an <acronym>ESS</acronym>
+ network.</entry>
</row>
<row>
<entry><literal>P</literal></entry>
- <entry>Privacy. Data confidentiality is required
- for all data frames exchanged within the BSS.
- This means that this BSS requires the station to
- use cryptographic means such as WEP, TKIP or
- AES-CCMP to encrypt/decrypt data frames being
- exchanged with others.</entry>
+ <entry>Privacy. Encryption is required for all
+ data frames exchanged within the
+ <acronym>BSS</acronym> using cryptographic means
+ such as <acronym>WEP</acronym>,
+ <acronym>TKIP</acronym> or
+ <acronym>AES</acronym>-<acronym>CCMP</acronym>.</entry>
</row>
<row>
<entry><literal>S</literal></entry>
<entry>Short Preamble. Indicates that the network
- is using short preambles (defined in 802.11b High
- Rate/DSSS PHY, short preamble utilizes a 56 bit
- sync field in contrast to a 128 bit field used in
- long preamble mode).</entry>
+ is using short preambles, defined in 802.11b High
+ Rate/DSSS PHY, and utilizes a 56 bit sync field
+ rather than the 128 bit field used in long
+ preamble mode.</entry>
</row>
<row>
@@ -1036,132 +1006,138 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -83:96 100 EPS WPA</screen>
<para>This section provides a simple example of how to make
the wireless network adapter work in &os; without
- encryption. After you are familiar with these concepts,
- we strongly recommend using
- <link linkend="network-wireless-wpa">WPA</link> to set up
- your wireless network.</para>
+ encryption. Once familiar with these concepts, it is
+ strongly recommend to use <link
+ linkend="network-wireless-wpa">WPA</link> to set up
+ the wireless network.</para>
<para>There are three basic steps to configure a wireless
- network: selecting an access point, authenticating your
- station, and configuring an IP address. The following
- sections discuss each step.</para>
+ network: select an access point, authenticate the
+ station, and configure an <acronym>IP</acronym> address.
+ The following sections discuss each step.</para>
<sect5>
<title>Selecting an Access Point</title>
- <para>Most of time it is sufficient to let the system
+ <para>Most of the time, it is sufficient to let the system
choose an access point using the builtin heuristics.
- This is the default behaviour when you mark an interface
- up or otherwise configure an interface by listing it in
- <filename>/etc/rc.conf</filename>, e.g.:</para>
+ This is the default behaviour when an interface is
+ marked as up or it is listed in
+ <filename>/etc/rc.conf</filename>:</para>
<programlisting>wlans_ath0="wlan0"
ifconfig_wlan0="DHCP"</programlisting>
- <para>If there are multiple access points and you want to
- select a specific one, you can select it by its
- SSID:</para>
+ <para>If there are multiple access points, a specific
+ one can be selected by its
+ <acronym>SSID</acronym>:</para>
<programlisting>wlans_ath0="wlan0"
ifconfig_wlan0="ssid <replaceable>your_ssid_here</replaceable> DHCP"</programlisting>
<para>In an environment where there are multiple access
- points with the same SSID (often done to simplify
- roaming) it may be necessary to associate to one
- specific device. In this case you can also specify the
- BSSID of the access point (you can also leave off the
- SSID):</para>
+ points with the same <acronym>SSID</acronym>, which
+ is often done to simplify roaming, it may be necessary
+ to associate to one specific device. In this case, the
+ <acronym>BSSID</acronym> of the access point can be
+ specified, with or without the
+ <acronym>SSID</acronym>:</para>
<programlisting>wlans_ath0="wlan0"
ifconfig_wlan0="ssid <replaceable>your_ssid_here</replaceable> bssid <replaceable>xx:xx:xx:xx:xx:xx</replaceable> DHCP"</programlisting>
<para>There are other ways to constrain the choice of an
- access point such as limiting the set of frequencies the
- system will scan on. This may be useful if you have a
+ access point, such as limiting the set of frequencies
+ the system will scan on. This may be useful for a
multi-band wireless card as scanning all the possible
channels can be time-consuming. To limit operation to a
- specific band you can use the <option>mode</option>
- parameter; e.g.:</para>
+ specific band, use the <option>mode</option>
+ parameter:</para>
<programlisting>wlans_ath0="wlan0"
ifconfig_wlan0="mode <replaceable>11g</replaceable> ssid <replaceable>your_ssid_here</replaceable> DHCP"</programlisting>
- <para>will force the card to operate in 802.11g which is
- defined only for 2.4GHz frequencies so any 5GHz channels
- will not be considered. Other ways to do this are the
- <option>channel</option> parameter, to lock operation to
- one specific frequency, and the
+ <para>This example will force the card to operate in
+ 802.11g, which is defined only for 2.4GHz frequencies
+ so any 5GHz channels will not be considered. This can
+ also be achieved with the
+ <option>channel</option> parameter, which locks
+ operation to one specific frequency, and the
<option>chanlist</option> parameter, to specify a list
of channels for scanning. More information about these
- parameters can be found in the &man.ifconfig.8; manual
- page.</para>
+ parameters can be found in &man.ifconfig.8;.</para>
</sect5>
<sect5>
<title>Authentication</title>
- <para>Once you have selected an access point your station
+ <para>Once an access point is selected, the station
needs to authenticate before it can pass data.
Authentication can happen in several ways. The most
- common scheme used is termed open authentication and
- allows any station to join the network and communicate.
- This is the authentication you should use for test
- purpose the first time you set up a wireless network.
- Other schemes require cryptographic handshakes be
- completed before data traffic can flow; either using
- pre-shared keys or secrets, or more complex schemes that
- involve backend services such as RADIUS. Most users
- will use open authentication which is the default
- setting. Next most common setup is WPA-PSK, also known
- as WPA Personal, which is described <link
- linkend="network-wireless-wpa-wpa-psk">below</link>.</para>
+ common scheme, open authentication, allows any station
+ to join the network and communicate. This is the
+ authentication to use for test purposes the first time
+ a wireless network is setup. Other schemes require
+ cryptographic handshakes to be completed before data
+ traffic can flow, either using pre-shared keys or
+ secrets, or more complex schemes that involve backend
+ services such as <acronym>RADIUS</acronym>. Open
+ authentication is the default setting. The next most
+ common setup is <acronym>WPA-PSK</acronym>, also
+ known as <acronym>WPA</acronym> Personal, which is
+ described in <xref
+ linkend="network-wireless-wpa-wpa-psk"/>.</para>
<note>
- <para>If you have an &apple; &airport; Extreme base
- station for an access point you may need to configure
- shared-key authentication together with a WEP key.
- This can be done in the
- <filename>/etc/rc.conf</filename> file or using the
- &man.wpa.supplicant.8; program. If you have a single
- &airport; base station you can setup access with
- something like:</para>
+ <para>If using an &apple; &airport; Extreme base
+ station for an access point, shared-key authentication
+ together with a <acronym>WEP</acronym> key needs to
+ be configured. This can be configured in
+ <filename>/etc/rc.conf</filename> or by using
+ &man.wpa.supplicant.8;. For a single &airport; base
+ station, access can be configured with:</para>
<programlisting>wlans_ath0="wlan0"
ifconfig_wlan0="authmode shared wepmode on weptxkey <replaceable>1</replaceable> wepkey <replaceable>01234567</replaceable> DHCP"</programlisting>
- <para>In general shared key authentication is to be
- avoided because it uses the WEP key material in a
- highly-constrained manner making it even easier to
- crack the key. If WEP must be used (e.g., for
- compatibility with legacy devices) it is better to use
- WEP with <literal>open</literal> authentication. More
- information regarding WEP can be found in the
- <xref linkend="network-wireless-wep"/>.</para>
+ <para>In general, shared key authentication should be
+ avoided because it uses the <acronym>WEP</acronym> key
+ material in a highly-constrained manner, making it
+ even easier to crack the key. If
+ <acronym>WEP</acronym> must be used for compatibility
+ with legacy devices, it is better to use
+ <acronym>WEP</acronym> with <literal>open</literal>
+ authentication. More information regarding
+ <acronym>WEP</acronym> can be found in <xref
+ linkend="network-wireless-wep"/>.</para>
</note>
</sect5>
<sect5>
- <title>Getting an IP Address with DHCP</title>
+ <title>Getting an <acronym>IP</acronym> Address with
+ <acronym>DHCP</acronym></title>
- <para>Once you have selected an access point and set the
- authentication parameters, you will have to get an IP
- address to communicate. Most of time you will obtain
- your wireless IP address via DHCP. To achieve that,
- edit <filename>/etc/rc.conf</filename> and add
- <literal>DHCP</literal> to the configuration for your
- device as shown in various examples above:</para>
+ <para>Once an access point is selected and the
+ authentication parameters are set, an
+ <acronym>IP</acronym> address must be obtained in
+ order to communicate. Most of the time, the
+ <acronym>IP</acronym> address is obtained via
+ <acronym>DHCP</acronym>. To achieve that, edit
+ <filename>/etc/rc.conf</filename> and add
+ <literal>DHCP</literal> to the configuration for the
+ device:</para>
<programlisting>wlans_ath0="wlan0"
ifconfig_wlan0="DHCP"</programlisting>
- <para>At this point, you are ready to bring up the
- wireless interface:</para>
+ <para>The
+ wireless interface is now ready to bring up:</para>
<screen>&prompt.root; <userinput>service netif start</userinput></screen>
- <para>Once the interface is running, use
- <command>ifconfig</command> to see the status of the
- interface <devicename>ath0</devicename>:</para>
+ <para>Once the interface is running, use &man.ifconfig.8;
+ to see the status of the interface
+ <devicename>ath0</devicename>:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable></userinput>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
@@ -1174,24 +1150,23 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7
roam:rate 5 protmode CTS wme burst</screen>
- <para>The <literal>status: associated</literal> means you
- are connected to the wireless network (to the
- <literal>dlinkap</literal> network in our case). The
- <literal>bssid 00:13:46:49:41:76</literal> part is the
- MAC address of your access point; the
- <literal>authmode OPEN</literal> part informs you that
- the communication is not encrypted.</para>
+ <para>The <literal>status: associated</literal> line means
+ that it is connected to the wireless network. The
+ <literal>bssid 00:13:46:49:41:76</literal> is the
+ <acronym>MAC</acronym> address of the access point and
+ <literal>authmode OPEN</literal> indicates that the
+ communication is not encrypted.</para>
</sect5>
<sect5>
- <title>Static IP Address</title>
+ <title>Static <acronym>IP</acronym> Address</title>
- <para>In the case you cannot obtain an IP address from a
- DHCP server, you can set a fixed IP address. Replace
- the <literal>DHCP</literal> keyword shown above with the
+ <para>In an <acronym>IP</acronym> address cannot be
+ obtained from a <acronym>DHCP</acronym> server, set a
+ fixed <acronym>IP</acronym> address. Replace the
+ <literal>DHCP</literal> keyword shown above with the
address information. Be sure to retain any other
- parameters you have set up for selecting an access
- point:</para>
+ parameters for selecting the access point:</para>
<programlisting>wlans_ath0="wlan0"
ifconfig_wlan0="inet <replaceable>192.168.1.100</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>your_ssid_here</replaceable>"</programlisting>
@@ -1199,80 +1174,92 @@ ifconfig_wlan0="inet <replaceable>192.168.1.100</replaceable> netmask <replaceab
</sect4>
<sect4 id="network-wireless-wpa">
- <title>WPA</title>
+ <title><acronym>WPA</acronym></title>
- <para>WPA (Wi-Fi Protected Access) is a security protocol
- used together with 802.11 networks to address the lack of
- proper authentication and the weakness of
- <link linkend="network-wireless-wep">WEP</link>. WPA
- leverages the 802.1X authentication protocol and uses one
- of several ciphers instead of WEP for data integrity. The
- only cipher required by WPA is TKIP (Temporary Key
- Integrity Protocol). TKIP is a cipher that extends the
- basic RC4 cipher used by WEP by adding integrity checking,
- tamper detection, and measures for responding to any
- detected intrusions. TKIP is designed to work on legacy
- hardware with only software modification; it represents a
- compromise that improves security but is still not
- entirely immune to attack. WPA also specifies the
- AES-CCMP cipher as an alternative to TKIP and that is
- preferred when possible; for this specification the term
- WPA2 (or RSN) is commonly used.</para>
+ <para>Wi-Fi Protected Access (<acronym>WPA</acronym>) is a
+ security protocol used together with 802.11 networks to
+ address the lack of proper authentication and the weakness
+ of <acronym>WEP</acronym>. WPA leverages the 802.1X
+ authentication protocol and uses one of several ciphers
+ instead of <acronym>WEP</acronym> for data integrity.
+ The only cipher required by <acronym>WPA</acronym> is the
+ Temporary Key Integrity Protocol
+ (<acronym>TKIP</acronym>). <acronym>TKIP</acronym> is a
+ cipher that extends the basic RC4 cipher used by
+ <acronym>WEP</acronym> by adding integrity checking,
+ tamper detection, and measures for responding to detected
+ intrusions. <acronym>TKIP</acronym> is designed to work
+ on legacy hardware with only software modification. It
+ represents a compromise that improves security but is
+ still not entirely immune to attack.
+ <acronym>WPA</acronym> also specifies the
+ <acronym>AES-CCMP</acronym> cipher as an alternative to
+ <acronym>TKIP</acronym>, and that is preferred when
+ possible. For this specification, the term
+ <acronym>WPA2</acronym> or <acronym>RSN</acronym> is
+ commonly used.</para>
- <para>WPA defines authentication and encryption protocols.
- Authentication is most commonly done using one of two
- techniques: by 802.1X and a backend authentication service
- such as RADIUS, or by a minimal handshake between the
- station and the access point using a pre-shared secret.
- The former is commonly termed WPA Enterprise with the
- latter known as WPA Personal. Since most people will not
- set up a RADIUS backend server for their wireless network,
- WPA-PSK is by far the most commonly encountered
- configuration for WPA.</para>
+ <para><acronym>WPA</acronym> defines authentication and
+ encryption protocols. Authentication is most commonly
+ done using one of two techniques: by 802.1X and a backend
+ authentication service such as <acronym>RADIUS</acronym>,
+ or by a minimal handshake between the station and the
+ access point using a pre-shared secret. The former is
+ commonly termed <acronym>WPA</acronym> Enterprise and the
+ latter is known as <acronym>WPA</acronym> Personal. Since
+ most people will not set up a <acronym>RADIUS</acronym>
+ backend server for their wireless network,
+ <acronym>WPA-PSK</acronym> is by far the most commonly
+ encountered configuration for
+ <acronym>WPA</acronym>.</para>
- <para>The control of the wireless connection and the
- authentication (key negotiation or authentication with a
- server) is done with the &man.wpa.supplicant.8; utility.
- This program requires a configuration file,
+ <para>The control of the wireless connection and the key
+ negotiation or authentication with a server is done using
+ &man.wpa.supplicant.8;. This program requires a
+ configuration file,
<filename>/etc/wpa_supplicant.conf</filename>, to run.
- More information regarding this file can be found in the
- &man.wpa.supplicant.conf.5; manual page.</para>
+ More information regarding this file can be found in
+ &man.wpa.supplicant.conf.5;.</para>
<sect5 id="network-wireless-wpa-wpa-psk">
- <title>WPA-PSK</title>
+ <title><acronym>WPA-PSK</acronym></title>
- <para>WPA-PSK, also known as WPA-Personal, is based on a
- pre-shared key (PSK) generated from a given password and
- that will be used as the master key in the wireless
- network. This means every wireless user will share the
- same key. WPA-PSK is intended for small networks where
- the use of an authentication server is not possible or
- desired.</para>
+ <para><acronym>WPA-PSK</acronym>, also known as
+ <acronym>WPA</acronym> Personal, is based on a
+ pre-shared key (<acronym>PSK</acronym>) which is
+ generated from a given password and used as the master
+ key in the wireless network. This means every wireless
+ user will share the same key.
+ <acronym>WPA-PSK</acronym> is intended for small
+ networks where the use of an authentication server is
+ not possible or desired.</para>
<warning>
- <para>Always use strong passwords that are
- sufficiently long and made from a rich alphabet so
- they will not be guessed and/or attacked.</para>
+ <para>Always use strong passwords that are sufficiently
+ long and made from a rich alphabet so that they will
+ not be easily guessed or attacked.</para>
</warning>
- <para>The first step is the configuration of the
- <filename>/etc/wpa_supplicant.conf</filename> file with
- the SSID and the pre-shared key of your network:</para>
+ <para>The first step is the configuration of
+ <filename>/etc/wpa_supplicant.conf</filename> with
+ the <acronym>SSID</acronym> and the pre-shared key of
+ the network:</para>
<programlisting>network={
ssid="freebsdap"
psk="freebsdmall"
}</programlisting>
- <para>Then, in <filename>/etc/rc.conf</filename>, we
+ <para>Then, in <filename>/etc/rc.conf</filename>,
indicate that the wireless device configuration will be
- done with WPA and the IP address will be obtained with
- DHCP:</para>
+ done with <acronym>WPA</acronym> and the
+ <acronym>IP</acronym> address will be obtained with
+ <acronym>DHCP</acronym>:</para>
<programlisting>wlans_ath0="wlan0"
ifconfig_wlan0="WPA DHCP"</programlisting>
- <para>Then we can bring up the interface:</para>
+ <para>Then, bring up the interface:</para>
<screen>&prompt.root; <userinput>service netif start</userinput>
Starting wpa_supplicant.
@@ -1293,10 +1280,9 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL</screen>
- <para>Or you can try to configure it manually using the
- same <filename>/etc/wpa_supplicant.conf</filename> <link
- linkend="network-wireless-wpa-wpa-psk">above</link>, and
- run:</para>
+ <para>Or, try to configure the interface manually using
+ the information in
+ <filename>/etc/wpa_supplicant.conf</filename>:</para>
<screen>&prompt.root; <userinput>wpa_supplicant -i <replaceable>wlan0</replaceable> -c /etc/wpa_supplicant.conf</userinput>
Trying to associate with 00:11:95:c3:0d:ac (SSID='freebsdap' freq=2412 MHz)
@@ -1304,9 +1290,9 @@ Associated with 00:11:95:c3:0d:ac
WPA: Key negotiation completed with 00:11:95:c3:0d:ac [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:11:95:c3:0d:ac completed (auth) [id=0 id_str=]</screen>
- <para>The next operation is the launch of the
- <command>dhclient</command> command to get the IP
- address from the DHCP server:</para>
+ <para>The next operation is to launch &man.dhclient.8;
+ to get the <acronym>IP</acronym> address from the
+ <acronym>DHCP</acronym> server:</para>
<screen>&prompt.root; <userinput>dhclient <replaceable>wlan0</replaceable></userinput>
DHCPREQUEST on wlan0 to 255.255.255.255 port 67
@@ -1326,17 +1312,15 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
<note>
<para>If <filename>/etc/rc.conf</filename> has an
- <literal>ifconfig_wlan0</literal> entry with the
- <literal>DHCP</literal> string (like
- <literal>ifconfig_wlan0="DHCP"</literal>),
- <command>dhclient</command> will be launched
- automatically after <command>wpa_supplicant</command>
- associates with the access point.</para>
+ <literal>ifconfig_wlan0="DHCP"</literal> entry,
+ &man.dhclient.8; will be launched automatically after
+ &man.wpa.supplicant.8; associates with the access
+ point.</para>
</note>
- <para>If DHCP is not possible or desired,
- you can set a static IP address after
- <command>wpa_supplicant</command> has authenticated the
+ <para>If <acronym>DHCP</acronym> is not possible or
+ desired, set a static <acronym>IP</acronym> address
+ after &man.wpa.supplicant.8; has authenticated the
station:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> inet <replaceable>192.168.0.100</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput>
@@ -1352,43 +1336,51 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL</screen>
- <para>When DHCP is not used, you also have to manually set
- the default gateway and the nameserver:</para>
+ <para>When <acronym>DHCP</acronym> is not used, the
+ default gateway and the nameserver also have to be
+ manually set:</para>
<screen>&prompt.root; <userinput>route add default <replaceable>your_default_router</replaceable></userinput>
&prompt.root; <userinput>echo "nameserver <replaceable>your_DNS_server</replaceable>" >> /etc/resolv.conf</userinput></screen>
</sect5>
<sect5 id="network-wireless-wpa-eap-tls">
- <title>WPA with EAP-TLS</title>
+ <title><acronym>WPA</acronym> with
+ <acronym>EAP-TLS</acronym></title>
- <para>The second way to use WPA is with an 802.1X backend
- authentication server. In this case WPA is called
- WPA-Enterprise to differentiate it from the less secure
- WPA-Personal with its pre-shared key.
- Authentication in WPA-Enterprise is based on the
- Extensible Authentication Protocol (EAP).</para>
+ <para>The second way to use <acronym>WPA</acronym> is with
+ an 802.1X backend authentication server. In this case,
+ <acronym>WPA</acronym> is called
+ <acronym>WPA</acronym> Enterprise to differentiate it
+ from the less secure <acronym>WPA</acronym> Personal.
+ Authentication in <acronym>WPA</acronym> Enterprise is
+ based on the Extensible Authentication Protocol
+ (<acronym>EAP</acronym>).</para>
- <para>EAP does not come with an encryption method.
- Instead, it was decided to embed EAP inside an encrypted
- tunnel. There are many EAP authentication methods, but
- EAP-TLS, EAP-TTLS, and EAP-PEAP are the most
+ <para><acronym>EAP</acronym> does not come with an
+ encryption method. Instead, <acronym>EAP</acronym> is
+ embedded inside an encrypted tunnel. There are many
+ <acronym>EAP</acronym> authentication methods, but
+ <acronym>EAP-TLS</acronym>, <acronym>EAP-TTLS</acronym>,
+ and <acronym>EAP-PEAP</acronym> are the most
common.</para>
- <para>EAP-TLS (EAP with Transport Layer Security) is a
- very well-supported authentication protocol in the
- wireless world since it was the first EAP method to be
- certified by the <ulink
- url="http://www.wi-fi.org/">Wi-Fi alliance</ulink>.
- EAP-TLS will require three certificates to run: the CA
- certificate (installed on all machines), the server
- certificate for your authentication server, and one
- client certificate for each wireless client. In this
- EAP method, both authentication server and wireless
- client authenticate each other in presenting their
- respective certificates, and they verify that these
- certificates were signed by your organization's
- certificate authority (CA).</para>
+ <para>EAP with Transport Layer Security
+ (<acronym>EAP-TLS</acronym>) is a well-supported
+ wireless authentication protocol since it was the
+ first <acronym>EAP</acronym> method to be certified
+ by the <ulink
+ url="http://www.wi-fi.org/">Wi-Fi alliance</ulink>.
+ <acronym>EAP-TLS</acronym> requires three certificates
+ to run: the certificate of the Certificate Authority
+ (<acronym>CA</acronym>) installed on all machines, the
+ server certificate for the authentication server, and
+ one client certificate for each wireless client. In
+ this <acronym>EAP</acronym> method, both the
+ authentication server and wireless client authenticate
+ each other by presenting their respective certificates,
+ and then verify that these certificates were signed by
+ the organization's <acronym>CA</acronym>.</para>
<para>As previously, the configuration is done via
<filename>/etc/wpa_supplicant.conf</filename>:</para>
@@ -1408,35 +1400,38 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
<calloutlist>
<callout arearefs="co-tls-ssid">
<para>This field indicates the network name
- (SSID).</para>
+ (<acronym>SSID</acronym>).</para>
</callout>
<callout arearefs="co-tls-proto">
- <para>Here, we use RSN (&ieee; 802.11i) protocol,
- i.e., WPA2.</para>
+ <para>This example uses the <acronym>RSN</acronym>
+ &ieee; 802.11i protocol, also known as
+ <acronym>WPA2</acronym>.</para>
</callout>
<callout arearefs="co-tls-kmgmt">
<para>The <literal>key_mgmt</literal> line refers to
- the key management protocol we use. In our case it
- is WPA using EAP authentication:
- <literal>WPA-EAP</literal>.</para>
+ the key management protocol to use. In this
+ example, it is <acronym>WPA</acronym> using
+ <acronym>EAP</acronym> authentication.</para>
</callout>
<callout arearefs="co-tls-eap">
- <para>In this field, we mention the EAP method for our
- connection.</para>
+ <para>This field indicates the <acronym>EAP</acronym>
+ method for the connection.</para>
</callout>
<callout arearefs="co-tls-id">
<para>The <literal>identity</literal> field contains
- the identity string for EAP.</para>
+ the identity string for
+ <acronym>EAP</acronym>.</para>
</callout>
<callout arearefs="co-tls-cacert">
<para>The <literal>ca_cert</literal> field indicates
- the pathname of the CA certificate file. This file
- is needed to verify the server certificate.</para>
+ the pathname of the <acronym>CA</acronym>
+ certificate file. This file is needed to verify
+ the server certificate.</para>
</callout>
<callout arearefs="co-tls-clientcert">
@@ -1458,7 +1453,7 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
</callout>
</calloutlist>
- <para>Then add the following lines to
+ <para>Then, add the following lines to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>wlans_ath0="wlan0"
@@ -1483,28 +1478,27 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL</screen>
- <para>As previously shown, it is also possible to bring up
- the interface manually with both
- <command>wpa_supplicant</command> and
- <command>ifconfig</command> commands.</para>
+ <para>It is also possible to bring up the interface
+ manually using &man.wpa.supplicant.8; and
+ &man.ifconfig.8;.</para>
</sect5>
<sect5 id="network-wireless-wpa-eap-ttls">
- <title>WPA with EAP-TTLS</title>
+ <title><acronym>WPA</acronym> with
+ <acronym>EAP-TTLS</acronym></title>
- <para>With EAP-TLS both the authentication server and the
- client need a certificate, with EAP-TTLS (EAP-Tunneled
- Transport Layer Security) a client certificate is
- optional. This method is close to what some secure web
- sites do , where the web server can create a secure SSL
- tunnel even if the visitors do not have client-side
- certificates. EAP-TTLS will use the encrypted TLS
- tunnel for safe transport of the authentication
- data.</para>
+ <para>With <acronym>EAP-TTLS</acronym>, both the
+ authentication server and the client need a certificate.
+ With <acronym>EAP-TTLS</acronym>, a client certificate
+ is optional. This method is similar to a web server
+ which creates a secure <acronym>SSL</acronym> tunnel
+ even if visitors do not have client-side certificates.
+ <acronym>EAP-TTLS</acronym> uses an encrypted
+ <acronym>TLS</acronym> tunnel for safe transport of
+ the authentication data.</para>
- <para>The configuration is done via the
- <filename>/etc/wpa_supplicant.conf</filename>
- file:</para>
+ <para>The required configuration can be added to
+ <filename>/etc/wpa_supplicant.conf</filename>:</para>
<programlisting>network={
ssid="freebsdap"
@@ -1519,37 +1513,41 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
<calloutlist>
<callout arearefs="co-ttls-eap">
- <para>In this field, we mention the EAP method for our
- connection.</para>
+ <para>This field specifies the <acronym>EAP</acronym>
+ method for the connection.</para>
</callout>
<callout arearefs="co-ttls-id">
<para>The <literal>identity</literal> field contains
- the identity string for EAP authentication inside
- the encrypted TLS tunnel.</para>
+ the identity string for <acronym>EAP</acronym>
+ authentication inside the encrypted
+ <acronym>TLS</acronym> tunnel.</para>
</callout>
<callout arearefs="co-ttls-passwd">
<para>The <literal>password</literal> field contains
- the passphrase for the EAP authentication.</para>
+ the passphrase for the <acronym>EAP</acronym>
+ authentication.</para>
</callout>
<callout arearefs="co-ttls-cacert">
<para>The <literal>ca_cert</literal> field indicates
- the pathname of the CA certificate file. This file
- is needed to verify the server certificate.</para>
+ the pathname of the <acronym>CA</acronym>
+ certificate file. This file is needed to verify
+ the server certificate.</para>
</callout>
<callout arearefs="co-ttls-pha2">
- <para>In this field, we mention the authentication
- method used in the encrypted TLS tunnel. In our
- case, EAP with MD5-Challenge has been used. The
- <quote>inner authentication</quote> phase is often
- called <quote>phase2</quote>.</para>
+ <para>This field specifies the authentication
+ method used in the encrypted <acronym>TLS</acronym>
+ tunnel. In this example,
+ <acronym>EAP</acronym> with MD5-Challenge is used.
+ The <quote>inner authentication</quote> phase is
+ often called <quote>phase2</quote>.</para>
</callout>
</calloutlist>
- <para>You also have to add the following lines to
+ <para>Next, add the following lines to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>wlans_ath0="wlan0"
@@ -1577,34 +1575,42 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
</sect5>
<sect5 id="network-wireless-wpa-eap-peap">
- <title>WPA with EAP-PEAP</title>
+ <title><acronym>WPA</acronym> with
+ <acronym>EAP-PEAP</acronym></title>
<note>
- <para>PEAPv0/EAP-MSCHAPv2 is the most common PEAP
- method. In the rest of this document, we will use the
- PEAP term to refer to that method.</para>
+ <para><acronym>PEAPv0/EAP-MSCHAPv2</acronym> is the most
+ common <acronym>PEAP</acronym> method. In this
+ chapter, the term <acronym>PEAP</acronym> is used to
+ refer to that method.</para>
</note>
- <para>PEAP (Protected EAP) has been designed as an
- alternative to EAP-TTLS, and is the most used EAP
- standard after EAP-TLS. In other words, if you have a
- network with mixed OSes, PEAP should be the most
- supported standard after EAP-TLS.</para>
+ <para>Protected EAP (<acronym>PEAP</acronym>) is designed
+ as an alternative to <acronym>EAP-TTLS</acronym> and
+ is the most used <acronym>EAP</acronym> standard after
+ <acronym>EAP-TLS</acronym>. In a network with mixed
+ operating systems, <acronym>PEAP</acronym> should be
+ the most supported standard after
+ <acronym>EAP-TLS</acronym>.</para>
- <para>PEAP is similar to EAP-TTLS: it uses a server-side
+ <para><acronym>PEAP</acronym> is similar to
+ <acronym>EAP-TTLS</acronym> as it uses a server-side
certificate to authenticate clients by creating an
- encrypted TLS tunnel between the client and the
- authentication server, which protects the ensuing
- exchange of authentication information. In terms of
- security, the difference between EAP-TTLS and PEAP is
- that PEAP authentication broadcasts the username in the
- clear, with only the password sent in the encrypted TLS
- tunnel. EAP-TTLS will use the TLS tunnel for both
- username and password.</para>
+ encrypted <acronym>TLS</acronym> tunnel between the
+ client and the authentication server, which protects
+ the ensuing exchange of authentication information.
+ <acronym>PEAP</acronym> authentication differs from
+ <acronym>EAP-TTLS</acronym> as it broadcasts the
+ username in the clear and only the password is sent
+ in the encrypted <acronym>TLS</acronym> tunnel.
+ <acronym>EAP-TTLS</acronym> will use the
+ <acronym>TLS</acronym> tunnel for both the username
+ and password.</para>
- <para>We have to edit the
- <filename>/etc/wpa_supplicant.conf</filename> file and
- add the EAP-PEAP related settings:</para>
+ <para>Add the following lines to
+ <filename>/etc/wpa_supplicant.conf</filename> to
+ configure the <acronym>EAP-PEAP</acronym> related
+ settings:</para>
<programlisting>network={
ssid="freebsdap"
@@ -1620,54 +1626,58 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
<calloutlist>
<callout arearefs="co-peap-eap">
- <para>In this field, we mention the EAP method for our
- connection.</para>
+ <para>This field specifies the <acronym>EAP</acronym>
+ method for the connection.</para>
</callout>
<callout arearefs="co-peap-id">
<para>The <literal>identity</literal> field contains
- the identity string for EAP authentication inside
- the encrypted TLS tunnel.</para>
+ the identity string for <acronym>EAP</acronym>
+ authentication inside the encrypted
+ <acronym>TLS</acronym> tunnel.</para>
</callout>
<callout arearefs="co-peap-passwd">
<para>The <literal>password</literal> field contains
- the passphrase for the EAP authentication.</para>
+ the passphrase for the <acronym>EAP</acronym>
+ authentication.</para>
</callout>
<callout arearefs="co-peap-cacert">
<para>The <literal>ca_cert</literal> field indicates
- the pathname of the CA certificate file. This file
- is needed to verify the server certificate.</para>
+ the pathname of the <acronym>CA</acronym>
+ certificate file. This file is needed to verify
+ the server certificate.</para>
</callout>
<callout arearefs="co-peap-pha1">
<para>This field contains the parameters for the
- first phase of authentication (the TLS tunnel).
- According to the authentication server used, you
- will have to specify a specific label for
- authentication. Most of the time, the label will be
- <quote>client EAP encryption</quote> which is set by
- using <literal>peaplabel=0</literal>. More
- information can be found in the
- &man.wpa.supplicant.conf.5; manual page.</para>
+ first phase of authentication, the
+ <acronym>TLS</acronym> tunnel. According to the
+ authentication server used, specify a specific
+ label for authentication. Most of the time, the
+ label will be <quote>client <acronym>EAP</acronym>
+ encryption</quote> which is set by using
+ <literal>peaplabel=0</literal>. More information
+ can be found in &man.wpa.supplicant.conf.5;.</para>
</callout>
<callout arearefs="co-peap-pha2">
- <para>In this field, we mention the authentication
- protocol used in the encrypted TLS tunnel. In the
- case of PEAP, it is
+ <para>This field specifies the authentication
+ protocol used in the encrypted
+ <acronym>TLS</acronym> tunnel. In the
+ case of <acronym>PEAP</acronym>, it is
<literal>auth=MSCHAPV2</literal>.</para>
</callout>
</calloutlist>
- <para>The following must be added to
+ <para>Add the following to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>wlans_ath0="wlan0"
ifconfig_wlan0="WPA DHCP"</programlisting>
- <para>Then we can bring up the interface:</para>
+ <para>Then, bring up the interface:</para>
<screen>&prompt.root; <userinput>service netif start</userinput>
Starting wpa_supplicant.
@@ -1690,15 +1700,15 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
</sect4>
<sect4 id="network-wireless-wep">
- <title>WEP</title>
+ <title><acronym>WEP</acronym></title>
- <para>WEP (Wired Equivalent Privacy) is part of the original
- 802.11 standard. There is no authentication mechanism,
- only a weak form of access control, and it is easily
- cracked.</para>
+ <para>Wired Equivalent Privacy (<acronym>WEP</acronym>) is
+ part of the original 802.11 standard. There is no
+ authentication mechanism, only a weak form of access
+ control which is easily cracked.</para>
- <para>WEP can be set up with
- <command>ifconfig</command>:</para>
+ <para><acronym>WEP</acronym> can be set up using
+ &man.ifconfig.8;:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> create wlandev <replaceable>ath0</replaceable></userinput>
&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> inet <replaceable>192.168.1.100</replaceable> netmask <replaceable>255.255.255.0</replaceable> \
@@ -1707,38 +1717,38 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
<itemizedlist>
<listitem>
- <para>The <literal>weptxkey</literal> means which WEP
- key will be used in the transmission. Here we used
- the third key. This must match the setting in the
- access point. If you do not have any idea of which
- key is used by the access point, try
- <literal>1</literal> (i.e., the first key) for this
+ <para>The <literal>weptxkey</literal> specifies which
+ <acronym>WEP</acronym> key will be used in the
+ transmission. This example uses the third key.
+ This must match the setting on the access point.
+ When unsure which key is used by the access point,
+ try <literal>1</literal> (the first key) for this
value.</para>
</listitem>
<listitem>
<para>The <literal>wepkey</literal> selects one of the
- WEP keys. It should be in the format
- <replaceable>index:key</replaceable>. Key
+ <acronym>WEP</acronym> keys. It should be in the
+ format <replaceable>index:key</replaceable>. Key
<literal>1</literal> is used by default; the index
- only needs to be set if we use a key other
- than the first key.</para>
+ only needs to be set when using a key other than the
+ first key.</para>
<note>
- <para>You must replace the
- <literal>0x3456789012</literal> with the key
- configured for use on the access point.</para>
+ <para>Replace the <literal>0x3456789012</literal>
+ with the key configured for use on the access
+ point.</para>
</note>
</listitem>
</itemizedlist>
- <para>You are encouraged to read the &man.ifconfig.8; manual
- page for further information.</para>
+ <para>Refer to &man.ifconfig.8; for further
+ information.</para>
- <para>The <command>wpa_supplicant</command> facility also
- can be used to configure your wireless interface with WEP.
- The example above can be set up by adding the following
- lines to
+ <para>The &man.wpa.supplicant.8; facility can be used to
+ configure a wireless interface with
+ <acronym>WEP</acronym>. The example above can be set up
+ by adding the following lines to
<filename>/etc/wpa_supplicant.conf</filename>:</para>
<programlisting>network={
@@ -1760,13 +1770,14 @@ Associated with 00:13:46:49:41:76</screen>
<sect2>
<title>Ad-hoc Mode</title>
- <para>IBSS mode, also called ad-hoc mode, is designed for point
- to point connections. For example, to establish an ad-hoc
- network between the machine <hostid>A</hostid> and the machine
- <hostid>B</hostid>, we will just need to choose two IP
- addresses and a SSID.</para>
+ <para><acronym>IBSS</acronym> mode, also called ad-hoc mode, is
+ designed for point to point connections. For example, to
+ establish an ad-hoc network between the machines
+ <hostid>A</hostid> and <hostid>B</hostid>, choose two
+ <acronym>IP</acronym> addresses and a
+ <acronym>SSID</acronym>.</para>
- <para>On the box <hostid>A</hostid>:</para>
+ <para>On <hostid>A</hostid>:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> create wlandev <replaceable>ath0</replaceable> wlanmode adhoc</userinput>
&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>freebsdap</replaceable></userinput>
@@ -1780,10 +1791,10 @@ Associated with 00:13:46:49:41:76</screen>
country US ecm authmode OPEN privacy OFF txpower 21.5 scanvalid 60
protmode CTS wme burst</screen>
- <para>The <literal>adhoc</literal> parameter indicates the
- interface is running in the IBSS mode.</para>
+ <para>The <literal>adhoc</literal> parameter indicates that the
+ interface is running in <acronym>IBSS</acronym> mode.</para>
- <para>On <hostid>B</hostid>, we should be able to detect
+ <para><hostid>B</hostid> should now be able to detect
<hostid>A</hostid>:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> create wlandev <replaceable>ath0</replaceable> wlanmode adhoc</userinput>
@@ -1791,9 +1802,9 @@ Associated with 00:13:46:49:41:76</screen>
SSID/MESH ID BSSID CHAN RATE S:N INT CAPS
freebsdap 02:11:95:c3:0d:ac 2 54M -64:-96 100 IS WME</screen>
- <para>The <literal>I</literal> in the output confirms the
- machine <hostid>A</hostid> is in ad-hoc mode. We just have to
- configure <hostid>B</hostid> with a different IP
+ <para>The <literal>I</literal> in the output confirms that
+ <hostid>A</hostid> is in ad-hoc mode. Now, configure
+ <hostid>B</hostid> with a different <acronym>IP</acronym>
address:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> inet <replaceable>192.168.0.2</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>freebsdap</replaceable></userinput>
@@ -1814,42 +1825,46 @@ Associated with 00:13:46:49:41:76</screen>
<sect2 id="network-wireless-ap">
<title>&os; Host Access Points</title>
- <para>&os; can act as an Access Point (AP) which eliminates the
- need to buy a hardware AP or run an ad-hoc network. This can
- be particularly useful when your &os; machine is acting as a
- gateway to another network (e.g., the Internet).</para>
+ <para>&os; can act as an Access Point (<acronym>AP</acronym>)
+ which eliminates the need to buy a hardware
+ <acronym>AP</acronym> or run an ad-hoc network. This can
+ be particularly useful when a &os; machine is acting as a
+ gateway to another network such as the Internet.</para>
<sect3 id="network-wireless-ap-basic">
<title>Basic Settings</title>
- <para>Before configuring your &os; machine as an AP, the
- kernel must be configured with the appropriate wireless
- networking support for your wireless card. You also have to
- add support for the security protocols you intend to
- use. For more details, see
- <xref linkend="network-wireless-basic"/>.</para>
+ <para>Before configuring a &os; machine as an
+ <acronym>AP</acronym>, the kernel must be configured with
+ the appropriate networking support for the wireless card
+ as well as the security protocols being used. For more
+ details, see <xref
+ linkend="network-wireless-basic"/>.</para>
<note>
- <para>The use of the NDIS driver wrapper and the &windows;
- drivers do not currently allow AP operation. Only native
- &os; wireless drivers support AP mode.</para>
+ <para>The <acronym>NDIS</acronym> driver wrapper for
+ &windows; drivers does not currently support
+ <acronym>AP</acronym> operation. Only native &os;
+ wireless drivers support <acronym>AP</acronym>
+ mode.</para>
</note>
- <para>Once wireless networking support is loaded, you can
- check if your wireless device supports the host-based access
- point mode (also known as hostap mode):</para>
+ <para>Once wireless networking support is loaded, check if
+ the wireless device supports the host-based access point
+ mode, also known as hostap mode:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> create wlandev <replaceable>ath0</replaceable></userinput>
&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> list caps</userinput>
drivercaps=6f85edc1<STA,FF,TURBOP,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,MBSS,WPA1,WPA2,BURST,WME,WDS,BGSCAN,TXFRAG>
cryptocaps=1f<WEP,TKIP,AES,AES_CCM,TKIPMIC></screen>
- <para>This output displays the card capabilities; the
- <literal>HOSTAP</literal> word confirms this wireless card
- can act as an Access Point. Various supported ciphers are
- also mentioned: WEP, TKIP, AES, etc. This information
- is important to know what security protocols can be used
- on the Access Point.</para>
+ <para>This output displays the card's capabilities. The
+ <literal>HOSTAP</literal> word confirms that this wireless
+ card can act as an <acronym>AP</acronym>. Various supported
+ ciphers are also listed: <acronym>WEP</acronym>,
+ <acronym>TKIP</acronym>, and <acronym>AES</acronym>. This
+ information indicates which security protocols can be used
+ on the <acronym>AP</acronym>.</para>
<para>The wireless device can only be put into hostap mode
during the creation of the network pseudo-device, so a
@@ -1863,8 +1878,8 @@ cryptocaps=1f<WEP,TKIP,AES,AES_CCM,TKIPMIC></screen>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> create wlandev <replaceable>ath0</replaceable> wlanmode hostap</userinput>
&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>freebsdap</replaceable> mode 11g channel 1</userinput></screen>
- <para>Use <command>ifconfig</command> again to see the status
- of the <devicename>wlan0</devicename> interface:</para>
+ <para>Use &man.ifconfig.8; again to see the status of the
+ <devicename>wlan0</devicename> interface:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable></userinput>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
@@ -1893,22 +1908,23 @@ ifconfig_wlan0="inet <replaceable>192.168.0.1</replaceable> netmask <replaceable
<title>Host-based Access Point Without Authentication or
Encryption</title>
- <para>Although it is not recommended to run an AP without any
- authentication or encryption, this is a simple way to check
- if your AP is working. This configuration is also important
- for debugging client issues.</para>
+ <para>Although it is not recommended to run an
+ <acronym>AP</acronym> without any authentication or
+ encryption, this is a simple way to check if the
+ <acronym>AP</acronym> is working. This configuration is
+ also important for debugging client issues.</para>
- <para>Once the AP configured as previously shown, it is
- possible from another wireless machine to initiate a scan to
- find the AP:</para>
+ <para>Once the <acronym>AP</acronym> is configured, initiate
+ a scan from another wireless machine to find the
+ <acronym>AP</acronym>:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> create wlandev <replaceable>ath0</replaceable></userinput>
&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> up scan</userinput>
SSID/MESH ID BSSID CHAN RATE S:N INT CAPS
freebsdap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME</screen>
- <para>The client machine found the Access Point and can be
- associated with it:</para>
+ <para>The client machine found the <acronym>AP</acronym> and
+ can be associated with it:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> inet <replaceable>192.168.0.2</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>freebsdap</replaceable></userinput>
&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable></userinput>
@@ -1924,39 +1940,42 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME</screen>
</sect3>
<sect3>
- <title>WPA Host-based Access Point</title>
+ <title><acronym>WPA</acronym> Host-based Access Point</title>
- <para>This section will focus on setting up &os; Access Point
- using the WPA security protocol. More details regarding WPA
- and the configuration of WPA-based wireless clients can be
- found in the <xref linkend="network-wireless-wpa"/>.</para>
+ <para>This section focuses on setting up a &os;
+ <acronym>AP</acronym> using the <acronym>WPA</acronym>
+ security protocol. More details regarding
+ <acronym>WPA</acronym> and the configuration of
+ <acronym>WPA</acronym>-based
+ wireless clients can be found in <xref
+ linkend="network-wireless-wpa"/>.</para>
- <para>The <application>hostapd</application> daemon is used to
- deal with client authentication and keys management on the
- WPA enabled Access Point.</para>
+ <para>The &man.hostapd.8; daemon is used to deal with client
+ authentication and key management on the
+ <acronym>WPA</acronym>-enabled <acronym>AP</acronym>.</para>
- <para>In the following, all the configuration operations will
- be performed on the &os; machine acting as AP. Once the
- AP is correctly working, <application>hostapd</application>
- should be automatically enabled at boot with the following
- line in <filename>/etc/rc.conf</filename>:</para>
+ <para>The following configuration operations are performed
+ on the &os; machine acting as the <acronym>AP</acronym>.
+ Once the <acronym>AP</acronym> is correctly working,
+ &man.hostapd.8; should be automatically enabled at boot
+ with the following line in
+ <filename>/etc/rc.conf</filename>:</para>
<programlisting>hostapd_enable="YES"</programlisting>
- <para>Before trying to configure
- <application>hostapd</application>, be sure you have done
- the basic settings introduced in the
- <xref linkend="network-wireless-ap-basic"/>.</para>
+ <para>Before trying to configure &man.hostapd.8;, first
+ configure the basic settings introduced in <xref
+ linkend="network-wireless-ap-basic"/>.</para>
<sect4>
- <title>WPA-PSK</title>
+ <title><acronym>WPA-PSK</acronym></title>
- <para>WPA-PSK is intended for small networks where the use
- of an backend authentication server is not possible or
- desired.</para>
+ <para><acronym>WPA-PSK</acronym> is intended for small
+ networks where the use of a backend authentication server
+ is not possible or desired.</para>
- <para>The configuration is done in the
- <filename>/etc/hostapd.conf</filename> file:</para>
+ <para>The configuration is done in
+ <filename>/etc/hostapd.conf</filename>:</para>
<programlisting>interface=wlan0 <co id="co-ap-wpapsk-iface"/>
debug=1 <co id="co-ap-wpapsk-dbug"/>
@@ -1971,30 +1990,28 @@ wpa_pairwise=CCMP TKIP <co id="co-ap-wpapsk-pwise"/></programlisting>
<calloutlist>
<callout arearefs="co-ap-wpapsk-iface">
<para>This field indicates the wireless interface used
- for the Access Point.</para>
+ for the <acronym>AP</acronym>.</para>
</callout>
<callout arearefs="co-ap-wpapsk-dbug">
<para>This field sets the level of verbosity during the
- execution of <application>hostapd</application>. A
- value of <literal>1</literal> represents the minimal
+ execution of &man.hostapd.8;. A value of
+ <literal>1</literal> represents the minimal
level.</para>
</callout>
<callout arearefs="co-ap-wpapsk-ciface">
<para>The <literal>ctrl_interface</literal> field gives
- the pathname of the directory used by
- <application>hostapd</application> to stores its
- domain socket files for the communication with
- external programs such as &man.hostapd.cli.8;. The
- default value is used here.</para>
+ the pathname of the directory used by &man.hostapd.8;
+ to store its domain socket files for the communication
+ with external programs such as &man.hostapd.cli.8;.
+ The default value is used in this example.</para>
</callout>
<callout arearefs="co-ap-wpapsk-cifacegrp">
<para>The <literal>ctrl_interface_group</literal> line
- sets the group (here, it is the
- <groupname>wheel</groupname> group) allowed to access
- to the control interface files.</para>
+ sets the group which is allowed to access the control
+ interface files.</para>
</callout>
<callout arearefs="co-ap-wpapsk-ssid">
@@ -2002,43 +2019,49 @@ wpa_pairwise=CCMP TKIP <co id="co-ap-wpapsk-pwise"/></programlisting>
</callout>
<callout arearefs="co-ap-wpapsk-wpa">
- <para>The <literal>wpa</literal> field enables WPA and
- specifies which WPA authentication protocol will be
- required. A value of <literal>1</literal> configures
- the AP for WPA-PSK.</para>
+ <para>The <literal>wpa</literal> field enables
+ <acronym>WPA</acronym> and specifies which
+ <acronym>WPA</acronym> authentication protocol will
+ be required. A value of <literal>1</literal>
+ configures the <acronym>AP</acronym> for
+ <acronym>WPA-PSK</acronym>.</para>
</callout>
<callout arearefs="co-ap-wpapsk-pass">
<para>The <literal>wpa_passphrase</literal> field
- contains the ASCII passphrase for the WPA
- authentication.</para>
+ contains the ASCII passphrase for
+ <acronym>WPA</acronym> authentication.</para>
<warning>
<para>Always use strong passwords that are
sufficiently long and made from a rich alphabet so
- they will not be guessed and/or attacked.</para>
+ that they will not be easily guessed or
+ attacked.</para>
</warning>
</callout>
<callout arearefs="co-ap-wpapsk-kmgmt">
- <para>The <literal>wpa_key_mgmt</literal> line refers to
- the key management protocol we use. In our case it is
- WPA-PSK.</para>
+ <para>The <literal>wpa_key_mgmt</literal> line refers
+ to the key management protocol to use. This example
+ sets <acronym>WPA-PSK</acronym>.</para>
</callout>
<callout arearefs="co-ap-wpapsk-pwise">
<para>The <literal>wpa_pairwise</literal> field
indicates the set of accepted encryption algorithms by
- the Access Point. Here both TKIP (WPA) and CCMP
- (WPA2) ciphers are accepted. CCMP cipher is an
- alternative to TKIP and that is strongly preferred
- when possible; TKIP should be used solely for stations
- incapable of doing CCMP.</para>
+ the <acronym>AP</acronym>. In this example, both
+ <acronym>TKIP</acronym> (<acronym>WPA</acronym>) and
+ <acronym>CCMP</acronym> (<acronym>WPA2</acronym>)
+ ciphers are accepted. The <acronym>CCMP</acronym>
+ cipher is an alternative to <acronym>TKIP</acronym>
+ and is strongly preferred when possible.
+ <acronym>TKIP</acronym> should be used solely for
+ stations incapable of doing
+ <acronym>CCMP</acronym>.</para>
</callout>
</calloutlist>
- <para>The next step is to start
- <application>hostapd</application>:</para>
+ <para>The next step is to start &man.hostapd.8;:</para>
<screen>&prompt.root; <userinput>service hostapd forcestart</userinput></screen>
@@ -2052,28 +2075,30 @@ wpa_pairwise=CCMP TKIP <co id="co-ap-wpapsk-pwise"/></programlisting>
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
authmode WPA2/802.11i privacy MIXED deftxkey 2 TKIP 2:128-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100</screen>
- <para>The Access Point is running, the clients can now be
- associated with it, see
- <xref linkend="network-wireless-wpa"/> for more details.
- It is possible to see the stations associated with the AP
- using the <command>ifconfig
- <replaceable>wlan0</replaceable> list sta</command>
- command.</para>
+ <para>Once the <acronym>AP</acronym> is running, the
+ clients can associate with it. See <xref
+ linkend="network-wireless-wpa"/> for more details.
+ It is possible to see the stations associated with the
+ <acronym>AP</acronym> using <command>ifconfig
+ <replaceable>wlan0</replaceable> list
+ sta</command>.</para>
</sect4>
</sect3>
<sect3>
- <title>WEP Host-based Access Point</title>
+ <title><acronym>WEP</acronym> Host-based Access Point</title>
- <para>It is not recommended to use WEP for setting up an
- Access Point since there is no authentication mechanism and
- it is easily to be cracked. Some legacy wireless cards only
- support WEP as security protocol, these cards will only
- allow to set up AP without authentication or encryption or
- using the WEP protocol.</para>
+ <para>It is not recommended to use <acronym>WEP</acronym> for
+ setting up an <acronym>AP</acronym> since there is no
+ authentication mechanism and the encryption is easily
+ cracked. Some legacy wireless cards only support
+ <acronym>WEP</acronym> and these cards will only support
+ an <acronym>AP</acronym> without authentication or
+ encryption.</para>
<para>The wireless device can now be put into hostap mode and
- configured with the correct SSID and IP address:</para>
+ configured with the correct <acronym>SSID</acronym> and
+ <acronym>IP</acronym> address:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> create wlandev <replaceable>ath0</replaceable> wlanmode hostap</userinput>
&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable> \
@@ -2081,25 +2106,26 @@ wpa_pairwise=CCMP TKIP <co id="co-ap-wpapsk-pwise"/></programlisting>
<itemizedlist>
<listitem>
- <para>The <literal>weptxkey</literal> means which WEP
- key will be used in the transmission. Here we used the
- third key (note that the key numbering starts with
- <literal>1</literal>). This parameter must be specified
- to really encrypt the data.</para>
+ <para>The <literal>weptxkey</literal> indicates which
+ <acronym>WEP</acronym> key will be used in the
+ transmission. This example uses the third key as key
+ numbering starts with <literal>1</literal>. This
+ parameter must be specified in order to encrypt the
+ data.</para>
</listitem>
<listitem>
- <para>The <literal>wepkey</literal> means setting the
- selected WEP key. It should in the format
- <replaceable>index:key</replaceable>, if the index is
- not given, key <literal>1</literal> is set. That is
- to say we need to set the index if we use keys other
- than the first key.</para>
+ <para>The <literal>wepkey</literal> sets the selected
+ <acronym>WEP</acronym> key. It should be in the format
+ <replaceable>index:key</replaceable>. If the index is
+ not given, key <literal>1</literal> is set. The index
+ needs to be set when using keys other than the first
+ key.</para>
</listitem>
</itemizedlist>
- <para>Use again <command>ifconfig</command> to see the status
- of the <devicename>wlan0</devicename> interface:</para>
+ <para>Use &man.ifconfig.8; to see the status of the
+ <devicename>wlan0</devicename> interface:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable></userinput>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
@@ -2111,108 +2137,108 @@ wpa_pairwise=CCMP TKIP <co id="co-ap-wpapsk-pwise"/></programlisting>
country US ecm authmode OPEN privacy ON deftxkey 3 wepkey 3:40-bit
txpower 21.5 scanvalid 60 protmode CTS wme burst dtimperiod 1 -dfs</screen>
- <para>From another wireless machine, it is possible to
- initiate a scan to find the AP:</para>
+ <para>From another wireless machine, it is now possible to
+ initiate a scan to find the <acronym>AP</acronym>:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> create wlandev <replaceable>ath0</replaceable></userinput>
&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> up scan</userinput>
SSID BSSID CHAN RATE S:N INT CAPS
freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS</screen>
- <para>The client machine found the Access Point and can be
- associated with it using the correct parameters (key, etc.),
- see <xref linkend="network-wireless-wep"/> for more
- details.</para>
+ <para>In this example, the client machine found the
+ <acronym>AP</acronym> and can associate with it using the
+ correct parameters. See <xref
+ linkend="network-wireless-wep"/> for more details.</para>
</sect3>
</sect2>
<sect2>
- <title>Using Both Wired and Wireless Connection</title>
+ <title>Using Both Wired and Wireless Connections</title>
- <para>Wired connection provides better performance and
- reliability, while wireless connection provides flexibility
- and mobility, users of laptop computers usually want to
- combine these together and roam seamlessly between the
- two.</para>
+ <para>A wired connection provides better performance and
+ reliability, while a wireless connection provides flexibility
+ and mobility. Laptop users typically want to roam seamlessly
+ between the two types of connections.</para>
<para>On &os;, it is possible to combine two or even more
network interfaces together in a <quote>failover</quote>
- fashion, that is, to use the most preferred and available
- connection from a group of network interfaces, and have the
- operating system switch automatically when the link state
- changes.</para>
+ fashion. This type of configuration uses the most preferred
+ and available connection from a group of network interfaces,
+ and the operating system switches automatically when the link
+ state changes.</para>
- <para>We will cover link aggregation and failover in
- <xref linkend="network-aggregation"/> where an example for
- using both wired and wireless connection is also provided at
- <xref linkend="networking-lagg-wired-and-wireless"/>.</para>
+ <para>Link aggregation and failover is covered in <xref
+ linkend="network-aggregation"/> and an example for using
+ both wired and wireless connections is provided at <xref
+ linkend="networking-lagg-wired-and-wireless"/>.</para>
</sect2>
<sect2>
<title>Troubleshooting</title>
- <para>If you are having trouble with wireless networking, there
- are a number of steps you can take to help troubleshoot the
- problem.</para>
+ <para>This section describes
+ a number of steps to help troubleshoot common wireless
+ networking problems.</para>
<itemizedlist>
<listitem>
- <para>If you do not see the access point listed when
- scanning be sure you have not configured your wireless
+ <para>If the access point is not listed when scanning,
+ check that the configuration has not limited the wireless
device to a limited set of channels.</para>
</listitem>
<listitem>
- <para>If you cannot associate to an access point verify the
- configuration of your station matches the one of the
+ <para>If the device cannot associate with an access point,
+ verify that the configuration matches the settings on the
access point. This includes the authentication scheme and
- any security protocols. Simplify your configuration as
- much as possible. If you are using a security protocol
- such as WPA or WEP configure the access point for open
- authentication and no security to see if you can get
- traffic to pass.</para>
+ any security protocols. Simplify the configuration as
+ much as possible. If using a security protocol such as
+ <acronym>WPA</acronym> or <acronym>WEP</acronym>,
+ configure the access point for open authentication and
+ no security to see if traffic will pass.</para>
</listitem>
<listitem>
- <para>Once you can associate to the access point diagnose
- any security configuration using simple tools like
+ <para>Once the system can associate with the access point,
+ diagnose the security configuration using tools like
&man.ping.8;.</para>
- <para>The <command>wpa_supplicant</command> has much
- debugging support; try running it manually with the
- <option>-dd</option> option and look at the system
- logs.</para>
+ <para>Debugging support is provided by
+ &man.wpa.supplicant.8;. Try running this utility manually
+ with the <option>-dd</option> option and look at the
+ system logs.</para>
</listitem>
<listitem>
- <para>There are also many lower-level debugging tools. You
- can enable debugging messages in the 802.11 protocol
- support layer using the <command>wlandebug</command>
- program found in
- <filename class="directory">/usr/src/tools/tools/net80211</filename>.
- For example:</para>
+ <para>There are many lower-level debugging tools.
+ Debugging messages can be enabled in the 802.11 protocol
+ support layer using &man.wlandebug.8;. On a &os; system
+ prior to &os; 9.1, this program can be found in
+ <filename
+ class="directory">/usr/src/tools/tools/net80211</filename>.
+ For example, to enable console messages related to
+ scanning for access points and the 802.11 protocol
+ handshakes required to arrange communication:</para>
<screen>&prompt.root; <userinput>wlandebug -i <replaceable>ath0</replaceable> +scan+auth+debug+assoc</userinput>
net.wlan.0.debug: 0 => 0xc80000<assoc,auth,scan></screen>
- <para>can be used to enable console messages related to
- scanning for access points and doing the 802.11 protocol
- handshakes required to arrange communication.</para>
-
- <para>There are also many useful statistics maintained by
- the 802.11 layer; the <command>wlanstats</command> tool
+ <para>Many useful statistics are maintained by
+ the 802.11 layer and <command>wlanstats</command>, found
+ in <filename
+ class="directory">/usr/src/tools/tools/net80211</filename>,
will dump this information. These statistics should
- identify all errors identified by the 802.11 layer.
- Beware however that some errors are identified in the
- device drivers that lie below the 802.11 layer so they may
- not show up. To diagnose device-specific problems you
- need to refer to the drivers' documentation.</para>
+ display all errors identified by the 802.11 layer.
+ However, some errors are identified in the device drivers
+ that lie below the 802.11 layer so they may not show up.
+ To diagnose device-specific problems, refer to the
+ drivers' documentation.</para>
</listitem>
</itemizedlist>
<para>If the above information does not help to clarify the
- problem, please submit a problem report and include output
- from the above tools.</para>
+ problem, submit a problem report and include output from the
+ above tools.</para>
</sect2>
</sect1>
@@ -2240,29 +2266,29 @@ freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS</screen>
networks operating in the 2.4 GHz unlicensed band, with a
range of 10 meters. Networks are usually formed ad-hoc from
portable devices such as cellular phones, handhelds and
- laptops. Unlike the other popular wireless technology, Wi-Fi,
- Bluetooth offers higher level service profiles, e.g., FTP-like
- file servers, file pushing, voice transport, serial line
- emulation, and more.</para>
+ laptops. Unlike Wi-Fi wireless technology, Bluetooth offers
+ higher level service profiles, such as FTP-like file servers,
+ file pushing, voice transport, serial line emulation, and
+ more.</para>
<para>The Bluetooth stack in &os; is implemented using the
- Netgraph framework (see &man.netgraph.4;). A broad variety of
- Bluetooth USB dongles is supported by the &man.ng.ubt.4;
- driver. The Broadcom BCM2033 chip based Bluetooth devices are
- supported via the &man.ubtbcmfw.4; and &man.ng.ubt.4; drivers.
- The 3Com Bluetooth PC Card 3CRWB60-A is supported by the
+ &man.netgraph.4; framework. A broad variety of Bluetooth
+ <acronym>USB</acronym> dongles is supported by &man.ng.ubt.4;.
+ Broadcom BCM2033 based Bluetooth devices are supported by
+ the &man.ubtbcmfw.4; and &man.ng.ubt.4; drivers. The 3Com
+ Bluetooth PC Card 3CRWB60-A is supported by the
&man.ng.bt3c.4; driver. Serial and UART based Bluetooth
- devices are supported via &man.sio.4;, &man.ng.h4.4; and
- &man.hcseriald.8;. This section describes the use of the USB
- Bluetooth dongle.</para>
+ devices are supported by &man.sio.4;, &man.ng.h4.4; and
+ &man.hcseriald.8;. This section describes the use of a
+ <acronym>USB</acronym> Bluetooth dongle.</para>
</sect2>
<sect2>
<title>Plugging in the Device</title>
- <para>By default Bluetooth device drivers are available as
- kernel modules. Before attaching a device, you will need to
- load the driver into the kernel:</para>
+ <para>By default, Bluetooth device drivers are available as
+ kernel modules. Before attaching a device, load the driver
+ into the kernel:</para>
<screen>&prompt.root; <userinput>kldload ng_ubt</userinput></screen>
@@ -2272,19 +2298,19 @@ freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS</screen>
<programlisting>ng_ubt_load="YES"</programlisting>
- <para>Plug in your USB dongle. The output similar to the
- following will appear on the console (or in syslog):</para>
+ <para>Plug in the <acronym>USB</acronym> dongle. Output
+ similar to the following will appear on the console and in
+ the system log:</para>
<screen>ubt0: vendor 0x0a12 product 0x0001, rev 1.10/5.25, addr 2
ubt0: Interface 0 endpoints: interrupt=0x81, bulk-in=0x82, bulk-out=0x2
ubt0: Interface 1 (alt.config 5) endpoints: isoc-in=0x83, isoc-out=0x3,
wMaxPacketSize=49, nframes=6, buffer size=294</screen>
- <para>&man.service.8;
- is used to start and stop the Bluetooth stack. It is a good
- idea to stop the stack before unplugging the device, but it is
- not (usually) fatal. When starting the stack, you will
- receive output similar to the following:</para>
+ <para>To start and stop the Bluetooth stack, use
+ &man.service.8;. It is a good idea to stop the stack before
+ unplugging the device. When starting the stack, the output
+ should be similar to the following:</para>
<screen>&prompt.root; <userinput>service bluetooth start ubt0</userinput>
BD_ADDR: 00:02:72:00:d4:1a
@@ -2301,38 +2327,42 @@ Number of SCO packets: 8</screen>
</sect2>
<sect2>
- <title>Host Controller Interface (HCI)</title>
+ <title>Host Controller Interface
+ (<acronym>HCI</acronym>)</title>
<indexterm><primary>HCI</primary></indexterm>
- <para>Host Controller Interface (HCI) provides a command
- interface to the baseband controller and link manager, and
- access to hardware status and control registers. This
- interface provides a uniform method of accessing the Bluetooth
- baseband capabilities. HCI layer on the Host exchanges data
- and commands with the HCI firmware on the Bluetooth hardware.
- The Host Controller Transport Layer (i.e., physical bus)
- driver provides both HCI layers with the ability to exchange
- information with each other.</para>
+ <para>The Host Controller Interface (<acronym>HCI</acronym>)
+ provides a command interface to the baseband controller and
+ link manager as well as access to hardware status and control
+ registers. This interface provides a uniform method for
+ accessing Bluetooth baseband capabilities. The
+ <acronym>HCI</acronym> layer on the host exchanges data and
+ commands with the <acronym>HCI</acronym> firmware on the
+ Bluetooth hardware. The Host Controller Transport Layer
+ (physical bus) driver provides both <acronym>HCI</acronym>
+ layers with the ability to exchange information.</para>
- <para>A single Netgraph node of type <emphasis>hci</emphasis> is
- created for a single Bluetooth device. The HCI node is
- normally connected to the Bluetooth device driver node
- (downstream) and the L2CAP node (upstream). All HCI
- operations must be performed on the HCI node and not on the
- device driver node. Default name for the HCI node is
- <quote>devicehci</quote>. For more details refer to the
- &man.ng.hci.4; manual page.</para>
+ <para>A single netgraph node of type <emphasis>hci</emphasis>
+ is created for a single Bluetooth device. The
+ <acronym>HCI</acronym> node is normally connected to the
+ downstream Bluetooth device driver node and the upstream
+ <acronym>L2CAP</acronym> node. All <acronym>HCI</acronym>
+ operations must be performed on the <acronym>HCI</acronym>
+ node and not on the device driver node. The default name
+ for the <acronym>HCI</acronym> node is
+ <quote>devicehci</quote>. For more details, refer to
+ &man.ng.hci.4;.</para>
<para>One of the most common tasks is discovery of Bluetooth
- devices in RF proximity. This operation is called
- <emphasis>inquiry</emphasis>. Inquiry and other HCI related
- operations are done with the &man.hccontrol.8; utility. The
- example below shows how to find out which Bluetooth devices
- are in range. You should receive the list of devices in a few
- seconds. Note that a remote device will only answer the
- inquiry if it put into <emphasis>discoverable</emphasis>
- mode.</para>
+ devices in <acronym>RF</acronym> proximity. This operation is
+ called <emphasis>inquiry</emphasis>. Inquiry and other
+ <acronym>HCI</acronym> related operations are done using
+ &man.hccontrol.8;. The example below shows how to find out
+ which Bluetooth devices are in range. The list of devices
+ should be displayed in a few seconds. Note that a remote
+ device will only answer the inquiry if it is set to
+ <emphasis>discoverable</emphasis> mode.</para>
<screen>&prompt.user; <userinput>hccontrol -n ubt0hci inquiry</userinput>
Inquiry result, num_responses=1
@@ -2345,29 +2375,29 @@ Inquiry result #0
Clock offset: 0x78ef
Inquiry complete. Status: No error [00]</screen>
- <para><literal>BD_ADDR</literal> is unique address of a
- Bluetooth device, similar to MAC addresses of a network card.
- This address is needed for further communication with a
- device. It is possible to assign human readable name to a
- BD_ADDR. The <filename>/etc/bluetooth/hosts</filename> file
- contains information regarding the known Bluetooth hosts. The
- following example shows how to obtain human readable name that
+ <para>The <literal>BD_ADDR</literal> is the unique address of a
+ Bluetooth device, similar to the <acronym>MAC</acronym>
+ address of a network card. This address is needed for
+ further communication with a device. It is possible to
+ assign a human readable name to a BD_ADDR. Information
+ regarding the known Bluetooth hosts is contained in
+ <filename>/etc/bluetooth/hosts</filename>. The following
+ example shows how to obtain the human readable name that
was assigned to the remote device:</para>
<screen>&prompt.user; <userinput>hccontrol -n ubt0hci remote_name_request 00:80:37:29:19:a4</userinput>
BD_ADDR: 00:80:37:29:19:a4
Name: Pav's T39</screen>
- <para>If you perform an inquiry on a remote Bluetooth device, it
- will find your computer as
+ <para>If an inquiry is performed on a remote Bluetooth device,
+ it will find the computer as
<quote>your.host.name (ubt0)</quote>. The name assigned to the
local device can be changed at any time.</para>
<para>The Bluetooth system provides a point-to-point connection
- (only two Bluetooth units involved), or a point-to-multipoint
- connection. In the point-to-multipoint connection the
- connection is shared among several Bluetooth devices. The
- following example shows how to obtain the list of active
+ between two Bluetooth units, or a point-to-multipoint
+ connection which is shared among several Bluetooth devices.
+ The following example shows how to obtain the list of active
baseband connections for the local device:</para>
<screen>&prompt.user; <userinput>hccontrol -n ubt0hci read_connection_list</userinput>
@@ -2375,8 +2405,8 @@ Remote BD_ADDR Handle Type Mode Role Encrypt Pending Queue State
00:80:37:29:19:a4 41 ACL 0 MAST NONE 0 0 OPEN</screen>
<para>A <emphasis>connection handle</emphasis> is useful when
- termination of the baseband connection is required. Note,
- that it is normally not required to do it by hand. The stack
+ termination of the baseband connection is required, though
+ it is normally not required to do this by hand. The stack
will automatically terminate inactive baseband
connections.</para>
@@ -2384,47 +2414,49 @@ Remote BD_ADDR Handle Type Mode Role Encrypt Pending Queue State
Connection handle: 41
Reason: Connection terminated by local host [0x16]</screen>
- <para>Refer to <command>hccontrol help</command> for a complete
- listing of available HCI commands. Most of the HCI commands
- do not require superuser privileges.</para>
+ <para>Type <command>hccontrol help</command> for a complete
+ listing of available <acronym>HCI</acronym> commands. Most
+ of the <acronym>HCI</acronym> commands do not require
+ superuser privileges.</para>
</sect2>
<sect2>
<title>Logical Link Control and Adaptation Protocol
- (L2CAP)</title>
+ (<acronym>L2CAP</acronym>)</title>
<indexterm><primary>L2CAP</primary></indexterm>
- <para>Logical Link Control and Adaptation Protocol (L2CAP)
- provides connection-oriented and connectionless data services
- to upper layer protocols with protocol multiplexing capability
- and segmentation and reassembly operation. L2CAP permits
+ <para>The Logical Link Control and Adaptation Protocol
+ (<acronym>L2CAP</acronym>) provides connection-oriented and
+ connectionless data services to upper layer protocols with
+ protocol multiplexing capability and segmentation and
+ reassembly operation. <acronym>L2CAP</acronym> permits
higher level protocols and applications to transmit and
- receive L2CAP data packets up to 64 kilobytes in
- length.</para>
+ receive <acronym>L2CAP</acronym> data packets up to 64
+ kilobytes in length.</para>
- <para>L2CAP is based around the concept of
- <emphasis>channels</emphasis>. Channel is a logical
- connection on top of baseband connection. Each channel is
+ <para><acronym>L2CAP</acronym> is based around the concept of
+ <emphasis>channels</emphasis>. A channel is a logical
+ connection on top of a baseband connection. Each channel is
bound to a single protocol in a many-to-one fashion. Multiple
channels can be bound to the same protocol, but a channel
- cannot be bound to multiple protocols. Each L2CAP packet
- received on a channel is directed to the appropriate higher
- level protocol. Multiple channels can share the same baseband
- connection.</para>
+ cannot be bound to multiple protocols. Each
+ <acronym>L2CAP</acronym> packet received on a channel is
+ directed to the appropriate higher level protocol. Multiple
+ channels can share the same baseband connection.</para>
- <para>A single Netgraph node of type <emphasis>l2cap</emphasis>
- is created for a single Bluetooth device. The L2CAP node is
- normally connected to the Bluetooth HCI node (downstream) and
- Bluetooth sockets nodes (upstream). Default name for the
- L2CAP node is <quote>devicel2cap</quote>. For more details
- refer to the &man.ng.l2cap.4; manual page.</para>
+ <para>A single netgraph node of type <emphasis>l2cap</emphasis>
+ is created for a single Bluetooth device. The
+ <acronym>L2CAP</acronym> node is normally connected to the
+ downstream Bluetooth <acronym>HCI</acronym> node and upstream
+ Bluetooth socket nodes. The default name for the
+ <acronym>L2CAP</acronym> node is <quote>devicel2cap</quote>.
+ For more details refer to &man.ng.l2cap.4;.</para>
<para>A useful command is &man.l2ping.8;, which can be used to
ping other devices. Some Bluetooth implementations might not
- return all of the data sent to them, so
- <literal>0 bytes</literal> in the following example is
- normal.</para>
+ return all of the data sent to them, so <literal>0
+ bytes</literal> in the following example is normal.</para>
<screen>&prompt.root; <userinput>l2ping -a 00:80:37:29:19:a4</userinput>
0 bytes from 0:80:37:29:19:a4 seq_no=0 time=48.633 ms result=0
@@ -2433,9 +2465,10 @@ Reason: Connection terminated by local host [0x16]</screen>
0 bytes from 0:80:37:29:19:a4 seq_no=3 time=46.150 ms result=0</screen>
<para>The &man.l2control.8; utility is used to perform various
- operations on L2CAP nodes. This example shows how to obtain
- the list of logical connections (channels) and the list of
- baseband connections for the local device:</para>
+ operations on <acronym>L2CAP</acronym> nodes. This example
+ shows how to obtain the list of logical connections (channels)
+ and the list of baseband connections for the local
+ device:</para>
<screen>&prompt.user; <userinput>l2control -a 00:02:72:00:d4:1a read_channel_list</userinput>
L2CAP channels:
@@ -2446,10 +2479,10 @@ L2CAP connections:
Remote BD_ADDR Handle Flags Pending State
00:07:e0:00:0b:ca 41 O 0 OPEN</screen>
- <para>Another diagnostic tool is &man.btsockstat.1;. It does a
- job similar to as &man.netstat.1; does, but for Bluetooth
- network-related data structures. The example below shows the
- same logical connection as &man.l2control.8; above.</para>
+ <para>Another diagnostic tool is &man.btsockstat.1;. It is
+ similar to &man.netstat.1;, but for Bluetooth network-related
+ data structures. The example below shows the same logical
+ connection as &man.l2control.8; above.</para>
<screen>&prompt.user; <userinput>btsockstat</userinput>
Active L2CAP sockets
@@ -2464,32 +2497,35 @@ c2e8bc80 0 250 00:02:72:00:d4:1a 00:07:e0:00:0b:ca 3 6 OPEN</scree
</sect2>
<sect2>
- <title>RFCOMM Protocol</title>
+ <title><acronym>RFCOMM</acronym> Protocol</title>
- <para>The RFCOMM protocol provides emulation of serial ports
- over the L2CAP protocol. The protocol is based on the ETSI
- standard TS 07.10. RFCOMM is a simple transport protocol,
+ <para>The <acronym>RFCOMM</acronym> protocol provides emulation
+ of serial ports over the <acronym>L2CAP</acronym> protocol.
+ The protocol is based on the ETSI standard TS 07.10.
+ <acronym>RFCOMM</acronym> is a simple transport protocol,
with additional provisions for emulating the 9 circuits of
- RS-232 (EIATIA-232-E) serial ports. The RFCOMM protocol
- supports up to 60 simultaneous connections (RFCOMM channels)
- between two Bluetooth devices.</para>
+ RS-232 (EIATIA-232-E) serial ports. <acronym>RFCOMM</acronym>
+ supports up to 60 simultaneous connections
+ (<acronym>RFCOMM</acronym> channels) between two Bluetooth
+ devices.</para>
- <para>For the purposes of RFCOMM, a complete communication path
- involves two applications running on different devices (the
- communication endpoints) with a communication segment between
- them. RFCOMM is intended to cover applications that make use
- of the serial ports of the devices in which they reside. The
- communication segment is a Bluetooth link from one device to
- another (direct connect).</para>
+ <para>For the purposes of <acronym>RFCOMM</acronym>, a complete
+ communication path involves two applications running on the
+ communication endpoints with a communication segment between
+ them. <acronym>RFCOMM</acronym> is intended to cover
+ applications that make use of the serial ports of the devices
+ in which they reside. The communication segment is a direct
+ connect Bluetooth link from one device to another.</para>
- <para>RFCOMM is only concerned with the connection between the
- devices in the direct connect case, or between the device and
- a modem in the network case. RFCOMM can support other
- configurations, such as modules that communicate via Bluetooth
- wireless technology on one side and provide a wired interface
- on the other side.</para>
+ <para><acronym>RFCOMM</acronym> is only concerned with the
+ connection between the devices in the direct connect case,
+ or between the device and a modem in the network case.
+ <acronym>RFCOMM</acronym> can support other configurations,
+ such as modules that communicate via Bluetooth wireless
+ technology on one side and provide a wired interface on the
+ other side.</para>
- <para>In &os; the RFCOMM protocol is implemented at the
+ <para>In &os;, <acronym>RFCOMM</acronym> is implemented at the
Bluetooth sockets layer.</para>
</sect2>
@@ -2498,26 +2534,27 @@ c2e8bc80 0 250 00:02:72:00:d4:1a 00:07:e0:00:0b:ca 3 6 OPEN</scree
<para>By default, Bluetooth communication is not authenticated,
and any device can talk to any other device. A Bluetooth
- device (for example, cellular phone) may choose to require
- authentication to provide a particular service (for example,
- Dial-Up service). Bluetooth authentication is normally done
- with <emphasis>PIN codes</emphasis>. A PIN code is an ASCII
- string up to 16 characters in length. User is required to
- enter the same PIN code on both devices. Once user has
- entered the PIN code, both devices will generate a
- <emphasis>link key</emphasis>. After that the link key can be
- stored either in the devices themselves or in a persistent
- storage. Next time both devices will use previously generated
- link key. The described above procedure is called
- <emphasis>pairing</emphasis>. Note that if the link key is
- lost by any device then pairing must be repeated.</para>
+ device, such as a cellular phone, may choose to require
+ authentication to provide a particular service. Bluetooth
+ authentication is normally done with a
+ <emphasis><acronym>PIN</acronym> code</emphasis>, an ASCII
+ string up to 16 characters in length. The user is required
+ to enter the same <acronym>PIN</acronym> code on both devices.
+ Once the user has entered the <acronym>PIN</acronym> code,
+ both devices will generate a <emphasis>link key</emphasis>.
+ After that, the link key can be stored either in the devices
+ or in a persistent storage. Next time, both devices will
+ use the previously generated link key. This procedure is
+ called <emphasis>pairing</emphasis>. Note that if the link
+ key is lost by either device, the pairing must be
+ repeated.</para>
- <para>The &man.hcsecd.8; daemon is responsible for handling of
- all Bluetooth authentication requests. The default
- configuration file is
- <filename>/etc/bluetooth/hcsecd.conf</filename>. An example
- section for a cellular phone with the PIN code arbitrarily set
- to <quote>1234</quote> is shown below:</para>
+ <para>The &man.hcsecd.8; daemon is responsible for handling
+ Bluetooth authentication requests. The default configuration
+ file is <filename>/etc/bluetooth/hcsecd.conf</filename>. An
+ example section for a cellular phone with the
+ <acronym>PIN</acronym> code arbitrarily set to
+ <quote>1234</quote> is shown below:</para>
<programlisting>device {
bdaddr 00:80:37:29:19:a4;
@@ -2526,27 +2563,28 @@ c2e8bc80 0 250 00:02:72:00:d4:1a 00:07:e0:00:0b:ca 3 6 OPEN</scree
pin "1234";
}</programlisting>
- <para>There is no limitation on PIN codes (except length). Some
- devices (for example Bluetooth headsets) may have a fixed PIN
- code built in. The <option>-d</option> switch forces the
- &man.hcsecd.8; daemon to stay in the foreground, so it is easy
- to see what is happening. Set the remote device to receive
- pairing and initiate the Bluetooth connection to the remote
- device. The remote device should say that pairing was
- accepted, and request the PIN code. Enter the same PIN code
- as you have in <filename>hcsecd.conf</filename>. Now your PC
- and the remote device are paired. Alternatively, you can
- initiate pairing on the remote device.</para>
+ <para>The only limitation on <acronym>PIN</acronym> codes is
+ length. Some devices, such as Bluetooth headsets, may have
+ a fixed <acronym>PIN</acronym> code built in. The
+ <option>-d</option> switch forces &man.hcsecd.8; to stay in
+ the foreground, so it is easy to see what is happening. Set
+ the remote device to receive pairing and initiate the
+ Bluetooth connection to the remote device. The remote device
+ should indicate that pairing was accepted and request the
+ <acronym>PIN</acronym> code. Enter the same
+ <acronym>PIN</acronym> code listed in
+ <filename>hcsecd.conf</filename>. Now the computer and the
+ remote device are paired. Alternatively, pairing can be
+ initiated on the remote device.</para>
- <para>The following line can be added to the
- <filename>/etc/rc.conf</filename> file to have
- <application>hcsecd</application> started automatically on
- system start:</para>
+ <para>The following line can be added to
+ <filename>/etc/rc.conf</filename> to configure &man.hcsecd.8;
+ to start automatically on system start:</para>
<programlisting>hcsecd_enable="YES"</programlisting>
- <para>The following is a sample of the
- <application>hcsecd</application> daemon output:</para>
+ <para>The following is a sample of the &man.hcsecd.8; daemon
+ output:</para>
<programlisting>hcsecd[16484]: Got Link_Key_Request event from 'ubt0hci', remote bdaddr 0:80:37:29:19:a4
hcsecd[16484]: Found matching entry, remote bdaddr 0:80:37:29:19:a4, name 'Pav's T39', link key doesn't exist
@@ -2557,42 +2595,47 @@ hcsecd[16484]: Sending PIN_Code_Reply to 'ubt0hci' for remote bdaddr 0:80:37:29:
</sect2>
<sect2>
- <title>Service Discovery Protocol (SDP)</title>
+ <title>Service Discovery Protocol
+ (<acronym>SDP</acronym>)</title>
<indexterm><primary>SDP</primary></indexterm>
- <para>The Service Discovery Protocol (SDP) provides the means
- for client applications to discover the existence of services
- provided by server applications as well as the attributes of
- those services. The attributes of a service include the type
- or class of service offered and the mechanism or protocol
- information needed to utilize the service.</para>
+ <para>The Service Discovery Protocol (<acronym>SDP</acronym>)
+ provides the means for client applications to discover the
+ existence of services provided by server applications as well
+ as the attributes of those services. The attributes of a
+ service include the type or class of service offered and the
+ mechanism or protocol information needed to utilize the
+ service.</para>
- <para>SDP involves communication between a SDP server and a SDP
+ <para><acronym>SDP</acronym> involves communication between a
+ <acronym>SDP</acronym> server and a <acronym>SDP</acronym>
client. The server maintains a list of service records that
describe the characteristics of services associated with the
server. Each service record contains information about a
single service. A client may retrieve information from a
- service record maintained by the SDP server by issuing a SDP
- request. If the client, or an application associated with the
- client, decides to use a service, it must open a separate
- connection to the service provider in order to utilize the
- service. SDP provides a mechanism for discovering services
- and their attributes, but it does not provide a mechanism for
- utilizing those services.</para>
+ service record maintained by the <acronym>SDP</acronym> server
+ by issuing a <acronym>SDP</acronym> request. If the client,
+ or an application associated with the client, decides to use
+ a service, it must open a separate connection to the service
+ provider in order to utilize the service.
+ <acronym>SDP</acronym> provides a mechanism for discovering
+ services and their attributes, but it does not provide a
+ mechanism for utilizing those services.</para>
- <para>Normally, a SDP client searches for services based on some
- desired characteristics of the services. However, there are
- times when it is desirable to discover which types of services
- are described by an SDP server's service records without any a
- priori information about the services. This process of
+ <para>Normally, a <acronym>SDP</acronym> client searches for
+ services based on some desired characteristics of the
+ services. However, there are times when it is desirable to
+ discover which types of services are described by an
+ <acronym>SDP</acronym> server's service records without any
+ prior information about the services. This process of
looking for any offered services is called
<emphasis>browsing</emphasis>.</para>
- <para>The Bluetooth SDP server &man.sdpd.8; and command line
- client &man.sdpcontrol.8; are included in the standard &os;
- installation. The following example shows how to perform a
- SDP browse query.</para>
+ <para>The Bluetooth <acronym>SDP</acronym> server, &man.sdpd.8;,
+ and command line client, &man.sdpcontrol.8;, are included in
+ the standard &os; installation. The following example shows
+ how to perform a <acronym>SDP</acronym> browse query.</para>
<screen>&prompt.user; <userinput>sdpcontrol -a 00:01:03:fc:6e:ec browse</userinput>
Record Handle: 00000000
@@ -2617,137 +2660,158 @@ Protocol Descriptor List:
Bluetooth Profile Descriptor List:
LAN Access Using PPP (0x1102) ver. 1.0</screen>
- <para>... and so on. Note that each service has a list of
- attributes (RFCOMM channel for example). Depending on the
- service you might need to make a note of some of the
+ <para>Note that each service has a list of attributes, such
+ as the <acronym>RFCOMM</acronym> channel. Depending on the
+ service, the user might need to make note of some of the
attributes. Some Bluetooth implementations do not support
- service browsing and may return an empty list. In this case
+ service browsing and may return an empty list. In this case,
it is possible to search for the specific service. The
- example below shows how to search for the OBEX Object Push
- (OPUSH) service:</para>
+ example below shows how to search for the
+ <acronym>OBEX</acronym> Object Push
+ (<acronym>OPUSH</acronym>) service:</para>
<screen>&prompt.user; <userinput>sdpcontrol -a 00:01:03:fc:6e:ec search OPUSH</userinput></screen>
<para>Offering services on &os; to Bluetooth clients is done
with the &man.sdpd.8; server. The following line can be added
- to the <filename>/etc/rc.conf</filename> file:</para>
+ to <filename>/etc/rc.conf</filename>:</para>
<programlisting>sdpd_enable="YES"</programlisting>
- <para>Then the <application>sdpd</application> daemon can be
+ <para>Then the &man.sdpd.8; daemon can be
started with:</para>
<screen>&prompt.root; <userinput>service sdpd start</userinput></screen>
<para>The local server application that wants to provide
Bluetooth service to the remote clients will register service
- with the local SDP daemon. The example of such application is
- &man.rfcomm.pppd.8;. Once started it will register Bluetooth
- LAN service with the local SDP daemon.</para>
+ with the local <acronym>SDP</acronym> daemon. An example of
+ such an application is &man.rfcomm.pppd.8;. Once started,
+ it will register the Bluetooth LAN service with the local
+ <acronym>SDP</acronym> daemon.</para>
- <para>The list of services registered with the local SDP server
- can be obtained by issuing SDP browse query via local control
+ <para>The list of services registered with the local
+ <acronym>SDP</acronym> server can be obtained by issuing a
+ <acronym>SDP</acronym> browse query via the local control
channel:</para>
<screen>&prompt.root; <userinput>sdpcontrol -l browse</userinput></screen>
</sect2>
<sect2>
- <title>Dial-Up Networking (DUN) and Network Access with PPP
- (LAN) Profiles</title>
+ <title>Dial-Up Networking and Network Access with
+ <acronym>PPP</acronym> Profiles</title>
- <para>The Dial-Up Networking (DUN) profile is mostly used with
- modems and cellular phones. The scenarios covered by this
- profile are the following:</para>
+ <para>The Dial-Up Networking (<acronym>DUN</acronym>) profile is
+ mostly used with modems and cellular phones. The scenarios
+ covered by this profile are the following:</para>
<itemizedlist>
<listitem>
- <para>use of a cellular phone or modem by a computer as a
+ <para>Use of a cellular phone or modem by a computer as a
wireless modem for connecting to a dial-up Internet access
- server, or using other dial-up services;</para>
+ server, or for using other dial-up services.</para>
</listitem>
<listitem>
- <para>use of a cellular phone or modem by a computer to
+ <para>Use of a cellular phone or modem by a computer to
receive data calls.</para>
</listitem>
</itemizedlist>
- <para>Network Access with PPP (LAN) profile can be used in the
- following situations:</para>
+ <para>Network access with a <acronym>PPP</acronym> profile can
+ be used in the following situations:</para>
<itemizedlist>
<listitem>
- <para>LAN access for a single Bluetooth device;</para>
+ <para><acronym>LAN</acronym> access for a single Bluetooth
+ device.</para>
</listitem>
<listitem>
- <para>LAN access for multiple Bluetooth devices;</para>
+ <para><acronym>LAN</acronym> access for multiple Bluetooth
+ devices.</para>
</listitem>
<listitem>
- <para>PC to PC (using PPP networking over serial cable
- emulation).</para>
+ <para>PC to PC connection using <acronym>PPP</acronym>
+ networking over serial cable emulation.</para>
</listitem>
</itemizedlist>
- <para>In &os; both profiles are implemented with &man.ppp.8; and
- &man.rfcomm.pppd.8; - a wrapper that converts RFCOMM Bluetooth
- connection into something PPP can operate with. Before any
- profile can be used, a new PPP label in the
- <filename>/etc/ppp/ppp.conf</filename> must be created.
- Consult &man.rfcomm.pppd.8; manual page for examples.</para>
+ <para>In &os;, these profiles are implemented with &man.ppp.8;
+ and the &man.rfcomm.pppd.8; wrapper which converts a
+ <acronym>RFCOMM</acronym> Bluetooth connection into something
+ <acronym>PPP</acronym> can use. Before a profile can be used,
+ a new <acronym>PPP</acronym> label must be created in
+ <filename>/etc/ppp/ppp.conf</filename>. Consult
+ &man.rfcomm.pppd.8; for examples.</para>
- <para>In the following example &man.rfcomm.pppd.8; will be used
- to open RFCOMM connection to remote device with BD_ADDR
- 00:80:37:29:19:a4 on DUN RFCOMM channel. The actual RFCOMM
- channel number will be obtained from the remote device via
- SDP. It is possible to specify RFCOMM channel by hand, and in
- this case &man.rfcomm.pppd.8; will not perform SDP query. Use
- &man.sdpcontrol.8; to find out RFCOMM channel on the remote
- device.</para>
+ <para>In the following example, &man.rfcomm.pppd.8; is used
+ to open a <acronym>RFCOMM</acronym> connection to a remote
+ device with a BD_ADDR of <literal>00:80:37:29:19:a4</literal>
+ on a <acronym>DUN</acronym> <acronym>RFCOMM</acronym> channel.
+ The actual <acronym>RFCOMM</acronym> channel number will be
+ obtained from the remote device via <acronym>SDP</acronym>.
+ It is possible to specify the <acronym>RFCOMM</acronym>
+ channel by hand, and in this case &man.rfcomm.pppd.8; will
+ not perform the <acronym>SDP</acronym> query. Use
+ &man.sdpcontrol.8; to find out the <acronym>RFCOMM</acronym>
+ channel on the remote device.</para>
<screen>&prompt.root; <userinput>rfcomm_pppd -a 00:80:37:29:19:a4 -c -C dun -l rfcomm-dialup</userinput></screen>
- <para>In order to provide Network Access with PPP (LAN) service
- the &man.sdpd.8; server must be running. A new entry for LAN
- clients must be created in the
- <filename>/etc/ppp/ppp.conf</filename> file. Consult
- &man.rfcomm.pppd.8; manual page for examples. Finally, start
- RFCOMM PPP server on valid RFCOMM channel number. The RFCOMM
- PPP server will automatically register Bluetooth LAN service
- with the local SDP daemon. The example below shows how to
- start RFCOMM PPP server.</para>
+ <para>In order to provide network access with the
+ <acronym>PPP</acronym> <acronym>LAN</acronym> service,
+ &man.sdpd.8; must be running and a new entry for
+ <acronym>LAN</acronym> clients must be created in
+ <filename>/etc/ppp/ppp.conf</filename>. Consult
+ &man.rfcomm.pppd.8; for examples. Finally, start the
+ <acronym>RFCOMM</acronym> <acronym>PPP</acronym> server on a
+ valid <acronym>RFCOMM</acronym> channel number. The
+ <acronym>RFCOMM</acronym> <acronym>PPP</acronym> server will
+ automatically register the Bluetooth <acronym>LAN</acronym>
+ service with the local <acronym>SDP</acronym> daemon. The
+ example below shows how to start the <acronym>RFCOMM</acronym>
+ <acronym>PPP</acronym> server.</para>
<screen>&prompt.root; <userinput>rfcomm_pppd -s -C 7 -l rfcomm-server</userinput></screen>
</sect2>
<sect2>
- <title>OBEX Object Push (OPUSH) Profile</title>
+ <title><acronym>OBEX</acronym> Object Push
+ (<acronym>OPUSH</acronym>) Profile</title>
<indexterm><primary>OBEX</primary></indexterm>
- <para>OBEX is a widely used protocol for simple file transfers
- between mobile devices. Its main use is in infrared
- communication, where it is used for generic file transfers
- between notebooks or PDAs, and for sending business cards or
- calendar entries between cellular phones and other devices
- with PIM applications.</para>
+ <para><acronym>OBEX</acronym> is a widely used protocol for
+ simple file transfers between mobile devices. Its main use
+ is in infrared communication, where it is used for generic
+ file transfers between notebooks or <acronym>PDA</acronym>s,
+ and for sending business cards or calendar entries between
+ cellular phones and other devices with <acronym>PIM</acronym>
+ applications.</para>
- <para>The OBEX server and client are implemented as a
- third-party package <application>obexapp</application>, which
- is available as <filename
- role="package">comms/obexapp</filename> port.</para>
+ <para>The <acronym>OBEX</acronym> server and client are
+ implemented as a third-party package,
+ <application>obexapp</application>, which is available as
+ <filename role="package">comms/obexapp</filename> package or
+ port.</para>
- <para>OBEX client is used to push and/or pull objects from the
- OBEX server. An object can, for example, be a business card
- or an appointment. The OBEX client can obtain RFCOMM channel
- number from the remote device via SDP. This can be done by
- specifying service name instead of RFCOMM channel number.
- Supported service names are: IrMC, FTRN and OPUSH. It is
- possible to specify RFCOMM channel as a number. Below is an
- example of an OBEX session, where device information object is
- pulled from the cellular phone, and a new object (business
- card) is pushed into the phone's directory.</para>
+ <para>The <acronym>OBEX</acronym> client is used to push and/or
+ pull objects from the <acronym>OBEX</acronym> server. An
+ object can, for example, be a business card or an appointment.
+ The <acronym>OBEX</acronym> client can obtain the
+ <acronym>RFCOMM</acronym> channel number from the remote
+ device via <acronym>SDP</acronym>. This can be done by
+ specifying the service name instead of the
+ <acronym>RFCOMM</acronym> channel number. Supported service
+ names are: <acronym>IrMC</acronym>, <acronym>FTRN</acronym>,
+ and <acronym>OPUSH</acronym>. It is also possible to specify
+ the <acronym>RFCOMM</acronym> channel as a number. Below is
+ an example of an <acronym>OBEX</acronym> session where the
+ device information object is pulled from the cellular phone,
+ and a new object, the business card, is pushed into the
+ phone's directory.</para>
<screen>&prompt.user; <userinput>obexapp -a 00:80:37:29:19:a4 -C IrMC</userinput>
obex> get telecom/devinfo.txt devinfo-t39.txt
@@ -2757,35 +2821,38 @@ Success, response: OK, Success (0x20)
obex> di
Success, response: OK, Success (0x20)</screen>
- <para>In order to provide OBEX Object Push service, &man.sdpd.8;
- server must be running. A root folder, where all incoming
- objects will be stored, must be created. The default path to
- the root folder
- is <filename class="directory">/var/spool/obex</filename>.
- Finally, start OBEX server on valid RFCOMM channel number.
- The OBEX server will automatically register OBEX Object Push
- service with the local SDP daemon. The example below shows
- how to start OBEX server.</para>
+ <para>In order to provide the <acronym>OPUSH</acronym> service,
+ &man.sdpd.8; must be running and a root folder, where all
+ incoming objects will be stored, must be created. The
+ default path to the root folder is <filename
+ class="directory">/var/spool/obex</filename>. Finally,
+ start the <acronym>OBEX</acronym> server on a valid
+ <acronym>RFCOMM</acronym> channel number. The
+ <acronym>OBEX</acronym> server will automatically register
+ the <acronym>OPUSH</acronym> service with the local
+ <acronym>SDP</acronym> daemon. The example below shows how
+ to start the <acronym>OBEX</acronym> server.</para>
<screen>&prompt.root; <userinput>obexapp -s -C 10</userinput></screen>
</sect2>
<sect2>
- <title>Serial Port Profile (SPP)</title>
+ <title>Serial Port Profile</title>
- <para>The Serial Port Profile (SPP) allows Bluetooth devices to
- perform RS232 (or similar) serial cable emulation. The
- scenario covered by this profile deals with legacy
- applications using Bluetooth as a cable replacement, through a
- virtual serial port abstraction.</para>
+ <para>The Serial Port Profile (<acronym>SPP</acronym>) allows
+ Bluetooth devices to perform serial cable emulation. This
+ profile allows legacy applications to use Bluetooth as a
+ cable replacement, through a virtual serial port
+ abstraction.</para>
- <para>The &man.rfcomm.sppd.1; utility implements the Serial Port
- profile. A pseudo tty is used as a virtual serial port
- abstraction. The example below shows how to connect to a
- remote device Serial Port service. Note that you do not have
- to specify a RFCOMM channel - &man.rfcomm.sppd.1; can obtain
- it from the remote device via SDP. If you would like to
- override this, specify a RFCOMM channel on the command
+ <para>In &os;, &man.rfcomm.sppd.1; implements
+ <acronym>SPP</acronym> and a pseudo tty is used as a virtual
+ serial port abstraction. The example below shows how to
+ connect to a remote device serial port service. A
+ <acronym>RFCOMM</acronym> channel does not have to be
+ specified as &man.rfcomm.sppd.1; can obtain it from the
+ remote device via <acronym>SDP</acronym>. To override this,
+ specify a <acronym>RFCOMM</acronym> channel on the command
line.</para>
<screen>&prompt.root; <userinput>rfcomm_sppd -a 00:07:E0:00:0B:CA -t /dev/ttyp6</userinput>
@@ -2807,26 +2874,25 @@ rfcomm_sppd[94692]: Starting on /dev/ttyp6...</screen>
switching. By default, when &os; is accepting a new
connection, it tries to perform a role switch and become
master. Devices, which do not support this will not be able
- to connect. Note that role switching is performed when a
- new connection is being established, so it is not possible
- to ask the remote device if it does support role switching.
- There is a HCI option to disable role switching on the local
- side:</para>
+ to connect. Since role switching is performed when a
+ new connection is being established, it is not possible
+ to ask the remote device if it supports role switching.
+ There is a <acronym>HCI</acronym> option to disable role
+ switching on the local side:</para>
<screen>&prompt.root; <userinput>hccontrol -n ubt0hci write_node_role_switch 0</userinput></screen>
</sect3>
<sect3>
- <title>Something is Going Wrong, Can I See What Exactly is
- Happening?</title>
+ <title>Displaying Bluetooth Packets</title>
- <para>Yes, you can. Use the third-party package
- <application>hcidump</application>, which is available as
- <filename role="package">comms/hcidump</filename> port. The
- <application>hcidump</application> utility is similar to
- &man.tcpdump.1;. It can be used to display the content of
- the Bluetooth packets on the terminal and to dump the
- Bluetooth packets to a file.</para>
+ <para>Use the third-party package
+ <application>hcidump</application>, which is available as a
+ <filename role="package">comms/hcidump</filename> package or
+ port. This utility is similar to &man.tcpdump.1; and can
+ be used to display the contents of Bluetooth packets on
+ the terminal and to dump the Bluetooth packets to a
+ file.</para>
</sect3>
</sect2>
</sect1>
@@ -2846,20 +2912,21 @@ rfcomm_sppd[94692]: Starting on /dev/ttyp6...</screen>
<sect2>
<title>Introduction</title>
- <indexterm><primary>IP subnet</primary></indexterm>
+ <indexterm><primary><acronym>IP</acronym>
+ subnet</primary></indexterm>
<indexterm><primary>bridge</primary></indexterm>
- <para>It is sometimes useful to divide one physical network
- (such as an Ethernet segment) into two separate network
- segments without having to create IP subnets and use a router
- to connect the segments together. A device that connects two
- networks together in this fashion is called a
- <quote>bridge</quote>. A FreeBSD system with two network
- interface cards can act as a bridge.</para>
+ <para>It is sometimes useful to divide one physical network,
+ such as an Ethernet segment, into two separate network
+ segments without having to create <acronym>IP</acronym>
+ subnets and use a router to connect the segments together.
+ A device that connects two networks together in this fashion
+ is called a <quote>bridge</quote>. A &os; system with two
+ network interface cards can act as a bridge.</para>
- <para>The bridge works by learning the MAC layer addresses
- (Ethernet addresses) of the devices on each of its network
- interfaces. It forwards traffic between two networks only
- when its source and destination are on different
+ <para>The bridge works by learning the <acronym>MAC</acronym>
+ layer (Ethernet) addresses of the devices on each of its
+ network interfaces. It forwards traffic between two networks
+ only when the source and destination are on different
networks.</para>
<para>In many respects, a bridge is like an Ethernet switch with
@@ -2878,8 +2945,8 @@ rfcomm_sppd[94692]: Starting on /dev/ttyp6...</screen>
<para>The basic operation of a bridge is to join two or more
network segments together. There are many reasons to use a
host based bridge over plain networking equipment such as
- cabling constraints, firewalling or connecting pseudo
- networks such as a Virtual Machine interface. A bridge can
+ cabling constraints, firewalling, or connecting pseudo
+ networks such as a virtual machine interface. A bridge can
also connect a wireless interface running in hostap mode to
a wired network and act as an access point.</para>
</sect3>
@@ -2891,68 +2958,73 @@ rfcomm_sppd[94692]: Starting on /dev/ttyp6...</screen>
<indexterm><primary>NAT</primary></indexterm>
<para>A common situation is where firewall functionality is
- needed without routing or network address translation
- (NAT).</para>
+ needed without routing or Network Address Translation
+ (<acronym>NAT</acronym>).</para>
- <para>An example is a small company that is connected via DSL
- or ISDN to their ISP. They have a 13 globally-accessible IP
- addresses from their ISP and have 10 PCs on their network.
- In this situation, using a router-based firewall is
- difficult because of subnetting issues.</para>
+ <para>An example is a small company that is connected via
+ <acronym>DSL</acronym>
+ or <acronym>ISDN</acronym> to an <acronym>ISP</acronym>.
+ There are thirteen globally-accessible <acronym>IP</acronym>
+ addresses from the <acronym>ISP</acronym> and ten computers
+ on the network. In this situation, using a router-based
+ firewall is difficult because of subnetting issues.</para>
<indexterm><primary>router</primary></indexterm>
- <indexterm><primary>DSL</primary></indexterm>
- <indexterm><primary>ISDN</primary></indexterm>
+ <indexterm><primary><acronym>DSL</acronym></primary></indexterm>
+ <indexterm><primary><acronym>ISDN</acronym></primary></indexterm>
<para>A bridge-based firewall can be configured and dropped
- into the path just downstream of their DSL/ISDN router
- without any IP numbering issues.</para>
+ into the path just downstream of the <acronym>DSL</acronym>
+ or <acronym>ISDN</acronym> router without any
+ <acronym>IP</acronym> numbering issues.</para>
</sect3>
<sect3>
<title>Network Tap</title>
<para>A bridge can join two network segments and be used to
- inspect all Ethernet frames that pass between them. This
- can either be from using &man.bpf.4;/&man.tcpdump.1; on the
- bridge interface or by sending a copy of all frames out an
- additional interface (span port).</para>
+ inspect all Ethernet frames that pass between them using
+ &man.bpf.4; and &man.tcpdump.1; on the bridge interface or
+ by sending a copy of all frames out an additional interface
+ known as a span port.</para>
</sect3>
<sect3>
- <title>Layer 2 VPN</title>
+ <title>Layer 2 <acronym>VPN</acronym></title>
- <para>Two Ethernet networks can be joined across an IP link by
- bridging the networks to an EtherIP tunnel or a &man.tap.4;
- based solution such as OpenVPN.</para>
+ <para>Two Ethernet networks can be joined across an
+ <acronym>IP</acronym> link by bridging the networks to an
+ EtherIP tunnel or a &man.tap.4; based solution such as
+ <application>OpenVPN</application>.</para>
</sect3>
<sect3>
<title>Layer 2 Redundancy</title>
<para>A network can be connected together with multiple links
- and use the Spanning Tree Protocol to block redundant paths.
- For an Ethernet network to function properly only one active
- path can exist between two devices, Spanning Tree will
- detect loops and put the redundant links into a blocked
- state. Should one of the active links fail then the
- protocol will calculate a different tree and reenable one of
- the blocked paths to restore connectivity to all points in
- the network.</para>
+ and use the Spanning Tree Protocol <acronym>STP</acronym>
+ to block redundant paths. For an Ethernet network to
+ function properly, only one active path can exist between
+ two devices. <acronym>STP</acronym> will detect loops and
+ put the redundant links into a blocked state. Should one
+ of the active links fail, <acronym>STP</acronym> will
+ calculate a different tree and enable one of the blocked
+ paths to restore connectivity to all points in the
+ network.</para>
</sect3>
</sect2>
<sect2>
<title>Kernel Configuration</title>
- <para>This section covers &man.if.bridge.4; bridge
- implementation, a netgraph bridging driver is also available,
- for more information see &man.ng.bridge.4; manual page.</para>
+ <para>This section covers the &man.if.bridge.4; implementation.
+ A netgraph bridging driver is also available, and is described
+ in &man.ng.bridge.4;.</para>
- <para>The bridge driver is a kernel module and will be
+ <para>In &os;, &man.if.bridge.4; is a kernel module which is
automatically loaded by &man.ifconfig.8; when creating a
- bridge interface. It is possible to compile the bridge in to
- the kernel by adding <literal>device if_bridge</literal> to
- your kernel configuration file.</para>
+ bridge interface. It is also possible to compile the bridge
+ in to the kernel by adding <literal>device if_bridge</literal>
+ to a custom kernel configuration file.</para>
<para>Packet filtering can be used with any firewall package
that hooks in via the &man.pfil.9; framework. The firewall
@@ -2966,9 +3038,7 @@ rfcomm_sppd[94692]: Starting on /dev/ttyp6...</screen>
<title>Enabling the Bridge</title>
<para>The bridge is created using interface cloning. To create
- a bridge use &man.ifconfig.8;, if the bridge driver is not
- present in the kernel then it will be loaded
- automatically.</para>
+ a bridge use &man.ifconfig.8;:</para>
<screen>&prompt.root; <userinput>ifconfig bridge create</userinput>
bridge0
@@ -2979,17 +3049,18 @@ bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0</screen>
- <para>A bridge interface is created and is automatically
+ <para>When a bridge interface is created, it is automatically
assigned a randomly generated Ethernet address. The
<literal>maxaddr</literal> and <literal>timeout</literal>
- parameters control how many MAC addresses the bridge will keep
- in its forwarding table and how many seconds before each entry
- is removed after it is last seen. The other parameters
- control how Spanning Tree operates.</para>
+ parameters control how many <acronym>MAC</acronym> addresses
+ the bridge will keep in its forwarding table and how many
+ seconds before each entry is removed after it is last seen.
+ The other parameters control how <acronym>STP</acronym>
+ operates.</para>
- <para>Add the member network interfaces to the bridge. For the
- bridge to forward packets all member interfaces and the bridge
- need to be up:</para>
+ <para>Next, add the member network interfaces to the bridge.
+ For the bridge to forward packets, all member interfaces and
+ the bridge need to be up:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 addm fxp0 addm fxp1 up</userinput>
&prompt.root; <userinput>ifconfig fxp0 up</userinput>
@@ -2997,24 +3068,25 @@ bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
<para>The bridge is now forwarding Ethernet frames between
<devicename>fxp0</devicename> and
- <devicename>fxp1</devicename>. The equivalent configuration
- in <filename>/etc/rc.conf</filename> so the bridge is created
- at startup is:</para>
+ <devicename>fxp1</devicename>. Add the following lines to
+ <filename>/etc/rc.conf</filename> so the bridge is created
+ at startup:</para>
<programlisting>cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 up"
ifconfig_fxp0="up"
ifconfig_fxp1="up"</programlisting>
- <para>If the bridge host needs an IP address then the correct
- place to set this is on the bridge interface itself rather
- than one of the member interfaces. This can be set statically
- or via DHCP:</para>
+ <para>If the bridge host needs an <acronym>IP</acronym>
+ address, the correct place to set this is on the bridge
+ interface itself rather than one of the member interfaces.
+ This can be set statically or via
+ <acronym>DHCP</acronym>:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 inet 192.168.0.1/24</userinput></screen>
- <para>It is also possible to assign an IPv6 address to a bridge
- interface.</para>
+ <para>It is also possible to assign an <acronym>IPv6</acronym>
+ address to a bridge interface.</para>
</sect2>
<sect2>
@@ -3023,14 +3095,15 @@ ifconfig_fxp1="up"</programlisting>
<indexterm><primary>firewall</primary></indexterm>
<para>When packet filtering is enabled, bridged packets will
- pass through the filter inbound on the originating interface,
- on the bridge interface and outbound on the appropriate
+ pass through the filter inbound on the originating interface
+ on the bridge interface, and outbound on the appropriate
interfaces. Either stage can be disabled. When direction of
- the packet flow is important it is best to firewall on the
+ the packet flow is important, it is best to firewall on the
member interfaces rather than the bridge itself.</para>
<para>The bridge has several configurable settings for passing
- non-IP and ARP packets, and layer2 firewalling with IPFW. See
+ non-<acronym>IP</acronym> and <acronym>IP</acronym> packets,
+ and layer2 firewalling with &man.ipfw.8;. See
&man.if.bridge.4; for more information.</para>
</sect2>
@@ -3038,21 +3111,22 @@ ifconfig_fxp1="up"</programlisting>
<title>Spanning Tree</title>
<para>The bridge driver implements the Rapid Spanning Tree
- Protocol (RSTP or 802.1w) with backwards compatibility with
- the legacy Spanning Tree Protocol (STP). Spanning Tree is
- used to detect and remove loops in a network topology. RSTP
- provides faster Spanning Tree convergence than legacy STP, the
- protocol will exchange information with neighbouring switches
- to quickly transition to forwarding without creating
- loops.
- &os; supports RSTP and STP as operating modes, with RSTP
- being the default mode.</para>
+ Protocol (<acronym>RSTP</acronym> or 802.1w) with backwards
+ compatibility with legacy <acronym>STP</acronym>.
+ <acronym>STP</acronym> is used to detect and remove loops
+ in a network topology. <acronym>RSTP</acronym> provides
+ faster convergence than legacy <acronym>STP</acronym>, the
+ protocol will exchange information with neighboring switches
+ to quickly transition to forwarding without creating loops.
+ &os; supports <acronym>RSTP</acronym> and
+ <acronym>STP</acronym> as operating modes, with
+ <acronym>RSTP</acronym> being the default mode.</para>
- <para>Spanning Tree can be enabled on member interfaces using
- the <literal>stp</literal> command. For a bridge with
+ <para><acronym>STP</acronym> can be enabled on member interfaces
+ using &man.ifconfig.8;. For a bridge with
<devicename>fxp0</devicename> and
<devicename>fxp1</devicename> as the current interfaces,
- enable STP with the following:</para>
+ enable <acronym>STP</acronym> with:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 stp fxp0 stp fxp1</userinput>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
@@ -3070,11 +3144,11 @@ bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1
<para>This bridge has a spanning tree ID of
<literal>00:01:02:4b:d4:50</literal> and a priority of
<literal>32768</literal>. As the <literal>root id</literal>
- is the same it indicates that this is the root bridge for the
+ is the same, it indicates that this is the root bridge for the
tree.</para>
- <para>Another bridge on the network also has spanning tree
- enabled:</para>
+ <para>Another bridge on the network also has
+ <acronym>STP</acronym> enabled:</para>
<screen>bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 96:3d:4b:f1:79:7a
@@ -3090,9 +3164,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1
<para>The line <literal>root id 00:01:02:4b:d4:50 priority 32768
ifcost 400000 port 4</literal> shows that the root bridge is
- <literal>00:01:02:4b:d4:50</literal> as above and has a path
- cost of <literal>400000</literal> from this bridge, the path
- to the root bridge is via <literal>port 4</literal> which is
+ <literal>00:01:02:4b:d4:50</literal> and has a path cost of
+ <literal>400000</literal> from this bridge. The path to the
+ root bridge is via <literal>port 4</literal> which is
<devicename>fxp0</devicename>.</para>
</sect2>
@@ -3103,7 +3177,7 @@ bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1
<title>Reconstruct Traffic Flows</title>
<para>The bridge supports monitor mode, where the packets are
- discarded after &man.bpf.4; processing, and are not
+ discarded after &man.bpf.4; processing and are not
processed or forwarded further. This can be used to
multiplex the input of two or more interfaces into a single
&man.bpf.4; stream. This is useful for reconstructing the
@@ -3122,9 +3196,9 @@ bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1
<para>A copy of every Ethernet frame received by the bridge
will be transmitted out a designated span port. The number
- of span ports configured on a bridge is unlimited, if an
- interface is designated as a span port then it may not also
- be used as a regular bridge port. This is most useful for
+ of span ports configured on a bridge is unlimited, but if an
+ interface is designated as a span port, it cannot also be
+ used as a regular bridge port. This is most useful for
snooping a bridged network passively on another host
connected to one of the span ports of the bridge.</para>
@@ -3140,102 +3214,107 @@ bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1
<para>A private interface does not forward any traffic to any
other port that is also a private interface. The traffic is
blocked unconditionally so no Ethernet frames will be
- forwarded, including ARP. If traffic needs to be
- selectively blocked then a firewall should be used
+ forwarded, including <acronym>ARP</acronym>. If traffic
+ needs to be selectively blocked, a firewall should be used
instead.</para>
</sect3>
<sect3>
<title>Sticky Interfaces</title>
- <para>If a bridge member interface is marked as sticky then
+ <para>If a bridge member interface is marked as sticky,
dynamically learned address entries are treated at static
once entered into the forwarding cache. Sticky entries are
never aged out of the cache or replaced, even if the address
is seen on a different interface. This gives the benefit of
static address entries without the need to pre-populate the
- forwarding table, clients learnt on a particular segment of
- the bridge can not roam to another segment.</para>
+ forwarding table. Clients learned on a particular segment
+ of the bridge can not roam to another segment.</para>
- <para>Another example of using sticky addresses would be to
- combine the bridge with VLANs to create a router where
- customer networks are isolated without wasting IP address
- space. Consider that
+ <para>Another example of using sticky addresses is to
+ combine the bridge with <acronym>VLAN</acronym>s to create
+ a router where customer networks are isolated without
+ wasting <acronym>IP</acronym> address space. Consider that
<hostid role="hostname">CustomerA</hostid> is on
- <literal>vlan100</literal> and
- <hostid role="hostname">CustomerB</hostid> is on
+ <literal>vlan100</literal> and <hostid
+ role="hostname">CustomerB</hostid> is on
<literal>vlan101</literal>. The bridge has the address
<hostid role="ipaddr">192.168.0.1</hostid> and is also an
- internet router.</para>
+ Internet router.</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 addm vlan100 sticky vlan100 addm vlan101 sticky vlan101</userinput>
&prompt.root; <userinput>ifconfig bridge0 inet 192.168.0.1/24</userinput></screen>
- <para>Both clients see
- <hostid role="ipaddr">192.168.0.1</hostid> as their default
- gateway and since the bridge cache is sticky they can not
- spoof the MAC address of the other customer to intercept
- their traffic.</para>
+ <para>In this example, both clients see <hostid
+ role="ipaddr">192.168.0.1</hostid> as their default
+ gateway. Since the bridge cache is sticky, one host can not
+ spoof the <acronym>MAC</acronym> address of the other
+ customer in order to intercept their traffic.</para>
- <para>Any communication between the VLANs can be blocked using
- private interfaces (or a firewall):</para>
+ <para>Any communication between the <acronym>VLAN</acronym>s
+ can be blocked using a firewall or, as seen in this example,
+ private interfaces:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 private vlan100 private vlan101</userinput></screen>
- <para>The customers are completely isolated from each other,
- the full <hostid role="netmask">/24</hostid> address range
- can be allocated without subnetting.</para>
+ <para>The customers are completely isolated from each other
+ and the full <hostid role="netmask">/24</hostid> address
+ range can be allocated without subnetting.</para>
</sect3>
<sect3>
<title>Address Limits</title>
- <para>The number of unique source MAC addresses behind an
- interface can be limited. Once the limit is reached packets
- with unknown source addresses are dropped until an
- existing host cache entry expires or is removed.</para>
+ <para>The number of unique source <acronym>MAC</acronym>
+ addresses behind an interface can be limited. Once the
+ limit is reached, packets with unknown source addresses
+ are dropped until an existing host cache entry expires or
+ is removed.</para>
<para>The following example sets the maximum number of
- Ethernet devices for
- <hostid role="hostname">CustomerA</hostid> on
- <literal>vlan100</literal> to 10.</para>
+ Ethernet devices for <hostid
+ role="hostname">CustomerA</hostid> on
+ <literal>vlan100</literal> to 10:</para>
<screen>&prompt.root; <userinput>ifconfig bridge0 ifmaxaddr vlan100 10</userinput></screen>
</sect3>
<sect3>
- <title>SNMP Monitoring</title>
+ <title><acronym>SNMP</acronym> Monitoring</title>
- <para>The bridge interface and STP parameters can be monitored
- via the SNMP daemon which is included in the &os; base
- system. The exported bridge MIBs conform to the IETF
- standards so any SNMP client or monitoring package can be
+ <para>The bridge interface and <acronym>STP</acronym>
+ parameters can be monitored via &man.bsnmpd.1; which is
+ included in the &os; base system. The exported bridge
+ <acronym>MIB</acronym>s conform to the
+ <acronym>IETF</acronym> standards so any
+ <acronym>SNMP</acronym> client or monitoring package can be
used to retrieve the data.</para>
- <para>On the bridge machine uncomment the
+ <para>On the bridge, uncomment the
<literal>begemotSnmpdModulePath."bridge" =
"/usr/lib/snmp_bridge.so"</literal> line from
- <filename>/etc/snmp.config</filename> and start the
- <application>bsnmpd</application> daemon. Other
- configuration such as community names and access lists may
- need to be modified. See &man.bsnmpd.1; and
- &man.snmp.bridge.3; for more information.</para>
+ <filename>/etc/snmp.config</filename> and start
+ &man.bsnmpd.1;. Other configuration, such as community
+ names and access lists, may need to be modified. See
+ &man.bsnmpd.1; and &man.snmp.bridge.3; for more
+ information.</para>
<para>The following examples use the
- <application>Net-SNMP</application> software
- (<filename role="package">net-mgmt/net-snmp</filename>) to
- query a bridge, the
- <filename role="package">net-mgmt/bsnmptools</filename> port
- can also be used. From the SNMP client host add to
- <filename>$HOME/.snmp/snmp.conf</filename> the following
- lines to import the bridge MIB definitions in to
- <application>Net-SNMP</application>:</para>
+ <application>Net-SNMP</application> software (<filename
+ role="package">net-mgmt/net-snmp</filename>) to query a
+ bridge from a client system. The <filename
+ role="package">net-mgmt/bsnmptools</filename> port can
+ also be used. From the <acronym>SNMP</acronym> client
+ which is running <application>Net-SNMP</application>, add
+ the following lines to
+ <filename>$HOME/.snmp/snmp.conf</filename> in order to
+ import the bridge <acronym>MIB</acronym> definitions:</para>
<programlisting>mibdirs +/usr/share/snmp/mibs
mibs +BRIDGE-MIB:RSTP-MIB:BEGEMOT-MIB:BEGEMOT-BRIDGE-MIB</programlisting>
- <para>To monitor a single bridge via the IETF BRIDGE-MIB
- (RFC4188) do</para>
+ <para>To monitor a single bridge using the IETF BRIDGE-MIB
+ (RFC4188):</para>
<screen>&prompt.user; <userinput>snmpwalk -v 2c -c public bridge1.example.com mib-2.dot1dBridge</userinput>
BRIDGE-MIB::dot1dBaseBridgeAddress.0 = STRING: 66:fb:9b:6e:5c:44
@@ -3254,16 +3333,16 @@ BRIDGE-MIB::dot1dStpPortDesignatedPort.3 = Hex-STRING: 03 80
BRIDGE-MIB::dot1dStpPortForwardTransitions.3 = Counter32: 1
RSTP-MIB::dot1dStpVersion.0 = INTEGER: rstp(2)</screen>
- <para>The <literal>dot1dStpTopChanges.0</literal> value is two
- which means that the STP bridge topology has changed twice,
- a topology change means that one or more links in the
- network have changed or failed and a new tree has been
- calculated. The
+ <para>The <literal>dot1dStpTopChanges.0</literal> value is
+ two, indicating that the <acronym>STP</acronym> bridge
+ topology has changed twice. A topology change means that
+ one or more links in the network have changed or failed
+ and a new tree has been calculated. The
<literal>dot1dStpTimeSinceTopologyChange.0</literal> value
will show when this happened.</para>
- <para>To monitor multiple bridge interfaces one may use the
- private BEGEMOT-BRIDGE-MIB:</para>
+ <para>To monitor multiple bridge interfaces, the private
+ BEGEMOT-BRIDGE-MIB can be used:</para>
<screen>&prompt.user; <userinput>snmpwalk -v 2c -c public bridge1.example.com</userinput>
enterprises.fokus.begemot.begemotBridge
@@ -3282,7 +3361,7 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeStpDesignatedRoot."bridge0" = Hex-STRING: 80 00
BEGEMOT-BRIDGE-MIB::begemotBridgeStpDesignatedRoot."bridge2" = Hex-STRING: 80 00 00 50 8B B8 C6 A9</screen>
<para>To change the bridge interface being monitored via the
- <literal>mib-2.dot1dBridge</literal> subtree do:</para>
+ <literal>mib-2.dot1dBridge</literal> subtree:</para>
<screen>&prompt.user; <userinput>snmpset -v 2c -c private bridge1.example.com</userinput>
BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
@@ -3304,8 +3383,8 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
<indexterm><primary>lagg</primary></indexterm>
<indexterm><primary>failover</primary></indexterm>
- <indexterm><primary>fec</primary></indexterm>
- <indexterm><primary>lacp</primary></indexterm>
+ <indexterm><primary><acronym>FEC</acronym></primary></indexterm>
+ <indexterm><primary><acronym>LACP</acronym></primary></indexterm>
<indexterm><primary>loadbalance</primary></indexterm>
<indexterm><primary>roundrobin</primary></indexterm>
@@ -3320,6 +3399,9 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
<sect2>
<title>Operating Modes</title>
+ <para>The following operating modes are supported by
+ &man.lagg.4;:</para>
+
<variablelist>
<varlistentry>
<term>Failover</term>
@@ -3327,8 +3409,8 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
<para>Sends and receives traffic only through the master
port. If the master port becomes unavailable, the next
active port is used. The first interface added is the
- master port; any interfaces added after that are used as
- failover devices. If failover to a non-master port
+ master port and any interfaces added after that are used
+ as failover devices. If failover to a non-master port
occurs, the original port will become master when it
becomes available again.</para>
</listitem>
@@ -3337,40 +3419,49 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
<varlistentry>
<term>&cisco; Fast ðerchannel;</term>
<listitem>
- <para>&cisco; Fast ðerchannel; (FEC), is a static setup
- and does not negotiate aggregation with the peer or
- exchange frames to monitor the link. If the switch
- supports LACP then that should be used instead.</para>
+ <para>&cisco; Fast ðerchannel; (<acronym>FEC</acronym>)
+ is a static setup and does not negotiate aggregation
+ with the peer or exchange frames to monitor the link.
+ If the switch supports <acronym>LACP</acronym>, that
+ should be used instead.</para>
<para><acronym>FEC</acronym> balances outgoing traffic
across the active ports based on hashed protocol header
information and accepts incoming traffic from any active
port. The hash includes the Ethernet source and
- destination address, and, if available, the VLAN tag,
- and the IPv4/IPv6 source and destination address.</para>
+ destination address and, if available, the
+ <acronym>VLAN</acronym> tag, and the
+ <acronym>IPv4</acronym> or <acronym>IPv6</acronym>
+ source and destination address.</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>LACP</term>
+ <term><acronym>LACP</acronym></term>
<listitem>
<para>The &ieee; 802.3ad Link Aggregation Control Protocol
- (LACP) and the Marker Protocol. LACP will negotiate a
- set of aggregable links with the peer in to one or more
- Link Aggregated Groups (LAG). Each LAG is composed of
- ports of the same speed, set to full-duplex operation.
- The traffic will be balanced across the ports in the LAG
- with the greatest total speed, in most cases there will
- only be one LAG which contains all ports. In the event
- of changes in physical connectivity, Link Aggregation
- will quickly converge to a new configuration.</para>
+ (<acronym>LACP</acronym>) and the Marker Protocol.
+ <acronym>LACP</acronym> will negotiate a set of
+ aggregable links with the peer in to one or more Link
+ Aggregated Groups (<acronym>LAG</acronym>s). Each
+ <acronym>LAG</acronym> is composed of ports of the
+ same speed, set to full-duplex operation. The traffic
+ will be balanced across the ports in the
+ <acronym>LAG</acronym> with the greatest total speed.
+ In most cases, there will only be one
+ <acronym>LAG</acronym> which contains all ports. In
+ the event of changes in physical connectivity,
+ <acronym>LACP</acronym> will quickly converge to a new
+ configuration.</para>
<para><acronym>LACP</acronym> balances outgoing traffic
across the active ports based on hashed protocol header
information and accepts incoming traffic from any active
port. The hash includes the Ethernet source and
- destination address, and, if available, the VLAN tag,
- and the IPv4/IPv6 source and destination address.</para>
+ destination address and, if available, the
+ <acronym>VLAN</acronym> tag, and the IPv4 or
+ <acronym>IPv6</acronym> source and destination
+ address.</para>
</listitem>
</varlistentry>
@@ -3388,7 +3479,7 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
<para>Distributes outgoing traffic using a round-robin
scheduler through all active ports and accepts incoming
traffic from any active port. This mode violates
- Ethernet Frame ordering and should be used with
+ Ethernet frame ordering and should be used with
caution.</para>
</listitem>
</varlistentry>
@@ -3399,23 +3490,24 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
<title>Examples</title>
<example id="networking-lacp-aggregation-cisco">
- <title>LACP Aggregation with a &cisco; Switch</title>
+ <title><acronym>LACP</acronym> Aggregation with a &cisco;
+ Switch</title>
<para>This example connects two interfaces on a &os; machine
to the switch as a single load balanced and fault tolerant
link. More interfaces can be added to increase throughput
- and fault tolerance. Since frame ordering is mandatory on
- Ethernet links then any traffic between two stations always
- flows over the same physical link limiting the maximum speed
- to that of one interface. The transmit algorithm attempts
- to use as much information as it can to distinguish
- different traffic flows and balance across the available
- interfaces.</para>
+ and fault tolerance. Frame ordering is mandatory on
+ Ethernet links and any traffic between two stations always
+ flows over the same physical link, limiting the maximum
+ speed to that of one interface. The transmit algorithm
+ attempts to use as much information as it can to
+ distinguish different traffic flows and balance across the
+ available interfaces.</para>
- <para>On the &cisco; switch add the
+ <para>On the &cisco; switch, add the
<replaceable>FastEthernet0/1</replaceable> and
- <replaceable>FastEthernet0/2</replaceable> interfaces to the
- channel-group <replaceable>1</replaceable>:</para>
+ <replaceable>FastEthernet0/2</replaceable> interfaces to
+ channel group <replaceable>1</replaceable>:</para>
<screen><userinput>interface <replaceable>FastEthernet0/1</replaceable>
channel-group <replaceable>1</replaceable> mode active
@@ -3428,7 +3520,7 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
<para>Create the &man.lagg.4; interface using
<replaceable>fxp0</replaceable> and
<replaceable>fxp1</replaceable>, and bring the interfaces up
- with the IP Address of
+ with the <acronym>IP</acronym> address of
<replaceable>10.0.0.3/24</replaceable>:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>fxp0</replaceable> up</userinput>
@@ -3442,9 +3534,10 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
<para>Ports marked as <emphasis>ACTIVE</emphasis> are part of
the active aggregation group that has been negotiated with
- the remote switch and traffic will be transmitted and
- received. Use the verbose output of &man.ifconfig.8; to
- view the LAG identifiers.</para>
+ the remote switch. Traffic will be transmitted and
+ received through active ports. Use the verbose output of
+ &man.ifconfig.8; to view the <acronym>LAG</acronym>
+ identifiers.</para>
<screen>lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
@@ -3455,7 +3548,7 @@ BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2</screen>
laggport: fxp1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
laggport: fxp0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING></screen>
- <para>To see the port status on the switch, use
+ <para>To see the port status on the &cisco; switch, use
<userinput>show lacp neighbor</userinput>:</para>
<screen>switch# show lacp neighbor
@@ -3472,8 +3565,8 @@ Port Flags Priority Dev ID Age Key Number State
Fa0/1 SA 32768 0005.5d71.8db8 29s 0x146 0x3 0x3D
Fa0/2 SA 32768 0005.5d71.8db8 29s 0x146 0x4 0x3D</screen>
- <para>For more detail use the <userinput>show lacp neighbor
- detail</userinput> command.</para>
+ <para>For more detail, type <userinput>show lacp neighbor
+ detail</userinput>.</para>
<para>To retain this configuration across reboots, the
following entries can be added to
@@ -3490,11 +3583,12 @@ ifconfig_<literal>lagg<replaceable>0</replaceable></literal>="laggproto lacp lag
<para>Failover mode can be used to switch over to a secondary
interface if the link is lost on the master interface.
- Bring the underlying physical interfaces up. Create the
- &man.lagg.4; interface, using
- <replaceable>fxp0</replaceable> as the master interface and
- <replaceable>fxp1</replaceable> as the secondary interface
- and assign an IP Address of
+ To configure failover mode, first bring the underlying
+ physical interfaces up. Then, create the &man.lagg.4;
+ interface, using <replaceable>fxp0</replaceable> as the
+ master interface and <replaceable>fxp1</replaceable> as
+ the secondary interface, and assign an <acronym>IP</acronym>
+ address of
<replaceable>10.0.0.15/24</replaceable>:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>fxp0</replaceable> up</userinput>
@@ -3502,9 +3596,8 @@ ifconfig_<literal>lagg<replaceable>0</replaceable></literal>="laggproto lacp lag
&prompt.root; <userinput>ifconfig <literal>lagg<replaceable>0</replaceable></literal> create</userinput>
&prompt.root; <userinput>ifconfig <literal>lagg<replaceable>0</replaceable></literal> up laggproto failover laggport <replaceable>fxp0</replaceable> laggport <replaceable>fxp1</replaceable> <replaceable>10.0.0.15/24</replaceable></userinput></screen>
- <para>The interface will look something like this, the major
- differences will be the <acronym>MAC</acronym> address and
- the device names:</para>
+ <para>The interface should now look something like
+ this:</para>
<screen>&prompt.root; <userinput>ifconfig <literal>lagg<replaceable>0</replaceable></literal></userinput>
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
@@ -3519,9 +3612,9 @@ lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 150
<para>Traffic will be transmitted and received on
<replaceable>fxp0</replaceable>. If the link is lost on
- <replaceable>fxp0</replaceable> then
+ <replaceable>fxp0</replaceable>,
<replaceable>fxp1</replaceable> will become the active link.
- If the link is restored on the master interface then it will
+ If the link is restored on the master interface, it will
once again become the active link.</para>
<para>To retain this configuration across reboots, the
@@ -3538,28 +3631,29 @@ ifconfig_<literal>lagg<replaceable>0</replaceable></literal>="laggproto failover
<title>Failover Mode Between Wired and Wireless
Interfaces</title>
- <para>For laptop users, it is usually desirable to make
- wireless as a secondary interface, which is to be used when
- the wired connection is not available. With &man.lagg.4;,
- it is possible to use one IP address, prefer the wired
- connection for both performance and security reasons, while
+ <para>For laptop users, it is usually desirable to configure
+ the wireless device as a secondary interface, which is used
+ when the wired connection is not available. With
+ &man.lagg.4;, it is possible to use one
+ <acronym>IP</acronym> address, prefer the wired connection
+ for both performance and security reasons, while
maintaining the ability to transfer data over the wireless
connection.</para>
- <para>In this setup, we will need to override the underlying
- wireless interface's <acronym>MAC</acronym> address to match
- the &man.lagg.4;'s, which is inherited from the master
- interface being used, the wired interface.</para>
+ <para>In this setup, override the underlying wireless
+ interface's <acronym>MAC</acronym> address to match that
+ of the &man.lagg.4;, which is inherited from the wired
+ interface.</para>
- <para>In this setup, we will treat the wired interface,
- <replaceable>bge0</replaceable>, as the master, and the
- wireless interface, <replaceable>wlan0</replaceable>, as the
- failover interface. The <replaceable>wlan0</replaceable>
- was created from <replaceable>iwn0</replaceable> which we
- will set up with the wired connection's
- <acronym>MAC</acronym> address. The first step would be to
- obtain the <acronym>MAC</acronym> address from the wired
- interface:</para>
+ <para>In this example, the wired interface,
+ <replaceable>bge0</replaceable>, is the master, and the
+ wireless interface, <replaceable>wlan0</replaceable>, is
+ the failover interface. The
+ <replaceable>wlan0</replaceable> device was created from
+ <replaceable>iwn0</replaceable>, which will be configured
+ with the wired connection's <acronym>MAC</acronym> address.
+ The first step is to determine the <acronym>MAC</acronym>
+ address of the wired interface:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>bge0</replaceable></userinput>
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
@@ -3570,32 +3664,30 @@ bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active</screen>
- <para>You can replace the <replaceable>bge0</replaceable> to
- match your reality, and will get a different
- <literal>ether</literal> line which is the
- <acronym>MAC</acronym> address of your wired interface.
- Now, we change the underlying wireless interface,
- <replaceable>iwn0</replaceable>:</para>
+ <para>Replace <replaceable>bge0</replaceable> to match the
+ system's interface name. The <literal>ether</literal>
+ line will contain the <acronym>MAC</acronym> address of
+ the wired interface. Now, change the
+ <acronym>MAC</acronym> address of the underlying wireless
+ interface:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>iwn0</replaceable> ether <replaceable>00:21:70:da:ae:37</replaceable></userinput></screen>
- <para>Bring the wireless interface up, but do not set an IP
- address on it:</para>
+ <para>Bring the wireless interface up, but do not set an
+ <acronym>IP</acronym> address:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable> create wlandev <replaceable>iwn0</replaceable> ssid <replaceable>my_router</replaceable> up</userinput></screen>
<para>Bring the <replaceable>bge0</replaceable> interface up.
Create the &man.lagg.4; interface with
<replaceable>bge0</replaceable> as master, and failover to
- <replaceable>wlan0</replaceable> if necessary:</para>
+ <replaceable>wlan0</replaceable>:</para>
<screen>&prompt.root; <userinput>ifconfig <replaceable>bge0</replaceable> up</userinput>
&prompt.root; <userinput>ifconfig <literal>lagg<replaceable>0</replaceable></literal> create</userinput>
&prompt.root; <userinput>ifconfig <literal>lagg<replaceable>0</replaceable></literal> up laggproto failover laggport <replaceable>bge0</replaceable> laggport <replaceable>wlan0</replaceable></userinput></screen>
- <para>The interface will look something like this, the major
- differences will be the <acronym>MAC</acronym> address and
- the device names:</para>
+ <para>The interface will now look something like this:</para>
<screen>&prompt.root; <userinput>ifconfig <literal>lagg<replaceable>0</replaceable></literal></userinput>
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
@@ -3607,8 +3699,8 @@ lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 150
laggport: wlan0 flags=0<>
laggport: bge0 flags=5<MASTER,ACTIVE></screen>
- <para>Then start the DHCP client to obtain an IP
- address:</para>
+ <para>Then, start the <acronym>DHCP</acronym> client to
+ obtain an <acronym>IP</acronym> address:</para>
<screen>&prompt.root; <userinput>dhclient <literal>lagg<replaceable>0</replaceable></literal></userinput></screen>
@@ -3648,100 +3740,62 @@ ifconfig_<literal>lagg<replaceable>0</replaceable></literal>="laggproto failover
<indexterm><primary>diskless workstation</primary></indexterm>
<indexterm><primary>diskless operation</primary></indexterm>
- <para>A FreeBSD machine can boot over the network and operate
+ <para>A &os; machine can boot over the network and operate
without a local disk, using file systems mounted from an
<acronym>NFS</acronym> server. No system modification is
necessary, beyond standard configuration files. Such a system
is relatively easy to set up because all the necessary elements
are readily available:</para>
- <itemizedlist>
- <listitem>
- <para>There are at least two possible methods to load the
- kernel over the network:</para>
+ <para>The &intel; Preboot eXecution Environment
+ (<acronym>PXE</acronym>) can be used to load the kernel over
+ the network. It provides a form of smart boot
+ <acronym>ROM</acronym> built into some networking cards or
+ motherboards. See &man.pxeboot.8; for more details.</para>
- <itemizedlist>
- <listitem>
- <para><acronym>PXE</acronym>: The &intel; Preboot
- eXecution Environment system is a form of smart boot ROM
- built into some networking cards or motherboards. See
- &man.pxeboot.8; for more details.</para>
- </listitem>
+ <para>A sample script
+ (<filename>/usr/share/examples/diskless/clone_root</filename>)
+ eases the creation and maintenance of the workstation's root
+ file system on the server. The script will probably require
+ a little customization.</para>
- <listitem>
- <para>The <application>Etherboot</application> port
- (<filename role="package">net/etherboot</filename>)
- produces ROM-able code to boot kernels over the network.
- The code can be either burnt into a boot PROM on a
- network card, or loaded from a local floppy (or hard)
- disk drive, or from a running &ms-dos; system. Many
- network cards are supported.</para>
- </listitem>
- </itemizedlist>
- </listitem>
+ <para>Standard system startup files exist in <filename
+ class="directory">/etc</filename> to detect and support a
+ diskless system startup.</para>
- <listitem>
- <para>A sample script
- (<filename>/usr/share/examples/diskless/clone_root</filename>)
- eases the creation and maintenance of the workstation's root
- file system on the server. The script will probably require
- a little customization but it will get you started very
- quickly.</para>
- </listitem>
-
- <listitem>
- <para>Standard system startup files exist
- in <filename class="directory">/etc</filename>
- to detect and support a diskless system startup.</para>
- </listitem>
-
- <listitem>
- <para>Swapping, if needed, can be done either to an
- <acronym>NFS</acronym> file or to a local disk.</para>
- </listitem>
- </itemizedlist>
+ <para>Swapping, if needed, can be done either to an
+ <acronym>NFS</acronym> file or to a local disk.</para>
<para>There are many ways to set up diskless workstations. Many
elements are involved, and most can be customized to suit local
taste. The following will describe variations on the setup of a
complete system, emphasizing simplicity and compatibility with
- the standard FreeBSD startup scripts. The system described has
+ the standard &os; startup scripts. The system described has
the following characteristics:</para>
<itemizedlist>
<listitem>
- <para>The diskless workstations use a shared read-only
- <filename class="directory">/</filename> file system,
- and a shared read-only
+ <para>The diskless workstations use a shared, read-only
+ <filename class="directory">/</filename> and
<filename class="directory">/usr</filename>.</para>
- <para>The root file system is a copy of a standard FreeBSD
- root (typically the server's), with some configuration files
- overridden by ones specific to diskless operation or,
- possibly, to the workstation they belong to.</para>
+ <para>The root file system is a copy of a standard &os;
+ root, with some configuration files overridden by ones
+ specific to diskless operation or, possibly, to the
+ workstation they belong to.</para>
<para>The parts of the root which have to be writable are
overlaid with &man.md.4; file systems. Any changes will be
lost when the system reboots.</para>
</listitem>
-
- <listitem>
- <para>The kernel is transferred and loaded either with
- <application>Etherboot</application> or
- <acronym>PXE</acronym> as some situations may mandate the
- use of either method.</para>
- </listitem>
</itemizedlist>
<caution>
<para>As described, this system is insecure. It should live in
- a protected area of a network, and be untrusted by other
+ a protected area of a network and be untrusted by other
hosts.</para>
</caution>
- <para>All the information in this section has been tested using
- &os; 5.2.1-RELEASE.</para>
-
<sect2>
<title>Background Information</title>
@@ -3763,8 +3817,8 @@ ifconfig_<literal>lagg<replaceable>0</replaceable></literal>="laggproto failover
</itemizedlist>
<para>In this context, having some knowledge of the background
- mechanisms involved is very useful to solve the problems that
- may arise.</para>
+ mechanisms involved is useful to solve the problems that may
+ arise.</para>
<para>Several operations need to be performed for a successful
bootstrap:</para>
@@ -3772,26 +3826,26 @@ ifconfig_<literal>lagg<replaceable>0</replaceable></literal>="laggproto failover
<itemizedlist>
<listitem>
<para>The machine needs to obtain initial parameters such as
- its IP address, executable filename, server name, root
- path. This is done using the <acronym>DHCP</acronym> or
- BOOTP protocols. <acronym>DHCP</acronym> is a compatible
- extension of BOOTP, and uses the same port numbers and
- basic packet format.</para>
+ its <acronym>IP</acronym> address, executable filename,
+ server name, and root path. This is done using the
+ <acronym>DHCP</acronym> or <acronym>BOOTP</acronym>
+ protocols. <acronym>DHCP</acronym> is a compatible
+ extension of <acronym>BOOTP</acronym>, and uses the same
+ port numbers and basic packet format. It is possible to
+ configure a system to use only <acronym>BOOTP</acronym>
+ and &man.bootpd.8; is included in the base &os;
+ system.</para>
+ </listitem>
- <para>It is possible to configure a system to use only
- BOOTP. The &man.bootpd.8; server program is included in
- the base &os; system.</para>
-
- <para>However, <acronym>DHCP</acronym> has a number of
- advantages over BOOTP (nicer configuration files,
- possibility of using <acronym>PXE</acronym>, plus many
- others not directly related to diskless operation), and we
- will describe mainly a <acronym>DHCP</acronym>
+ <listitem>
+ <para><acronym>DHCP</acronym> has a number of advantages
+ over <acronym>BOOTP</acronym> such as nicer configuration
+ files and support for <acronym>PXE</acronym>. This
+ section describes mainly a <acronym>DHCP</acronym>
configuration, with equivalent examples using
&man.bootpd.8; when possible. The sample configuration
- will use the <application>ISC DHCP</application> software
- package (release 3.0.1.r12 was installed on the test
- server).</para>
+ uses <application>ISC DHCP</application> which is
+ available in the Ports Collection.</para>
</listitem>
<listitem>
@@ -3800,56 +3854,32 @@ ifconfig_<literal>lagg<replaceable>0</replaceable></literal>="laggproto failover
<acronym>NFS</acronym> are used. The choice between
<acronym>TFTP</acronym> and <acronym>NFS</acronym> is a
compile time option in several places. A common source of
- error is to specify filenames for the wrong protocol:
+ error is to specify filenames for the wrong protocol.
<acronym>TFTP</acronym> typically transfers all files from
- a single directory on the server, and would expect
- filenames relative to this directory.
- <acronym>NFS</acronym> needs absolute file paths.</para>
+ a single directory on the server and expects filenames
+ relative to this directory. <acronym>NFS</acronym> needs
+ absolute file paths.</para>
</listitem>
<listitem>
<para>The possible intermediate bootstrap programs and the
- kernel need to be initialized and executed. There are
- several important variations in this area:</para>
-
- <itemizedlist>
- <listitem>
-
- <para><acronym>PXE</acronym> will load &man.pxeboot.8;,
- which is a modified version of the &os; third stage
- loader. The &man.loader.8; will obtain most
- parameters necessary to system startup, and leave them
- in the kernel environment before transferring control.
- It is possible to use a <filename>GENERIC</filename>
- kernel in this case.</para>
- </listitem>
-
- <listitem>
- <para><application>Etherboot</application>, will
- directly load the kernel, with less preparation. You
- will need to build a kernel with specific
- options.</para>
- </listitem>
- </itemizedlist>
-
- <para><acronym>PXE</acronym> and
- <application>Etherboot</application> work equally well;
- however, because kernels normally let the &man.loader.8;
- do more work for them, <acronym>PXE</acronym> is the
- preferred method.</para>
-
- <para>If your <acronym>BIOS</acronym> and network cards
- support <acronym>PXE</acronym>, you should probably use
- it.</para>
+ kernel need to be initialized and executed.
+ <acronym>PXE</acronym> loads &man.pxeboot.8;, which is
+ a modified version of the &os; third stage loader,
+ &man.loader.8;. The third stage loader will obtain most
+ parameters necessary to system startup and leave them
+ in the kernel environment before transferring control.
+ It is possible to use a <filename>GENERIC</filename>
+ kernel in this case.</para>
</listitem>
<listitem>
- <para>Finally, the machine needs to access its file systems.
- <acronym>NFS</acronym> is used in all cases.</para>
+ <para>Finally, the machine needs to access its file systems
+ using <acronym>NFS</acronym>.</para>
</listitem>
</itemizedlist>
- <para>See also &man.diskless.8; manual page.</para>
+ <para>Refer to &man.diskless.8; for more information.</para>
</sect2>
<sect2>
@@ -3865,22 +3895,19 @@ ifconfig_<literal>lagg<replaceable>0</replaceable></literal>="laggproto failover
</indexterm>
<para>The <application>ISC DHCP</application> server can
- answer both BOOTP and <acronym>DHCP</acronym>
- requests.</para>
+ answer both <acronym>BOOTP</acronym> and
+ <acronym>DHCP</acronym> requests.</para>
- <para><application>ISC DHCP 4.2</application> is not part of
- the base system. You will first need to install the
- <filename role="package">net/isc-dhcp42-server</filename>
- port or the corresponding package.</para>
+ <para><application>ISC DHCP</application> is not part of
+ the base system. Install the <filename
+ role="package">net/isc-dhcp42-server</filename> port or
+ package.</para>
<para>Once <application>ISC DHCP</application> is installed,
- it needs a configuration file to run (normally named
- <filename>/usr/local/etc/dhcpd.conf</filename>). Here
- follows a commented example, where host
- <hostid>margaux</hostid> uses
- <application>Etherboot</application> and host
- <hostid>corbieres</hostid> uses
- <acronym>PXE</acronym>:</para>
+ edit its configuration file,
+ <filename>/usr/local/etc/dhcpd.conf</filename>. Here
+ follows a commented example for <acronym>PXE</acronym> host
+ <hostid>corbieres</hostid>:</para>
<programlisting>default-lease-time 600;
max-lease-time 7200;
@@ -3895,19 +3922,12 @@ subnet 192.168.4.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.4.255;
- host margaux {
- hardware ethernet 01:23:45:67:89:ab;
- fixed-address margaux.example.com;
- next-server 192.168.4.4; <co id="co-dhcp-next-server"/>
- filename "/data/misc/kernel.diskless"; <co id="co-dhcp-filename"/>
- option root-path "192.168.4.4:/data/misc/diskless"; <co id="co-dhcp-root-path"/>
- }
host corbieres {
hardware ethernet 00:02:b3:27:62:df;
fixed-address corbieres.example.com;
- next-server 192.168.4.4;
- filename "pxeboot";
- option root-path "192.168.4.4:/data/misc/diskless";
+ next-server 192.168.4.4; <co id="co-dhcp-next-server"/>
+ filename "pxeboot"; <co id="co-dhcp-filename"/>
+ option root-path "192.168.4.4:/data/misc/diskless"; <co id="co-dhcp-root-path"/>
}
}</programlisting>
@@ -3917,42 +3937,35 @@ subnet 192.168.4.0 netmask 255.255.255.0 {
to send the value in the <literal>host</literal>
declarations as the hostname for the diskless host.
An alternate way would be to add an <literal>option
- host-name
- <replaceable>margaux</replaceable></literal> inside
- the <literal>host</literal> declarations.</para>
+ host-name <replaceable>corbieres</replaceable></literal>
+ inside the <literal>host</literal> declarations.</para>
</callout>
<callout arearefs="co-dhcp-next-server">
<para>The <literal>next-server</literal> directive
designates the <acronym>TFTP</acronym> or
<acronym>NFS</acronym> server to use for loading
- loader or kernel file (the default is to use the same
- host as the <acronym>DHCP</acronym> server).</para>
+ &man.loader.8; or the kernel file. The default is to
+ use the same host as the <acronym>DHCP</acronym>
+ server.</para>
</callout>
<callout arearefs="co-dhcp-filename">
- <para>The <literal>filename</literal> directive
- defines the file that
- <application>Etherboot</application> or
- <acronym>PXE</acronym> will load for the next execution
- step. It must be specified according to the transfer
- method used. <application>Etherboot</application> can
- be compiled to use <acronym>NFS</acronym> or
- <acronym>TFTP</acronym>. The &os; port configures
- <acronym>NFS</acronym> by default.
+ <para>The <literal>filename</literal> directive defines
+ the file that <acronym>PXE</acronym> will load for the
+ next execution step. It must be specified according
+ to the transfer method used.
<acronym>PXE</acronym> uses <acronym>TFTP</acronym>,
- which is why a relative filename is used here (this may
- depend on the <acronym>TFTP</acronym> server
- configuration, but would be fairly typical). Also,
+ which is why a relative filename is used here. Also,
<acronym>PXE</acronym> loads
<filename>pxeboot</filename>, not the kernel. There are
other interesting possibilities, like loading
<filename>pxeboot</filename> from a &os; CD-ROM
- <filename class="directory">/boot</filename> directory
- (as &man.pxeboot.8; can load a
- <filename>GENERIC</filename> kernel, this makes it
- possible to use <acronym>PXE</acronym> to boot from a
- remote CD-ROM).</para>
+ <filename class="directory">/boot</filename> directory.
+ Since &man.pxeboot.8; can load a
+ <filename>GENERIC</filename> kernel, it is possible to
+ use <acronym>PXE</acronym> to boot from a remote
+ CD-ROM.</para>
</callout>
<callout arearefs="co-dhcp-root-path">
@@ -3960,101 +3973,19 @@ subnet 192.168.4.0 netmask 255.255.255.0 {
the path to the root file system, in usual
<acronym>NFS</acronym> notation. When using
<acronym>PXE</acronym>, it is possible to leave off the
- host's IP as long as you do not enable the kernel option
- BOOTP. The <acronym>NFS</acronym> server will then be
- the same as the <acronym>TFTP</acronym> one.</para>
+ host's <acronym>IP</acronym> address as long as the
+ <acronym>BOOTP</acronym> kernel option is not enabled.
+ The <acronym>NFS</acronym> server will then be the
+ same as the <acronym>TFTP</acronym> one.</para>
</callout>
</calloutlist>
</sect3>
- <sect3>
- <title>Configuration Using BOOTP</title>
-
- <indexterm>
- <primary>BOOTP</primary>
- <secondary>diskless operation</secondary>
- </indexterm>
-
- <para>Here follows an equivalent
- <application>bootpd</application> configuration (reduced to
- one client). This would be found in
- <filename>/etc/bootptab</filename>.</para>
-
- <para>Please note that <application>Etherboot</application>
- must be compiled with the non-default option
- <literal>NO_DHCP_SUPPORT</literal> in order to use BOOTP,
- and that <acronym>PXE</acronym> <emphasis>needs</emphasis>
- <acronym>DHCP</acronym>. The only obvious advantage of
- <application>bootpd</application> is that it exists in the
- base system.</para>
-
- <programlisting>.def100:\
- :hn:ht=1:sa=192.168.4.4:vm=rfc1048:\
- :sm=255.255.255.0:\
- :ds=192.168.4.1:\
- :gw=192.168.4.1:\
- :hd="/tftpboot":\
- :bf="/kernel.diskless":\
- :rp="192.168.4.4:/data/misc/diskless":
-
-margaux:ha=0123456789ab:tc=.def100</programlisting>
- </sect3>
-
- <sect3>
- <title>Preparing a Boot Program with
- <application>Etherboot</application></title>
-
- <indexterm>
- <primary>Etherboot</primary>
- </indexterm>
-
- <para><ulink
- url="http://etherboot.sourceforge.net">Etherboot's Web
- site</ulink> contains <ulink
- url="http://etherboot.sourceforge.net/doc/html/userman/t1.html">
- extensive documentation</ulink> mainly intended for Linux
- systems, but nonetheless containing useful information. The
- following will just outline how you would use
- <application>Etherboot</application> on a FreeBSD
- system.</para>
-
- <para>You must first install the
- <filename role="package">net/etherboot</filename> package or
- port.</para>
-
- <para>You can change the <application>Etherboot</application>
- configuration (i.e., to use <acronym>TFTP</acronym> instead
- of <acronym>NFS</acronym>) by editing the
- <filename>Config</filename> file in the
- <application>Etherboot</application> source
- directory.</para>
-
- <para>For our setup, we shall use a boot floppy. For other
- methods (PROM, or &ms-dos; program), please refer to the
- <application>Etherboot</application> documentation.</para>
-
- <para>To make a boot floppy, insert a floppy in the drive on
- the machine where you installed
- <application>Etherboot</application>, then change your
- current directory to
- the <filename class="directory">src</filename>
- directory in the <application>Etherboot</application> tree and
- type:</para>
-
- <screen>&prompt.root; <userinput>gmake bin32/<replaceable>devicetype</replaceable>.fd0</userinput></screen>
-
- <para><replaceable>devicetype</replaceable> depends on the
- type of the Ethernet card in the diskless workstation.
- Refer to the <filename>NIC</filename> file in the same
- directory to determine the right
- <replaceable>devicetype</replaceable>.</para>
- </sect3>
-
<sect3>
<title>Booting with <acronym>PXE</acronym></title>
- <para>By default, the &man.pxeboot.8; loader loads the kernel
- via <acronym>NFS</acronym>. It can be compiled to use
+ <para>By default, &man.pxeboot.8; loads the kernel via
+ <acronym>NFS</acronym>. It can be compiled to use
<acronym>TFTP</acronym> instead by specifying the
<literal>LOADER_TFTP_SUPPORT</literal> option in
<filename>/etc/make.conf</filename>. See the comments in
@@ -4068,10 +3999,9 @@ margaux:ha=0123456789ab:tc=.def100</programlisting>
<literal>BOOT_PXELDR_ALWAYS_SERIAL</literal>.</para>
<para>To use <acronym>PXE</acronym> when the machine starts,
- you will usually need to select the <literal>Boot from
- network</literal> option in your <acronym>BIOS</acronym>
- setup, or type a function key during the PC
- initialization.</para>
+ select the <literal>Boot from network</literal> option in
+ the <acronym>BIOS</acronym> setup or type a function key
+ during system initialization.</para>
</sect3>
<sect3>
@@ -4087,27 +4017,26 @@ margaux:ha=0123456789ab:tc=.def100</programlisting>
<secondary>diskless operation</secondary>
</indexterm>
- <para>If you are using <acronym>PXE</acronym> or
- <application>Etherboot</application> configured to use
- <acronym>TFTP</acronym>, you need to enable
- <application>tftpd</application> on the file server:</para>
+ <para>If <acronym>PXE</acronym> is configured to use
+ <acronym>TFTP</acronym>, enable &man.tftpd.8; on the file
+ server:</para>
<procedure>
<step>
- <para>Create a directory from which
- <application>tftpd</application> will serve the files,
- e.g., <filename class="directory">/tftpboot</filename>.</para>
+ <para>Create a directory from which &man.tftpd.8; will
+ serve the files, such as <filename
+ class="directory">/tftpboot</filename>.</para>
</step>
<step>
- <para>Add this line to your
+ <para>Add this line to
<filename>/etc/inetd.conf</filename>:</para>
<programlisting>tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot</programlisting>
<note>
- <para>It appears that at least some
- <acronym>PXE</acronym> versions want the
+ <para>Some
+ <acronym>PXE</acronym> versions require the
<acronym>TCP</acronym> version of
<acronym>TFTP</acronym>. In this case, add a second
line, replacing <literal>dgram udp</literal> with
@@ -4116,29 +4045,27 @@ margaux:ha=0123456789ab:tc=.def100</programlisting>
</step>
<step>
- <para>Tell <application>inetd</application> to reread its
- configuration file. The
- <option>inetd_enable="YES"</option> must be in the
- <filename>/etc/rc.conf</filename> file for this command
- to execute correctly:</para>
+ <para>Tell &man.inetd.8; to reread its configuration file.
+ Add <option>inetd_enable="YES"</option> to
+ <filename>/etc/rc.conf</filename> in order for this
+ command to execute correctly:</para>
<screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
</step>
</procedure>
- <para>You can place
- the <filename class="directory">tftpboot</filename>
- directory anywhere on the server. Make sure that the
- location is set in both <filename>inetd.conf</filename> and
- <filename>dhcpd.conf</filename>.</para>
+ <para>Place <filename class="directory">tftpboot</filename>
+ anywhere on the server. Make sure that the location is
+ set in both <filename>/etc/inetd.conf</filename> and
+ <filename>/usr/local/etc/dhcpd.conf</filename>.</para>
- <para>In all cases, you also need to enable
+ <para>Enable
<acronym>NFS</acronym> and export the appropriate file
system on the <acronym>NFS</acronym> server.</para>
<procedure>
<step>
- <para>Add this to
+ <para>Add this line to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>nfs_server_enable="YES"</programlisting>
@@ -4147,20 +4074,19 @@ margaux:ha=0123456789ab:tc=.def100</programlisting>
<step>
<para>Export the file system where the diskless root
directory is located by adding the following to
- <filename>/etc/exports</filename> (adjust the volume
- mount point and replace <replaceable>margaux
+ <filename>/etc/exports</filename>. Adjust the
+ mount point and replace <replaceable>
corbieres</replaceable> with the names of the diskless
- workstations):</para>
+ workstations:</para>
<programlisting><replaceable>/data/misc</replaceable> -alldirs -ro <replaceable>margaux corbieres</replaceable></programlisting>
</step>
<step>
- <para>Tell <application>mountd</application> to reread its
- configuration file. If you actually needed to enable
- <acronym>NFS</acronym> in
- <filename>/etc/rc.conf</filename> at the first step, you
- probably want to reboot instead.</para>
+ <para>Tell &man.mountd.8; to reread its configuration
+ file. If <acronym>NFS</acronym> is enabled in
+ <filename>/etc/rc.conf</filename>, it is recommended
+ to reboot instead.</para>
<screen>&prompt.root; <userinput>service mountd restart</userinput></screen>
</step>
@@ -4175,76 +4101,58 @@ margaux:ha=0123456789ab:tc=.def100</programlisting>
<secondary>kernel configuration</secondary>
</indexterm>
- <para>If using <application>Etherboot</application>, you need
- to create a kernel configuration file for the diskless
- client with the following options (in addition to the usual
- ones):</para>
+ <para>When using <acronym>PXE</acronym>, building a custom
+ kernel with the following options is not strictly necessary.
+ These options cause more <acronym>DHCP</acronym> requests
+ to be issued during kernel startup, with a small risk of
+ inconsistency between the new values and those retrieved
+ by &man.pxeboot.8; in some special cases. The advantage
+ is that the host name will be set. Otherwise, set the
+ host name in a client-specific
+ <filename>/etc/rc.conf</filename>.</para>
<programlisting>options BOOTP # Use BOOTP to obtain IP address/hostname
options BOOTP_NFSROOT # NFS mount root file system using BOOTP info</programlisting>
- <para>You may also want to use <literal>BOOTP_NFSV3</literal>,
+ <para>The custom kernel can also include
+ <literal>BOOTP_NFSV3</literal>,
<literal>BOOT_COMPAT</literal> and
- <literal>BOOTP_WIRED_TO</literal> (refer to
- <filename>NOTES</filename>).</para>
+ <literal>BOOTP_WIRED_TO</literal>. Refer to
+ <filename>NOTES</filename> for descriptions of these
+ options.</para>
<para>These option names are historical and slightly
misleading as they actually enable indifferent use of
- <acronym>DHCP</acronym> and BOOTP inside the kernel (it is
- also possible to force strict BOOTP or
- <acronym>DHCP</acronym> use).</para>
+ <acronym>DHCP</acronym> and <acronym>BOOTP</acronym>
+ inside the kernel.</para>
- <para>Build the kernel (see <xref linkend="kernelconfig"/>),
- and copy it to the place specified in
- <filename>dhcpd.conf</filename>.</para>
-
- <note>
- <para>When using <acronym>PXE</acronym>, building a kernel
- with the above options is not strictly necessary (though
- suggested). Enabling them will cause more
- <acronym>DHCP</acronym> requests to be issued during
- kernel startup, with a small risk of inconsistency between
- the new values and those retrieved by &man.pxeboot.8; in
- some special cases. The advantage of using them is that
- the host name will be set as a side effect. Otherwise you
- will need to set the host name by another method, for
- example in a client-specific <filename>rc.conf</filename>
- file.</para>
- </note>
-
- <note>
- <para>In order to be loadable with
- <application>Etherboot</application>, a kernel needs to
- have the device hints compiled in. You would typically
- set the following option in the configuration file (see
- the <filename>NOTES</filename> configuration comments
- file):</para>
-
- <programlisting>hints "GENERIC.hints"</programlisting>
- </note>
+ <para>Build the custom kernel, using the instructions in
+ <xref linkend="kernelconfig"/>, and copy it to the place
+ specified in
+ <filename>/usr/local/etc/dhcpd.conf</filename>.</para>
</sect3>
<sect3>
- <title>Preparing the Root Filesystem</title>
+ <title>Preparing the Root File System</title>
<indexterm>
<primary>root file system</primary>
<secondary>diskless operation</secondary>
</indexterm>
- <para>You need to create a root file system for the diskless
- workstations, in the location listed as
+ <para>Create a root file system for the diskless
+ workstations in the location listed as
<literal>root-path</literal> in
- <filename>dhcpd.conf</filename>.</para>
+ <filename>/usr/local/etc/dhcpd.conf</filename>.</para>
<sect4>
<title>Using <command>make world</command> to Populate
Root</title>
<para>This method is quick and will install a complete
- virgin system (not only the root file system) into
- <envar>DESTDIR</envar>. All you have to do is simply
- execute the following script:</para>
+ virgin system, not just the root file system, into
+ <envar>DESTDIR</envar>. Execute the following
+ script:</para>
<programlisting>#!/bin/sh
export DESTDIR=/data/misc/diskless
@@ -4253,10 +4161,11 @@ cd /usr/src; make buildworld && make buildkernel
make installworld && make installkernel
cd /usr/src/etc; make distribution</programlisting>
- <para>Once done, you may need to customize your
+ <para>Once done, customize
<filename>/etc/rc.conf</filename> and
<filename>/etc/fstab</filename> placed into
- <envar>DESTDIR</envar> according to your needs.</para>
+ <envar>DESTDIR</envar> according to the system's
+ requirements.</para>
</sect4>
</sect3>
@@ -4273,13 +4182,12 @@ cd /usr/src/etc; make distribution</programlisting>
<acronym>NFS</acronym> swap at boot time. Swap must be
enabled by the startup scripts, by mounting a writable
file system and creating and enabling a swap file. To
- create a swap file of appropriate size, you can do like
- this:</para>
+ create a swap file:</para>
<screen>&prompt.root; <userinput>dd if=/dev/zero of=<replaceable>/path/to/swapfile</replaceable> bs=1k count=1 oseek=<replaceable>100000</replaceable></userinput></screen>
- <para>To enable it you have to add the following line to
- your <filename>rc.conf</filename>:</para>
+ <para>To enable the swap file, add the following line to
+ <filename>/etc/rc.conf</filename>:</para>
<programlisting>swapfile=<replaceable>/path/to/swapfile</replaceable></programlisting>
</sect4>
@@ -4289,39 +4197,37 @@ cd /usr/src/etc; make distribution</programlisting>
<title>Miscellaneous Issues</title>
<sect4>
- <title>Running with a Read-only
- <filename class="directory">/usr</filename></title>
+ <title>Running with a Read-only <filename
+ class="directory">/usr</filename></title>
<indexterm>
<primary>diskless operation</primary>
<secondary>/usr read-only</secondary>
</indexterm>
- <para>If the diskless workstation is configured to run X,
- you will have to adjust the
- <application>XDM</application> configuration file, which
- puts the error log
- on <filename class="directory">/usr</filename> by
- default.</para>
+ <para>If the diskless workstation is configured to run
+ <application>&xorg;</application>, adjust the
+ <application>XDM</application> configuration file as it
+ puts the error log on <filename
+ class="directory">/usr</filename> by default.</para>
</sect4>
<sect4>
- <title>Using a Non-FreeBSD Server</title>
+ <title>Using a Non-&os; Server</title>
<para>When the server for the root file system is not
- running FreeBSD, you will have to create the root file
- system on a FreeBSD machine, then copy it to its
- destination, using <command>tar</command> or
- <command>cpio</command>.</para>
+ running &os;, create the root file system on a &os;
+ machine, then copy it to its destination, using
+ &man.tar.1; or &man.cpio.1;.</para>
<para>In this situation, there are sometimes problems with
- the special files
- in <filename class="directory">/dev</filename>, due to
- differing major/minor integer sizes. A solution to this
- problem is to export a directory from the non-FreeBSD
- server, mount this directory onto a FreeBSD machine, and
- use &man.devfs.5; to allocate device nodes transparently
- for the user.</para>
+ the special files in <filename
+ class="directory">/dev</filename>, due to differing
+ major/minor integer sizes. A solution to this problem
+ is to export a directory from the non-&os; server, mount
+ this directory onto a &os; machine, and use &man.devfs.5;
+ to allocate device nodes transparently for the
+ user.</para>
</sect4>
</sect3>
</sect2>
@@ -4340,63 +4246,67 @@ cd /usr/src/etc; make distribution</programlisting>
</author>
</authorgroup>
</sect1info>
- <title>PXE Booting with an NFS Root File System</title>
+ <title>PXE Booting with an <acronym>NFS</acronym> Root File
+ System</title>
<para>The &intel; Preboot eXecution Environment
(<acronym>PXE</acronym>) allows booting the operating system
over the network. <acronym>PXE</acronym> support is usually
- provided in the <acronym>BIOS</acronym> of modern motherboards,
- where it can be enabled in the <acronym>BIOS</acronym> settings
- which enable booting from the network. A fully functioning
+ provided in the <acronym>BIOS</acronym> where it can be enabled
+ in the <acronym>BIOS</acronym> settings which enable booting
+ from the network. A fully functioning
<acronym>PXE</acronym> setup also requires properly configured
<acronym>DHCP</acronym> and <acronym>TFTP</acronym>
servers.</para>
<para>When the host computer boots, it receives information over
<acronym>DHCP</acronym> about where to obtain the initial boot
- loader via TFTP. After the host computer receives this
- information, it downloads the boot loader via
- <acronym>TFTP</acronym>, and then executes the boot loader.
+ loader via <acronym>TFTP</acronym>. After the host computer
+ receives this information, it downloads the boot loader via
+ <acronym>TFTP</acronym> and then executes the boot loader.
This is documented in section 2.2.1 of the <ulink
url="http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf">Preboot
- Execution Environment (PXE) Specification</ulink>. In &os;,
- the boot loader retrieved during the <acronym>PXE</acronym>
- process is <filename>/boot/pxeboot</filename>. After
+ Execution Environment (<acronym>PXE</acronym>)
+ Specification</ulink>. In &os;, the boot loader retrieved
+ during the <acronym>PXE</acronym> process is
+ <filename>/boot/pxeboot</filename>. After
<filename>/boot/pxeboot</filename> executes, the &os; kernel is
- loaded, and the rest of the &os; bootup sequence proceeds.
+ loaded and the rest of the &os; bootup sequence proceeds.
Refer to <xref linkend="boot"/> for more information about the
&os; booting process.</para>
<sect2>
- <title>Setting Up the <command>chroot</command> Environment for
- the NFS Root File System</title>
+ <title>Setting Up the &man.chroot.8; Environment for the
+ <acronym>NFS</acronym> Root File System</title>
<procedure>
<step>
<para>Choose a directory which will have a &os;
- installation which will be NFS mountable. For example, a
- directory such as
- <filename class="directory">/b/tftpboot/FreeBSD/install</filename> can be
- used.</para>
+ installation which will be <acronym>NFS</acronym>
+ mountable. For example, a directory such as <filename
+ class="directory">/b/tftpboot/FreeBSD/install</filename>
+ can be used.</para>
<screen>&prompt.root; <userinput>export NFSROOTDIR=/b/tftpboot/FreeBSD/install</userinput>
&prompt.root; <userinput>mkdir -p ${NFSROOTDIR}</userinput></screen>
</step>
<step>
- <para>Enable the NFS server by following the instructions
- in <xref linkend="network-configuring-nfs"/>.</para>
+ <para>Enable the <acronym>NFS</acronym> server by following
+ the instructions in <xref
+ linkend="network-configuring-nfs"/>.</para>
</step>
<step>
- <para>Export the directory via NFS by adding the following
- to <filename>/etc/exports</filename>:</para>
+ <para>Export the directory via <acronym>NFS</acronym> by
+ adding the following to
+ <filename>/etc/exports</filename>:</para>
<programlisting>/b -ro -alldirs</programlisting>
</step>
<step>
- <para>Restart the NFS server:</para>
+ <para>Restart the <acronym>NFS</acronym> server:</para>
<screen>&prompt.root; <userinput>service nfsd restart</userinput></screen>
</step>
@@ -4414,14 +4324,14 @@ cd /usr/src/etc; make distribution</programlisting>
</step>
<step>
- <para>Restart inetd:</para>
+ <para>Restart &man.inetd.8;:</para>
<screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
</step>
<step>
- <para><link linkend="makeworld">Rebuild the &os; kernel and
- userland</link>:</para>
+ <para>Rebuild the &os; kernel and userland (<xref
+ linkend="makeworld"/>):</para>
<screen>&prompt.root; <userinput>cd /usr/src</userinput>
&prompt.root; <userinput>make buildworld</userinput>
@@ -4438,9 +4348,9 @@ cd /usr/src/etc; make distribution</programlisting>
</step>
<step>
- <para>Test that the <acronym>TFTP</acronym> server works and
- can download the boot loader which will be obtained
- via PXE:</para>
+ <para>Test that the <acronym>TFTP</acronym> server works
+ and can download the boot loader which will be obtained
+ via <acronym>PXE</acronym>:</para>
<screen>&prompt.root; <userinput>tftp localhost</userinput>
tftp> <userinput>get FreeBSD/install/boot/pxeboot</userinput>
@@ -4450,38 +4360,36 @@ Received 264951 bytes in 0.1 seconds</screen>
<step>
<para>Edit <filename>${NFSROOTDIR}/etc/fstab</filename> and
create an entry to mount the root file system over
- NFS:</para>
+ <acronym>NFS</acronym>:</para>
<programlisting># Device Mountpoint FSType Options Dump Pass
myhost.example.com:/b/tftpboot/FreeBSD/install / nfs ro 0 0</programlisting>
- <para>Replace
- <replaceable>myhost.example.com</replaceable> with the
- hostname or IP address of your <acronym>NFS</acronym>
- server. In this example, the root file system is mounted
- "read-only" in order to prevent <acronym>NFS</acronym>
- clients from potentially deleting the contents of the root
- file system.</para>
+ <para>Replace <replaceable>myhost.example.com</replaceable>
+ with the hostname or <acronym>IP</acronym> address of the
+ <acronym>NFS</acronym> server. In this example, the root
+ file system is mounted read-only in order to prevent
+ <acronym>NFS</acronym> clients from potentially deleting
+ the contents of the root file system.</para>
</step>
<step>
<para>Set the root password in the &man.chroot.8;
- environment.</para>
+ environment:</para>
<screen>&prompt.root; <userinput>chroot ${NFSROOTDIR}</userinput>
&prompt.root; <userinput>passwd</userinput></screen>
- <para>This will set the root password for client
- machines which are <acronym>PXE</acronym>
- booting.</para>
+ <para>This sets the root password for client machines which
+ are <acronym>PXE</acronym> booting.</para>
</step>
<step>
- <para>Enable ssh root logins for client machines which are
- <acronym>PXE</acronym> booting by editing
- <filename>${NFSROOTDIR}/etc/ssh/sshd_config</filename> and
- enabling the <literal>PermitRootLogin</literal> option.
- This is documented in &man.sshd.config.5;.</para>
+ <para>Enable &man.ssh.1; root logins for client machines
+ which are <acronym>PXE</acronym> booting by editing
+ <filename>${NFSROOTDIR}/etc/ssh/sshd_config</filename>
+ and enabling <literal>PermitRootLogin</literal>. This
+ option is documented in &man.sshd.config.5;.</para>
</step>
<step>
@@ -4502,44 +4410,43 @@ myhost.example.com:/b/tftpboot/FreeBSD/install / nfs ro
<title>Configuring Memory File Systems Used by
<filename>/etc/rc.initdiskless</filename></title>
- <para>If you boot from an NFS root volume,
- <filename>/etc/rc</filename> detects that you booted over NFS
- and runs the <filename>/etc/rc.initdiskless</filename> script.
- Read the comments in this script to understand what is going
- on. We need to
- make <filename class="directory">/etc</filename>
- and <filename class="directory">/var</filename>
- memory backed file systems because
- these directories need to be writable, but the NFS root
- directory is read-only.</para>
+ <para>When booting from an <acronym>NFS</acronym> root volume,
+ <filename>/etc/rc</filename> detects the
+ <acronym>NFS</acronym> boot and runs
+ <filename>/etc/rc.initdiskless</filename>. Read the comments
+ in this script to understand what is going on. In this case,
+ <filename class="directory">/etc</filename> and <filename
+ class="directory">/var</filename> need to be memory backed
+ file systems so that these directories are writable but the
+ <acronym>NFS</acronym> root directory is read-only:</para>
<screen>&prompt.root; <userinput>chroot ${NFSROOTDIR}</userinput>
&prompt.root; <userinput>mkdir -p conf/base</userinput>
&prompt.root; <userinput>tar -c -v -f conf/base/etc.cpio.gz --format cpio --gzip etc</userinput>
&prompt.root; <userinput>tar -c -v -f conf/base/var.cpio.gz --format cpio --gzip var</userinput></screen>
- <para>When the system boots, memory file systems
- for <filename class="directory">/etc</filename>
- and <filename class="directory">/var</filename> will
- be created and mounted, and the contents of the
+ <para>When the system boots, memory file systems for <filename
+ class="directory">/etc</filename> and <filename
+ class="directory">/var</filename> will be created and
+ mounted and the contents of the
<filename>cpio.gz</filename> files will be copied into
them.</para>
</sect2>
<sect2 id="network-pxe-setting-up-dhcp">
- <title>Setting up the DHCP Server</title>
+ <title>Setting up the <acronym>DHCP</acronym> Server</title>
- <para>PXE requires a <acronym>TFTP</acronym> server and a
- <acronym>DHCP</acronym> server to be set up. The
- <acronym>DHCP</acronym> server does not necessarily need to be
- the same machine as the <acronym>TFTP</acronym> server, but it
- needs to be accessible in your network.</para>
+ <para><acronym>PXE</acronym> requires a <acronym>TFTP</acronym>
+ and a <acronym>DHCP</acronym> server to be set up. The
+ <acronym>DHCP</acronym> server does not need to be the same
+ machine as the <acronym>TFTP</acronym> server, but it needs
+ to be accessible in the network.</para>
<procedure>
<step>
<para>Install the <acronym>DHCP</acronym> server by
- following the instructions documented at
- <xref linkend="network-dhcp-server"/>. Make sure that
+ following the instructions documented at <xref
+ linkend="network-dhcp-server"/>. Make sure that
<filename>/etc/rc.conf</filename> and
<filename>/usr/local/etc/dhcpd.conf</filename> are
correctly configured.</para>
@@ -4549,10 +4456,10 @@ myhost.example.com:/b/tftpboot/FreeBSD/install / nfs ro
<para>In <filename>/usr/local/etc/dhcpd.conf</filename>,
configure the <literal>next-server</literal>,
<literal>filename</literal>, and
- <literal>option root-path</literal> settings, to specify
- your <acronym>TFTP</acronym> server IP address, the path
- to <filename>/boot/pxeboot</filename> in
- <acronym>TFTP</acronym>, and the path to the
+ <literal>option root-path</literal> settings to specify
+ the <acronym>TFTP</acronym> server <acronym>IP</acronym>
+ address, the path to <filename>/boot/pxeboot</filename>
+ in <acronym>TFTP</acronym>, and the path to the
<acronym>NFS</acronym> root file system. Here is a sample
<filename>dhcpd.conf</filename> setup:</para>
@@ -4580,33 +4487,34 @@ myhost.example.com:/b/tftpboot/FreeBSD/install / nfs ro
</sect2>
<sect2>
- <title>Configuring the PXE Client and Debugging Connection
- Problems</title>
+ <title>Configuring the <acronym>PXE</acronym> Client and
+ Debugging Connection Problems</title>
<procedure>
<step>
<para>When the client machine boots up, enter the
<acronym>BIOS</acronym> configuration menu. Configure the
<acronym>BIOS</acronym> to boot from the network. If all
- your previous configuration steps are correct, then
- everything should "just work".</para>
+ previous configuration steps are correct, everything
+ should "just work".</para>
</step>
<step>
- <para>Use the
- <filename role="package">net/wireshark</filename> port to
- debug the network traffic involved during the
- <acronym>PXE</acronym> booting process, which is
- illustrated in the diagram below. In
- <xref linkend="network-pxe-setting-up-dhcp"/>, an example
+ <para>Use the <filename
+ role="package">net/wireshark</filename> package or
+ port to debug the network traffic involved during the
+ <acronym>PXE</acronym> booting process, as illustrated
+ in the diagram below. In <xref
+ linkend="network-pxe-setting-up-dhcp"/>, an example
configuration is shown where the <acronym>DHCP</acronym>,
<acronym>TFTP</acronym>, and <acronym>NFS</acronym>
- servers are actually on the same machine. However, these
- severs can be on separate machines.</para>
+ servers are on the same machine. However, these
+ servers can be on separate machines.</para>
<figure>
- <title>PXE Booting Process with NFS Root Mount</title>
+ <title><acronym>PXE</acronym> Booting Process with
+ <acronym>NFS</acronym> Root Mount</title>
<mediaobjectco>
<imageobjectco>
@@ -4622,32 +4530,34 @@ myhost.example.com:/b/tftpboot/FreeBSD/install / nfs ro
</imageobject>
<calloutlist>
<callout arearefs="co-pxenfs1">
- <para>Client broadcasts DHCPDISCOVER.</para>
+ <para>Client broadcasts a
+ <literal>DHCPDISCOVER</literal> message.</para>
</callout>
<callout arearefs="co-pxenfs2">
- <para>DHCP server responds with IP address,
+ <para>The <acronym>DHCP</acronym> server responds
+ with the <acronym>IP</acronym> address,
<literal>next-server</literal>,
<literal>filename</literal>, and
- <literal>root-path</literal>.</para>
+ <literal>root-path</literal> values.</para>
</callout>
<callout arearefs="co-pxenfs3">
- <para>Client sends <acronym>TFTP</acronym>
- request to <literal>next-server</literal>
+ <para>The client sends a <acronym>TFTP</acronym>
+ request to <literal>next-server</literal>,
asking to retrieve
<literal>filename</literal>.</para>
</callout>
<callout arearefs="co-pxenfs4">
- <para>TFTP server responds and sends
- <literal>filename</literal> to client.</para>
+ <para>The <acronym>TFTP</acronym> server responds
+ and sends <literal>filename</literal> to
+ client.</para>
</callout>
<callout arearefs="co-pxenfs5">
- <para>Client executes
- <literal>filename</literal> which is
- &man.pxeboot.8;. &man.pxeboot.8; loads the
- kernel. When the kernel executes, the root
- filesystem specified by
- <literal>root-path</literal> is mounted over
- <acronym>NFS</acronym>.</para>
+ <para>The client executes
+ <literal>filename</literal>, which is
+ &man.pxeboot.8;, which then loads the kernel.
+ When the kernel executes, the root file system
+ specified by <literal>root-path</literal> is
+ mounted over <acronym>NFS</acronym>.</para>
</callout>
</calloutlist>
</imageobjectco>
@@ -4657,26 +4567,26 @@ myhost.example.com:/b/tftpboot/FreeBSD/install / nfs ro
<step>
<para>Make sure that the <filename>pxeboot</filename> file
- can be retrieved by <acronym>TFTP</acronym>. On your
- <acronym>TFTP</acronym> server, look in
+ can be retrieved by <acronym>TFTP</acronym>. On the
+ <acronym>TFTP</acronym> server, read
<filename>/var/log/xferlog</filename> to ensure that the
<filename>pxeboot</filename> file is being retrieved from
- the correct location. To test the configuration from
- <filename>dhcpd.conf</filename> above:</para>
+ the correct location. To test this example
+ configuration:</para>
<screen>&prompt.root; <userinput>tftp 192.168.0.1</userinput>
tftp> <userinput>get FreeBSD/install/boot/pxeboot</userinput>
Received 264951 bytes in 0.1 seconds</screen>
- <para>Read &man.tftpd.8; and &man.tftp.1;. The
- <literal>BUGS</literal> sections in these pages document
- some limitations with <acronym>TFTP</acronym>.</para>
+ <para>The <literal>BUGS</literal> sections in &man.tftpd.8;
+ and &man.tftp.1; document some limitations with
+ <acronym>TFTP</acronym>.</para>
</step>
<step>
<para>Make sure that the root file system can be mounted
- via <acronym>NFS</acronym>. To test configuration from
- <filename>dhcpd.conf</filename> above:</para>
+ via <acronym>NFS</acronym>. To test this example
+ configuration:</para>
<screen>&prompt.root; <userinput>mount -t nfs 192.168.0.1:/b/tftpboot/FreeBSD/install /mnt</userinput></screen>
</step>
@@ -4687,7 +4597,8 @@ Received 264951 bytes in 0.1 seconds</screen>
understand how the <filename>pxeboot</filename> loader
sets variables like <literal>boot.nfsroot.server</literal>
and <literal>boot.nfsroot.path</literal>. These variables
- are then used in the NFS diskless root mount code in
+ are then used in the <acronym>NFS</acronym> diskless root
+ mount code in
<filename>src/sys/nfsclient/nfs_diskless.c</filename>.</para>
</step>
@@ -4698,332 +4609,6 @@ Received 264951 bytes in 0.1 seconds</screen>
</sect2>
</sect1>
- <sect1 id="network-isdn">
- <title>ISDN</title>
-
- <indexterm>
- <primary>ISDN</primary>
- </indexterm>
-
- <para>A good resource for information on ISDN technology and
- hardware is
- <ulink url="http://www.alumni.caltech.edu/~dank/isdn/">Dan
- Kegel's ISDN Page</ulink>.</para>
-
- <para>A quick simple road map to ISDN follows:</para>
-
- <itemizedlist>
- <listitem>
- <para>If you live in Europe you might want to investigate the
- ISDN card section.</para>
- </listitem>
-
- <listitem>
- <para>If you are planning to use ISDN primarily to connect to
- the Internet with an Internet Provider on a dial-up
- non-dedicated basis, you might look into Terminal Adapters.
- This will give you the most flexibility, with the fewest
- problems, if you change providers.</para>
- </listitem>
-
- <listitem>
- <para>If you are connecting two LANs together, or connecting
- to the Internet with a dedicated ISDN connection, you might
- consider the stand alone router/bridge option.</para>
- </listitem>
- </itemizedlist>
-
- <para>Cost is a significant factor in determining what solution
- you will choose. The following options are listed from least
- expensive to most expensive.</para>
-
- <sect2 id="network-isdn-cards">
- <sect2info>
- <authorgroup>
- <author>
- <firstname>Hellmuth</firstname>
- <surname>Michaelis</surname>
- <contrib>Contributed by </contrib>
- </author>
- </authorgroup>
- </sect2info>
- <title>ISDN Cards</title>
-
- <indexterm>
- <primary>ISDN</primary>
- <secondary>cards</secondary>
- </indexterm>
-
- <para>FreeBSD's ISDN implementation supports only the DSS1/Q.931
- (or Euro-ISDN) standard using passive cards. Some active
- cards are supported where the firmware also supports other
- signaling protocols; this also includes the first supported
- Primary Rate (PRI) ISDN card.</para>
-
- <para>The <application>isdn4bsd</application> software allows
- you to connect to other ISDN routers using either IP over raw
- HDLC or by using synchronous PPP: either by using kernel PPP
- with <literal>isppp</literal>, a modified &man.sppp.4; driver,
- or by using userland &man.ppp.8;. By using userland
- &man.ppp.8;, channel bonding of two or more ISDN B-channels is
- possible. A telephone answering machine application is also
- available as well as many utilities such as a software 300
- Baud modem.</para>
-
- <para>Some growing number of PC ISDN cards are supported under
- FreeBSD and the reports show that it is successfully used all
- over Europe and in many other parts of the world.</para>
-
- <para>The passive ISDN cards supported are mostly the ones with
- the Infineon (formerly Siemens) ISAC/HSCX/IPAC ISDN chipsets,
- but also ISDN cards with chips from Cologne Chip (ISA bus
- only), PCI cards with Winbond W6692 chips, some cards with the
- Tiger300/320/ISAC chipset combinations and some vendor
- specific chipset based cards such as the AVM Fritz!Card PCI
- V.1.0 and the AVM Fritz!Card PnP.</para>
-
- <para>Currently the active supported ISDN cards are the AVM B1
- (ISA and PCI) BRI cards and the AVM T1 PCI PRI cards.</para>
-
- <para>For documentation on <application>isdn4bsd</application>,
- have a look at the
- <ulink url="http://www.freebsd-support.de/i4b/">homepage of
- isdn4bsd</ulink> which also has pointers to hints, erratas
- and much more documentation such as the <ulink
- url="http://people.FreeBSD.org/~hm/">isdn4bsd
- handbook</ulink>.</para>
-
- <para>In case you are interested in adding support for a
- different ISDN protocol, a currently unsupported ISDN PC card
- or otherwise enhancing <application>isdn4bsd</application>,
- please get in touch with &a.hm;.</para>
-
- <para>For questions regarding the installation, configuration
- and troubleshooting <application>isdn4bsd</application>, a
- &a.isdn.name; mailing list is available.</para>
- </sect2>
-
- <sect2>
- <title>ISDN Terminal Adapters</title>
-
- <para>Terminal adapters (TA), are to ISDN what modems are to
- regular phone lines.</para>
-
- <indexterm><primary>modem</primary></indexterm>
- <para>Most TA's use the standard Hayes modem AT command set, and
- can be used as a drop in replacement for a modem.</para>
-
- <para>A TA will operate basically the same as a modem except
- connection and throughput speeds will be much faster than your
- old modem. You will need to configure
- <link linkend="ppp">PPP</link> exactly the same as for a modem
- setup. Make sure you set your serial speed as high as
- possible.</para>
-
- <indexterm><primary>PPP</primary></indexterm>
- <para>The main advantage of using a TA to connect to an Internet
- Provider is that you can do Dynamic PPP. As IP address space
- becomes more and more scarce, most providers are not willing
- to provide you with a static IP any more. Most stand-alone
- routers are not able to accommodate dynamic IP
- allocation.</para>
-
- <para>TA's completely rely on the PPP daemon that you are
- running for their features and stability of connection. This
- allows you to upgrade easily from using a modem to ISDN on a
- FreeBSD machine, if you already have PPP set up. However, at
- the same time any problems you experienced with the PPP
- program and are going to persist.</para>
-
- <para>If you want maximum stability, use the kernel
- <link linkend="ppp">PPP</link> option, not the
- <link linkend="userppp">userland PPP</link>.</para>
-
- <para>The following TA's are known to work with FreeBSD:</para>
-
- <itemizedlist>
- <listitem>
- <para>Motorola BitSurfer and Bitsurfer Pro</para>
- </listitem>
-
- <listitem>
- <para>Adtran</para>
- </listitem>
- </itemizedlist>
-
- <para>Most other TA's will probably work as well, TA vendors try
- to make sure their product can accept most of the standard
- modem AT command set.</para>
-
- <para>The real problem with external TA's is that, like modems,
- you need a good serial card in your computer.</para>
-
- <para>You should read the <ulink
- url="&url.articles.serial-uart;/index.html">FreeBSD Serial
- Hardware</ulink> tutorial for a detailed understanding of
- serial devices, and the differences between asynchronous and
- synchronous serial ports.</para>
-
- <para>A TA running off a standard PC serial port (asynchronous)
- limits you to 115.2 Kbs, even though you have a
- 128 Kbs connection. To fully utilize the 128 Kbs
- that ISDN is capable of, you must move the TA to a synchronous
- serial card.</para>
-
- <para>Do not be fooled into buying an internal TA and thinking
- you have avoided the synchronous/asynchronous issue. Internal
- TA's simply have a standard PC serial port chip built into
- them. All this will do is save you having to buy another
- serial cable and find another empty electrical socket.</para>
-
- <para>A synchronous card with a TA is at least as fast as a
- stand-alone router, and with a simple 386 FreeBSD box driving
- it, probably more flexible.</para>
-
- <para>The choice of synchronous card/TA versus stand-alone
- router is largely a religious issue. There has been some
- discussion of this in the mailing lists. We suggest you
- search the
- <ulink url="&url.base;/search/index.html">archives</ulink> for
- the complete discussion.</para>
- </sect2>
-
- <sect2>
- <title>Stand-alone ISDN Bridges/Routers</title>
-
- <indexterm>
- <primary>ISDN</primary>
- <secondary>stand-alone bridges/routers</secondary>
- </indexterm>
- <para>ISDN bridges or routers are not at all specific to FreeBSD
- or any other operating system. For a more complete
- description of routing and bridging technology, please refer
- to a networking reference book.</para>
-
- <para>In the context of this section, the terms router and
- bridge will be used interchangeably.</para>
-
- <para>As the cost of low end ISDN routers/bridges comes down, it
- will likely become a more and more popular choice. An ISDN
- router is a small box that plugs directly into your local
- Ethernet network, and manages its own connection to the other
- bridge/router. It has built in software to communicate via
- PPP and other popular protocols.</para>
-
- <para>A router will allow you much faster throughput than a
- standard TA, since it will be using a full synchronous ISDN
- connection.</para>
-
- <para>The main problem with ISDN routers and bridges is that
- interoperability between manufacturers can still be a problem.
- If you are planning to connect to an Internet provider, you
- should discuss your needs with them.</para>
-
- <para>If you are planning to connect two LAN segments together,
- such as your home LAN to the office LAN, this is the simplest
- lowest
- maintenance solution. Since you are buying the equipment for
- both sides of the connection you can be assured that the link
- will work.</para>
-
- <para>For example to connect a home computer or branch office
- network to a head office network the following setup could be
- used:</para>
-
- <example>
- <title>Branch Office or Home Network</title>
-
- <indexterm><primary>10 base 2</primary></indexterm>
- <para>Network uses a bus based topology with 10 base 2
- Ethernet (<quote>thinnet</quote>). Connect router to
- network cable with AUI/10BT transceiver, if
- necessary.</para>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref="advanced-networking/isdn-bus"/>
- </imageobject>
-
- <textobject>
- <literallayout class="monospaced">---Sun workstation
-|
----FreeBSD box
-|
----Windows 95
-|
-Stand-alone router
- |
-ISDN BRI line</literallayout>
- </textobject>
-
- <textobject>
- <phrase>10 Base 2 Ethernet</phrase>
- </textobject>
- </mediaobject>
-
- <para>If your home/branch office is only one computer you can
- use a twisted pair crossover cable to connect to the
- stand-alone router directly.</para>
- </example>
-
- <example>
- <title>Head Office or Other LAN</title>
-
- <indexterm><primary>10 base T</primary></indexterm>
- <para>Network uses a star topology with 10 base T Ethernet
- (<quote>Twisted Pair</quote>).</para>
-
- <mediaobject>
- <imageobject>
- <imagedata
- fileref="advanced-networking/isdn-twisted-pair"/>
- </imageobject>
-
- <textobject>
- <literallayout class="monospaced"> -------Novell Server
- | H |
- | ---Sun
- | |
- | U ---FreeBSD
- | |
- | ---Windows 95
- | B |
- |___---Stand-alone router
- |
- ISDN BRI line</literallayout>
- </textobject>
-
- <textobject>
- <phrase>ISDN Network Diagram</phrase>
- </textobject>
- </mediaobject>
- </example>
-
- <para>One large advantage of most routers/bridges is that they
- allow you to have 2 <emphasis>separate independent</emphasis>
- PPP connections to 2 separate sites at the
- <emphasis>same</emphasis> time. This is not supported on most
- TA's, except for specific (usually expensive) models that have
- two serial ports. Do not confuse this with channel bonding,
- MPP, etc.</para>
-
- <para>This can be a very useful feature if, for example, you
- have an dedicated ISDN connection at your office and would
- like to tap into it, but do not want to get another ISDN line
- at work. A router at the office location can manage a
- dedicated B channel connection (64 Kbps) to the Internet
- and use the other B channel for a separate data connection.
- The second B channel can be used for dial-in, dial-out or
- dynamically bonding (MPP, etc.) with the first B channel for
- more bandwidth.</para>
-
- <indexterm><primary>IPX/SPX</primary></indexterm>
- <para>An Ethernet bridge will also allow you to transmit more
- than just IP traffic. You can also send IPX/SPX or whatever
- other protocols you use.</para>
- </sect2>
- </sect1>
-
<sect1 id="network-natd">
<sect1info>
<authorgroup>
@@ -5040,52 +4625,59 @@ ISDN BRI line</literallayout>
<title>Overview</title>
<indexterm>
- <primary><application>natd</application></primary>
+ <primary>&man.natd.8;</primary>
</indexterm>
- <para>FreeBSD's Network Address Translation daemon, commonly
- known as &man.natd.8; is a daemon that accepts incoming raw IP
- packets, changes the source to the local machine and
- re-injects these packets back into the outgoing IP packet
- stream. &man.natd.8; does this by changing the source IP
- address and port such that when data is received back, it is
- able to determine the original location of the data and
- forward it back to its original requester.</para>
+ <para>&os;'s Network Address Translation
+ (<acronym>NAT</acronym>) daemon, &man.natd.8;, accepts
+ incoming raw <acronym>IP</acronym> packets, changes the
+ source to the local machine, and injects these packets back
+ into the outgoing <acronym>IP</acronym> packet stream. The
+ source <acronym>IP</acronym> address and port are changed
+ such that when data is received back, it is able to determine
+ the original location of the data and forward it back to its
+ original requester.</para>
<indexterm>
<primary>Internet connection sharing</primary>
</indexterm>
<indexterm>
- <primary>NAT</primary>
+ <primary><acronym>NAT</acronym></primary>
</indexterm>
- <para>The most common use of NAT is to perform what is commonly
- known as Internet Connection Sharing.</para>
+ <para>The most common use of <acronym>NAT</acronym> is to
+ perform what is commonly known as Internet Connection
+ Sharing.</para>
</sect2>
<sect2 id="network-natsetup">
<title>Setup</title>
- <para>Due to the diminishing IP space in IPv4, and the increased
- number of users on high-speed consumer lines such as cable or
- DSL, people are increasingly in need of an Internet Connection
- Sharing solution. The ability to connect several computers
- online through one connection and IP address makes
- &man.natd.8; a reasonable choice.</para>
+ <para>Due to the diminishing <acronym>IP</acronym> address
+ space in <acronym>IPv4</acronym> and the increased number of
+ users on high-speed consumer lines such as cable or
+ <acronym>DSL</acronym>, people are increasingly in need of
+ an Internet Connection Sharing solution. The ability to
+ connect several computers online through one connection and
+ <acronym>IP</acronym> address makes &man.natd.8; a reasonable
+ choice.</para>
<para>Most commonly, a user has a machine connected to a cable
- or DSL line with one IP address and wishes to use this one
- connected computer to provide Internet access to several more
- over a LAN.</para>
+ or <acronym>DSL</acronym> line with one <acronym>IP</acronym>
+ address and wishes to use this one connected computer to
+ provide Internet access to several more over a
+ <acronym>LAN</acronym>.</para>
- <para>To do this, the FreeBSD machine on the Internet must act
- as a gateway. This gateway machine must have two
- NICs—one for connecting to the Internet router, the
- other connecting to a LAN. All the machines on the LAN are
- connected through a hub or switch.</para>
+ <para>To do this, the &os; machine connected to the Internet
+ must act as a gateway. This gateway machine must have two
+ <acronym>NIC</acronym>s: one connects to the Internet router
+ and the other connects to a <acronym>LAN</acronym>. All the
+ machines on the <acronym>LAN</acronym> are connected through
+ a hub or switch.</para>
<note>
- <para>There are many ways to get a LAN connected to the
- Internet through a &os; gateway. This example will only
- cover a gateway with at least two NICs.</para>
+ <para>There are many ways to get a <acronym>LAN</acronym>
+ connected to the Internet through a &os; gateway. This
+ example will only cover a gateway with at least two
+ <acronym>NIC</acronym>s.</para>
</note>
<mediaobject>
@@ -5112,7 +4704,7 @@ ISDN BRI line</literallayout>
<para>A setup like this is commonly used to share an Internet
connection. One of the <acronym>LAN</acronym> machines is
- connected to the Internet. The rest of the machines access
+ connected to the Internet and the rest of the machines access
the Internet through that <quote>gateway</quote>
machine.</para>
</sect2>
@@ -5125,10 +4717,9 @@ ISDN BRI line</literallayout>
<secondary>configuration</secondary>
</indexterm>
- <para>The kernel features for network address translation with
- &man.natd.8; are not enabled in the
- <filename>GENERIC</filename> kernel, but they can be preloaded
- at boot time, by adding a couple of options to
+ <para>The kernel features for &man.natd.8; are not enabled in
+ the <filename>GENERIC</filename> kernel, but they can be
+ loaded at boot time by adding a couple of options to
<filename>/boot/loader.conf</filename>:</para>
<programlisting>ipfw_load="YES"
@@ -5136,18 +4727,17 @@ ipdivert_load="YES"</programlisting>
<para>Additionally, the
<literal>net.inet.ip.fw.default_to_accept</literal> tunable
- option may be set to <literal>1</literal>:</para>
+ option should be set to <literal>1</literal>:</para>
<programlisting>net.inet.ip.fw.default_to_accept="1"</programlisting>
<note>
- <para>It is a very good idea to set this option during the
- first attempts to setup a firewall and NAT gateway. This
- way the default policy of &man.ipfw.8; will be
- <literal>allow ip from any to any</literal> instead of the
- less permissive <literal>deny ip from any to any</literal>,
- and it will be slightly more difficult to get locked out of
- the system right after a reboot.</para>
+ <para>It is a good idea to set this option during the first
+ attempts to setup a firewall and <acronym>NAT</acronym>
+ gateway. This sets the default policy of &man.ipfw.8; to
+ be more permissive than the default <literal>deny ip from
+ any to any</literal>, making it slightly more difficult
+ to get locked out of the system right after a reboot.</para>
</note>
</sect2>
@@ -5158,16 +4748,15 @@ ipdivert_load="YES"</programlisting>
<primary>kernel</primary>
<secondary>configuration</secondary>
</indexterm>
- <para>When modules are not an option or if it is preferrable to
- build all the required features into the running kernel, the
- following options must be in the kernel configuration
+ <para>When modules are not an option or if it is preferable to
+ build all the required features into a custom kernel, the
+ following options must be in the custom kernel configuration
file:</para>
<programlisting>options IPFIREWALL
options IPDIVERT</programlisting>
- <para>Additionally, at choice, the following may also be
- suitable:</para>
+ <para>Additionally, the following may also be suitable:</para>
<programlisting>options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE</programlisting>
@@ -5176,8 +4765,9 @@ options IPFIREWALL_VERBOSE</programlisting>
<sect2 id="network-natdsystemconfiguration">
<title>System Startup Configuration</title>
- <para>To enable firewall and NAT support at boot time, the
- following must be in <filename>/etc/rc.conf</filename>:</para>
+ <para>To enable firewall and <acronym>NAT</acronym> support at
+ boot time, the following must be in
+ <filename>/etc/rc.conf</filename>:</para>
<programlisting>gateway_enable="YES" <co id="co-natd-gateway-enable"/>
firewall_enable="YES" <co id="co-natd-firewall-enable"/>
@@ -5206,8 +4796,9 @@ natd_flags="" <co id="co-natd-natd-flags"/></programlisting>
</callout>
<callout arearefs="co-natd-natd-interface">
- <para>Indicates which interface to forward packets through
- (the interface connected to the Internet).</para>
+ <para>Indicates which interface to forward packets through.
+ This is the interface that is connected to the
+ Internet.</para>
</callout>
<callout arearefs="co-natd-natd-flags">
@@ -5216,10 +4807,10 @@ natd_flags="" <co id="co-natd-natd-flags"/></programlisting>
</callout>
</calloutlist>
- <para>Having the previous options defined in
- <filename>/etc/rc.conf</filename> would run
+ <para>These
+ <filename>/etc/rc.conf</filename> options will run
<command>natd -interface fxp0</command> at boot. This can
- also be run manually.</para>
+ also be run manually after boot.</para>
<note>
<para>It is also possible to use a configuration file for
@@ -5230,61 +4821,62 @@ natd_flags="" <co id="co-natd-natd-flags"/></programlisting>
<programlisting>natd_flags="-f /etc/natd.conf"</programlisting>
- <para>The <filename>/etc/natd.conf</filename> file will
- contain a list of configuration options, one per line. For
- example the next section case would use the following
- file:</para>
+ <para>A list of configuration options, one per line, can be
+ added to <filename>/etc/natd.conf</filename>. For
+ example:</para>
<programlisting>redirect_port tcp 192.168.0.2:6667 6667
redirect_port tcp 192.168.0.3:80 80</programlisting>
- <para>For more information about the configuration file,
- consult the &man.natd.8; manual page about the
- <option>-f</option> option.</para>
+ <para>For more information about this configuration file,
+ consult &man.natd.8;.</para>
</note>
- <para>Each machine and interface behind the LAN should be
- assigned IP address numbers in the private network space as
- defined by
- <ulink url="ftp://ftp.isi.edu/in-notes/rfc1918.txt">RFC
- 1918</ulink> and have a default gateway of the
- <application>natd</application> machine's internal IP
+ <para>Each machine and interface behind the
+ <acronym>LAN</acronym> should be assigned
+ <acronym>IP</acronym> addresses in the private network space,
+ as defined by <ulink
+ url="ftp://ftp.isi.edu/in-notes/rfc1918.txt">RFC
+ 1918</ulink>, and have a default gateway of the
+ &man.natd.8; machine's internal <acronym>IP</acronym>
address.</para>
<para>For example, client <hostid>A</hostid> and
- <hostid>B</hostid> behind the LAN have IP addresses of
- <hostid role="ipaddr">192.168.0.2</hostid> and
- <hostid role="ipaddr">192.168.0.3</hostid>, while the natd
- machine's LAN interface has an IP address of
- <hostid role="ipaddr">192.168.0.1</hostid>. Client
- <hostid>A</hostid> and <hostid>B</hostid>'s default gateway
- must be set to that of the <application>natd</application>
- machine, <hostid role="ipaddr">192.168.0.1</hostid>. The
- <application>natd</application> machine's external, or
- Internet interface does not require any special modification
- for &man.natd.8; to work.</para>
+ <hostid>B</hostid> behind the <acronym>LAN</acronym> have
+ <acronym>IP</acronym> addresses of <hostid
+ role="ipaddr">192.168.0.2</hostid> and <hostid
+ role="ipaddr">192.168.0.3</hostid>, while the &man.natd.8;
+ machine's <acronym>LAN</acronym> interface has an
+ <acronym>IP</acronym> address of <hostid
+ role="ipaddr">192.168.0.1</hostid>. The default gateway
+ of clients <hostid>A</hostid> and <hostid>B</hostid> must be
+ set to that of the &man.natd.8; machine, <hostid
+ role="ipaddr">192.168.0.1</hostid>. The &man.natd.8;
+ machine's external Internet interface does not require any
+ special modification for &man.natd.8; to work.</para>
</sect2>
<sect2 id="network-natdport-redirection">
<title>Port Redirection</title>
- <para>The drawback with &man.natd.8; is that the LAN clients are
- not accessible from the Internet. Clients on the LAN can make
+ <para>The drawback with &man.natd.8; is that the
+ <acronym>LAN</acronym> clients are not accessible from the
+ Internet. Clients on the <acronym>LAN</acronym> can make
outgoing connections to the world but cannot receive incoming
ones. This presents a problem if trying to run Internet
- services on one of the LAN client machines. A simple way
- around this is to redirect selected Internet ports on the
- <application>natd</application> machine to a LAN
+ services on one of the <acronym>LAN</acronym> client machines.
+ A simple way around this is to redirect selected Internet
+ ports on the &man.natd.8; machine to a <acronym>LAN</acronym>
client.</para>
- <para>For example, an IRC server runs on client
- <hostid>A</hostid>, and a web server runs on client
+ <para>For example, an <acronym>IRC</acronym> server runs on
+ client <hostid>A</hostid> and a web server runs on client
<hostid>B</hostid>. For this to work properly, connections
- received on ports 6667 (IRC) and 80 (web) must be redirected
- to the respective machines.</para>
+ received on ports 6667 (<acronym>IRC</acronym>) and 80
+ (<acronym>HTTP</acronym>) must be redirected to the
+ respective machines.</para>
- <para>The <option>-redirect_port</option> must be passed to
- &man.natd.8; with the proper options. The syntax is as
+ <para>The syntax for <option>-redirect_port</option> is as
follows:</para>
<programlisting> -redirect_port proto targetIP:targetPORT[-targetPORT]
@@ -5296,11 +4888,11 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
<programlisting> -redirect_port tcp 192.168.0.2:6667 6667
-redirect_port tcp 192.168.0.3:80 80</programlisting>
- <para>This will redirect the proper <emphasis>tcp</emphasis>
- ports to the LAN client machines.</para>
+ <para>This redirects the proper <acronym>TCP</acronym> ports
+ to the <acronym>LAN</acronym> client machines.</para>
- <para>The <option>-redirect_port</option> argument can be used
- to indicate port ranges over individual ports. For example,
+ <para>Port ranges over individual ports can be indicated with
+ <option>-redirect_port</option>. For example,
<replaceable>tcp 192.168.0.2:2000-3000 2000-3000</replaceable>
would redirect all connections received on ports 2000 to 3000
to ports 2000 to 3000 on client <hostid>A</hostid>.</para>
@@ -5319,23 +4911,26 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
<title>Address Redirection</title>
<indexterm><primary>address redirection</primary></indexterm>
- <para>Address redirection is useful if several IP addresses are
- available, yet they must be on one machine. With this,
- &man.natd.8; can assign each LAN client its own external IP
- address. &man.natd.8; then rewrites outgoing packets from the
- LAN clients with the proper external IP address and redirects
- all traffic incoming on that particular IP address back to the
- specific LAN client. This is also known as static NAT. For
- example, the IP addresses
- <hostid role="ipaddr">128.1.1.1</hostid>,
- <hostid role="ipaddr">128.1.1.2</hostid>, and
- <hostid role="ipaddr">128.1.1.3</hostid> belong to the
- <application>natd</application> gateway machine.
- <hostid role="ipaddr">128.1.1.1</hostid> can be used as the
- <application>natd</application> gateway machine's external IP
+ <para>Address redirection is useful if more than one
+ <acronym>IP</acronym> address is available. Each
+ <acronym>LAN</acronym> client can be assigned its own
+ external <acronym>IP</acronym> address by &man.natd.8;,
+ which will then rewrite outgoing packets from the
+ <acronym>LAN</acronym> clients with the proper external
+ <acronym>IP</acronym> address and redirects all traffic
+ incoming on that particular <acronym>IP</acronym> address
+ back to the specific <acronym>LAN</acronym> client. This is
+ also known as static <acronym>NAT</acronym>. For example,
+ if <acronym>IP</acronym> addresses <hostid
+ role="ipaddr">128.1.1.1</hostid>, <hostid
+ role="ipaddr">128.1.1.2</hostid>, and <hostid
+ role="ipaddr">128.1.1.3</hostid> are available, <hostid
+ role="ipaddr">128.1.1.1</hostid> can be used as the
+ &man.natd.8; machine's external <acronym>IP</acronym>
address, while <hostid role="ipaddr">128.1.1.2</hostid> and
- <hostid role="ipaddr">128.1.1.3</hostid> are forwarded back to
- LAN clients <hostid>A</hostid> and <hostid>B</hostid>.</para>
+ <hostid role="ipaddr">128.1.1.3</hostid> are forwarded back
+ to <acronym>LAN</acronym> clients <hostid>A</hostid> and
+ <hostid>B</hostid>.</para>
<para>The <option>-redirect_address</option> syntax is as
follows:</para>
@@ -5348,13 +4943,14 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
<tbody>
<row>
<entry>localIP</entry>
- <entry>The internal IP address of the LAN
- client.</entry>
+ <entry>The internal <acronym>IP</acronym> address of
+ the <acronym>LAN</acronym> client.</entry>
</row>
<row>
<entry>publicIP</entry>
- <entry>The external IP address corresponding to the LAN
+ <entry>The external <acronym>IP</acronym> address
+ corresponding to the <acronym>LAN</acronym>
client.</entry>
</row>
</tbody>
@@ -5367,16 +4963,16 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
-redirect_address 192.168.0.3 128.1.1.3</programlisting>
<para>Like <option>-redirect_port</option>, these arguments are
- also placed within the <literal>natd_flags=""</literal> option
+ placed within the <literal>natd_flags=""</literal> option
of <filename>/etc/rc.conf</filename>, or passed via a
configuration file. With address redirection, there is no
need for port redirection since all data received on a
- particular IP address is redirected.</para>
+ particular <acronym>IP</acronym> address is redirected.</para>
- <para>The external IP addresses on the
- <application>natd</application> machine must be active and
- aliased to the external interface. Look at &man.rc.conf.5; to
- do so.</para>
+ <para>The external <acronym>IP</acronym> addresses on the
+ &man.natd.8; machine must be active and aliased to the
+ external interface. Refer to &man.rc.conf.5; for
+ details.</para>
</sect2>
</sect1>
@@ -5405,29 +5001,32 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
</authorgroup>
</sect1info>
- <title>IPv6</title>
+ <title><acronym>IPv6</acronym></title>
- <para>IPv6 (also known as IPng <quote>IP next generation</quote>)
- is the new version of the well known IP protocol (also known as
- <acronym>IPv4</acronym>). Like the other current *BSD systems,
- FreeBSD includes the KAME IPv6 reference implementation. So
- your FreeBSD system comes with all you will need to experiment
- with IPv6. This section focuses on getting IPv6 configured and
- running.</para>
+ <para><acronym>IPv6</acronym>, also known as
+ <acronym>IPng</acronym> <quote><acronym>IP</acronym> next
+ generation</quote>, is the new version of the well known
+ <acronym>IP</acronym> protocol, also known as
+ <acronym>IPv4</acronym>. &os; includes the <ulink
+ url="http://www.kame.net/">KAME</ulink>
+ <acronym>IPv6</acronym> reference implementation. &os; comes
+ with everything needed to use <acronym>IPv6</acronym>. This
+ section focuses on getting <acronym>IPv6</acronym> configured
+ and running.</para>
<para>In the early 1990s, people became aware of the rapidly
- diminishing address space of IPv4. Given the expansion rate of
- the Internet there were two major concerns:</para>
+ diminishing address space of <acronym>IPv4</acronym>. Given
+ the expansion rate of the Internet, there were two major
+ concerns:</para>
<itemizedlist>
<listitem>
<para>Running out of addresses. Today this is not so much of
- a concern any more, since RFC1918 private address space
- (<hostid role="ipaddr">10.0.0.0/8</hostid>,
- <hostid role="ipaddr">172.16.0.0/12</hostid>, and
- <hostid role="ipaddr">192.168.0.0/16</hostid>) and Network
- Address Translation (<acronym>NAT</acronym>) are being
- employed.</para>
+ a concern, since RFC1918 private address space (<hostid
+ role="ipaddr">10.0.0.0/8</hostid>, <hostid
+ role="ipaddr">172.16.0.0/12</hostid>, and <hostid
+ role="ipaddr">192.168.0.0/16</hostid>) and
+ <acronym>NAT</acronym> are being employed.</para>
</listitem>
<listitem>
@@ -5436,57 +5035,59 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
</listitem>
</itemizedlist>
- <para>IPv6 deals with these and many other issues:</para>
+ <para><acronym>IPv6</acronym> deals with these and many other
+ issues by providing the following:</para>
<itemizedlist>
<listitem>
- <para>128 bit address space. In other words theoretically
- there are
+ <para>128 bit address space which allows for
340,282,366,920,938,463,463,374,607,431,768,211,456
- addresses available. This means there are approximately
- 6.67 * 10^27 IPv6 addresses per square meter on our
- planet.</para>
+ addresses. This means there are approximately
+ 6.67 * 10^27 <acronym>IPv6</acronym> addresses per square
+ meter on the planet.</para>
</listitem>
<listitem>
- <para>Routers will only store network aggregation addresses in
- their routing tables thus reducing the average space of a
+ <para>Routers only store network aggregation addresses in
+ their routing tables, thus reducing the average space of a
routing table to 8192 entries.</para>
</listitem>
</itemizedlist>
- <para>There are also lots of other useful features of IPv6 such
- as:</para>
+ <para>There are other useful features of
+ <acronym>IPv6</acronym>:</para>
<itemizedlist>
<listitem>
<para>Address autoconfiguration (<ulink
- url="http://www.ietf.org/rfc/rfc2462.txt">RFC2462</ulink>)</para>
+ url="http://www.ietf.org/rfc/rfc2462.txt">RFC2462</ulink>).</para>
</listitem>
<listitem>
<para>Anycast addresses (<quote>one-out-of
- many</quote>)</para>
+ many</quote>).</para>
</listitem>
<listitem>
- <para>Mandatory multicast addresses</para>
+ <para>Mandatory multicast addresses.</para>
</listitem>
<listitem>
- <para>IPsec (IP security)</para>
+ <para><acronym>IPsec</acronym> (<acronym>IP</acronym>
+ security).</para>
</listitem>
<listitem>
- <para>Simplified header structure</para>
+ <para>Simplified header structure.</para>
</listitem>
<listitem>
- <para>Mobile <acronym>IP</acronym></para>
+ <para>Mobile <acronym>IP</acronym>.</para>
</listitem>
<listitem>
- <para>IPv6-to-IPv4 transition mechanisms</para>
+ <para><acronym>IPv6</acronym>-to-<acronym>IPv4</acronym>
+ transition mechanisms.</para>
</listitem>
</itemizedlist>
@@ -5500,13 +5101,13 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
</itemizedlist>
<sect2>
- <title>Background on IPv6 Addresses</title>
+ <title>Background on <acronym>IPv6</acronym> Addresses</title>
- <para>There are different types of IPv6 addresses: Unicast,
- Anycast and Multicast.</para>
+ <para>There are different types of <acronym>IPv6</acronym>
+ addresses: unicast, anycast, and multicast.</para>
<para>Unicast addresses are the well known addresses. A packet
- sent to a unicast address arrives exactly at the interface
+ sent to a unicast address arrives at the interface
belonging to the address.</para>
<para>Anycast addresses are syntactically indistinguishable from
@@ -5520,18 +5121,18 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
interfaces belonging to the multicast group.</para>
<note>
- <para>The IPv4 broadcast address (usually
- <hostid role="ipaddr">xxx.xxx.xxx.255</hostid>) is expressed
- by multicast addresses in IPv6.</para>
+ <para>The <acronym>IPv4</acronym> broadcast address, usually
+ <hostid role="ipaddr">xxx.xxx.xxx.255</hostid>, is expressed
+ by multicast addresses in <acronym>IPv6</acronym>.</para>
</note>
<table frame="none">
- <title>Reserved IPv6 Addresses</title>
+ <title>Reserved <acronym>IPv6</acronym> Addresses</title>
<tgroup cols="4">
<thead>
<row>
- <entry>IPv6 address</entry>
+ <entry><acronym>IPv6</acronym> address</entry>
<entry>Prefixlength (Bits)</entry>
<entry>Description</entry>
<entry>Notes</entry>
@@ -5543,35 +5144,38 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
<entry><hostid role="ip6addr">::</hostid></entry>
<entry>128 bits</entry>
<entry>unspecified</entry>
- <entry>cf. <hostid role="ipaddr">0.0.0.0</hostid> in
- IPv4</entry>
+ <entry>Equivalent to <hostid
+ role="ipaddr">0.0.0.0</hostid> in
+ <acronym>IPv4</acronym>.</entry>
</row>
<row>
<entry><hostid role="ip6addr">::1</hostid></entry>
<entry>128 bits</entry>
<entry>loopback address</entry>
- <entry>cf. <hostid role="ipaddr">127.0.0.1</hostid> in
- IPv4</entry>
+ <entry>Equivalent to <hostid
+ role="ipaddr">127.0.0.1</hostid> in
+ <acronym>IPv4</acronym>.</entry>
</row>
<row>
<entry><hostid
role="ip6addr">::00:xx:xx:xx:xx</hostid></entry>
<entry>96 bits</entry>
- <entry>embedded IPv4</entry>
- <entry>The lower 32 bits are the IPv4 address. Also
- called <quote>IPv4 compatible IPv6
- address</quote></entry>
+ <entry>embedded <acronym>IPv4</acronym></entry>
+ <entry>The lower 32 bits are the compatible
+ <acronym>IPv4</acronym> address.</entry>
</row>
<row>
<entry><hostid
role="ip6addr">::ff:xx:xx:xx:xx</hostid></entry>
<entry>96 bits</entry>
- <entry>IPv4 mapped IPv6 address</entry>
- <entry>The lower 32 bits are the IPv4 address.
- For hosts which do not support IPv6.</entry>
+ <entry><acronym>IPv4</acronym> mapped
+ <acronym>IPv6</acronym> address</entry>
+ <entry>The lower 32 bits are the <acronym>IPv4</acronym>
+ address for hosts which do not support
+ <acronym>IPv6</acronym>.</entry>
</row>
<row>
@@ -5579,7 +5183,8 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
role="ip6addr">feb::</hostid></entry>
<entry>10 bits</entry>
<entry>link-local</entry>
- <entry>cf. loopback address in IPv4</entry>
+ <entry>Equivalent to the loopback address in
+ <acronym>IPv4</acronym>.</entry>
</row>
<row>
@@ -5612,34 +5217,32 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
</sect2>
<sect2>
- <title>Reading IPv6 Addresses</title>
+ <title>Reading <acronym>IPv6</acronym> Addresses</title>
<para>The canonical form is represented as:
- <hostid role="ip6addr">x:x:x:x:x:x:x:x</hostid>, each
- <quote>x</quote> being a 16 Bit hex value. For example
+ <hostid role="ip6addr">x:x:x:x:x:x:x:x</hostid>, with each
+ <quote>x</quote> being a 16 bit hex value. For example:
<hostid
- role="ip6addr">FEBC:A574:382B:23C1:AA49:4592:4EFE:9982</hostid></para>
+ role="ip6addr">FEBC:A574:382B:23C1:AA49:4592:4EFE:9982</hostid>.</para>
- <para>Often an address will have long substrings of all zeros
- therefore one such substring per address can be abbreviated by
- <quote>::</quote>. Also up to three leading <quote>0</quote>s
- per hexquad can be omitted. For example
+ <para>Often an address will have long substrings of all zeros.
+ One such substring per address can be abbreviated by
+ <quote>::</quote>. Also, up to three leading
+ <quote>0</quote>s per hex quad can be omitted. For example,
<hostid role="ip6addr">fe80::1</hostid> corresponds to the
canonical form <hostid
role="ip6addr">fe80:0000:0000:0000:0000:0000:0000:0001</hostid>.</para>
- <para>A third form is to write the last 32 Bit part in the
- well known (decimal) IPv4 style with dots <quote>.</quote>
- as separators. For example
- <hostid role="ip6addr">2002::10.0.0.1</hostid>
- corresponds to the (hexadecimal) canonical representation
- <hostid
- role="ip6addr">2002:0000:0000:0000:0000:0000:0a00:0001</hostid>
- which in turn is equivalent to writing
- <hostid role="ip6addr">2002::a00:1</hostid>.</para>
+ <para>A third form is to write the last 32 bit part in the
+ well known (decimal) <acronym>IPv4</acronym> style with dots
+ (<quote>.</quote>) as separators. For example, <hostid
+ role="ip6addr">2002::10.0.0.1</hostid> corresponds to the
+ hexadecimal canonical representation <hostid
+ role="ip6addr">2002:0000:0000:0000:0000:0000:0a00:0001</hostid>,
+ which in turn is equivalent to <hostid
+ role="ip6addr">2002::a00:1</hostid>.</para>
- <para>By now the reader should be able to understand the
- following:</para>
+ <para>Here is a sample entry from &man.ifconfig.8;:</para>
<screen>&prompt.root; <userinput>ifconfig</userinput></screen>
@@ -5651,25 +5254,26 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
status: active</programlisting>
<para><hostid
- role="ip6addr">fe80::200:21ff:fe03:8e1%rl0</hostid>
- is an auto configured link-local address. It is generated
- from the MAC address as part of the auto configuration.</para>
+ role="ip6addr">fe80::200:21ff:fe03:8e1%rl0</hostid> is an
+ auto configured link-local address. It is generated from
+ the <acronym>MAC</acronym> address as part of the auto
+ configuration.</para>
- <para>For further information on the structure of IPv6 addresses
- see <ulink
+ <para>For further information on the structure of
+ <acronym>IPv6</acronym> addresses, see <ulink
url="http://www.ietf.org/rfc/rfc3513.txt">RFC3513</ulink>.</para>
</sect2>
<sect2>
<title>Getting Connected</title>
- <para>Currently there are four ways to connect to other IPv6
- hosts and networks:</para>
+ <para>Currently, there are four ways to connect to other
+ <acronym>IPv6</acronym> hosts and networks:</para>
<itemizedlist>
<listitem>
- <para>Contact your Internet Service Provider to see if they
- offer IPv6 yet.</para>
+ <para>Contact an Internet Service Provider to see if they
+ offer <acronym>IPv6</acronym>.</para>
</listitem>
<listitem>
@@ -5678,37 +5282,36 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
</listitem>
<listitem>
- <para>Tunnel via 6-to-4 (<ulink
- url="http://www.ietf.org/rfc/rfc3068.txt">RFC3068</ulink>)</para>
+ <para>Tunnel via 6-to-4 as described in <ulink
+ url="http://www.ietf.org/rfc/rfc3068.txt">RFC3068</ulink>.</para>
</listitem>
<listitem>
<para>Use the
- <filename role="package">net/freenet6</filename> port if
- you are on a dial-up connection.</para>
+ <filename role="package">net/freenet6</filename> port
+ for a dial-up connection.</para>
</listitem>
</itemizedlist>
</sect2>
<sect2>
- <title>DNS in the IPv6 World</title>
+ <title><acronym>DNS</acronym> in the <acronym>IPv6</acronym>
+ World</title>
- <para>There used to be two types of DNS records for IPv6. The
- IETF has declared A6 records obsolete. AAAA records are the
- standard now.</para>
+ <para>There used to be two types of <acronym>DNS</acronym>
+ records for <acronym>IPv6</acronym>. The
+ <acronym>IETF</acronym> has declared <acronym>AAAA</acronym>
+ records as the current standard.</para>
- <para>Using AAAA records is straightforward. Assign your
- hostname to the new IPv6 address you just received by
- adding:</para>
+ <para>Using <acronym>AAAA</acronym> records is straightforward.
+ Assign the hostname to the <acronym>IPv6</acronym> address
+ in the primary zone <acronym>DNS</acronym> file:</para>
<programlisting>MYHOSTNAME AAAA MYIPv6ADDR</programlisting>
- <para>To your primary zone DNS file. In case you do not serve
- your own <acronym>DNS</acronym> zones ask your
- <acronym>DNS</acronym> provider. Current versions of
- <application>bind</application> (version 8.3 and 9) and
- <filename role="package">dns/djbdns</filename> (with the IPv6
- patch) support AAAA records.</para>
+ <para>Current versions of &man.named.8; and <filename
+ role="package">dns/djbdns</filename> support
+ <acronym>AAAA</acronym> records.</para>
</sect2>
<sect2>
@@ -5716,92 +5319,93 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
<filename>/etc/rc.conf</filename></title>
<sect3>
- <title>IPv6 Client Settings</title>
+ <title><acronym>IPv6</acronym> Client Settings</title>
- <para>These settings will help you configure a machine that
- will be on your LAN and act as a client, not a router. To
- have &man.rtsol.8; autoconfigure your interface on boot on
- &os; 9.<replaceable>x</replaceable> and later,
- add:</para>
+ <para>These settings configure a machine on a
+ <acronym>LAN</acronym> which acts as a client, not a
+ router. To instruct &man.rtsol.8; to autoconfigure the
+ interface on boot on
+ &os; 9.<replaceable>x</replaceable> and later, add
+ this line to <filename>rc.conf</filename>:</para>
<programlisting>ipv6_prefer="YES"</programlisting>
- <para>to <filename>rc.conf</filename>.</para>
-
- <para>For &os; 8.<replaceable>x</replaceable> and
- earlier, add:</para>
+ <para>For &os; 8.<replaceable>x</replaceable>,
+ add:</para>
<programlisting>ipv6_enable="YES"</programlisting>
- <para>To statically assign an IP address such as <hostid
+ <para>To statically assign the <acronym>IPv6</acronym>
+ address, <hostid
role="ip6addr">2001:471:1f11:251:290:27ff:fee0:2093</hostid>,
- to your <devicename>fxp0</devicename> interface, add the
- following for
+ to <devicename>fxp0</devicename>, add the following for
&os; 9.<replaceable>x</replaceable>:</para>
<programlisting>ifconfig_fxp0_ipv6="inet6 2001:471:1f11:251:290:27ff:fee0:2093 prefixlen <replaceable>64</replaceable>"</programlisting>
<note>
<para>Be sure to change <replaceable>prefixlen
- 64</replaceable> to the appropriate value for the subnet
- within which the computer is networked.</para>
+ 64</replaceable> to the appropriate value for the
+ subnet.</para>
</note>
- <para>For &os; 8<replaceable>x</replaceable> and earlier,
+ <para>For &os; 8<replaceable>x</replaceable>,
add:</para>
<programlisting>ipv6_ifconfig_fxp0="2001:471:1f11:251:290:27ff:fee0:2093"</programlisting>
- <para>To assign a default router of
- <hostid role="ip6addr">2001:471:1f11:251::1</hostid> add the
+ <para>To assign a default router of <hostid
+ role="ip6addr">2001:471:1f11:251::1</hostid>, add the
following to <filename>/etc/rc.conf</filename>:</para>
<programlisting>ipv6_defaultrouter="2001:471:1f11:251::1"</programlisting>
</sect3>
<sect3>
- <title>IPv6 Router/Gateway Settings</title>
+ <title><acronym>IPv6</acronym> Router/Gateway Settings</title>
- <para>This will help you take the directions that your tunnel
- provider has given you and convert it into settings that
- will persist through reboots. To restore your tunnel on
- startup use something like the following in
- <filename>/etc/rc.conf</filename>:</para>
+ <para>This section demonstrates how to take the directions
+ from a tunnel provider and convert it into settings that
+ will persist through reboots. To restore the tunnel on
+ startup, add the following lines to
+ <filename>/etc/rc.conf</filename>.</para>
- <para>List the Generic Tunneling interfaces that will be
- configured, for example
+ <para>The first entry lists the generic tunneling interfaces
+ to be configured. This example configures one interface,
<devicename>gif0</devicename>:</para>
<programlisting>gif_interfaces="gif0"</programlisting>
- <para>To configure the interface with a local endpoint of
+ <para>To configure that interface with a local endpoint of
<replaceable>MY_IPv4_ADDR</replaceable> to a remote endpoint
of <replaceable>REMOTE_IPv4_ADDR</replaceable>:</para>
<programlisting>gifconfig_gif0="<replaceable>MY_IPv4_ADDR REMOTE_IPv4_ADDR</replaceable>"</programlisting>
- <para>To apply the IPv6 address you have been assigned for use
- as your IPv6 tunnel endpoint, add the following for
+ <para>To apply the <acronym>IPv6</acronym> address that has
+ been assigned for use as the <acronym>IPv6</acronym> tunnel
+ endpoint, add the following line for
&os; 9.<replaceable>x</replaceable> and later:</para>
<programlisting>ifconfig_gif0_ipv6="inet6 <replaceable>MY_ASSIGNED_IPv6_TUNNEL_ENDPOINT_ADDR</replaceable>"</programlisting>
- <para>For &os; 8.<replaceable>x</replaceable> and
- earlier, add:</para>
+ <para>For &os; 8.<replaceable>x</replaceable>,
+ add:</para>
<programlisting>ipv6_ifconfig_gif0="<replaceable>MY_ASSIGNED_IPv6_TUNNEL_ENDPOINT_ADDR</replaceable>"</programlisting>
- <para>Then all you have to do is set the default route for
- IPv6. This is the other side of the IPv6 tunnel:</para>
+ <para>Then, set the default route for
+ <acronym>IPv6</acronym>. This is the other side of the
+ <acronym>IPv6</acronym> tunnel:</para>
<programlisting>ipv6_defaultrouter="<replaceable>MY_IPv6_REMOTE_TUNNEL_ENDPOINT_ADDR</replaceable>"</programlisting>
</sect3>
<sect3>
- <title>IPv6 Tunnel Settings</title>
+ <title><acronym>IPv6</acronym> Tunnel Settings</title>
- <para>If the server is to route IPv6 between the rest of your
- network and the world, the following
+ <para>If the server is to route <acronym>IPv6</acronym>
+ between the rest of the network and the world, the following
<filename>/etc/rc.conf</filename> setting will also be
needed:</para>
@@ -5812,38 +5416,65 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
<sect2>
<title>Router Advertisement and Host Auto Configuration</title>
- <para>This section will help you setup &man.rtadvd.8; to
- advertise the IPv6 default route.</para>
+ <para>This section demonstrates how to setup &man.rtadvd.8; to
+ advertise the <acronym>IPv6</acronym> default route.</para>
- <para>To enable &man.rtadvd.8; you will need the following in
- your <filename>/etc/rc.conf</filename>:</para>
+ <para>To enable &man.rtadvd.8;, add the following to
+ <filename>/etc/rc.conf</filename>:</para>
<programlisting>rtadvd_enable="YES"</programlisting>
- <para>It is important that you specify the interface on which to
- do IPv6 router solicitation. For example to tell
- &man.rtadvd.8; to use <devicename>fxp0</devicename>:</para>
+ <para>It is important to specify the interface on which to
+ do <acronym>IPv6</acronym> router solicitation. For example,
+ to tell &man.rtadvd.8; to use
+ <devicename>fxp0</devicename>:</para>
<programlisting>rtadvd_interfaces="fxp0"</programlisting>
- <para>Now we must create the configuration file,
- <filename>/etc/rtadvd.conf</filename>. Here is an
+ <para>Next, create the configuration file,
+ <filename>/etc/rtadvd.conf</filename> as seen in this
example:</para>
<programlisting>fxp0:\
:addrs#1:addr="2001:471:1f11:246::":prefixlen#64:tc=ether:</programlisting>
<para>Replace <devicename>fxp0</devicename> with the interface
- you are going to be using.</para>
+ to be used and <hostid
+ role="ip6addr">2001:471:1f11:246::</hostid> with the
+ prefix of the allocation.</para>
- <para>Next, replace
- <hostid role="ip6addr">2001:471:1f11:246::</hostid> with the
- prefix of your allocation.</para>
+ <para>For a dedicated <hostid role="netmask">/64</hostid>
+ subnet, nothing else needs to be changed. Otherwise, change
+ the <literal>prefixlen#</literal> to the correct value.</para>
+ </sect2>
- <para>If you are dedicated a <hostid role="netmask">/64</hostid>
- subnet you will not need to change anything else. Otherwise,
- you will need to change the <literal>prefixlen#</literal> to
- the correct value.</para>
+ <sect2>
+ <title><acronym>IPv6</acronym> and <acronym>IPv6</acronym>
+ Address Mapping</title>
+
+ <para>When <acronym>IPv6</acronym> is enabled on a server, there
+ may be a need to enable <acronym>IPv4</acronym> mapped
+ <acronym>IPv6</acronym> address communication. This
+ compatibility option allows for <acronym>IPv4</acronym>
+ addresses to be represented as <acronym>IPv6</acronym>
+ addresses. Permitting <acronym>IPv6</acronym> applications
+ to communicate with <acronym>IPv4</acronym> and vice versa
+ may be a security issue.</para>
+
+ <para>This option may not be required in most cases and is
+ available only for compatibility. This option will allow
+ <acronym>IPv6</acronym>-only applications to work with
+ <acronym>IPv4</acronym> in a dual stack environment. This
+ is most useful for third party applications which may not
+ support an <acronym>IPv6</acronym>-only environment. To
+ enable this feature,
+ add the following to <filename>/etc/rc.conf</filename>:</para>
+
+ <programlisting>ipv6_ipv4mapping="YES"</programlisting>
+
+ <para>Reviewing the information in <acronym>RFC</acronym> 3493,
+ section 3.6 and 3.7 as well as <acronym>RFC</acronym> 4038
+ section 4.2 may be useful to some adminstrators.</para>
</sect2>
</sect1>
@@ -5858,34 +5489,38 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
</authorgroup>
</sect1info>
- <title>Asynchronous Transfer Mode (ATM)</title>
+ <title>Asynchronous Transfer Mode (<acronym>ATM</acronym>)</title>
<sect2>
- <title>Configuring Classical IP over ATM (PVCs)</title>
+ <title>Configuring Classical <acronym>IP</acronym> over
+ <acronym>ATM</acronym></title>
- <para>Classical IP over ATM (<acronym>CLIP</acronym>) is the
- simplest method to use Asynchronous Transfer Mode (ATM)
- with IP. It can be used with
- switched connections (SVCs) and with permanent connections
- (PVCs). This section describes how to set up a network based
- on PVCs.</para>
+ <para>Classical <acronym>IP</acronym> over
+ <acronym>ATM</acronym> (<acronym>CLIP</acronym>) is the
+ simplest method to use Asynchronous Transfer Mode
+ (<acronym>ATM</acronym>) with <acronym>IP</acronym>. It can
+ be used with Switched Virtual Circuits
+ (<acronym>SVC</acronym>s) and with Permanent Virtual Circuits
+ (<acronym>PVC</acronym>s). This section describes how to
+ set up a network based on <acronym>PVC</acronym>s.</para>
<sect3>
<title>Fully Meshed Configurations</title>
<para>The first method to set up a <acronym>CLIP</acronym>
- with PVCs is to connect each machine to each other machine
- in the network via a dedicated PVC. While this is simple to
- configure it tends to become impractical for a larger number
- of machines. The example supposes that we have four
- machines in the network, each connected to the
- <acronym role="Asynchronous Transfer Mode">ATM</acronym>
- network with an
- <acronym role="Asynchronous Transfer Mode">ATM</acronym>
- adapter card. The first step is the planning of the IP
- addresses and the
- <acronym role="Asynchronous Transfer Mode">ATM</acronym>
- connections between the machines. We use the
+ with <acronym>PVC</acronym>s is to connect each machine
+ to each other machine in the network via a dedicated
+ <acronym>PVC</acronym>. While this is simple to
+ configure, it becomes impractical for a large number of
+ machines. The following example supposes four machines in
+ the network, each connected to the <acronym
+ role="Asynchronous Transfer Mode">ATM</acronym> network
+ with an <acronym
+ role="Asynchronous Transfer Mode">ATM</acronym> adapter
+ card. The first step is the planning of the
+ <acronym>IP</acronym> addresses and the <acronym
+ role="Asynchronous Transfer Mode">ATM</acronym>
+ connections between the machines. This example uses the
following:</para>
<informaltable frame="none" pgwide="1">
@@ -5895,7 +5530,7 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
<thead>
<row>
<entry>Host</entry>
- <entry>IP Address</entry>
+ <entry><acronym>IP</acronym> Address</entry>
</row>
</thead>
@@ -5927,8 +5562,8 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
</tgroup>
</informaltable>
- <para>To build a fully meshed net we need one ATM connection
- between each pair of machines:</para>
+ <para>To build a fully meshed net, one <acronym>ATM</acronym>
+ connection is needed between each pair of machines:</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="2">
@@ -5981,22 +5616,24 @@ redirect_port tcp 192.168.0.3:80 80</programlisting>
</tgroup>
</informaltable>
- <para>The VPI and VCI values at each end of the connection may
- of course differ, but for simplicity we assume that they are
- the same. Next we need to configure the ATM interfaces on
- each host:</para>
+ <para>The Virtual Path Identifier <acronym>VPI</acronym> and
+ Virtual Channel Identifier <acronym>VCI</acronym> values
+ at each end of the connection may differ, but for
+ simplicity, this example assumes they are the same. Next,
+ configure the <acronym>ATM</acronym> interfaces on each
+ host:</para>
<screen>hostA&prompt.root; <userinput>ifconfig hatm0 192.168.173.1 up</userinput>
hostB&prompt.root; <userinput>ifconfig hatm0 192.168.173.2 up</userinput>
hostC&prompt.root; <userinput>ifconfig hatm0 192.168.173.3 up</userinput>
hostD&prompt.root; <userinput>ifconfig hatm0 192.168.173.4 up</userinput></screen>
- <para>assuming that the ATM interface is
- <devicename>hatm0</devicename> on all hosts. Now the PVCs
- need to be configured on <hostid>hostA</hostid> (we assume
- that they are already configured on the ATM switches, you
- need to consult the manual for the switch on how to do
- this).</para>
+ <para>This example assumes that the <acronym>ATM</acronym>
+ interface is <devicename>hatm0</devicename> on all hosts.
+ Next, the <acronym>PVC</acronym>s need to be configured on
+ <hostid>hostA</hostid>. This should already be configured
+ on the <acronym>ATM</acronym> switch; consult the manual
+ for the switch on how to do this.</para>
<screen>hostA&prompt.root; <userinput>atmconfig natm add 192.168.173.2 hatm0 0 100 llc/snap ubr</userinput>
hostA&prompt.root; <userinput>atmconfig natm add 192.168.173.3 hatm0 0 101 llc/snap ubr</userinput>
@@ -6014,19 +5651,19 @@ hostD&prompt.root; <userinput>atmconfig natm add 192.168.173.1 hatm0 0 102 llc/s
hostD&prompt.root; <userinput>atmconfig natm add 192.168.173.2 hatm0 0 104 llc/snap ubr</userinput>
hostD&prompt.root; <userinput>atmconfig natm add 192.168.173.3 hatm0 0 105 llc/snap ubr</userinput></screen>
- <para>Of course other traffic contracts than UBR can be used
- given the ATM adapter supports those. In this case the name
- of the traffic contract is followed by the parameters of the
- traffic. Help for the &man.atmconfig.8; tool can be
- obtained with:</para>
+ <para>Other traffic contracts besides <literal>ubr</literal>
+ can be used if the <acronym>ATM</acronym> adapter supports
+ it. In this case, the name of the traffic contract is
+ followed by the parameters of the traffic. Help for the
+ &man.atmconfig.8; tool can be obtained with:</para>
<screen>&prompt.root; <userinput>atmconfig help natm add</userinput></screen>
- <para>or in the &man.atmconfig.8; manual page.</para>
+ <para>Refer to &man.atmconfig.8; for more information.</para>
<para>The same configuration can also be done via
- <filename>/etc/rc.conf</filename>. For
- <hostid>hostA</hostid> this would look like:</para>
+ <filename>/etc/rc.conf</filename>. These lines configure
+ <hostid>hostA</hostid>:</para>
<programlisting>network_interfaces="lo0 hatm0"
ifconfig_hatm0="inet 192.168.173.1 up"
@@ -6054,37 +5691,38 @@ route_hostD="192.168.173.4 hatm0 0 102 llc/snap ubr"</programlisting>
</authorgroup>
</sect1info>
- <title>Common Address Redundancy Protocol (CARP)</title>
+ <title>Common Address Redundancy Protocol
+ (<acronym>CARP</acronym>)</title>
<indexterm>
- <primary>CARP</primary>
+ <primary><acronym>CARP</acronym></primary>
</indexterm>
<indexterm>
<primary>Common Address Redundancy Protocol</primary>
</indexterm>
- <para>The Common Address Redundancy Protocol, or
- <acronym>CARP</acronym> allows multiple hosts to share the same
- <acronym>IP</acronym> address. In some configurations, this may
- be used for availability or load balancing. Hosts may use
- separate <acronym>IP</acronym> addresses as well, as in the
+ <para>The Common Address Redundancy Protocol
+ (<acronym>CARP</acronym>) allows multiple hosts to share the
+ same <acronym>IP</acronym> address. In some configurations,
+ this may be used for availability or load balancing. Hosts
+ may use separate <acronym>IP</acronym> addresses, as in the
example provided here.</para>
<para>To enable support for <acronym>CARP</acronym>, the &os;
- kernel must be rebuilt as described in
- <xref linkend="kernelconfig"/> with the following option:</para>
+ kernel can be rebuilt as described in <xref
+ linkend="kernelconfig"/> with the following option:</para>
<programlisting>device carp</programlisting>
<para>Alternatively, the <filename>if_carp.ko</filename> module
- can be loaded at boot time. Add the following line to the
+ can be loaded at boot time. Add the following line to
<filename>/boot/loader.conf</filename>:</para>
<programlisting>if_carp_load="YES"</programlisting>
<para><acronym>CARP</acronym> functionality should now be
- available and may be tuned via several <command>sysctl</command>
- <acronym>OID</acronym>s:</para>
+ available and may be tuned via several &man.sysctl.8;
+ variables:</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="2">
@@ -6106,15 +5744,15 @@ route_hostD="192.168.173.4 hatm0 0 102 llc/snap ubr"</programlisting>
<entry><varname>net.inet.carp.preempt</varname></entry>
<entry>This option downs all of the
<acronym>CARP</acronym> interfaces on the host when one
- of them goes down. Disabled by default</entry>
+ goes down. Disabled by default.</entry>
</row>
<row>
<entry><varname>net.inet.carp.log</varname></entry>
<entry>A value of <literal>0</literal> disables any
- logging. A Value of <literal>1</literal> enables
+ logging. A value of <literal>1</literal> enables
logging of bad <acronym>CARP</acronym> packets. Values
- greater than <literal>1</literal> enables logging of
+ greater than <literal>1</literal> enable logging of
state changes for the <acronym>CARP</acronym>
interfaces. The default value is
<literal>1</literal>.</entry>
@@ -6128,63 +5766,64 @@ route_hostD="192.168.173.4 hatm0 0 102 llc/snap ubr"</programlisting>
<row>
<entry><varname>net.inet.carp.suppress_preempt</varname></entry>
- <entry>A read only <acronym>OID</acronym> showing the
- status of preemption suppression. Preemption can be
- suppressed if link on an interface is down. A value of
- <literal>0</literal>, means that preemption is not
+ <entry>A read-only variable showing the status of
+ preemption suppression. Preemption can be suppressed
+ if the link on an interface is down. A value of
+ <literal>0</literal> means that preemption is not
suppressed. Every problem increments this
- <acronym>OID</acronym>.</entry>
+ variable.</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>The <acronym>CARP</acronym> devices themselves may be
- created via the <command>ifconfig</command> command:</para>
+ created using &man.ifconfig.8;:</para>
<screen>&prompt.root; <userinput>ifconfig carp0 create</userinput></screen>
- <para>In a real environment, these interfaces will need unique
- identification numbers known as a <acronym>VHID</acronym>. This
- <acronym>VHID</acronym> or Virtual Host Identification will be
- used to distinguish the host on the network.</para>
+ <para>In a real environment, each interface has a unique
+ identification number known as a Virtual Host IDentification
+ (<acronym>VHID</acronym>) which is used to distinguish the
+ host on the network.</para>
<sect2>
- <title>Using CARP for Server Availability (CARP)</title>
+ <title>Using <acronym>CARP</acronym> for Server
+ Availability</title>
- <para>One use of <acronym>CARP</acronym>, as noted above, is for
- server availability. This example will provide failover
- support for three hosts, all with unique <acronym>IP</acronym>
+ <para>One use of <acronym>CARP</acronym> is to provide server
+ availability. This example configures failover support for
+ three hosts, all with unique <acronym>IP</acronym>
addresses and providing the same web content. These machines
- will act in conjunction with a Round Robin
+ act in conjunction with a Round Robin
<acronym>DNS</acronym> configuration. The failover machine
- will have two additional <acronym>CARP</acronym> interfaces,
- one for each of the content server's <acronym>IP</acronym>s.
- When a failure occurs, the failover server should pick up the
- failed machine's <acronym>IP</acronym> address. This means
- the failure should go completely unnoticed to the user. The
- failover server requires identical content and services as the
- other content servers it is expected to pick up load
- for.</para>
+ has two additional <acronym>CARP</acronym> interfaces, one
+ for each of the content server's
+ <acronym>IP</acronym> addresses. When a
+ failure occurs, the failover server will pick up the failed
+ machine's <acronym>IP</acronym> address.
+ This means that the failure should go completely unnoticed
+ by the user. The failover server requires identical content
+ and services as the other content servers it is expected to
+ pick up load for.</para>
<para>The two machines should be configured identically other
- than their issued hostnames and <acronym>VHID</acronym>s.
- This example calls these machines
+ than their hostnames and <acronym>VHID</acronym>s. This
+ example calls these machines
<hostid>hosta.example.org</hostid> and
<hostid>hostb.example.org</hostid> respectively. First, the
required lines for a <acronym>CARP</acronym> configuration
- have to be added to <filename>rc.conf</filename>. For
- <hostid>hosta.example.org</hostid>, the
- <filename>rc.conf</filename> file should contain the following
- lines:</para>
+ have to be added to <filename>/etc/rc.conf</filename>. Here
+ are the lines for
+ <hostid>hosta.example.org</hostid>:</para>
<programlisting>hostname="hosta.example.org"
ifconfig_fxp0="inet 192.168.1.3 netmask 255.255.255.0"
cloned_interfaces="carp0"
ifconfig_carp0="vhid 1 pass testpass 192.168.1.50/24"</programlisting>
- <para>On <hostid>hostb.example.org</hostid> the following lines
- should be in <filename>rc.conf</filename>:</para>
+ <para>On <hostid>hostb.example.org</hostid>, use the following
+ lines:</para>
<programlisting>hostname="hostb.example.org"
ifconfig_fxp0="inet 192.168.1.4 netmask 255.255.255.0"
@@ -6193,19 +5832,18 @@ ifconfig_carp0="vhid 2 pass testpass 192.168.1.51/24"</programlisting>
<note>
<para>It is very important that the passwords, specified by
- the <option>pass</option> option to
- <command>ifconfig</command>, are identical. The
- <devicename>carp</devicename> devices will only listen to
- and accept advertisements from machines with the correct
- password. The <acronym>VHID</acronym> must also be
- different for each machine.</para>
+ the <option>pass</option> option to &man.ifconfig.8;, are
+ identical. The <devicename>carp</devicename> devices will
+ only listen to and accept advertisements from machines
+ with the correct password. The <acronym>VHID</acronym>
+ must also be unique for each machine.</para>
</note>
<para>The third machine, <hostid>provider.example.org</hostid>,
should be prepared so that it may handle failover from either
host. This machine will require two
<devicename>carp</devicename> devices, one to handle each
- host. The appropriate <filename>rc.conf</filename>
+ host. The appropriate <filename>/etc/rc.conf</filename>
configuration lines will be similar to the following:</para>
<programlisting>hostname="provider.example.org"
@@ -6216,7 +5854,7 @@ ifconfig_carp1="vhid 2 advskew 100 pass testpass 192.168.1.51/24"</programlistin
<para>Having the two <devicename>carp</devicename> devices will
allow <hostid>provider.example.org</hostid> to notice and pick
- up the <acronym>IP</acronym> address of either machine should
+ up the <acronym>IP</acronym> address of either machine, should
it stop responding.</para>
<note>
@@ -6225,8 +5863,8 @@ ifconfig_carp1="vhid 2 advskew 100 pass testpass 192.168.1.51/24"</programlistin
<hostid>provider.example.org</hostid> may not relinquish the
<acronym>IP</acronym> address back to the original content
server. In this case, an administrator may have to manually
- force the IP back to the master. The following command
- should be issued on
+ force the <acronym>IP</acronym> back to the master. The
+ following command should be issued on
<hostid>provider.example.org</hostid>:</para>
<screen>&prompt.root; <userinput>ifconfig carp0 down && ifconfig carp0 up</userinput></screen>
@@ -6235,13 +5873,11 @@ ifconfig_carp1="vhid 2 advskew 100 pass testpass 192.168.1.51/24"</programlistin
interface which corresponds to the correct host.</para>
</note>
- <para>At this point, <acronym>CARP</acronym> should be
- completely enabled and available for testing. For testing,
- either networking has to be restarted or the machines need to
- be rebooted.</para>
+ <para>At this point, <acronym>CARP</acronym> should be enabled
+ and available for testing. For testing, either networking
+ has to be restarted or the machines rebooted.</para>
- <para>More information is always available in the &man.carp.4;
- manual page.</para>
+ <para>More information is available in &man.carp.4;.</para>
</sect2>
</sect1>
</chapter>
diff --git a/en_US.ISO8859-1/books/handbook/audit/chapter.xml b/en_US.ISO8859-1/books/handbook/audit/chapter.xml
index 5d5540e5f6..e666e6a91e 100644
--- a/en_US.ISO8859-1/books/handbook/audit/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/audit/chapter.xml
@@ -60,8 +60,8 @@ requirements. -->
</listitem>
<listitem>
- <para>How to configure Event Auditing on &os; for users
- and processes.</para>
+ <para>How to configure Event Auditing on &os; for users and
+ processes.</para>
</listitem>
<listitem>
@@ -85,8 +85,8 @@ requirements. -->
</listitem>
<listitem>
- <para>Have some familiarity with security and how it
- pertains to &os; (<xref linkend="security"/>).</para>
+ <para>Have some familiarity with security and how it pertains
+ to &os; (<xref linkend="security"/>).</para>
</listitem>
</itemizedlist>
@@ -104,9 +104,9 @@ requirements. -->
Administrators should take into account disk space
requirements associated with high volume audit configurations.
For example, it may be desirable to dedicate a file system to
- the <filename class="directory">/var/audit</filename> tree so that other file
- systems are not affected if the audit file system becomes
- full.</para>
+ the <filename class="directory">/var/audit</filename> tree
+ so that other file systems are not affected if the audit file
+ system becomes full.</para>
</warning>
</sect1>
@@ -133,9 +133,9 @@ requirements. -->
<listitem>
<para><emphasis>class</emphasis>: Event classes are named sets
of related events, and are used in selection expressions.
- Commonly used classes of events include
- <quote>file creation</quote> (fc), <quote>exec</quote> (ex)
- and <quote>login_logout</quote> (lo).</para>
+ Commonly used classes of events include <quote>file
+ creation</quote> (fc), <quote>exec</quote> (ex) and
+ <quote>login_logout</quote> (lo).</para>
</listitem>
<listitem>
@@ -199,8 +199,8 @@ requirements. -->
<programlisting>options AUDIT</programlisting>
<para>Rebuild and reinstall
- the kernel via the normal process explained in
- <xref linkend="kernelconfig"/>.</para>
+ the kernel via the normal process explained in <xref
+ linkend="kernelconfig"/>.</para>
<para>Once an audit-enabled kernel is built, installed, and the
system has been rebooted, enable the audit daemon by adding the
@@ -249,10 +249,10 @@ requirements. -->
<listitem>
<para><filename>audit_warn</filename> - A customizable shell
- script used by <application>auditd</application> to generate
- warning messages in exceptional situations, such as when
- space for audit records is running low or when the audit
- trail file has been rotated.</para>
+ script used by &man.auditd.8; to generate warning messages
+ in exceptional situations, such as when space for audit
+ records is running low or when the audit trail file has
+ been rotated.</para>
</listitem>
</itemizedlist>
@@ -400,8 +400,8 @@ requirements. -->
</itemizedlist>
<para>These audit event classes may be customized by modifying
- the <filename>audit_class</filename> and
- <filename>audit_event</filename> configuration files.</para>
+ the <filename>audit_class</filename> and <filename>audit_
+ event</filename> configuration files.</para>
<para>Each audit class in the list is combined with a prefix
indicating whether successful/failed operations are matched,
@@ -451,18 +451,16 @@ requirements. -->
<title>Configuration Files</title>
<para>In most cases, administrators will need to modify only two
- files when configuring the audit system:
- <filename>audit_control</filename> and
- <filename>audit_user</filename>. The first controls
- system-wide audit properties and policies; the second may be
- used to fine-tune auditing by user.</para>
+ files when configuring the audit system: <filename>audit_
+ control</filename> and <filename>audit_user</filename>.
+ The first controls system-wide audit properties and policies;
+ the second may be used to fine-tune auditing by user.</para>
<sect3 id="audit-auditcontrol">
<title>The <filename>audit_control</filename> File</title>
- <para>The <filename>audit_control</filename> file specifies a
- number of defaults for the audit subsystem. Viewing the
- contents of this file, we see the following:</para>
+ <para>A number of defaults for the audit subsystem are
+ specified in <filename>audit_control</filename>:</para>
<programlisting>dir:/var/audit
flags:lo
@@ -471,7 +469,7 @@ naflags:lo
policy:cnt
filesz:0</programlisting>
- <para>The <option>dir</option> option is used to set one or
+ <para>The <option>dir</option> entry is used to set one or
more directories where audit logs will be stored. If more
than one directory entry appears, they will be used in order
as they fill. It is common to configure audit so that audit
@@ -484,17 +482,17 @@ filesz:0</programlisting>
example above, successful and failed login and logout events
are audited for all users.</para>
- <para>The <option>minfree</option> option defines the minimum
+ <para>The <option>minfree</option> entry defines the minimum
percentage of free space for the file system where the audit
trail is stored. When this threshold is exceeded, a warning
will be generated. The above example sets the minimum free
space to twenty percent.</para>
- <para>The <option>naflags</option> option specifies audit
- classes to be audited for non-attributed events, such as the
- login process and system daemons.</para>
+ <para>The <option>naflags</option> entry specifies audit classes
+ to be audited for non-attributed events, such as the login
+ process and system daemons.</para>
- <para>The <option>policy</option> option specifies a
+ <para>The <option>policy</option> entry specifies a
comma-separated list of policy flags controlling various
aspects of audit behavior. The default
<literal>cnt</literal> flag indicates that the system should
@@ -504,7 +502,7 @@ filesz:0</programlisting>
to the &man.execve.2; system call to be audited as part of
command execution.</para>
- <para>The <option>filesz</option> option specifies the maximum
+ <para>The <option>filesz</option> entry specifies the maximum
size in bytes to allow an audit trail file to grow to before
automatically terminating and rotating the trail file. The
default, 0, disables automatic log rotation. If the
@@ -516,25 +514,24 @@ filesz:0</programlisting>
<sect3 id="audit-audituser">
<title>The <filename>audit_user</filename> File</title>
- <para>The <filename>audit_user</filename> file permits the
- administrator to specify further audit requirements for
- specific users. Each line configures auditing for a user
- via two fields: the first is the
- <literal>alwaysaudit</literal> field, which specifies a set
- of events that should always be audited for the user, and
- the second is the <literal>neveraudit</literal> field, which
- specifies a set of events that should never be audited for
- the user.</para>
+ <para>The administrator can specify further audit requirements
+ for specific users in <filename>audit_user</filename>.
+ Each line configures auditing for a user via two fields:
+ the first is the <literal>alwaysaudit</literal> field,
+ which specifies a set of events that should always be
+ audited for the user, and the second is the
+ <literal>neveraudit</literal> field, which specifies a set
+ of events that should never be audited for the user.</para>
<para>The following example <filename>audit_user</filename>
- file audits login/logout events and successful command
- execution for the <username>root</username> user, and audits
- file creation and successful command execution for the
- <username>www</username> user. If used with the example
- <filename>audit_control</filename> file above, the
+ audits login/logout events and successful command
+ execution for <username>root</username>, and audits
+ file creation and successful command execution for
+ <username>www</username>. If used with the above example
+ <filename>audit_control</filename>, the
<literal>lo</literal> entry for <username>root</username> is
redundant, and login/logout events will also be audited for
- the <username>www</username> user.</para>
+ <username>www</username>.</para>
<programlisting>root:lo,+ex:no
www:fc,+ex:no</programlisting>
@@ -553,14 +550,13 @@ www:fc,+ex:no</programlisting>
&man.praudit.1; command converts trail files to a simple text
format; the &man.auditreduce.1; command may be used to reduce
the audit trail file for analysis, archiving, or printing
- purposes. <command>auditreduce</command> supports a variety
- of selection parameters, including event type, event class,
+ purposes. A variety of selection parameters are supported by
+ &man.auditreduce.1;, including event type, event class,
user, date or time of the event, and the file path or object
acted on.</para>
- <para>For example, the <command>praudit</command> utility will
- dump the entire contents of a specified audit log in plain
- text:</para>
+ <para>For example, &man.praudit.1; will dump the entire
+ contents of a specified audit log in plain text:</para>
<screen>&prompt.root; <userinput>praudit /var/audit/AUDITFILE</userinput></screen>
@@ -569,11 +565,11 @@ www:fc,+ex:no</programlisting>
the audit log to dump.</para>
<para>Audit trails consist of a series of audit records made up
- of tokens, which <command>praudit</command> prints
- sequentially one per line. Each token is of a specific type,
- such as <literal>header</literal> holding an audit record
- header, or <literal>path</literal> holding a file path from a
- name lookup. The following is an example of an
+ of tokens, which &man.praudit.1; prints sequentially one per
+ line. Each token is of a specific type, such as
+ <literal>header</literal> holding an audit record header, or
+ <literal>path</literal> holding a file path from a name
+ lookup. The following is an example of an
<literal>execve</literal> event:</para>
<programlisting>header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
@@ -605,9 +601,9 @@ trailer,133</programlisting>
successful execution, and the <literal>trailer</literal>
concludes the record.</para>
- <para><command>praudit</command> also supports
- an XML output format, which can be selected using the
- <option>-x</option> argument.</para>
+ <para><acronym>XML</acronym> output format is also supported by
+ &man.praudit.1;, and can be selected using
+ <option>-x</option>.</para>
</sect2>
<sect2>
@@ -619,20 +615,19 @@ trailer,133</programlisting>
<screen>&prompt.root; <userinput>auditreduce -u trhodes /var/audit/AUDITFILE | praudit</userinput></screen>
- <para>This will select all audit records produced for the user
- <username>trhodes</username> stored in the
- <filename><replaceable>AUDITFILE</replaceable></filename>
- file.</para>
+ <para>This will select all audit records produced for
+ <username>trhodes</username> stored in
+ <filename><replaceable>AUDITFILE</replaceable></filename>.</para>
</sect2>
<sect2>
<title>Delegating Audit Review Rights</title>
<para>Members of the <groupname>audit</groupname> group are
- given permission to read audit trails in
- <filename class="directory">/var/audit</filename>; by default, this group is
- empty, so only the <username>root</username> user may read
- audit trails. Users may be added to the
+ given permission to read audit trails in <filename
+ class="directory">/var/audit</filename>; by default, this
+ group is empty, so only the <username>root</username> user
+ may read audit trails. Users may be added to the
<groupname>audit</groupname> group in order to delegate audit
review rights to the user. As the ability to track audit log
contents provides significant insight into the behavior of
@@ -674,9 +669,9 @@ trailer,133</programlisting>
SSH session, then a continuous stream of audit events will
be generated at a high rate, as each event being printed
will generate another event. It is advisable to run
- <command>praudit</command> on an audit pipe device from
- sessions without fine-grained I/O auditing in order to avoid
- this happening.</para>
+ &man.praudit.1; on an audit pipe device from sessions
+ without fine-grained I/O auditing in order to avoid this
+ happening.</para>
</warning>
</sect2>
@@ -684,24 +679,23 @@ trailer,133</programlisting>
<title>Rotating Audit Trail Files</title>
<para>Audit trails are written to only by the kernel, and
- managed only by the audit daemon,
- <application>auditd</application>. Administrators should not
- attempt to use &man.newsyslog.conf.5; or other tools to
- directly rotate audit logs. Instead, the
- <command>audit</command> management tool may be used to shut
- down auditing, reconfigure the audit system, and perform log
- rotation. The following command causes the audit daemon to
- create a new audit log and signal the kernel to switch to
- using the new log. The old log will be terminated and
- renamed, at which point it may then be manipulated by the
- administrator.</para>
+ managed only by the audit daemon, &man.auditd.8;.
+ Administrators should not attempt to use
+ &man.newsyslog.conf.5; or other tools to directly rotate
+ audit logs. Instead, the &man.audit.8; management tool may
+ be used to shut down auditing, reconfigure the audit system,
+ and perform log rotation. The following command causes the
+ audit daemon to create a new audit log and signal the kernel
+ to switch to using the new log. The old log will be
+ terminated and renamed, at which point it may then be
+ manipulated by the administrator.</para>
<screen>&prompt.root; <userinput>audit -n</userinput></screen>
<warning>
- <para>If the <application>auditd</application> daemon is not
- currently running, this command will fail and an error
- message will be produced.</para>
+ <para>If &man.auditd.8; is not currently running, this
+ command will fail and an error message will be
+ produced.</para>
</warning>
<para>Adding the following line to
@@ -710,11 +704,11 @@ trailer,133</programlisting>
<programlisting>0 */12 * * * root /usr/sbin/audit -n</programlisting>
- <para>The change will take effect once you have saved the
- new <filename>/etc/crontab</filename>.</para>
+ <para>The change will take effect once you have saved the new
+ <filename>/etc/crontab</filename>.</para>
<para>Automatic rotation of the audit trail file based on file
- size is possible via the <option>filesz</option> option in
+ size is possible using <option>filesz</option> in
&man.audit.control.5;, and is described in the configuration
files section of this chapter.</para>
</sect2>
diff --git a/en_US.ISO8859-1/books/handbook/basics/chapter.xml b/en_US.ISO8859-1/books/handbook/basics/chapter.xml
index 3a5544e5ed..d9dd5a98eb 100644
--- a/en_US.ISO8859-1/books/handbook/basics/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/basics/chapter.xml
@@ -57,7 +57,7 @@
</listitem>
<listitem>
- <para>What a shell is, and how to change your default login
+ <para>What a shell is, and how to change the default login
environment.</para>
</listitem>
@@ -87,10 +87,10 @@
<para>&os; can be used in various ways. One of them is typing
commands to a text terminal. A lot of the flexibility and power
- of a &unix; operating system is readily available at your hands
- when using &os; this way. This section describes what
+ of a &unix; operating system is readily available when using
+ &os; this way. This section describes what
<quote>terminals</quote> and <quote>consoles</quote> are, and
- how you can use them in &os;.</para>
+ how to use them in &os;.</para>
<sect2 id="consoles-intro">
<title>The Console</title>
@@ -144,15 +144,16 @@ login:</screen>
<screen>login:</screen>
- <para>Type the username that was configured during <link
- linkend="bsdinstall-addusers">system installation</link> and
- press <keycap>Enter</keycap>. Then enter the password
- associated with the username and press <keycap>Enter</keycap>.
- The password is <emphasis>not echoed</emphasis> for security
+ <para>Type the username that was configured during system
+ installation, as described in <xref
+ linkend="bsdinstall-addusers"/>, and press
+ <keycap>Enter</keycap>. Then enter the password associated
+ with the username and press <keycap>Enter</keycap>. The
+ password is <emphasis>not echoed</emphasis> for security
reasons.</para>
- <para>Once the correct password is input, the message of
- the day (<acronym>MOTD</acronym>) will be displayed followed
+ <para>Once the correct password is input, the message of the
+ day (<acronym>MOTD</acronym>) will be displayed followed
by a command prompt (a <literal>#</literal>,
<literal>$</literal>, or <literal>%</literal> character). You
are now logged into the &os; console and ready to try the
@@ -165,8 +166,8 @@ login:</screen>
<para>&os; can be configured to provide many virtual consoles
for inputting commands. Each virtual console has its own
login prompt and output channel, and &os; takes care of
- properly redirecting keyboard input and monitor output as you
- switch between virtual consoles.</para>
+ properly redirecting keyboard input and monitor output as
+ switching occurs between virtual consoles.</para>
<para>Special key combinations have been reserved by &os; for
switching consoles.<footnote>
@@ -228,10 +229,10 @@ ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure</programlisting>
<title>Single User Mode Console</title>
<para>A detailed description of <quote>single user mode</quote>
- can be found <link linkend="boot-singleuser">here</link>.
- There is only one console when &os; is in single user mode as
- no other virtual consoles are available in this mode. The
- settings for single user mode are found in this section of
+ can be found in <xref linkend="boot-singleuser"/>. There is
+ only one console when &os; is in single user mode as no other
+ virtual consoles are available in this mode. The settings
+ for single user mode are found in this section of
<filename>/etc/ttys</filename>:</para>
<programlisting># name getty type status comments
@@ -249,11 +250,11 @@ console none unknown off secure</programlisting>
without prompting for a password.</para>
<para><emphasis>Be careful when changing this setting to
- <literal>insecure</literal></emphasis>. If you ever
- forget the <username>root</username> password, booting into
- single user mode is still possible, but may be difficult for
- someone who is not comfortable with the &os; booting
- process.</para>
+ <literal>insecure</literal></emphasis>. If the
+ <username>root</username> password is forgotten, booting
+ into single user mode is still possible, but may be
+ difficult for someone who is not comfortable with the &os;
+ booting process.</para>
</note>
</sect2>
@@ -301,6 +302,15 @@ console none unknown off secure</programlisting>
managing requests for hardware devices, peripherals, memory, and
CPU time fairly to each user.</para>
+ <para>Much more information about user accounts is in the chapter
+ about <link linkend="users">accounts</link>. It is important to
+ understand that each person (user) who uses the computer should be
+ given their own username and password. The system keeps track
+ of the people using the computer based on this username. Since
+ it is often the case that several people are working on the same
+ project &unix; also provides groups. Several users can be placed
+ in the same group.</para>
+
<para>Because the system is capable of supporting multiple users,
everything the system manages has a set of permissions governing
who can read, write, and execute the resource. These
@@ -382,7 +392,7 @@ console none unknown off secure</programlisting>
</tgroup>
</informaltable>
<indexterm>
- <primary><command>ls</command></primary>
+ <primary>&man.ls.1;</primary>
</indexterm>
<indexterm><primary>directories</primary></indexterm>
@@ -424,10 +434,10 @@ total 530
write, and execute permissions. The executable bit for a
directory has a slightly different meaning than that of files.
When a directory is marked executable, it means it is possible
- to change into that directory using
- <application>cd</application>. This also means that it is
- possible to access the files within that directory, subject to
- the permissions on the files themselves.</para>
+ to change into that directory using &man.cd.1;. This also
+ means that it is possible to access the files within that
+ directory, subject to the permissions on the files
+ themselves.</para>
<para>In order to perform a directory listing, the read permission
must be set on the directory. In order to delete a file that
@@ -588,10 +598,9 @@ total 530
<para>In addition to file permissions, &os; supports the use of
<quote>file flags</quote>. These flags add an additional
- level of security and control over files, but not
- directories. With file flags, even
- <username>root</username> can be prevented from removing or
- altering files.</para>
+ level of security and control over files, but not directories.
+ With file flags, even <username>root</username> can be
+ prevented from removing or altering files.</para>
<para>File flags are modified using &man.chflags.1;. For
example, to enable the system undeletable flag on the file
@@ -669,7 +678,7 @@ total 530
<para>Note that a <literal>s</literal> is now part of the
permission set designated for the file owner, replacing the
executable bit. This allows utilities which need elevated
- permissions, such as <command>passwd</command>.</para>
+ permissions, such as &man.passwd.1;.</para>
<note>
<para>The <literal>nosuid</literal> &man.mount.8; option will
@@ -680,10 +689,10 @@ total 530
</note>
<para>To view this in real time, open two terminals. On
- one, start the <command>passwd</command> process as a normal
- user. While it waits for a new password, check the process
+ one, type <command>passwd</command> as a normal user.
+ While it waits for a new password, check the process
table and look at the user information for
- <command>passwd</command>:</para>
+ &man.passwd.1;:</para>
<para>In terminal A:</para>
@@ -697,9 +706,9 @@ Old Password:</screen>
<screen>trhodes 5232 0.0 0.2 3420 1608 0 R+ 2:10AM 0:00.00 grep passwd
root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
- <para>As stated above, the <command>passwd</command> is run
- by a normal user, but is using the effective
- <acronym>UID</acronym> of <username>root</username>.</para>
+ <para>Although &man.passwd.1; is run as a normal user, it is
+ using the effective <acronym>UID</acronym> of
+ <username>root</username>.</para>
<para>The <literal>setgid</literal> permission performs the
same function as the <literal>setuid</literal> permission;
@@ -709,8 +718,7 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
user who started the process.</para>
<para>To set the <literal>setgid</literal> permission on a
- file, provide <command>chmod</command> with a leading two
- (2):</para>
+ file, provide &man.chmod.1; with a leading two (2):</para>
<screen>&prompt.root; <userinput>chmod 2755 sgidexample.sh</userinput></screen>
@@ -855,8 +863,7 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<row>
<entry><filename
class="directory">/etc/namedb/</filename></entry>
- <entry><command>named</command> configuration files.
- Refer to &man.named.8; for details.</entry>
+ <entry>&man.named.8; configuration files.</entry>
</row>
<row>
@@ -870,8 +877,7 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<row>
<entry><filename
class="directory">/etc/ppp/</filename></entry>
- <entry><command>ppp</command> configuration files as
- described in &man.ppp.8;.</entry>
+ <entry>&man.ppp.8; configuration files.</entry>
</row>
<row>
@@ -967,26 +973,26 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<entry><filename
class="directory">/usr/local/</filename></entry>
<entry>Local executables and libraries. Also used as
- the default destination for the &os; ports
- framework. Within
- <filename class="directory">/usr/local</filename>, the
+ the default destination for the &os; ports framework.
+ Within <filename
+ class="directory">/usr/local</filename>, the
general layout sketched out by &man.hier.7; for
<filename class="directory">/usr</filename> should be
used. Exceptions are the man directory, which is
- directly under
- <filename class="directory">/usr/local</filename>
- rather than under
- <filename class="directory">/usr/local/share</filename>,
- and the ports documentation is in
- <filename class="directory">share/doc/<replaceable>port</replaceable></filename>.</entry>
+ directly under <filename
+ class="directory">/usr/local</filename>
+ rather than under <filename
+ class="directory">/usr/local/share</filename>,
+ and the ports documentation is in <filename
+ class="directory">share/doc/<replaceable>port</replaceable></filename>.</entry>
</row>
<row>
<entry><filename
class="directory">/usr/obj/</filename></entry>
<entry>Architecture-specific target tree produced by
- building the
- <filename class="directory">/usr/src</filename>
+ building the <filename
+ class="directory">/usr/src</filename>
tree.</entry>
</row>
@@ -1051,8 +1057,8 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<entry><filename
class="directory">/var/tmp/</filename></entry>
<entry>Temporary files which are usually preserved
- across a system reboot, unless
- <filename class="directory">/var</filename> is a
+ across a system reboot, unless <filename
+ class="directory">/var</filename> is a
memory-based file system.</entry>
</row>
@@ -1078,47 +1084,45 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<para>Files are stored in directories. A directory may contain no
files, or it may contain many hundreds of files. A directory
- can also contain other directories, allowing you to build up a
- hierarchy of directories within one another in order to organize
+ can also contain other directories, allowing a hierarchy of
+ directories within one another in order to organize
data.</para>
<para>Files and directories are referenced by giving the file or
directory name, followed by a forward slash,
<literal>/</literal>, followed by any other directory names that
- are necessary. For example, if the directory
- <filename class="directory">foo</filename> contains a directory
+ are necessary. For example, if the directory <filename
+ class="directory">foo</filename> contains a directory
<filename class="directory">bar</filename> which contains the
file <filename>readme.txt</filename>, the full name, or
<firstterm>path</firstterm>, to the file is
<filename>foo/bar/readme.txt</filename>. Note that this is
- different from &windows; which uses
- <literal>\</literal> to separate file and directory
- names. &os; does not use drive letters, or other drive names in
- the path. For example, you would not type
- <filename>c:/foo/bar/readme.txt</filename> on &os;.</para>
+ different from &windows; which uses <literal>\</literal> to
+ separate file and directory names. &os; does not use drive
+ letters, or other drive names in the path. For example, one
+ would not type <filename>c:/foo/bar/readme.txt</filename> on
+ &os;.</para>
<para>Directories and files are stored in a file system. Each
file system contains exactly one directory at the very top
level, called the <firstterm>root directory</firstterm> for that
- file system. This root directory can contain other
- directories. One file system is designated the
- <firstterm>root file system</firstterm> or <literal>/</literal>.
- Every other file system is <firstterm>mounted</firstterm> under
- the root file system. No matter how many disks you have on your
- &os; system, every directory appears to be part of the same
- disk.</para>
+ file system. This root directory can contain other directories.
+ One file system is designated the <firstterm>root file
+ system</firstterm> or <literal>/</literal>. Every other file
+ system is <firstterm>mounted</firstterm> under the root file
+ system. No matter how many disks are on the &os; system, every
+ directory appears to be part of the same disk.</para>
- <para>Suppose you have three file systems, called
- <literal>A</literal>, <literal>B</literal>, and
- <literal>C</literal>. Each file system has one root directory,
- which contains two other directories, called
- <literal>A1</literal>, <literal>A2</literal> (and likewise
- <literal>B1</literal>, <literal>B2</literal> and
+ <para>Consider three file systems, called <literal>A</literal>,
+ <literal>B</literal>, and <literal>C</literal>. Each file
+ system has one root directory, which contains two other
+ directories, called <literal>A1</literal>, <literal>A2</literal>
+ (and likewise <literal>B1</literal>, <literal>B2</literal> and
<literal>C1</literal>, <literal>C2</literal>).</para>
- <para>Call <literal>A</literal> the root file system. If you used
- <command>ls</command> to view the contents of this directory you
- would see two subdirectories, <literal>A1</literal> and
+ <para>Call <literal>A</literal> the root file system. If
+ &man.ls.1; is used to view the contents of this directory,
+ it will show two subdirectories, <literal>A1</literal> and
<literal>A2</literal>. The directory tree looks like
this:</para>
@@ -1137,11 +1141,11 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
</mediaobject>
<para>A file system must be mounted on to a directory in another
- file system. When mounting file system
- <literal>B</literal> on to the directory <literal>A1</literal>,
- the root directory of <literal>B</literal> replaces
- <literal>A1</literal>, and the directories in
- <literal>B</literal> appear accordingly:</para>
+ file system. When mounting file system <literal>B</literal>
+ on to the directory <literal>A1</literal>, the root directory
+ of <literal>B</literal> replaces <literal>A1</literal>, and
+ the directories in <literal>B</literal> appear
+ accordingly:</para>
<mediaobject>
<imageobject>
@@ -1163,10 +1167,9 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<para>Any files that are in the <literal>B1</literal> or
<literal>B2</literal> directories can be reached with the path
- <filename class="directory">/A1/B1</filename> or
- <filename class="directory">/A1/B2</filename> as
- necessary. Any files that were in
- <filename class="directory">/A1</filename> have
+ <filename class="directory">/A1/B1</filename> or <filename
+ class="directory">/A1/B2</filename> as necessary. Any files
+ that were in <filename class="directory">/A1</filename> have
been temporarily hidden. They will reappear if
<literal>B</literal> is <firstterm>unmounted</firstterm> from
<literal>A</literal>.</para>
@@ -1194,9 +1197,8 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
</mediaobject>
<para>and the paths would be
- <filename class="directory">/A2/B1</filename> and
- <filename class="directory">/A2/B2</filename>
- respectively.</para>
+ <filename class="directory">/A2/B1</filename> and <filename
+ class="directory">/A2/B2</filename> respectively.</para>
<para>File systems can be mounted on top of one another.
Continuing the last example, the <literal>C</literal> file
@@ -1252,10 +1254,6 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
</textobject>
</mediaobject>
- <para>Typically you create file systems when installing &os;
- and decide where to mount them, and then never change them
- unless you add a new disk.</para>
-
<para>It is entirely possible to have one large root file system,
and not need to create any others. There are some drawbacks to
this approach, and one advantage.</para>
@@ -1268,9 +1266,9 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<firstterm>mount options</firstterm>. For example, the root
file system can be mounted read-only, making it impossible
for users to inadvertently delete or edit a critical file.
- Separating user-writable file systems, such as
- <filename class="directory">/home</filename>, from other
- file systems allows them to be mounted
+ Separating user-writable file systems, such as <filename
+ class="directory">/home</filename>, from other file
+ systems allows them to be mounted
<firstterm>nosuid</firstterm>. This option prevents the
<firstterm>suid</firstterm>/<firstterm>guid</firstterm> bits
on executables stored on the file system from taking effect,
@@ -1287,9 +1285,9 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
</listitem>
<listitem>
- <para>&os;'s file systems are very robust should you lose
- power. However, a power loss at a critical point could
- still damage the structure of the file system. By splitting
+ <para>&os;'s file systems are robust if power is lost.
+ However, a power loss at a critical point could still
+ damage the structure of the file system. By splitting
data over multiple file systems it is more likely that the
system will still come up, making it easier to restore from
backup as necessary.</para>
@@ -1365,8 +1363,9 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<entry>Normally the same size as the enclosing slice.
This allows utilities that need to work on the entire
slice, such as a bad block scanner, to work on the
- <literal>c</literal> partition. You would not normally
- create a file system on this partition.</entry>
+ <literal>c</literal> partition. A file system would not
+ normally be
+ created on this partition.</entry>
</row>
<row>
@@ -1393,7 +1392,7 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<literal>s</literal>, starting at 1. So
<quote>da0<emphasis>s1</emphasis></quote> is the first slice on
the first SCSI drive. There can only be four physical slices on
- a disk, but you can have logical slices inside physical slices
+ a disk, but there can be logical slices inside physical slices
of the appropriate type. These extended slices are numbered
starting at 5, so <quote>ad0<emphasis>s5</emphasis></quote> is
the first extended slice on the first IDE disk. These devices
@@ -1404,17 +1403,18 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<firstterm>partitions</firstterm>, which are represented as
letters from <literal>a</literal> to <literal>h</literal>. This
letter is appended to the device name, so
- <quote>da0<emphasis>a</emphasis></quote> is the <literal>a</literal> partition on
- the first <literal>da</literal> drive, which is <quote>dangerously
- dedicated</quote>. <quote>ad1s3<emphasis>e</emphasis></quote> is
- the fifth partition in the third slice of the second IDE disk
- drive.</para>
+ <quote>da0<emphasis>a</emphasis></quote> is the
+ <literal>a</literal> partition on the first
+ <literal>da</literal> drive, which is <quote>dangerously
+ dedicated</quote>. <quote>ad1s3<emphasis>e</emphasis></quote>
+ is the fifth partition in the third slice of the second IDE
+ disk drive.</para>
<para>Finally, each disk on the system is identified. A disk name
starts with a code that indicates the type of disk, and then a
number, indicating which disk it is. Unlike slices, disk
- numbering starts at 0. Common codes that you will see are
- listed in <xref linkend="basics-dev-codes"/>.</para>
+ numbering starts at 0. Common codes are listed in <xref
+ linkend="basics-dev-codes"/>.</para>
<para>When referring to a partition, include the disk name,
<literal>s</literal>, the slice number, and then the partition
@@ -1568,12 +1568,11 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<para>The file system is best visualized as a tree,
rooted, as it were, at <filename class="directory">/</filename>.
- <filename class="directory">/dev</filename>,
- <filename class="directory">/usr</filename>, and the
- other directories in the root directory are branches, which may
- have their own branches, such as
- <filename class="directory">/usr/local</filename>, and so
- on.</para>
+ <filename class="directory">/dev</filename>, <filename
+ class="directory">/usr</filename>, and the other directories
+ in the root directory are branches, which may have their own
+ branches, such as <filename
+ class="directory">/usr/local</filename>, and so on.</para>
<indexterm><primary>root file system</primary></indexterm>
<para>There are various reasons to house some of these
@@ -1583,14 +1582,13 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<filename class="directory">spool/</filename>, and various types
of temporary files, and as such, may get filled up. Filling up
the root file system is not a good idea, so splitting <filename
- class="directory">/var</filename> from
- <filename class="directory">/</filename> is often
- favorable.</para>
+ class="directory">/var</filename> from <filename
+ class="directory">/</filename> is often favorable.</para>
<para>Another common reason to contain certain directory trees on
other file systems is if they are to be housed on separate
- physical disks, or are separate virtual disks, such as
- <link linkend="network-nfs">Network File System</link> mounts,
+ physical disks, or are separate virtual disks, such as Network
+ File System mounts, described in <xref linkend="network-nfs"/>,
or CDROM drives.</para>
<sect2 id="disks-fstab">
@@ -1601,7 +1599,7 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<secondary>mounted with fstab</secondary>
</indexterm>
- <para>During the <link linkend="boot">boot process</link>,
+ <para>During the boot process (<xref linkend="boot"/>),
file systems listed in <filename>/etc/fstab</filename> are
automatically mounted except for the entries containing
<option>noauto</option>. This file contains entries in the
@@ -1641,8 +1639,8 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<term><literal>options</literal></term>
<listitem>
- <para>Either <option>rw</option> for read-write
- file systems, or <option>ro</option> for read-only file
+ <para>Either <option>rw</option> for read-write file
+ systems, or <option>ro</option> for read-only file
systems, followed by any other options that may be
needed. A common option is <option>noauto</option> for
file systems not normally mounted during the boot
@@ -1684,7 +1682,7 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
</sect2>
<sect2 id="disks-mount">
- <title>The <command>mount</command> Command</title>
+ <title>Using &man.mount.8;</title>
<indexterm>
<primary>file systems</primary>
@@ -1802,14 +1800,14 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
</sect2>
<sect2 id="disks-umount">
- <title>The <command>umount</command> Command</title>
+ <title>Using &man.umount.8;</title>
<indexterm>
<primary>file systems</primary>
<secondary>unmounting</secondary>
</indexterm>
- <para>To unmount a filesystem use &man.umount.8;. This command
+ <para>To unmount a file system use &man.umount.8;. This command
takes one parameter which can be a mountpoint, device name,
<option>-a</option> or <option>-A</option>.</para>
@@ -1836,27 +1834,27 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
processes that are run by &os;.</para>
<para>Each process is uniquely identified by a number called a
- <firstterm>process ID</firstterm>
- (<firstterm>PID</firstterm>). Similar to files, each process
- has one owner and group, and the owner and group permissions are
- used to determine which files and devices the process can open.
- Most processes also have a parent process that started them.
- For example, the shell is a process, and any command started in
- the shell is a process which has the shell as its parent
- process. The exception is a special process called
- &man.init.8; which is always the first process to start at boot
- time and which always has a PID of 1.</para>
+ <firstterm>process ID</firstterm> (<acronym>PID</acronym>).
+ Similar to files, each process has one owner and group, and
+ the owner and group permissions are used to determine which
+ files and devices the process can open. Most processes also
+ have a parent process that started them. For example, the
+ shell is a process, and any command started in the shell is a
+ process which has the shell as its parent process. The
+ exception is a special process called &man.init.8; which is
+ always the first process to start at boot time and which always
+ has a <acronym>PID</acronym> of 1.</para>
<para>To see the processes on the system, use &man.ps.1; and
&man.top.1;. To display a static list of the currently running
- processes, their PIDs, how much memory they are using, and the
- command they were started with, use <command>ps</command>. To
- display all the running processes and update the display every
- few seconds so that you can interactively see what the computer
- is doing, use <command>top</command>.</para>
+ processes, their <acronym>PID</acronym>s, how much memory they
+ are using, and the command they were started with, use
+ &man.ps.1;. To display all the running processes and update
+ the display every few seconds in order to interactively see
+ what the computer is doing, use &man.top.1;.</para>
- <para>By default, <command>ps</command> only shows the commands
- that are running and owned by the user. For example:</para>
+ <para>By default, &man.ps.1; only shows the commands that are
+ running and owned by the user. For example:</para>
<screen>&prompt.user; <userinput>ps</userinput>
PID TT STAT TIME COMMAND
@@ -1877,15 +1875,16 @@ root 5211 0.0 0.2 3620 1724 2 I+ 2:09AM 0:00.01 passwd</screen>
<para>The output from &man.ps.1; is organized into a number of
columns. The <literal>PID</literal> column displays the process
- ID. PIDs are assigned starting at 1, go up to 99999, then wrap
- around back to the beginning. However, a PID is not reassigned
- if it is already in use. The <literal>TT</literal> column shows
- the tty the program is running on and <literal>STAT</literal>
- shows the program's state. <literal>TIME</literal> is the
- amount of time the program has been running on the CPU. This is
- usually not the elapsed time since the program was started, as
- most programs spend a lot of time waiting for things to happen
- before they need to spend time on the CPU. Finally,
+ ID. <acronym>PID</acronym>s are assigned starting at 1, go up
+ to 99999, then wrap around back to the beginning. However, a
+ <acronym>PID</acronym> is not reassigned if it is already in
+ use. The <literal>TT</literal> column shows the tty the program
+ is running on and <literal>STAT</literal> shows the program's
+ state. <literal>TIME</literal> is the amount of time the
+ program has been running on the CPU. This is usually not the
+ elapsed time since the program was started, as most programs
+ spend a lot of time waiting for things to happen before they
+ need to spend time on the CPU. Finally,
<literal>COMMAND</literal> is the command that was used to start
the program.</para>
@@ -1920,25 +1919,25 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
...</screen>
<para>The output is split into two sections. The header (the
- first five lines) shows the PID of the last process to run, the
- system load averages (which are a measure of how busy the system
- is), the system uptime (time since the last reboot) and the
- current time. The other figures in the header relate to how
- many processes are running (47 in this case), how much memory
- and swap space has been used, and how much time the system is
- spending in different CPU states.</para>
+ first five lines) shows the <acronym>PID</acronym> of the last
+ process to run, the system load averages (which are a measure
+ of how busy the system is), the system uptime (time since the
+ last reboot) and the current time. The other figures in the
+ header relate to how many processes are running (47 in this
+ case), how much memory and swap space has been used, and how
+ much time the system is spending in different CPU states.</para>
<para>Below the header is a series of columns containing similar
- information to the output from &man.ps.1;, such as the PID,
- username, amount of CPU time, and the command that started the
- process. By default, &man.top.1; also displays the amount of
- memory space taken by the process. This is split into two
- columns: one for total size and one for resident size. Total
- size is how much memory the application has needed and the
- resident size is how much it is actually using at the moment.
- In this example, <application>mutt</application> has
- required almost 8 MB of RAM, but is currently only using
- 5 MB.</para>
+ information to the output from &man.ps.1;, such as the
+ <acronym>PID</acronym>, username, amount of CPU time, and the
+ command that started the process. By default, &man.top.1; also
+ displays the amount of memory space taken by the process.
+ This is split into two columns: one for total size and one for
+ resident size. Total size is how much memory the application
+ has needed and the resident size is how much it is actually
+ using at the moment. In this example,
+ <application>mutt</application> has required almost 8 MB
+ of RAM, but is currently only using 5 MB.</para>
<para>&man.top.1; automatically updates the display every two
seconds. A different interval can be specified with
@@ -1966,14 +1965,13 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<para>There is a convention to name programs that normally run as
daemons with a trailing <quote>d</quote>.
<application>BIND</application> is the Berkeley Internet Name
- Domain, but the actual program that executes is
- <command>named</command>. The <application>Apache</application>
- web server program is <command>httpd</command> and the
- line printer spooling daemon is <command>lpd</command>. This is
- only a naming convention. For example, the main mail daemon for
- the <application>Sendmail</application> application is
- <command>sendmail</command>, and not
- <command>maild</command>.</para>
+ Domain, but the actual program that executes is &man.named.8;.
+ The <application>Apache</application> web server program is
+ <command>httpd</command> and the line printer spooling daemon
+ is &man.lpd.8;. This is only a naming convention. For example,
+ the main mail daemon for the <application>Sendmail</application>
+ application is &man.sendmail.8;, and not
+ <literal>maild</literal>.</para>
<para>One way to communicate with a daemon, or any running
process, is to send a <firstterm>signal</firstterm> using
@@ -2035,15 +2033,15 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<title>Sending a Signal to a Process</title>
<para>This example shows how to send a signal to &man.inetd.8;.
- The <command>inetd</command> configuration file is
- <filename>/etc/inetd.conf</filename>, and
- <command>inetd</command> will re-read this configuration file
- when it is sent a <literal>SIGHUP</literal>.</para>
+ The &man.inetd.8; configuration file is
+ <filename>/etc/inetd.conf</filename>, and &man.inetd.8; will
+ re-read this configuration file when it is sent a
+ <literal>SIGHUP</literal>.</para>
<step>
- <para>Find the PID of the process you want to send the signal
- to using &man.pgrep.1;. In this example, the PID for
- &man.inetd.8; is 198:</para>
+ <para>Find the <acronym>PID</acronym> of the process to send
+ the signal to using &man.pgrep.1;. In this example, the
+ <acronym>PID</acronym> for &man.inetd.8; is 198:</para>
<screen>&prompt.user; <userinput>pgrep -l inetd</userinput>
198 inetd -wW</screen>
@@ -2060,12 +2058,13 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
&prompt.root; <userinput>/bin/kill -s HUP 198</userinput></screen>
<para>Like most &unix; commands, &man.kill.1; will not print
- any output if it is successful. If you send a signal to a
- process that you do not own, you will instead see
+ any output if it is successful. If a signal is sent to a
+ process not owned by that user, the message
<errorname>kill: <replaceable>PID</replaceable>: Operation
- not permitted</errorname>. Mistyping the PID will either
- send the signal to the wrong process, which could have
- negative results, or will send the signal to a PID that is
+ not permitted</errorname> will be displayed. Mistyping
+ the <acronym>PID</acronym> will either send the signal to
+ the wrong process, which could have negative results, or
+ will send the signal to a <acronym>PID</acronym> that is
not currently in use, resulting in the error
<errorname>kill: <replaceable>PID</replaceable>: No such
process</errorname>.</para>
@@ -2092,9 +2091,9 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<important>
<para>Killing a random process on the system can be a bad idea.
- In particular, &man.init.8;, PID 1, is special. Running
- <command>/bin/kill -s KILL 1</command> is a quick, and
- unrecommended, way to shutdown the system.
+ In particular, &man.init.8;, <acronym>PID</acronym> 1, is
+ special. Running <command>/bin/kill -s KILL 1</command> is
+ a quick, and unrecommended, way to shutdown the system.
<emphasis>Always</emphasis> double check the arguments to
&man.kill.1; <emphasis>before</emphasis> pressing
<keycap>Return</keycap>.</para>
@@ -2112,14 +2111,14 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
them. Many shells provide built in functions to help with
everyday tasks such as file management, file globbing, command
line editing, command macros, and environment variables. &os;
- comes with several shells, including <command>sh</command>, the
- Bourne Shell, and <command>tcsh</command>, the improved C-shell.
- Other shells are available from the &os; Ports Collection, such
- as <command>zsh</command> and <command>bash</command>.</para>
+ comes with several shells, including the Bourne shell
+ (&man.sh.1;) and the extended C shell (&man.tcsh.1;). Other
+ shells are available from the &os; Ports Collection, such as
+ <command>zsh</command> and <command>bash</command>.</para>
<para>The shell that is used is really a matter of taste. A C
programmer might feel more comfortable with a C-like shell such
- as <command>tcsh</command>. A Linux user might prefer
+ as &man.tcsh.1;. A &linux; user might prefer
<command>bash</command>. Each shell has unique properties that
may or may not work with a user's preferred working environment,
which is why there is a choice of which shell to use.</para>
@@ -2176,7 +2175,8 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<row>
<entry><envar>DISPLAY</envar></entry>
- <entry>Network name of the <application>Xorg</application>
+ <entry>Network name of the
+ <application>&xorg;</application>
display to connect to, if available.</entry>
</row>
@@ -2231,13 +2231,13 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<indexterm><primary>Bourne shells</primary></indexterm>
<para>How to set an environment variable differs between shells.
- In <command>tcsh</command> and <command>csh</command>, use
+ In &man.tcsh.1; and &man.csh.1;, use
<command>setenv</command> to set environment variables. In
- <command>sh</command> and <command>bash</command>, use
+ &man.sh.1; and <command>bash</command>, use
<command>export</command> to set the current environment
variables. This example sets the default <envar>EDITOR</envar>
to <filename>/usr/local/bin/emacs</filename> for the
- <command>tcsh</command> shell:</para>
+ &man.tcsh.1; shell:</para>
<screen>&prompt.user; <userinput>setenv EDITOR /usr/local/bin/emacs</userinput></screen>
@@ -2254,13 +2254,12 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<para>Shells treat special characters, known as meta-characters,
as special representations of data. The most common
- meta-character is <literal>*</literal>, which
- represents any number of characters in a filename.
- Meta-characters can be used to perform filename globbing. For
- example, <command>echo *</command> is equivalent to
- <command>ls</command> because the shell takes all the files that
- match <literal>*</literal> and <command>echo</command> lists
- them on the command line.</para>
+ meta-character is <literal>*</literal>, which represents any
+ number of characters in a filename. Meta-characters can be
+ used to perform filename globbing. For example, <command>echo
+ *</command> is equivalent to &man.ls.1; because the shell
+ takes all the files that match <literal>*</literal> and
+ &man.echo.1; lists them on the command line.</para>
<para>To prevent the shell from interpreting a special character,
escape it from the shell by starting it with a backslash
@@ -2276,9 +2275,8 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
to use <command>chsh</command>. Running this command will
open the editor that is configured in the
<envar>EDITOR</envar> environment variable, which by default
- is set to <command>vi</command>. Change
- the <quote>Shell:</quote> line to the full path of the
- new shell.</para>
+ is set to &man.vi.1;. Change the <quote>Shell:</quote> line
+ to the full path of the new shell.</para>
<para>Alternately, use <command>chsh -s</command> which will set
the specified shell without opening an editor. For example,
@@ -2289,15 +2287,15 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<note>
<para>The new shell <emphasis>must</emphasis> be present in
<filename>/etc/shells</filename>. If the shell was
- installed from the &os; <link linkend="ports">Ports
- Collection</link>, it should be automatically added to
- this file. If it is missing, add it using this
+ installed from the &os; Ports Collection as described in
+ <xref linkend="ports"/>, it should be automatically added
+ to this file. If it is missing, add it using this
command, replacing the path with the path of the
shell:</para>
<screen>&prompt.root; <userinput>echo <replaceable>/usr/local/bin/bash</replaceable> >> /etc/shells</userinput></screen>
- <para>Then rerun <command>chsh</command>.</para>
+ <para>Then rerun &man.chsh.1;.</para>
</note>
</sect2>
</sect1>
@@ -2318,12 +2316,12 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
</indexterm>
<indexterm>
<primary>editors</primary>
- <secondary><command>ee</command></secondary>
+ <secondary>&man.ee.1;</secondary>
</indexterm>
- <para>A simple editor to learn is <application>ee</application>,
- which stands for easy editor. To start this editor, type
- <command>ee <replaceable>filename</replaceable></command> where
+ <para>A simple editor to learn is &man.ee.1;, which stands for
+ easy editor. To start this editor, type <command>ee
+ <replaceable>filename</replaceable></command> where
<replaceable>filename</replaceable> is the name of the file to
be edited. Once inside the editor, all of the commands for
manipulating the editor's functions are listed at the top of the
@@ -2331,18 +2329,17 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<keycap>Ctrl</keycap>, so <literal>^e</literal> expands to
<keycombo
action="simul"><keycap>Ctrl</keycap><keycap>e</keycap></keycombo>.
- To leave <application>ee</application>, press
- <keycap>Esc</keycap>, then choose the <quote>leave
- editor</quote> option from the main menu. The editor will
- prompt you to save any changes if the file has been
+ To leave &man.ee.1;, press <keycap>Esc</keycap>, then choose
+ the <quote>leave editor</quote> option from the main menu.
+ The editor will prompt to save any changes if the file has been
modified.</para>
<indexterm>
- <primary><command>vi</command></primary>
+ <primary>&man.vi.1;</primary>
</indexterm>
<indexterm>
<primary>editors</primary>
- <secondary><command>vi</command></secondary>
+ <secondary>&man.vi.1;</secondary>
</indexterm>
<indexterm>
<primary><command>emacs</command></primary>
@@ -2352,10 +2349,9 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<secondary><command>emacs</command></secondary>
</indexterm>
- <para>&os; also comes with more powerful text editors such as
- <application>vi</application> as part of the base system.
- Other editors, like <filename
- role="package">editors/emacs</filename> and
+ <para>&os; also comes with more powerful text editors, such as
+ &man.vi.1;, as part of the base system. Other editors, like
+ <filename role="package">editors/emacs</filename> and
<filename role="package">editors/vim</filename>, are part of the
&os; Ports Collection. These editors offer more functionality
at the expense of being a more complicated to learn. Learning a
@@ -2366,8 +2362,7 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<para>Many applications which modify files or require typed input
will automatically open a text editor. To alter the default
editor used, set the <envar>EDITOR</envar> environment
- variable as described in the <link
- linkend="shells">shells</link> section.</para>
+ variable as described in <xref linkend="shells"/>.</para>
</sect1>
<sect1 id="basics-devices">
@@ -2393,8 +2388,23 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<sect1 id="binary-formats">
<title>Binary Formats</title>
- <para>To understand why &os; uses the &man.elf.5; format,the three
- currently <quote>dominant</quote> executable formats for &unix;
+ <para>Typically when a command is passed to the shell, the shell
+ will arrange for an executable file to be loaded into memory and
+ a new process is created. Executable files can either be a binary
+ file (usually created by the linker as part of compiling a program)
+ or a shell script (text file to be interpreted by a binary file,
+ like &man.sh.1; or &man.perl.1;). The &man.file.1; command can
+ usually determine what is inside a file.</para>
+
+ <para>Binary files need to have a well defined format for the system
+ to be able to use them properly. Part of the file will be the
+ executable machine code (the instructions that tell the CPU what
+ to do), part of it will be data space with pre-defined values,
+ part will be data space with no pre-defined values, etc. Through
+ time, different binary file formats have evolved.</para>
+
+ <para>To understand why &os; uses the &man.elf.5; format, the three
+ currently <quote>dominant</quote>, executable formats for &unix;
must be described:</para>
<itemizedlist>
@@ -2441,8 +2451,8 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
the &man.a.out.5; format, a technology tried and proven through
many generations of BSD releases, until the beginning of the 3.X
branch. Though it was possible to build and run native
- <acronym>ELF</acronym> binaries and kernels on a &os;
- system for some time before that, &os; initially resisted the
+ <acronym>ELF</acronym> binaries and kernels on a &os; system
+ for some time before that, &os; initially resisted the
<quote>push</quote> to switch to <acronym>ELF</acronym> as the
default format. Why? When Linux made its painful transition to
<acronym>ELF</acronym>, it was due to their inflexible
@@ -2502,9 +2512,8 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
programs rewrote them and added simpler support for building
cross compilers and plugging in different formats. Those who
wanted to build cross compilers targeting &os; were out of luck
- since the older sources that &os; had for
- <application>as</application> and <application>ld</application>
- were not up to the task. The new GNU tools chain
+ since the older sources that &os; had for &man.as.1; and
+ &man.ld.1; were not up to the task. The new GNU tools chain
(<application>binutils</application>) supports cross
compiling, <acronym>ELF</acronym>, shared libraries, and C++
extensions. In addition, many vendors release
@@ -2539,8 +2548,8 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<screen>&prompt.user; <userinput>man <replaceable>command</replaceable></userinput></screen>
<para>where <replaceable>command</replaceable> is the name of
- the command you wish to learn about. For example, to learn
- more about <command>ls</command>, type:</para>
+ the command to learn about. For example, to learn more about
+ &man.ls.1;, type:</para>
<screen>&prompt.user; <userinput>man ls</userinput></screen>
@@ -2587,21 +2596,19 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
<para>In some cases, the same topic may appear in more than one
section of the online manual. For example, there is a
- <command>chmod</command> user command and a
- <function>chmod()</function> system call. To tell
- <command>man</command> which section to display, specify the
- section number:</para>
+ &man.chmod.1; user command and a
+ <function>chmod()</function> system call. To tell &man.man.1;
+ which section to display, specify the section number:</para>
<screen>&prompt.user; <userinput>man 1 chmod</userinput></screen>
<para>This will display the manual page for the user command
- <command>chmod</command>. References to a particular section
- of the online manual are traditionally placed in parenthesis
- in written documentation, so &man.chmod.1; refers to the
- <command>chmod</command> user command and &man.chmod.2; refers
- to the system call.</para>
+ &man.chmod.1;. References to a particular section of the
+ online manual are traditionally placed in parenthesis in
+ written documentation, so &man.chmod.1; refers to the user
+ command and &man.chmod.2; refers to the system call.</para>
- <para>If you do not know the command name, use <command>man
+ <para>If the command name is unknown, use <command>man
-k</command> to search for keywords in the command
descriptions:</para>
@@ -2611,8 +2618,8 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
keyword <quote>mail</quote> in their descriptions. This is
equivalent to using &man.apropos.1;.</para>
- <para>To determine what the commands in
- <filename class="directory">/usr/bin</filename> do,
+ <para>To determine what the commands in <filename
+ class="directory">/usr/bin</filename> do,
type:</para>
<screen>&prompt.user; <userinput>cd /usr/bin</userinput>
@@ -2636,7 +2643,7 @@ Swap: 256M Total, 38M Used, 217M Free, 15% Inuse
by the Free Software Foundation (FSF). In addition to manual
pages, these programs may include hypertext documents called
<literal>info</literal> files. These can be viewed using
- <command>info</command> or, if <filename
+ &man.info.1; or, if <filename
role="package">editors/emacs</filename> is installed, the
info mode of <application>emacs</application>.</para>
diff --git a/en_US.ISO8859-1/books/handbook/boot/chapter.xml b/en_US.ISO8859-1/books/handbook/boot/chapter.xml
index 2f4f619f34..c13bec3bbb 100644
--- a/en_US.ISO8859-1/books/handbook/boot/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/boot/chapter.xml
@@ -16,9 +16,9 @@
<para>The process of starting a computer and loading the operating
system is referred to as <quote>the bootstrap process</quote>,
- or simply <quote>booting</quote>. &os;'s boot process
- provides a great deal of flexibility in customizing what happens
- when the system starts, including the ability to select from
+ or simply <quote>booting</quote>. &os;'s boot process provides
+ a great deal of flexibility in customizing what happens when
+ the system starts, including the ability to select from
different operating systems installed on the same computer,
different versions of the same operating system, or a different
installed kernel.</para>
@@ -73,47 +73,54 @@
to the mechanism used to load the operating system, which has
become shortened to <quote>booting</quote>.</para>
- <indexterm><primary>BIOS</primary></indexterm>
+ <indexterm><primary><acronym>BIOS</acronym></primary></indexterm>
<indexterm>
<primary>Basic Input/Output System</primary>
- <see>BIOS</see>
+ <see><acronym>BIOS</acronym></see>
</indexterm>
- <para>On x86 hardware the Basic Input/Output System (BIOS) is
- responsible for loading the operating system. To do this, the
- BIOS looks on the hard disk for the Master Boot Record (MBR),
- which must be located on a specific place on the disk. The BIOS
- has enough knowledge to load and run the MBR, and assumes that
- the MBR can then carry out the rest of the tasks involved in
- loading the operating system, possibly with the help of the
- BIOS.</para>
+ <para>On x86 hardware the Basic Input/Output System
+ (<acronym>BIOS</acronym>) is responsible for loading the
+ operating system. To do this, the <acronym>BIOS</acronym>
+ looks on the hard disk for the Master Boot Record
+ (<acronym>MBR</acronym>), which must be located in a specific
+ place on the disk. The <acronym>BIOS</acronym> has enough
+ knowledge to load and run the <acronym>MBR</acronym>, and
+ assumes that the <acronym>MBR</acronym> can then carry out the
+ rest of the tasks involved in loading the operating system,
+ possibly with the help of the <acronym>BIOS</acronym>.</para>
- <indexterm><primary>Master Boot Record (MBR)</primary></indexterm>
+ <indexterm><primary>Master Boot Record
+ <acronym>MBR</acronym>)</primary></indexterm>
<indexterm><primary>Boot Manager</primary></indexterm>
<indexterm><primary>Boot Loader</primary></indexterm>
- <para>The code within the MBR is usually referred to as a
- <emphasis>boot manager</emphasis>, especially when it interacts
- with the user. In this case the boot manager usually has more
- code in the first <emphasis>track</emphasis> of the disk or
- within some OS's file system. (A boot manager is sometimes also
- called a <emphasis>boot loader</emphasis>, but &os; uses that
- term for a later stage of booting.) Popular boot managers
- include <application>boot0</application> (aka
+ <para>The code within the <acronym>MBR</acronym> is usually
+ referred to as a <emphasis>boot manager</emphasis>, especially
+ when it interacts with the user. In this case, the boot
+ manager usually has more code in the first
+ <emphasis>track</emphasis> of the disk or within the file
+ system of some operating systems. A boot manager is sometimes
+ also called a <emphasis>boot loader</emphasis>, but &os; uses
+ that term for a later stage of booting. Popular boot managers
+ include <application>boot0</application>, also called
<application>Boot Easy</application>, the standard &os; boot
- manager), <application>Grub</application>,
+ manager, <application>Grub</application>,
<application>GAG</application>, and
- <application>LILO</application>. (Only
- <application>boot0</application> fits within the MBR.)</para>
+ <application>LILO</application>. Only
+ <application>boot0</application> fits within the
+ <acronym>MBR</acronym>.</para>
- <para>If only one operating system is installed, a standard PC MBR
- will suffice. This MBR searches for the first bootable (active)
+ <para>If only one operating system is installed, a standard PC
+ <acronym>MBR</acronym> will suffice. This
+ <acronym>MBR</acronym> searches for the first bootable (active)
slice on the disk, and then runs the code on that slice to load
- the remainder of the operating system. By default, the MBR
- installed by &man.fdisk.8; is such an MBR and is based on
+ the remainder of the operating system. By default, the
+ <acronym>MBR</acronym> installed by &man.fdisk.8; is such an
+ <acronym>MBR</acronym> and is based on
<filename>/boot/mbr</filename>.</para>
<para>If multiple operating systems are present, a different boot
@@ -122,18 +129,18 @@
boot managers are discussed in the next subsection.</para>
<para>The remainder of the &os; bootstrap system is divided
- into three stages. The first stage is run by the MBR, which
- knows just enough to get the computer into a specific state and
- run the second stage. The second stage can do a little bit
- more, before running the third stage. The third stage finishes
- the task of loading the operating system. The work is split
- into three stages because PC standards put limits on the size of
- the programs that can be run at stages one and two. Chaining
- the tasks together allows &os; to provide a more flexible
- loader.</para>
+ into three stages. The first stage is run by the
+ <acronym>MBR</acronym>, which knows just enough to get the
+ computer into a specific state and run the second stage. The
+ second stage can do a little bit more, before running the
+ third stage. The third stage finishes the task of loading the
+ operating system. The work is split into three stages because
+ PC standards put limits on the size of the programs that can
+ be run at stages one and two. Chaining the tasks together
+ allows &os; to provide a more flexible loader.</para>
<indexterm><primary>kernel</primary></indexterm>
- <indexterm><primary><command>init</command></primary></indexterm>
+ <indexterm><primary>&man.init.8;</primary></indexterm>
<para>The kernel is then started and it begins to probe for
devices and initialize them for use. Once the kernel boot
@@ -154,11 +161,11 @@
<title>The Boot Manager</title>
<indexterm><primary>Master Boot Record
- (MBR)</primary></indexterm>
+ (<acronym>MBR</acronym>)</primary></indexterm>
- <para>The code in the MBR or boot manager is sometimes referred
- to as <emphasis>stage zero</emphasis> of the boot process.
- This section discusses two boot managers:
+ <para>The code in the <acronym>MBR</acronym> or boot manager is
+ sometimes referred to as <emphasis>stage zero</emphasis> of
+ the boot process. This section discusses two boot managers:
<application>boot0</application> and
<application>LILO</application>.</para>
@@ -166,12 +173,12 @@
<title>The <application>boot0</application> Boot
Manager:</title>
- <para>The MBR installed by &os;'s installer or
- &man.boot0cfg.8; is based on
+ <para>The <acronym>MBR</acronym> installed by &os;'s installer
+ or &man.boot0cfg.8; is based on
<filename>/boot/boot0</filename>. The size and capability
of <application>boot0</application> is restricted to 446
bytes due to the slice table and <literal>0x55AA</literal>
- identifier at the end of the MBR. If
+ identifier at the end of the <acronym>MBR</acronym>. If
<application>boot0</application> and multiple operating
systems are installed, a message similar to this example
will be displayed at boot time:</para>
@@ -187,18 +194,22 @@ Default: F2</screen>
</example>
<para>Other operating systems, in particular &windows;, will
- overwrite an existing MBR if they are installed after &os;.
- If this happens, or you want to replace the existing MBR
- with the &os; MBR, use the following command:</para>
+ overwrite an existing <acronym>MBR</acronym> if they are
+ installed after &os;. If this happens, or to replace the
+ existing <acronym>MBR</acronym> with the &os;
+ <acronym>MBR</acronym>, use the following command:</para>
<screen>&prompt.root; <userinput>fdisk -B -b /boot/boot0 <replaceable>device</replaceable></userinput></screen>
<para>where <replaceable>device</replaceable> is the boot disk,
- such as <devicename>ad0</devicename> for the first IDE disk,
- <devicename>ad2</devicename> for the first IDE disk on a
- second IDE controller, or <devicename>da0</devicename>
- for the first SCSI disk. To create a custom configuration of
- the MBR, refer to &man.boot0cfg.8;.</para>
+ such as <devicename>ad0</devicename> for the first
+ <acronym>IDE</acronym> disk, <devicename>ad2</devicename>
+ for the first <acronym>IDE</acronym> disk on a second
+ <acronym>IDE</acronym> controller, or
+ <devicename>da0</devicename>
+ for the first <acronym>SCSI</acronym> disk. To create a
+ custom configuration of the <acronym>MBR</acronym>, refer to
+ &man.boot0cfg.8;.</para>
<formalpara>
<title>The LILO Boot Manager:</title>
@@ -235,11 +246,11 @@ label=FreeBSD</programlisting>
constraints, they have been split into two, but are always
installed together. They are copied from the combined
<filename>/boot/boot</filename> by the installer or
- <application>bsdlabel</application>.</para>
+ &man.bsdlabel.8;.</para>
<para>They are located outside file systems, in the first track
of the boot slice, starting with the first sector. This is
- where <link linkend="boot-boot0">boot0</link>, or any other
+ where boot0 (<xref linkend="boot-boot0"/>), or any other
boot manager, expects to find a program to run which will
continue the boot process. The number of sectors used is
easily determined from the size of
@@ -256,9 +267,9 @@ label=FreeBSD</programlisting>
can provide a simple interface to choose the kernel or loader
to run.</para>
- <para><link linkend="boot-loader">loader</link> is much more
- sophisticated and provides a boot configuration which is run
- by <filename>boot2</filename>.</para>
+ <para>However, &man.loader.8; is much more sophisticated and
+ provides a boot configuration which is run by
+ <filename>boot2</filename>.</para>
<example id="boot-boot2-example">
<title><filename>boot2</filename> Screenshot</title>
@@ -276,7 +287,8 @@ boot:</screen>
<para>where <replaceable>diskslice</replaceable> is the disk and
slice to boot from, such as <devicename>ad0s1</devicename>
- for the first slice on the first IDE disk.</para>
+ for the first slice on the first <acronym>IDE</acronym>
+ disk.</para>
<warning>
<title>Dangerously Dedicated Mode</title>
@@ -557,10 +569,10 @@ boot:</screen>
first is the default legacy virtual console command line
environment. After the system finishes booting, a console
login prompt is presented. The second environment is the
- graphical environment provided by
- <link linkend="x11">Xorg</link>. Refer to that chapter for
- more information on how to install and configure a graphical
- display manager and a graphical login manager.</para>
+ graphical environment as described in <xref linkend="x11"/>.
+ Refer to that chapter for more information on how to install
+ and configure a graphical display manager and a graphical
+ login manager.</para>
<sect4 id="boot-splash-function">
<title>Splash Screen Function</title>
@@ -574,8 +586,8 @@ boot:</screen>
<para>To use larger images, up to the maximum resolution of
1024 by 768 pixels, load the <acronym>VESA</acronym>
- module during system boot. For a <ulink
- url="kernelconfig">custom kernel</ulink>, include the
+ module during system boot. For a custom kernel, as
+ described in <xref linkend="kernelconfig"/>, include the
<literal>VESA</literal> kernel configuration option.
Loading <acronym>VESA</acronym> support provides the
ability to display a splash screen image that fills the
@@ -666,8 +678,8 @@ bitmap_name="<replaceable>/boot/splash.bin</replaceable>"</programlisting>
or
<filename><replaceable>bluewave</replaceable>.pcx</filename>.</para>
- <para>Other interesting
- <filename>loader.conf</filename> options include:</para>
+ <para>Other interesting <filename>loader.conf</filename>
+ options include:</para>
<variablelist>
<varlistentry>
@@ -710,10 +722,10 @@ bitmap_name="<replaceable>/boot/splash.bin</replaceable>"</programlisting>
<secondary>boot interaction</secondary>
</indexterm>
- <para>Once the kernel is loaded by either the default <link
- linkend="boot-loader">loader</link> or by <link
- linkend="boot-boot1">boot2</link> which bypasses the loader,
- it examines its boot flags, if any, and adjusts its behavior as
+ <para>Once the kernel is loaded by either the default loader
+ (<xref linkend="boot-loader"/>) or by boot2 (<xref
+ linkend="boot-boot1"/>), which bypasses the loader, it
+ examines any boot flags and adjusts its behavior as
necessary.</para>
<sect2 id="boot-kernel-bootflags">
@@ -807,8 +819,9 @@ bitmap_name="<replaceable>/boot/splash.bin</replaceable>"</programlisting>
<quote>device hints</quote>. These <quote>device hints</quote>
are used by device drivers for device configuration.</para>
- <para>Device hints may also be specified at the <link
- linkend="boot-loader"> Stage 3 boot loader</link> prompt.
+ <para>Device hints may also be specified at the Stage 3 boot
+ loader prompt, as demonstrated in <xref
+ linkend="boot-loader"/>.
Variables can be added using <command>set</command>, removed
with <command>unset</command>, and viewed
<command>show</command>. Variables set in
@@ -882,7 +895,7 @@ bitmap_name="<replaceable>/boot/splash.bin</replaceable>"</programlisting>
<title>Init: Process Control Initialization</title>
<indexterm>
- <primary><command>init</command></primary>
+ <primary>&man.init.8;</primary>
</indexterm>
<para>Once the kernel has finished booting, it passes control to
@@ -897,10 +910,9 @@ bitmap_name="<replaceable>/boot/splash.bin</replaceable>"</programlisting>
<para>The automatic reboot sequence makes sure that the file
systems available on the system are consistent. If they are
not, and &man.fsck.8; cannot fix the inconsistencies of a UFS
- file system, &man.init.8; drops the system into
- <link linkend="boot-singleuser">single-user mode</link> so
- that the system administrator can resolve the problem
- directly.</para>
+ file system, &man.init.8; drops the system into single-user
+ mode (<xref linkend="boot-singleuser"/>) so that the system
+ administrator can resolve the problem directly.</para>
</sect2>
<sect2 id="boot-singleuser">
@@ -909,14 +921,13 @@ bitmap_name="<replaceable>/boot/splash.bin</replaceable>"</programlisting>
<indexterm><primary>single-user mode</primary></indexterm>
<indexterm><primary>console</primary></indexterm>
- <para>This mode can be reached through the <link
- linkend="boot-autoreboot">automatic reboot sequence</link>,
- the user booting with <option>-s</option>, or by setting
- the <envar>boot_single</envar> variable in
- <command>loader</command>.</para>
+ <para>This mode can be reached through the automatic reboot
+ sequence (<xref linkend="boot-autoreboot"/>), the user booting
+ with <option>-s</option>, or by setting the <envar>boot_
+ single</envar> variable in &man.loader.8;.</para>
<para>It can also be reached by calling &man.shutdown.8; from
- <link linkend="boot-multiuser">multi-user mode</link> without
+ multi-user mode (<xref linkend="boot-multiuser"/>) without
including <option>-r</option> or <option>-h</option>.</para>
<para>If the system <literal>console</literal> is set to
@@ -952,13 +963,13 @@ console none unknown off insecure</programlisting>
<indexterm><primary>multi-user mode</primary></indexterm>
<para>If &man.init.8; finds the file systems to be in order, or
- once the user has finished their commands in <link
- linkend="boot-singleuser">single-user mode</link>, the
- system enters multi-user mode, in which it starts the
- resource configuration of the system.</para>
+ once the user has finished their commands in single-user
+ mode (<xref linkend="boot-singleuser"/>), the system enters
+ multi-user mode, in which it starts the resource configuration
+ of the system.</para>
<sect3 id="boot-rc">
- <title>Resource Configuration (rc)</title>
+ <title>Resource Configuration</title>
<indexterm><primary>rc files</primary></indexterm>
@@ -983,7 +994,7 @@ console none unknown off insecure</programlisting>
<title>Shutdown Sequence</title>
<indexterm>
- <primary><command>shutdown</command></primary>
+ <primary>&man.shutdown.8;</primary>
</indexterm>
<para>Upon controlled shutdown using &man.shutdown.8;,
@@ -997,8 +1008,8 @@ console none unknown off insecure</programlisting>
that support power management, use <command>shutdown -p
now</command> to turn the power off immediately. To reboot a
&os; system, use <command>shutdown -r now</command>. One must
- be <username>root</username> or a member of the
- <groupname>operator</groupname> group in order to run
+ be <username>root</username> or a member of
+ <groupname>operator</groupname> in order to run
&man.shutdown.8;. One can also use &man.halt.8; and
&man.reboot.8;. Refer to their manual pages and to
&man.shutdown.8; for more information.</para>
diff --git a/en_US.ISO8859-1/books/handbook/config/chapter.xml b/en_US.ISO8859-1/books/handbook/config/chapter.xml
index fba2a7c58b..1653f20602 100644
--- a/en_US.ISO8859-1/books/handbook/config/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/config/chapter.xml
@@ -68,13 +68,12 @@
</listitem>
<listitem>
- <para>How to use the various configuration files in
- <filename class="directory">/etc</filename>.</para>
+ <para>How to use the various configuration files in <filename
+ class="directory">/etc</filename>.</para>
</listitem>
<listitem>
- <para>How to tune &os; using <command>sysctl</command>
- variables.</para>
+ <para>How to tune &os; using &man.sysctl.8; variables.</para>
</listitem>
<listitem>
@@ -120,38 +119,38 @@
<para>When laying out file systems with &man.bsdlabel.8; or
&man.sysinstall.8;, remember that hard drives transfer data
- faster from the outer tracks to the inner. Thus smaller and
- heavier-accessed file systems should be closer to the
+ faster from the outer tracks to the inner. Thus, smaller
+ and heavier-accessed file systems should be closer to the
outside of the drive, while larger partitions like
<filename class="directory">/usr</filename> should be placed
toward the inner parts of the disk. It is a good idea to
- create partitions in an order similar to: root, swap,
- <filename class="directory">/var</filename>,
+ create partitions in an order similar to: <filename
+ class="directory">/</filename>, swap,
+ <filename class="directory">/var</filename>, and
<filename class="directory">/usr</filename>.</para>
<para>The size of the
<filename class="directory">/var</filename> partition
reflects the intended machine's usage. This partition
- <filename class="directory">/var</filename> is used to hold
- mailboxes, log files, and printer spools. Mailboxes and log
- files can grow to unexpected sizes depending on how many
- users exist and how long log files are kept. Most users
- rarely need more than about a gigabyte of free disk space in
- <filename class="directory">/var</filename>.</para>
+ is used to hold mailboxes, log files, and printer spools.
+ Mailboxes and log files can grow to unexpected sizes
+ depending on the number of users and how long log files
+ are kept. On average, most users rarely need more than
+ about a gigabyte of free disk space in <filename
+ class="directory">/var</filename>.</para>
<note>
- <para>There are a few times that a lot of disk space is
- required in
- <filename class="directory">/var/tmp</filename>. When new
- software is installed with &man.pkg.add.1; the packaging
- tools extract a temporary copy of the packages under
- <filename class="directory">/var/tmp</filename>. Large
- software packages, like
+ <para>Sometimes, a lot of disk space is required in
+ <filename class="directory">/var/tmp</filename>. When
+ new software is installed with &man.pkg.add.1;, the
+ packaging tools extract a temporary copy of the packages
+ under <filename class="directory">/var/tmp</filename>.
+ Large software packages, like
<application>Firefox</application>,
<application>OpenOffice</application> or
<application>LibreOffice</application> may be tricky to
- install if there is not enough disk space under
- <filename class="directory">/var/tmp</filename>.</para>
+ install if there is not enough disk space under <filename
+ class="directory">/var/tmp</filename>.</para>
</note>
<para>The <filename class="directory">/usr</filename>
@@ -161,16 +160,14 @@
partition.</para>
<para>When selecting partition sizes, keep the space
- requirements in mind. Running out of space in
- one partition while barely using another can be a
- hassle.</para>
+ requirements in mind. Running out of space in one partition
+ while barely using another can be a hassle.</para>
<note>
- <para>Some users have found that &man.sysinstall.8;'s
- <literal>Auto-defaults</literal> partition sizer will
- sometimes select smaller than adequate
- <filename class="directory">/var</filename> and
- <filename class="directory">/</filename> partitions.
+ <para>The <literal>Auto-defaults</literal> partition sizer
+ used by &man.sysinstall.8; will sometimes select smaller
+ than adequate <filename class="directory">/var</filename>
+ and <filename class="directory">/</filename> partitions.
Partition wisely and generously.</para>
</note>
</sect3>
@@ -182,25 +179,28 @@
<indexterm><primary>swap partition</primary></indexterm>
<para>As a rule of thumb, the swap partition should be about
- double the size of physical memory (RAM) as the kernel's
- virtual memory (VM) paging algorithms are tuned to perform
- best when the swap partition is at least two times
- the size of main memory. Systems with minimal RAM may
- perform better with more swap. Configuring too little swap
- can lead to inefficiencies in the VM page scanning code and
- might create issues later if more memory is added.</para>
+ double the size of physical memory (<acronym>RAM</acronym>)
+ as the kernel's virtual memory (<acronym>VM</acronym>)
+ paging algorithms are tuned to perform best when the swap
+ partition is at least two times the size of main memory.
+ Systems with minimal <acronym>RAM</acronym> may perform
+ better with more swap. Configuring too little swap can
+ lead to inefficiencies in the <acronym>VM</acronym> page
+ scanning code and might create issues later if more memory
+ is added.</para>
- <para>On larger systems with multiple SCSI disks or multiple
- IDE disks operating on different controllers, it is
- recommended that swap be configured on each drive (up to
- four drives). The swap partitions should be approximately
- the same size. The kernel can handle arbitrary sizes but
- internal data structures scale to 4 times the largest swap
- partition. Keeping the swap partitions near the same size
- will allow the kernel to optimally stripe swap space across
- disks. Large swap sizes are fine, even if swap is not used
- much. It might be easier to recover from a runaway program
- before being forced to reboot.</para>
+ <para>On larger systems with multiple <acronym>SCSI</acronym>
+ disks or multiple <acronym>IDE</acronym> disks operating
+ on different controllers, it is recommended that swap be
+ configured on each drive, up to four drives. The swap
+ partitions should be approximately the same size. The
+ kernel can handle arbitrary sizes but internal data
+ structures scale to 4 times the largest swap partition.
+ Keeping the swap partitions near the same size will allow
+ the kernel to optimally stripe swap space across disks.
+ Large swap sizes are fine, even if swap is not used much.
+ It might be easier to recover from a runaway program before
+ being forced to reboot.</para>
</sect3>
<sect3>
@@ -210,24 +210,24 @@
fine, but there are several reasons why this is a bad idea.
First, each partition has different operational
characteristics and separating them allows the file system
- to tune accordingly. For example, the root and
- <filename class="directory">/usr</filename> partitions are
+ to tune accordingly. For example, the root and <filename
+ class="directory">/usr</filename> partitions are
read-mostly, with few writes, while a lot of reads and
- writes could occur in
- <filename class="directory">/var</filename> and
- <filename class="directory">/var/tmp</filename>.</para>
+ writes could occur in <filename
+ class="directory">/var</filename> and <filename
+ class="directory">/var/tmp</filename>.</para>
<para>By properly partitioning a system, fragmentation
introduced in the smaller write heavy partitions will not
- bleed over into the mostly-read partitions. Keeping the
- write-loaded partitions closer to the disk's edge, will
+ bleed over into the mostly read partitions. Keeping the
+ write loaded partitions closer to the disk's edge will
increase I/O performance in the partitions where it occurs
- the most. Now while I/O performance in the larger
- partitions may be needed, shifting them more toward the edge
- of the disk will not lead to a significant performance
- improvement over moving
- <filename class="directory">/var</filename> to the edge.
- Finally, there are safety concerns. A smaller, neater root
+ the most. While I/O performance in the larger partitions
+ may be needed, shifting them more toward the edge of the
+ disk will not lead to a significant performance
+ improvement over moving <filename
+ class="directory">/var</filename> to the edge. Finally,
+ there are safety concerns. A smaller, neater root
partition which is mostly read-only has a greater chance of
surviving a bad crash.</para>
</sect3>
@@ -243,8 +243,8 @@
</indexterm>
<para>The principal location for system configuration information
- is <filename>/etc/rc.conf</filename>. This file contains
- a wide range of configuration information and it is read at
+ is <filename>/etc/rc.conf</filename>. This file contains a
+ wide range of configuration information and it is read at
system startup to configure the system. It provides the
configuration information for the <filename>rc*</filename>
files.</para>
@@ -261,8 +261,7 @@
system-specific configuration in order to keep administration
overhead down. The recommended approach is to place
system-specific configuration into
- <filename>/etc/rc.conf.local</filename>. For
- example:</para>
+ <filename>/etc/rc.conf.local</filename>. For example:</para>
<itemizedlist>
<listitem>
@@ -283,21 +282,20 @@ ifconfig_fxp0="inet 10.1.1.1/8"</programlisting>
</listitem>
</itemizedlist>
- <para><filename>rc.conf</filename> can then be
- distributed to every system using <command>rsync</command> or a
- similar program, while <filename>rc.conf.local</filename>
- remains unique.</para>
+ <para>Distribute <filename>/etc/rc.conf</filename> to every
+ system using <command>rsync</command> or a similar program,
+ while <filename>/etc/rc.conf.local</filename> remains
+ unique.</para>
<para>Upgrading the system using &man.sysinstall.8; or
<command>make world</command> will not overwrite
- <filename>rc.conf</filename>, so system configuration
+ <filename>/etc/rc.conf</filename>, so system configuration
information will not be lost.</para>
<tip>
- <para>The <filename>/etc/rc.conf</filename> configuration file
+ <para>The configuration in <filename>/etc/rc.conf</filename>
is parsed by &man.sh.1;. This allows system operators to
- add a certain amount of logic to this file, which may help to
- create very complex configuration scenarios. Refer to
+ create complex configuration scenarios. Refer to
&man.rc.conf.5; for further information on this topic.</para>
</tip>
</sect1>
@@ -313,17 +311,17 @@ ifconfig_fxp0="inet 10.1.1.1/8"</programlisting>
<indexterm><primary>/usr/local/etc</primary></indexterm>
- <para>Typically, these files are installed in
- <filename class="directory">/usr/local/etc</filename>. In the
- case where an application has a large number of configuration
+ <para>Typically, these files are installed in <filename
+ class="directory">/usr/local/etc</filename>. In the case
+ where an application has a large number of configuration
files, a subdirectory will be created to hold them.</para>
<para>Normally, when a port or package is installed, sample
configuration files are also installed. These are usually
- identified with a <filename>.default</filename> suffix. If
- there are no existing configuration files for the application,
- they will be created by copying the
- <filename>.default</filename> files.</para>
+ identified with a suffix such as <filename>.sample</filename>.
+ If there are no existing configuration files for the
+ application, they can be created by copying the sample
+ files.</para>
<para>For example, consider the contents of the directory
<filename
@@ -340,10 +338,10 @@ ifconfig_fxp0="inet 10.1.1.1/8"</programlisting>
-rw-r--r-- 1 root wheel 7980 May 20 1998 srm.conf
-rw-r--r-- 1 root wheel 7933 May 20 1998 srm.conf.default</literallayout>
- <para>The file sizes show that only
- <filename>srm.conf</filename> has been changed. A later
- update of the <application>Apache</application> port would not
- overwrite this changed file.</para>
+ <para>The file sizes show that only <filename>srm.conf</filename>
+ has been changed. A later update of the
+ <application>Apache</application> port would not overwrite
+ this changed file.</para>
</sect1>
<sect1 id="configtuning-starting-services">
@@ -363,10 +361,10 @@ ifconfig_fxp0="inet 10.1.1.1/8"</programlisting>
<para>Many users install third party software on &os; from the
Ports Collection and require the installed services to be
- started upon system initialization. Services,
- such as <filename role="package">mail/postfix</filename> or
- <filename role="package">www/apache22</filename> are just two of
- the many software packages which may be started during system
+ started upon system initialization. Services, such as
+ <filename role="package">mail/postfix</filename> or
+ <filename role="package">www/apache22</filename> are just two
+ of the many software packages which may be started during system
initialization. This section explains the procedures available
for starting third party software.</para>
@@ -378,13 +376,12 @@ ifconfig_fxp0="inet 10.1.1.1/8"</programlisting>
<para>Now that &os; includes <filename>rc.d</filename>,
configuration of application startup is easier and provides
- more features. Using the key words discussed in the
- <link linkend="configtuning-rcd">rc.d</link> section,
- applications can be set to start after certain other services
- and extra flags can be passed through
- <filename>/etc/rc.conf</filename> in place of hard coded flags
- in the start up script. A basic script may look similar to
- the following:</para>
+ more features. Using the key words discussed in <xref
+ linkend="configtuning-rcd"/>, applications can be set to
+ start after certain other services and extra flags can be
+ passed through <filename>/etc/rc.conf</filename> in place of
+ hard coded flags in the start up script. A basic script may
+ look similar to the following:</para>
<programlisting>#!/bin/sh
#
@@ -411,48 +408,42 @@ pidfile=${utility_pidfile-"/var/run/utility.pid"}
run_rc_command "$1"</programlisting>
<para>This script will ensure that the provided
- <application>utility</application> will be started after the
+ <literal>utility</literal> will be started after the
<literal>DAEMON</literal> pseudo-service. It also provides a
- method for setting and tracking the <acronym>PID</acronym>, or
- process <acronym>ID</acronym> file.</para>
+ method for setting and tracking the process ID
+ (<acronym>PID</acronym>).</para>
<para>This application could then have the following line placed
in <filename>/etc/rc.conf</filename>:</para>
<programlisting>utility_enable="YES"</programlisting>
- <para>This method also allows for easier manipulation of the
- command line arguments, inclusion of the default functions
- provided in <filename>/etc/rc.subr</filename>, compatibility
- with the &man.rcorder.8; utility and provides for easier
- configuration via <filename>rc.conf</filename>.</para>
+ <para>This method allows for easier manipulation of command
+ line arguments, inclusion of the default functions provided
+ in <filename>/etc/rc.subr</filename>, compatibility with
+ &man.rcorder.8;, and provides for easier configuration via
+ <filename>rc.conf</filename>.</para>
</sect2>
<sect2>
<title>Using Services to Start Services</title>
- <para>Other services, such as the <acronym>POP</acronym>3 server
- daemons or <acronym>IMAP</acronym>, could be started using
- &man.inetd.8;. This involves installing the service utility
- from the Ports Collection with a configuration line added to
- <filename>/etc/inetd.conf</filename>, or by
- uncommenting one of the current configuration lines. Working
- with <application>inetd</application> and its configuration is
- described in depth in the
- <link linkend="network-inetd">inetd</link> section.</para>
+ <para>Other services can be started using &man.inetd.8;.
+ Working with &man.inetd.8; and its configuration is
+ described in depth in
+ <xref linkend="network-inetd"/>.</para>
- <para>In some cases it may make more sense to use the
- &man.cron.8; daemon to start system services. This approach
- has a number of advantages because <command>cron</command>
- runs these processes as the <filename>crontab</filename>'s
- file owner. This allows regular users to start and maintain
- some applications.</para>
+ <para>In some cases, it may make more sense to use
+ &man.cron.8; to start system services. This approach
+ has a number of advantages as &man.cron.8; runs these
+ processes as the owner of the &man.crontab.5;. This allows
+ regular users to start and maintain their own
+ applications.</para>
- <para>The <command>cron</command> utility provides a unique
- feature, <literal>@reboot</literal>, which may be used in
- place of the time specification. This will cause the job to
- be run when &man.cron.8; is started, normally during system
- initialization.</para>
+ <para>The <literal>@reboot</literal> feature of &man.cron.8;,
+ may be used in place of the time specification. This causes
+ the job to run when &man.cron.8; is started, normally during
+ system initialization.</para>
</sect2>
</sect1>
@@ -467,7 +458,7 @@ run_rc_command "$1"</programlisting>
</author>
</authorgroup>
</sect1info>
- <title>Configuring the <command>cron</command> Utility</title>
+ <title>Configuring &man.cron.8;</title>
<indexterm><primary>cron</primary>
<secondary>configuration</secondary></indexterm>
@@ -475,20 +466,20 @@ run_rc_command "$1"</programlisting>
<para>One of the most useful utilities in &os; is &man.cron.8;.
This utility runs in the background and regularly checks
<filename>/etc/crontab</filename> for tasks to execute and
- searches
- <filename class="directory">/var/cron/tabs</filename> for custom
- <filename>crontab</filename> files. These files store
- information about specific functions which
- <command>cron</command> is supposed to perform at certain
- times.</para>
+ searches <filename class="directory">/var/cron/tabs</filename>
+ for custom &man.crontab.5; files. These files store
+ information about specific functions which &man.cron.8; is
+ supposed to perform at certain times.</para>
- <para>The <command>cron</command> utility uses two different types
- of configuration files, the system crontab and user crontabs.
- These formats only differ in the sixth field and later. In the
- system crontab, <command>cron</command> will run the command as
- the user specified in the sixth field. In a user crontab, all
- commands run as the user who created the crontab, so the sixth
- field is the last field; this is an important security feature.
+ <para>Two different types of configuration files are used by
+ &man.cron.8;: the system <filename>crontab</filename> and user
+ <filename>crontab</filename>s. These formats only differ in
+ the sixth field and later. In the system
+ <filename>crontab</filename>, &man.cron.8; runs the command as
+ the user specified in the sixth field. In a user
+ <filename>crontab</filename>, all commands run as the user who
+ created the <filename>crontab</filename>, so the sixth field
+ is the last field; this is an important security feature.
The final field is always the command to run.</para>
<note>
@@ -497,31 +488,30 @@ run_rc_command "$1"</programlisting>
Commands in a user's crontab run with the permissions of the
user who owns the crontab.</para>
- <para>The <username>root</username> user can have a user crontab
- just like any other user. The <username>root</username> user
- crontab is separate from <filename>/etc/crontab</filename>
- (the system crontab). Because the system crontab effectively
- invokes the specified commands as root there is usually no
- need to create a user crontab for
+ <para>The <username>root</username> user can have a user
+ <filename>crontab</filename> just like any other user. The
+ <username>root</username> user <filename>crontab</filename>
+ is separate from the system <filename>crontab</filename>,
+ <filename>/etc/crontab</filename>. Because the system
+ <filename>crontab</filename> invokes the specified commands as
+ <username>root</username>, there is usually no need to create
+ a user <filename>crontab</filename> for
<username>root</username>.</para>
</note>
- <para>Let us take a look at <filename>/etc/crontab</filename>,
- the system crontab:</para>
+ <para>Here is a sample entry from
+ <filename>/etc/crontab</filename>:</para>
- <programlisting># /etc/crontab - root's crontab for &os;
+ <programlisting># /etc/crontab - root's crontab for FreeBSD
#
-# $&os;: src/etc/crontab,v 1.32 2002/11/22 16:13:39 tom Exp $
+# $FreeBSD$
# <co id="co-comments"/>
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin <co id="co-env"/>
-HOME=/var/log
-#
#
#minute hour mday month wday who command <co id="co-field-descr"/>
#
-#
*/5 * * * * root /usr/libexec/atrun <co id="co-main"/></programlisting>
<calloutlist>
@@ -536,52 +526,46 @@ HOME=/var/log
</callout>
<callout arearefs="co-env">
- <para>First, the environment must be defined. The equals
- (<literal>=</literal>) character is used to define any
- environment settings, as with this example where it is used
- for the <envar>SHELL</envar>, <envar>PATH</envar>, and
- <envar>HOME</envar> options. If the shell line is omitted,
- <command>cron</command> will use the default, which is
- <command>sh</command>. If the <envar>PATH</envar> variable
- is omitted, no default will be used and file locations will
- need to be absolute. If <envar>HOME</envar> is omitted,
- <command>cron</command> will use the invoking users home
- directory.</para>
+ <para>The equals (<literal>=</literal>) character is used to
+ define any environment settings. In this example, it is
+ used to define the <envar>SHELL</envar> and
+ <envar>PATH</envar>. If the <envar>SHELL</envar> is
+ omitted, &man.cron.8; will use the default of &man.sh.1;.
+ If the <envar>PATH</envar> is omitted, no default will be
+ used and file locations will need to be absolute.</para>
</callout>
<callout arearefs="co-field-descr">
- <para>This line defines a total of seven fields. Listed here
- are the values <literal>minute</literal>,
+ <para>This line defines a total of seven fields:
+ <literal>minute</literal>,
<literal>hour</literal>, <literal>mday</literal>,
<literal>month</literal>, <literal>wday</literal>,
<literal>who</literal>, and <literal>command</literal>.
These are almost all self explanatory.
- <literal>minute</literal> is the time in minutes the command
- will be run. <literal>hour</literal> is similar to the
- <literal>minute</literal> option, just in hours.
- <literal>mday</literal> stands for day of the month.
- <literal>month</literal> is similar to
- <literal>hour</literal> and <literal>minute</literal>, as it
- designates the month. The <literal>wday</literal> option
- stands for day of the week. All these fields must be
- numeric values, and follow the twenty-four hour clock. The
- <literal>who</literal> field is special, and only exists in
- <filename>/etc/crontab</filename>. This field specifies
- which user the command should be run as. The last field is
- the command to be executed.</para>
+ <literal>minute</literal> is the time in minutes when the
+ specified command will be run. <literal>hour</literal> is
+ the hour when the specified command will be run.
+ <literal>mday</literal> stands for day of the month and
+ <literal>month</literal> designates the month. The
+ <literal>wday</literal> option stands for day of the week.
+ These fields must be numeric values, representing the
+ twenty-four hour clock, or a <literal>*</literal>,
+ representing all values for that field. The
+ <literal>who</literal> field only exists in the system
+ crontab. This field specifies which user the command
+ should be run as. The last field is the command to be
+ executed.</para>
</callout>
<callout arearefs="co-main">
- <para>This last line will define the values discussed above.
+ <para>This last line defines the values discussed above.
This example has a <literal>*/5</literal> listing,followed
by several more <literal>*</literal> characters. These
<literal>*</literal> characters mean
<quote>first-last</quote>, and can be interpreted as
<emphasis>every</emphasis> time. In this example,
- <command>atrun</command> is invoked by
- <username>root</username> every five minutes regardless of
- the day or month. For more information on
- <command>atrun</command>, refer to &man.atrun.8;.</para>
+ &man.atrun.8; is invoked by <username>root</username>
+ every five minutes, regardless of the day or month.</para>
<para>Commands can have any number of flags passed to them;
however, commands which extend to multiple lines need to be
@@ -590,50 +574,47 @@ HOME=/var/log
</callout>
</calloutlist>
- <para>This is the basic setup for every
- <filename>crontab</filename>, although there is one thing
- different about this one. Field number six, which specifies
- the username, only exists in the system
- <filename>crontab</filename>. This field should be omitted for
- individual user <filename>crontab</filename> files.</para>
+ <para>This is the basic setup for every &man.crontab.5;.
+ However, field number six, which specifies the username, only
+ exists in the system &man.crontab.5;. This field should be
+ omitted for individual user &man.crontab.5; files.</para>
<sect2 id="configtuning-installcrontab">
<title>Installing a Crontab</title>
<important>
<para>Do not use the procedure described here to edit and
- install the system crontab,
+ install the system <filename>crontab</filename>,
<filename>/etc/crontab</filename>. Instead, use an
- editor: <command>cron</command> will notice that the file
- has changed and immediately begin using the updated version.
+ editor and &man.cron.8; will notice that the file has
+ changed and immediately begin using the updated version.
See <ulink
url="&url.books.faq;/admin.html#root-not-found-cron-errors">
this FAQ entry</ulink> for more information.</para>
</important>
- <para>To install a freshly written user
- <filename>crontab</filename>, first use an editor to create
- and save a file in the proper format. Then, specify the file
- name with <command>crontab</command>:</para>
+ <para>To install a freshly written user &man.crontab.5;, use
+ an editor to create and save a file in the proper format.
+ Then, specify the file name with &man.crontab.1;:</para>
<screen>&prompt.user; <userinput>crontab crontab-file</userinput></screen>
<para>In this example, <filename>crontab-file</filename> is the
- filename of a <filename>crontab</filename> that was previously
+ filename of a &man.crontab.5; that was previously
created.</para>
- <para>To list installed <filename>crontab</filename> files, pass
- <option>-l</option> to <command>crontab</command>.</para>
+ <para>To list installed &man.crontab.5; files, pass
+ <option>-l</option> to &man.crontab.1;.</para>
- <para>For users who wish to begin their own crontab file from
- scratch, without the use of a template, the
- <command>crontab -e</command> option is available. This will
- invoke the selected editor with an empty file. When the file
- is saved, it will be automatically installed by
- <command>crontab</command>.</para>
+ <para>Users who wish to begin their own
+ <filename>crontab</filename> file from scratch, without the
+ use of a template, can use <command>crontab -e</command>. This
+ will invoke the default editor with an empty file. When this
+ file is saved, it will be automatically installed by
+ &man.crontab.1;.</para>
- <para>In order to remove a user <filename>crontab</filename>
- completely, use <command>crontab -r</command>.</para>
+ <para>In order to remove a user &man.crontab.5; completely,
+ use <command>crontab -r</command>.</para>
</sect2>
</sect1>
@@ -651,105 +632,102 @@ HOME=/var/log
<title>Using &man.rc.8; Under &os;</title>
- <para>In 2002 &os; integrated the NetBSD <filename>rc.d</filename>
- system for system initialization. Users should notice the files
- listed in the <filename class="directory">/etc/rc.d</filename>
- directory. Many of these files are for basic services which can
- be controlled with the <option>start</option>,
- <option>stop</option>, and <option>restart</option> options.
- For instance, &man.sshd.8; can be restarted with the following
- command:</para>
+ <para>In 2002, &os; integrated the NetBSD &man.rc.8; system for
+ system initialization. The files listed in <filename
+ class="directory">/etc/rc.d</filename> provide basic services
+ which can be controlled with the <option>start</option>,
+ <option>stop</option>, and <option>restart</option> options
+ to &man.service.8;. For instance, &man.sshd.8; can be restarted
+ with the following command:</para>
<screen>&prompt.root; <userinput>service sshd restart</userinput></screen>
- <para>This procedure is similar for other services. Of course,
- services are usually started automatically at boot time as
- specified in &man.rc.conf.5;. For example, enabling the Network
- Address Translation daemon at startup is as simple as adding the
- following line to <filename>/etc/rc.conf</filename>:</para>
+ <para>This procedure can be used to start services on a running
+ system. Services will be started automatically at boot time
+ as specified in &man.rc.conf.5;. For example, to enable
+ &man.natd.8; at system startup, add the following line to
+ <filename>/etc/rc.conf</filename>:</para>
<programlisting>natd_enable="YES"</programlisting>
<para>If a <option>natd_enable="NO"</option> line is already
- present, then simply change the <option>NO</option> to
- <option>YES</option>. The rc scripts will automatically load
- any other dependent services during the next reboot, as
- described below.</para>
+ present, change the <literal>NO</literal> to
+ <literal>YES</literal>. The &man.rc.8; scripts will
+ automatically load any dependent services during the next boot,
+ as described below.</para>
- <para>Since the <filename>rc.d</filename> system is primarily
- intended to start/stop services at system startup/shutdown time,
- the standard <option>start</option>, <option>stop</option> and
+ <para>Since the &man.rc.8; system is primarily intended to start
+ and stop services at system startup and shutdown time, the
+ <option>start</option>, <option>stop</option> and
<option>restart</option> options will only perform their action
- if the appropriate <filename>/etc/rc.conf</filename> variables
- are set. For instance, <command>sshd restart</command> will
+ if the appropriate <filename>/etc/rc.conf</filename> variable
+ is set. For instance, <command>sshd restart</command> will
only work if <varname>sshd_enable</varname> is set to
<option>YES</option> in <filename>/etc/rc.conf</filename>.
To <option>start</option>, <option>stop</option> or
- <option>restart</option> a service regardless of the settings in
- <filename>/etc/rc.conf</filename>, the commands should be
+ <option>restart</option> a service regardless of the settings
+ in <filename>/etc/rc.conf</filename>, these commands should be
prefixed with <quote>one</quote>. For instance, to restart
- <command>sshd</command> regardless of the current
+ &man.sshd.8; regardless of the current
<filename>/etc/rc.conf</filename> setting, execute the following
command:</para>
<screen>&prompt.root; <userinput>service sshd onerestart</userinput></screen>
- <para>It is easy to check if a service is enabled in
- <filename>/etc/rc.conf</filename> by running the appropriate
- <filename>rc.d</filename> script with the option
- <option>rcvar</option>. Thus, an administrator can check that
- <command>sshd</command> is in fact enabled in
- <filename>/etc/rc.conf</filename> by running:</para>
+ <para>To check if a service is enabled in
+ <filename>/etc/rc.conf</filename>, run the appropriate
+ &man.rc.8; script with <option>rcvar</option>. This example
+ checks to see if &man.sshd.8; is enabled in
+ <filename>/etc/rc.conf</filename>:</para>
<screen>&prompt.root; <userinput>service sshd rcvar</userinput>
# sshd
$sshd_enable=YES</screen>
<note>
- <para>The second line (<literal># sshd</literal>) is the output
- from <command>sshd</command>, not a
- <username>root</username> console.</para>
+ <para>The <literal># sshd</literal> line is output from the
+ above command, not a <username>root</username> console.</para>
</note>
<para>To determine whether or not a service is running, use
<option>status</option>. For instance, to verify that
- <command>sshd</command> is running:</para>
+ &man.sshd.8; is running:</para>
<screen>&prompt.root; <userinput>service sshd status</userinput>
sshd is running as pid 433.</screen>
- <para>In some cases it is also possible to <option>reload</option>
- a service. This will attempt to send a signal to an individual
- service, forcing the service to reload its configuration files.
- In most cases this means sending the service a
- <literal>SIGHUP</literal> signal. Support for this feature is
- not included for every service.</para>
+ <para>In some cases, it is also possible to
+ <option>reload</option> a service. This attempts to send a
+ signal to an individual service, forcing the service to reload
+ its configuration files. In most cases, this means sending
+ the service a <literal>SIGHUP</literal> signal. Support for
+ this feature is not included for every service.</para>
- <para>The <filename>rc.d</filename> system is not only used for
- network services, it also contributes to most of the system
- initialization. For instance, when the
- <filename>bgfsck</filename> script is executed, it will print
- out the following message:</para>
+ <para>The &man.rc.8; system is used for network services and it
+ also contributes to most of the system initialization. For
+ instance, when the
+ <filename>/etc/rc.d/bgfsck</filename> script is executed, it
+ prints out the following message:</para>
<screen>Starting background file system checks in 60 seconds.</screen>
- <para>Therefore this file is used for background file system
- checks, which are done only during system initialization.</para>
+ <para>This script is used for background file system checks,
+ which occur only during system initialization.</para>
<para>Many system services depend on other services to function
- properly. For example, NIS and other RPC-based services may
- fail to start until after the <command>rpcbind</command>
- (portmapper) service has started. To resolve this issue,
- information about dependencies and other meta-data is included
- in the comments at the top of each startup script. The
- &man.rcorder.8; program is then used to parse these comments
+ properly. For example, &man.yp.8; and other
+ <acronym>RPC</acronym>-based services may fail to start until
+ after the &man.rpcbind.8; service has started. To resolve this
+ issue, information about dependencies and other meta-data is
+ included in the comments at the top of each startup script.
+ The &man.rcorder.8; program is used to parse these comments
during system initialization to determine the order in which
system services should be invoked to satisfy the
dependencies.</para>
- <para>The following words must be included in all startup scripts
- (they are required by &man.rc.subr.8; to <quote>enable</quote>
- the startup script):</para>
+ <para>The following key word must be included in all startup
+ scripts as it is required by &man.rc.subr.8; to
+ <quote>enable</quote> the startup script:</para>
<itemizedlist>
<listitem>
@@ -758,34 +736,36 @@ sshd is running as pid 433.</screen>
</listitem>
</itemizedlist>
- <para>The following words may be included at the top of each
- startup file. They are not strictly necessary, but they are
+ <para>The following key words may be included at the top of each
+ startup script. They are not strictly necessary, but are
useful as hints to &man.rcorder.8;:</para>
<itemizedlist>
<listitem>
<para><literal>REQUIRE</literal>: Lists services which are
- required for this service. This file will run
- <emphasis>after</emphasis> the specified services.</para>
+ required for this service. The script containing this key
+ word will run <emphasis>after</emphasis> the specified
+ services.</para>
</listitem>
<listitem>
<para><literal>BEFORE</literal>: Lists services which depend
- on this service. This file will run
- <emphasis>before</emphasis> the specified services.</para>
+ on this service. The script containing this key word will
+ run <emphasis>before</emphasis> the specified
+ services.</para>
</listitem>
</itemizedlist>
<para>By carefully setting these keywords for each startup script,
- an administrator has a very fine-grained level of control of the
- startup order of the scripts, without the hassle of
- <quote>runlevels</quote> like some other &unix; operating
+ an administrator has a fine-grained level of control of the
+ startup order of the scripts, without the need for
+ <quote>runlevels</quote> used by some &unix; operating
systems.</para>
- <para>Additional information about the <filename>rc.d</filename>
- system can be found in &man.rc.8; and &man.rc.subr.8;. Refer to
- <ulink url="&url.articles.rc-scripting;">this article</ulink> for
- instructions on how to create custom <filename>rc.d</filename>
+ <para>Additional information can be found in &man.rc.8; and
+ &man.rc.subr.8;. Refer to <ulink
+ url="&url.articles.rc-scripting;">this article</ulink> for
+ instructions on how to create custom &man.rc.8;
scripts.</para>
</sect1>
@@ -808,8 +788,9 @@ sshd is running as pid 433.</screen>
<secondary>configuration</secondary>
</indexterm>
- <para>Adding and configuring a network card is a common task for
- any &os; administrator.</para>
+ <para>Adding and configuring a network interface card
+ (<acronym>NIC</acronym>) is a common task for any &os;
+ administrator.</para>
<sect2>
<title>Locating the Correct Driver</title>
@@ -819,24 +800,27 @@ sshd is running as pid 433.</screen>
<secondary>driver</secondary>
</indexterm>
- <para>First, determine the model of the network interface card
- and the chip it uses. &os; supports a wide variety of network
- interface cards. Check the Hardware Compatibility List for
- the &os; release to see if the card is supported.</para>
+ <para>First, determine the model of the <acronym>NIC</acronym>
+ and the chip it uses. &os; supports a wide variety of
+ <acronym>NIC</acronym>s. Check the Hardware Compatibility
+ List for the &os; release to see if the <acronym>NIC</acronym>
+ is supported.</para>
- <para>If the card is supported, determine the name of the &os;
- driver for the card. Refer to
- <filename>/usr/src/sys/conf/NOTES</filename> and
+ <para>If the <acronym>NIC</acronym> is supported, determine
+ the name of the &os; driver for the <acronym>NIC</acronym>.
+ Refer to <filename>/usr/src/sys/conf/NOTES</filename> and
<filename>/usr/src/sys/<replaceable>arch</replaceable>/conf/NOTES</filename>
- for the list of network interface drivers with some
+ for the list of <acronym>NIC</acronym> drivers with some
information about the supported chipsets. When in doubt, read
the manual page of the driver as it will provide more
information about the supported hardware and any known
limitations of the driver.</para>
- <para>The drivers for common network cards are already present
- in the <filename>GENERIC</filename> kernel, meaning the card
- should show up during boot, as in this example:</para>
+ <para>The drivers for common <acronym>NIC</acronym>s are
+ already present in the <filename>GENERIC</filename> kernel,
+ meaning the <acronym>NIC</acronym> should show up during boot.
+ In this example, two <acronym>NIC</acronym>s using the
+ &man.dc.4; driver are present on the system:</para>
<screen>dc0: <82c169 PNIC 10/100BaseTX> port 0xa000-0xa0ff mem 0xd3800000-0xd38
000ff irq 15 at device 11.0 on pci0
@@ -853,52 +837,49 @@ bmtphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc1: Ethernet address: 00:a0:cc:da:da:db
dc1: [ITHREAD]</screen>
- <para>In this example, two cards using the &man.dc.4; driver are
- present on the system.</para>
-
- <para>If the driver for the interface is not present in
- <filename>GENERIC</filename>, but a driver is available, the
- driver will need to be loaded before the interface can be
- configured and used. This may be accomplished in one of two
- ways:</para>
+ <para>If the driver for the <acronym>NIC</acronym> is not
+ present in <filename>GENERIC</filename>, but a driver is
+ available, the driver will need to be loaded before the
+ <acronym>NIC</acronym> can be configured and used. This may
+ be accomplished in one of two ways:</para>
<itemizedlist>
<listitem>
<para>The easiest way is to load a kernel module for the
- network card with &man.kldload.8;. To also automatically
- load the driver at boot time, add the appropriate line to
- <filename>/boot/loader.conf</filename>. Not all NIC
- drivers are available as modules; notable examples of
- devices for which modules do not exist are ISA
- cards.</para>
+ <acronym>NIC</acronym> using &man.kldload.8;. To also
+ automatically load the driver at boot time, add the
+ appropriate line to
+ <filename>/boot/loader.conf</filename>. Not all
+ <acronym>NIC</acronym> drivers are available as
+ modules.</para>
</listitem>
<listitem>
- <para>Alternatively, statically compile support for the card
- into a custom kernel. Refer to
+ <para>Alternatively, statically compile support for the
+ <acronym>NIC</acronym> into a custom kernel. Refer to
<filename>/usr/src/sys/conf/NOTES</filename>,
<filename>/usr/src/sys/<replaceable>arch</replaceable>/conf/NOTES</filename>
and the manual page of the driver to determine which line
to add to the custom kernel configuration file. For more
- information about recompiling the kernel, refer to
- <xref linkend="kernelconfig"/>. If the card was detected
- at boot, the kernel does not need to be recompiled.</para>
+ information about recompiling the kernel, refer to <xref
+ linkend="kernelconfig"/>. If the
+ <acronym>NIC</acronym> was detected at boot, the kernel
+ does not need to be recompiled.</para>
</listitem>
</itemizedlist>
<sect3 id="config-network-ndis">
- <title>Using &windows; NDIS Drivers</title>
+ <title>Using &windows; <acronym>NDIS</acronym> Drivers</title>
- <indexterm><primary>NDIS</primary></indexterm>
+ <indexterm><primary><acronym>NDIS</acronym></primary></indexterm>
<indexterm><primary>NDISulator</primary></indexterm>
<indexterm><primary>&windows; drivers</primary></indexterm>
- <indexterm><primary>Microsoft Windows</primary></indexterm>
- <indexterm>
- <primary>Microsoft Windows</primary>
+ <indexterm><primary>µsoft.windows;</primary>
<secondary>device drivers</secondary>
</indexterm>
<indexterm>
- <primary>KLD (kernel loadable object)</primary>
+ <primary><acronym>KLD</acronym> (kernel loadable
+ object)</primary>
</indexterm>
<!-- We should probably omit the expanded name, and add a <see> entry
for it. Whatever is done must also be done to the same indexterm in
@@ -908,45 +889,44 @@ linuxemu/chapter.xml -->
provide schematics for their drivers to the open source
community because they regard such information as trade
secrets. Consequently, the developers of &os; and other
- operating systems are left two choices: develop the drivers
- by a long and pain-staking process of reverse engineering or
- using the existing driver binaries available for the
- µsoft.windows; platforms. Most developers, including
- those involved with &os;, have taken the latter
- approach.</para>
+ operating systems are left with two choices: develop the
+ drivers by a long and pain-staking process of reverse
+ engineering or using the existing driver binaries available
+ for µsoft.windows; platforms.</para>
- <para>Thanks to the contributions of Bill Paul (wpaul) there
- is <quote>native</quote> support for the Network Driver
- Interface Specification (NDIS). The &os; NDISulator
- (otherwise known as Project Evil) takes a &windows; driver
- binary and basically tricks it into thinking it is running
- on &windows;. Because the &man.ndis.4; driver is using a
- &windows; binary, it only runs on &i386; and amd64 systems.
- PCI, CardBus, PCMCIA (PC-Card), and USB devices are
- supported.</para>
+ <para>&os; provides <quote>native</quote> support for the
+ Network Driver Interface Specification
+ (<acronym>NDIS</acronym>). It includes &man.ndisgen.8;
+ which can be used to convert a &windowsxp; driver into a
+ format that can be used on &os;. Because the &man.ndis.4;
+ driver uses a &windowsxp; binary, it only runs on &i386;
+ and amd64 systems. <acronym>PCI</acronym>, CardBus,
+ <acronym>PCMCIA</acronym>, and <acronym>USB</acronym>
+ devices are supported.</para>
- <para>To use the NDISulator, three things are needed:</para>
+ <para>To use &man.ndisgen.8;, three things are needed:</para>
<orderedlist>
<listitem>
- <para>Kernel sources</para>
+ <para>&os; kernel sources.</para>
</listitem>
<listitem>
- <para>&windowsxp; driver binary
- (<filename>.SYS</filename> extension)</para>
+ <para>A &windowsxp; driver binary with a
+ <filename>.SYS</filename> extension.</para>
</listitem>
<listitem>
- <para>&windowsxp; driver configuration file
- (<filename>.INF</filename> extension)</para>
+ <para>A &windowsxp; driver configuration file with a
+ <filename>.INF</filename> extension.</para>
</listitem>
</orderedlist>
- <para>Locate the files for the specific card. Generally,
- they can be found on the included CDs or at the vendor's
- website. The following examples use
- <filename>W32DRIVER.SYS</filename> and
+ <para>Download the <filename>.SYS</filename> and
+ <filename>.INF</filename> files for the specific
+ <acronym>NIC</acronym>. Generally, these can be found on
+ the driver CD or at the vendor's website. The following
+ examples use <filename>W32DRIVER.SYS</filename> and
<filename>W32DRIVER.INF</filename>.</para>
<para>The driver bit width must match the version of &os;.
@@ -959,10 +939,10 @@ linuxemu/chapter.xml -->
<screen>&prompt.root; <userinput>ndisgen <replaceable>/path/to/W32DRIVER.INF</replaceable> <replaceable>/path/to/W32DRIVER.SYS</replaceable></userinput></screen>
- <para>&man.ndisgen.8; is interactive and prompts for any extra
- information it requires. A new kernel module is written in
- the current directory. Use &man.kldload.8; to load the new
- module:</para>
+ <para>This command is interactive and prompts for any extra
+ information it requires. A new kernel module will be
+ generated in the current directory. Use &man.kldload.8;
+ to load the new module:</para>
<screen>&prompt.root; <userinput>kldload <replaceable>./W32DRIVER_SYS.ko</replaceable></userinput></screen>
@@ -976,12 +956,12 @@ linuxemu/chapter.xml -->
<screen>&prompt.root; <userinput>kldload ndis</userinput>
&prompt.root; <userinput>kldload if_ndis</userinput></screen>
- <para>The first command loads the NDIS miniport driver
- wrapper, the second loads the actual network
- interface.</para>
+ <para>The first command loads the &man.ndis.4; miniport driver
+ wrapper and the second loads the generated
+ <acronym>NIC</acronym> driver.</para>
- <para>Now, check &man.dmesg.8; to see if there were any errors
- loading. If all went well, the output should be similar to
+ <para>Check &man.dmesg.8; to see if there were any load
+ errors. If all went well, the output should be similar to
the following:</para>
<screen>ndis0: <Wireless-G PCI Adapter> mem 0xf4100000-0xf4101fff irq 3 at device 8.0 on pci1
@@ -990,15 +970,14 @@ ndis0: Ethernet address: 0a:b1:2c:d3:4e:f5
ndis0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
ndis0: 11g rates: 6Mbps 9Mbps 12Mbps 18Mbps 36Mbps 48Mbps 54Mbps</screen>
- <para>From here you can treat the
- <devicename>ndis0</devicename> device like any other network
- interface (e.g., <devicename>dc0</devicename>).</para>
+ <para>From here, <devicename>ndis0</devicename> can be
+ configured like any other <acronym>NIC</acronym>.</para>
- <para>To configure the system to load the NDIS modules at
- boot time, copy the generated module,
- <filename>W32DRIVER_SYS.ko</filename>, to the <filename
- class="directory">/boot/modules</filename> directory. Then,
- add the following line to
+ <para>To configure the system to load the &man.ndis.4; modules
+ at boot time, copy the generated module,
+ <filename>W32DRIVER_SYS.ko</filename>, to <filename
+ class="directory">/boot/modules</filename>. Then, add the
+ following line to
<filename>/boot/loader.conf</filename>:</para>
<programlisting>W32DRIVER_SYS_load="YES"</programlisting>
@@ -1013,12 +992,12 @@ ndis0: 11g rates: 6Mbps 9Mbps 12Mbps 18Mbps 36Mbps 48Mbps 54Mbps</screen>
<secondary>configuration</secondary>
</indexterm>
- <para>Once the right driver is loaded for the network card, the
- card needs to be configured. As with many other things, the
- network card may have been configured at installation time by
- <application>sysinstall</application>.</para>
+ <para>Once the right driver is loaded for the
+ <acronym>NIC</acronym>, the card needs to be configured. It
+ may have been configured at installation time by
+ &man.sysinstall.8;.</para>
- <para>To display the configuration for the network interfaces,
+ <para>To display the <acronym>NIC</acronym> configuration,
enter the following command:</para>
<screen>&prompt.user; <userinput>ifconfig</userinput>
@@ -1047,28 +1026,29 @@ lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
<itemizedlist>
<listitem>
<para><devicename>dc0</devicename>: The first Ethernet
- interface</para>
+ interface.</para>
</listitem>
<listitem>
<para><devicename>dc1</devicename>: The second Ethernet
- interface</para>
+ interface.</para>
</listitem>
<listitem>
<para><devicename>lo0</devicename>: The loopback
- device</para>
+ device.</para>
</listitem>
</itemizedlist>
<para>&os; uses the driver name followed by the order in which
- one the card is detected at the kernel boot to name the
- network card. For example <devicename>sis2</devicename> would
- be the third network card on the system using the &man.sis.4;
+ the card is detected at boot to name the
+ <acronym>NIC</acronym>. For example,
+ <devicename>sis2</devicename> is the third
+ <acronym>NIC</acronym> on the system using the &man.sis.4;
driver.</para>
- <para>In this example, the <devicename>dc0</devicename> device
- is up and running. The key indicators are:</para>
+ <para>In this example, <devicename>dc0</devicename> is up and
+ running. The key indicators are:</para>
<orderedlist>
<listitem>
@@ -1078,32 +1058,33 @@ lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
<listitem>
<para>The card has an Internet (<literal>inet</literal>)
- address (in this case
- <hostid role="ipaddr">192.168.1.3</hostid>).</para>
+ address, <hostid
+ role="ipaddr">192.168.1.3</hostid>.</para>
</listitem>
<listitem>
<para>It has a valid subnet mask
- (<literal>netmask</literal>;
- <hostid role="netmask">0xffffff00</hostid> is the same as
- <hostid role="netmask">255.255.255.0</hostid>).</para>
+ (<literal>netmask</literal>), where <hostid
+ role="netmask">0xffffff00</hostid> is the same as
+ <hostid role="netmask">255.255.255.0</hostid>.</para>
</listitem>
<listitem>
- <para>It has a valid broadcast address (in this case,
- <hostid role="ipaddr">192.168.1.255</hostid>).</para>
+ <para>It has a valid broadcast address, <hostid
+ role="ipaddr">192.168.1.255</hostid>.</para>
</listitem>
<listitem>
- <para>The MAC address of the card (<literal>ether</literal>)
- is <hostid role="mac">00:a0:cc:da:da:da</hostid></para>
+ <para>The <acronym>MAC</acronym> address of the card
+ (<literal>ether</literal>) is <hostid
+ role="mac">00:a0:cc:da:da:da</hostid>.</para>
</listitem>
<listitem>
<para>The physical media selection is on autoselection mode
(<literal>media: Ethernet autoselect (100baseTX
<full-duplex>)</literal>). In this example,
- <devicename>dc1</devicename> was configured to run with
+ <devicename>dc1</devicename> is configured to run with
<literal>10baseT/UTP</literal> media. For more
information on available media types for a driver, refer
to its manual page.</para>
@@ -1130,41 +1111,40 @@ lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
<para>it would indicate the card has not been configured.</para>
- <para>To configure the card, you will need
- <username>root</username> privileges. The network card
- configuration can be performed from the command line with
- &man.ifconfig.8; but will not persist after a reboot unless
- the network card's configuration is also added to
- <filename>/etc/rc.conf</filename> using an editor. Add a
- line for each network card present on the system, as seen in
+ <para>The card must be configured as <username>root</username>.
+ The <acronym>NIC</acronym> configuration can be performed
+ from the command line with &man.ifconfig.8; but will not
+ persist after a reboot unless the configuration is also added
+ to <filename>/etc/rc.conf</filename>. Add a line for each
+ <acronym>NIC</acronym> present on the system, as seen in
this example:</para>
<programlisting>ifconfig_dc0="inet 192.168.1.3 netmask 255.255.255.0"
ifconfig_dc1="inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP"</programlisting>
<para>Replace <devicename>dc0</devicename> and
- <devicename>dc1</devicename> and the IP address information
- with the correct values for the system.
- Refer to the man page for the driver, &man.ifconfig.8; and
+ <devicename>dc1</devicename> and the <acronym>IP</acronym>
+ address information with the correct values for the system.
+ Refer to the man page for the driver, &man.ifconfig.8;, and
&man.rc.conf.5; for more details about the allowed options and
the syntax of <filename>/etc/rc.conf</filename>.</para>
<para>If the network was configured during installation, some
- lines about the network card(s) may be already present.
- Double check <filename>/etc/rc.conf</filename> before adding
- any lines.</para>
+ entries for the <acronym>NIC</acronym>(s) may be already
+ present. Double check <filename>/etc/rc.conf</filename>
+ before adding any lines.</para>
- <para>If the network is not using DNS, edit
- <filename>/etc/hosts</filename> to add the names and the IP
- addresses of various machines of the LAN, if they are not
- already there. For more information, refer to &man.hosts.5;
- and to
+ <para>If the network is not using <acronym>DNS</acronym>, edit
+ <filename>/etc/hosts</filename> to add the names and
+ <acronym>IP</acronym> addresses of of the hosts on the
+ <acronym>LAN</acronym>, if they are not already there. For
+ more information, refer to &man.hosts.5; and to
<filename>/usr/share/examples/etc/hosts</filename>.</para>
<note>
- <para>If there is no DHCP server and access to the Internet is
- needed, manually configure the default gateway and the
- nameserver:</para>
+ <para>If there is no <acronym>DHCP</acronym> server and
+ access to the Internet is needed, manually configure the
+ default gateway and the nameserver:</para>
<screen>&prompt.root; <userinput>echo 'defaultrouter="<replaceable>your_default_router</replaceable>"' >> /etc/rc.conf</userinput>
&prompt.root; <userinput>echo 'nameserver <replaceable>your_DNS_server</replaceable>' >> /etc/resolv.conf</userinput></screen>
@@ -1174,7 +1154,7 @@ ifconfig_dc1="inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP"</programlis
<sect2>
<title>Testing and Troubleshooting</title>
- <para>Once the necessary changes in
+ <para>Once the necessary changes to
<filename>/etc/rc.conf</filename> are saved, a reboot can be
used to test the network configuration and to verify that the
system restarts without any configuration errors.
@@ -1185,14 +1165,14 @@ ifconfig_dc1="inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP"</programlis
<note>
<para>If a default gateway has been set in
- <filename>/etc/rc.conf</filename>, use also this
+ <filename>/etc/rc.conf</filename>, also issue this
command:</para>
<screen>&prompt.root; <userinput>service routing restart</userinput></screen>
</note>
<para>Once the networking system has been relaunched, test the
- network interfaces.</para>
+ <acronym>NIC</acronym>s.</para>
<sect3>
<title>Testing the Ethernet Card</title>
@@ -1203,8 +1183,8 @@ ifconfig_dc1="inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP"</programlis
</indexterm>
<para>To verify that an Ethernet card is configured correctly,
- ping the interface itself, and then ping another machine on
- the LAN:</para>
+ &man.ping.8; the interface itself, and then &man.ping.8;
+ another machine on the <acronym>LAN</acronym>:</para>
<screen>&prompt.user; <userinput>ping -c5 192.168.1.3</userinput>
PING 192.168.1.3 (192.168.1.3): 56 data bytes
@@ -1230,9 +1210,9 @@ PING 192.168.1.2 (192.168.1.2): 56 data bytes
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 ms</screen>
- <para>To test network resolution, use the machine name instead
- of <hostid role="ipaddr">192.168.1.2</hostid>. If there is
- no DNS server on the network,
+ <para>To test network resolution, use the host name instead
+ of the <acronym>IP</acronym> address. If there is no
+ <acronym>DNS</acronym> server on the network,
<filename>/etc/hosts</filename> must first be
configured.</para>
</sect3>
@@ -1245,20 +1225,19 @@ round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 ms</screen>
<secondary>troubleshooting</secondary>
</indexterm>
- <para>Troubleshooting hardware and software configurations is
- always a pain, and a pain which can be alleviated by
- checking the simple things first. Is the network cable
- plugged in? Are the network services properly configured?
- Is the firewall configured correctly? Is the network card
- supported by &os;? Always before sending a bug report,
- check the hardware notes, update the version of &os; to the
- latest STABLE version, check the mailing list archives, and
- search the Internet.</para>
+ <para>When troubleshooting hardware and software
+ configurations, check the simple things first. Is the
+ network cable plugged in? Are the network services properly
+ configured? Is the firewall configured correctly? Is the
+ <acronym>NIC</acronym> supported by &os;? Before sending
+ a bug report, always check the Hardware Notes, update the
+ version of &os; to the latest STABLE version, check the
+ mailing list archives, and search the Internet.</para>
- <para>If the card works, yet performance is poor, it would be
- worthwhile to read over the &man.tuning.7; manual page.
- Also, check the network configuration as incorrect network
- settings can cause slow connections.</para>
+ <para>If the card works, yet performance is poor, read
+ through &man.tuning.7;. Also, check the network
+ configuration as incorrect network settings can cause slow
+ connections.</para>
<para>Some users experience one or two
<errorname>device timeout</errorname> messages, which is
@@ -1267,37 +1246,37 @@ round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 ms</screen>
Double check the cable connections. Consider trying another
card.</para>
- <para>At times, users see a few
- <errorname>watchdog timeout</errorname> errors. The first
- thing to do is to check the network cable. Many cards
- require a PCI slot which supports Bus Mastering. On some
- old motherboards, only one PCI slot allows it (usually slot
- 0). Check the network card and the motherboard
+ <para>To resolve <errorname>watchdog timeout</errorname>
+ errors, first check the network cable. Many cards
+ require a <acronym>PCI</acronym> slot which supports bus
+ mastering. On some old motherboards, only one
+ <acronym>PCI</acronym> slot allows it, usually slot 0.
+ Check the <acronym>NIC</acronym> and the motherboard
documentation to determine if that may be the
problem.</para>
<para><errorname>No route to host</errorname> messages occur
if the system is unable to route a packet to the destination
- host. This can happen if no default route is specified, or
+ host. This can happen if no default route is specified or
if a cable is unplugged. Check the output of
<command>netstat -rn</command> and make sure there is a
- valid route to the host. If there is not, read on to
- <xref linkend="advanced-networking"/>.</para>
+ valid route to the host. If there is not, read <xref
+ linkend="advanced-networking"/>.</para>
<para><errorname>ping: sendto: Permission denied</errorname>
error messages are often caused by a misconfigured firewall.
- If <command>ipfw</command> is enabled in the kernel but no
- rules have been defined, then the default policy is to deny
- all traffic, even ping requests! Read on to
- <xref linkend="firewalls"/> for more information.</para>
+ If a firewall is enabled on &os; but no rules have been
+ defined, the default policy is to deny all traffic, even
+ &man.ping.8;. Refer to <xref
+ linkend="firewalls"/> for more information.</para>
- <para>Sometimes performance of the card is poor, or below
- average. In these cases it is best to set the media
+ <para>Sometimes performance of the card is poor or below
+ average. In these cases, try setting the media
selection mode from <literal>autoselect</literal> to the
- correct media selection. While this usually works for most
- hardware, it may not resolve this issue for everyone.
- Again, check all the network settings, and read over the
- &man.tuning.7; manual page.</para>
+ correct media selection. While this works for most
+ hardware, it may or may not resolve the issue. Again,
+ check all the network settings, and refer to
+ &man.tuning.7;.</para>
</sect3>
</sect2>
</sect1>
@@ -1306,9 +1285,10 @@ round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 ms</screen>
<title>Virtual Hosts</title>
<indexterm><primary>virtual hosts</primary></indexterm>
- <indexterm><primary>IP aliases</primary></indexterm>
+ <indexterm><primary><acronym>IP</acronym>
+ aliases</primary></indexterm>
- <para>A very common use of &os; is virtual site hosting, where one
+ <para>A common use of &os; is virtual site hosting, where one
server appears to the network as many servers. This is achieved
by assigning multiple network addresses to a single
interface.</para>
@@ -1316,49 +1296,47 @@ round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 ms</screen>
<para>A given network interface has one <quote>real</quote>
address, and may have any number of <quote>alias</quote>
addresses. These aliases are normally added by placing alias
- entries in <filename>/etc/rc.conf</filename>.</para>
-
- <para>An alias entry for the interface
- <devicename>fxp0</devicename> looks like:</para>
+ entries in <filename>/etc/rc.conf</filename>, as seen in this
+ example:</para>
<programlisting>ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"</programlisting>
- <para>Note that alias entries must start with
- <literal>alias0</literal> and proceed upwards in order, (for
- example, <literal>_alias1</literal>, <literal>_alias2</literal>,
- and so on). The configuration process will stop at the first
+ <para>Alias entries must start with
+ <literal>alias<replaceable>0</replaceable></literal> using a
+ sequential number such as
+ <literal>alias0</literal>, <literal>alias1</literal>,
+ and so on. The configuration process will stop at the first
missing number.</para>
- <para>The calculation of alias netmasks is important, but
- fortunately quite simple. For a given interface, there must be
- one address which correctly represents the network's netmask.
- Any other addresses which fall within this network must have a
- netmask of all <literal>1</literal>s (expressed as either
- <hostid role="netmask">255.255.255.255</hostid> or
- <hostid role="netmask">0xffffffff</hostid>).</para>
+ <para>The calculation of alias netmasks is important. For a
+ given interface, there must be one address which correctly
+ represents the network's netmask. Any other addresses which
+ fall within this network must have a netmask of all
+ <literal>1</literal>s, expressed as either <hostid
+ role="netmask">255.255.255.255</hostid> or <hostid
+ role="netmask">0xffffffff</hostid>.</para>
<para>For example, consider the case where the
<devicename>fxp0</devicename> interface is connected to two
- networks: the <hostid role="ipaddr">10.1.1.0</hostid> network
- with a netmask of <hostid role="netmask">255.255.255.0</hostid>
- and the <hostid role="ipaddr">202.0.75.16</hostid> network with
- a netmask of <hostid role="netmask">255.255.255.240</hostid>.
- The system is to be configured to appear in the
- range
- <hostid role="ipaddr">10.1.1.1</hostid> through
- <hostid role="ipaddr">10.1.1.5</hostid> and
- <hostid role="ipaddr">202.0.75.17</hostid> through
- <hostid role="ipaddr">202.0.75.20</hostid>. Only the first
- address in a given network range should have a real
- netmask. All the rest (<hostid role="ipaddr">10.1.1.2</hostid>
- through <hostid role="ipaddr">10.1.1.5</hostid> and
- <hostid role="ipaddr">202.0.75.18</hostid> through
- <hostid role="ipaddr">202.0.75.20</hostid>) must be configured
- with a netmask of
- <hostid role="netmask">255.255.255.255</hostid>.</para>
+ networks: <hostid role="ipaddr">10.1.1.0</hostid> with a
+ netmask of <hostid role="netmask">255.255.255.0</hostid> and
+ <hostid role="ipaddr">202.0.75.16</hostid> with a netmask of
+ <hostid role="netmask">255.255.255.240</hostid>. The system
+ is to be configured to appear in the ranges <hostid
+ role="ipaddr">10.1.1.1</hostid> through <hostid
+ role="ipaddr">10.1.1.5</hostid> and <hostid
+ role="ipaddr">202.0.75.17</hostid> through <hostid
+ role="ipaddr">202.0.75.20</hostid>. Only the first address
+ in a given network range should have a real netmask. All the
+ rest (<hostid role="ipaddr">10.1.1.2</hostid> through <hostid
+ role="ipaddr">10.1.1.5</hostid> and <hostid
+ role="ipaddr">202.0.75.18</hostid> through <hostid
+ role="ipaddr">202.0.75.20</hostid>) must be configured with
+ a netmask of <hostid
+ role="netmask">255.255.255.255</hostid>.</para>
<para>The following <filename>/etc/rc.conf</filename> entries
- configure the adapter correctly for this arrangement:</para>
+ configure the adapter correctly for this scenario:</para>
<programlisting>ifconfig_fxp0="inet 10.1.1.1 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 10.1.1.2 netmask 255.255.255.255"
@@ -1384,31 +1362,30 @@ ifconfig_fxp0_alias7="inet 202.0.75.20 netmask 255.255.255.255"</programlisting>
</sect1info>
<title>Configuring the System Logger,
- <application>syslogd</application></title>
+ <command>syslogd</command></title>
<indexterm><primary>system logging</primary></indexterm>
<indexterm><primary>syslog</primary></indexterm>
- <indexterm><primary>syslogd</primary></indexterm>
+ <indexterm><primary>&man.syslogd.8;</primary></indexterm>
<para>System logging is an important aspect of system
- administration. It is used both to detect hardware and software
- issues and errors in the system. It also plays a very
- important role in security auditing and incident response.
- System daemons without a controlling terminal also usually log
- information to a system logging facility or other log
- file.</para>
+ administration. It is used to detect hardware and software
+ issues and errors in the system. It plays an important role
+ in security auditing and incident response. System daemons
+ without a controlling terminal usually log information to a
+ system logging facility or other log file.</para>
<para>This section describes how to configure and use the &os;
system logger, &man.syslogd.8;, and how to perform log rotation
- and log management using &man.newsyslog.8;. Focus
- will be on setting up and using <command>syslogd</command> on
- a local machine. For more advanced setups using a separate
- loghost, see <xref linkend="network-syslogd"/>.</para>
+ and log management using &man.newsyslog.8;. Focus will be on
+ setting up and using &man.syslogd.8; on a local machine. For
+ more advanced setups using a separate loghost, see <xref
+ linkend="network-syslogd"/>.</para>
<sect2>
- <title>Using <application>syslogd</application></title>
+ <title>Using <command>syslogd</command></title>
- <para>In the default &os; configuration &man.syslogd.8; is
+ <para>In the default &os; configuration, &man.syslogd.8; is
started at boot. This is controlled by the variable
<literal>syslogd_enable</literal> in
<filename>/etc/rc.conf</filename>. There are numerous
@@ -1424,7 +1401,7 @@ ifconfig_fxp0_alias7="inet 202.0.75.20 netmask 255.255.255.255"</programlisting>
</sect2>
<sect2>
- <title>Configuring <application>syslogd</application></title>
+ <title>Configuring <command>syslogd</command></title>
<indexterm><primary>syslog.conf</primary></indexterm>
@@ -1441,24 +1418,23 @@ ifconfig_fxp0_alias7="inet 202.0.75.20 netmask 255.255.255.255"</programlisting>
different log files, or discard it, depending on the facility
and level. It is also possible to take action depending on
the application that sent the message, and in the case of
- remote logging, also the hostname of the machine generating
+ remote logging, the hostname of the machine generating
the logging event.</para>
- <para>Configuring &man.syslogd.8; is quite straight
- forward. The configuration file contains one line per action,
- and the syntax for each line is a selector field followed by
- an action field. The syntax of the selector field is
- <replaceable>facility.level</replaceable> which will match
- log messages from <replaceable>facility</replaceable> at level
- <replaceable>level</replaceable> or higher. It is also
- possible to add an optional comparison flag before the level
- to specify more precisely what is logged. Multiple
+ <para>The configuration file for &man.syslogd.8; contains one
+ line per action, and the syntax for each line is a selector
+ field followed by an action field. The syntax of the selector
+ field is <replaceable>facility.level</replaceable> which will
+ match log messages from <replaceable>facility</replaceable>
+ at level <replaceable>level</replaceable> or higher. It is
+ also possible to add an optional comparison flag before the
+ level to specify more precisely what is logged. Multiple
selector fields can be used for the same action, and are
separated with a semicolon (<literal>;</literal>). Using
- <literal>*</literal> will match everything.
- The action field denotes where to send the log message,
- such as a file or a remote log host. As an example, here is
- the default <filename>syslog.conf</filename> from &os;:</para>
+ <literal>*</literal> will match everything. The action field
+ denotes where to send the log message, such as to a file or
+ remote log host. As an example, here is the default
+ <filename>syslog.conf</filename> from &os;:</para>
<programlisting># $&os;$
#
@@ -1466,7 +1442,7 @@ ifconfig_fxp0_alias7="inet 202.0.75.20 netmask 255.255.255.255"</programlisting>
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
-# Consult the &man.syslog.conf.5; manpage.
+# Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit /dev/console <co id="co-syslog-many-match"/>
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
@@ -1499,7 +1475,8 @@ cron.* /var/log/cron
<literal>kern.warning</literal>,
<literal>auth.notice</literal> and
<literal>mail.crit</literal>, and send these log messages
- to the console (<filename>/dev/console</filename>).</para>
+ to the console
+ (<devicename>/dev/console</devicename>).</para>
</callout>
<callout arearefs="co-syslog-one-match">
@@ -1517,12 +1494,12 @@ cron.* /var/log/cron
</callout>
<callout arearefs="co-syslog-prog-spec">
- <para>Here is an example usage of a
- <emphasis>program specification</emphasis>. This will
- make the rules following only be valid for the program
- in the program specification. In this case
- this line and the following makes all messages from
- <command>ppp</command>, but no other programs, end up in
+ <para>Here is an example usage of a <emphasis>program
+ specification</emphasis>. This makes the rules
+ following it only valid for the program in the program
+ specification. In this case, this and the following
+ lines log all messages from &man.ppp.8;, but no other
+ programs, to
<filename>/var/log/ppp.log</filename>.</para>
</callout>
</calloutlist>
@@ -1532,7 +1509,7 @@ cron.* /var/log/cron
critical: <literal>emerg</literal>, <literal>alert</literal>,
<literal>crit</literal>, <literal>err</literal>,
<literal>warning</literal>, <literal>notice</literal>,
- <literal>info</literal> and <literal>debug</literal>.</para>
+ <literal>info</literal>, and <literal>debug</literal>.</para>
<para>The facilities are, in no particular order:
<literal>auth</literal>, <literal>authpriv</literal>,
@@ -1542,11 +1519,11 @@ cron.* /var/log/cron
<literal>mail</literal>, <literal>mark</literal>,
<literal>news</literal>, <literal>security</literal>,
<literal>syslog</literal>, <literal>user</literal>,
- <literal>uucp</literal> and <literal>local0</literal> through
+ <literal>uucp</literal>, and <literal>local0</literal> through
<literal>local7</literal>. Be aware that other operating
systems might have different facilities.</para>
- <para>With this knowledge it is easy to add a new line to
+ <para>With this knowledge, it is easy to add a new line to
<filename>/etc/syslog.conf</filename> to log everything from
the different daemons on level <literal>notice</literal> and
higher to <filename>/var/log/daemon.log</filename>. Just add
@@ -1556,15 +1533,15 @@ cron.* /var/log/cron
<para>For more information about the different levels and
facilities, refer to &man.syslog.3; and &man.syslogd.8;.
- For more information about <filename>syslog.conf</filename>,
- its syntax, and more advanced usage examples, see
- &man.syslog.conf.5; and
- <xref linkend="network-syslogd"/>.</para>
+ For more information about
+ <filename>/etc/syslog.conf</filename>, its syntax, and more
+ advanced usage examples, see &man.syslog.conf.5; and <xref
+ linkend="network-syslogd"/>.</para>
</sect2>
<sect2>
<title>Log Management and Rotation with
- <application>newsyslog</application></title>
+ <command>newsyslog</command></title>
<indexterm><primary>newsyslog</primary></indexterm>
<indexterm><primary>newsyslog.conf</primary></indexterm>
@@ -1578,17 +1555,17 @@ cron.* /var/log/cron
to manage log files. This program periodically rotates and
compresses log files, and optionally creates missing log files
and signals programs when log files are moved. The log files
- are not necessarily generated by syslog as &man.newsyslog.8;
- works with any logs written from any program. Note that
- <command>newsyslog</command> is normally run from
- &man.cron.8; and is not a system daemon. In the default
+ are not necessarily generated by &man.syslogd.8; as
+ &man.newsyslog.8; works with any logs written from any
+ program. While &man.newsyslog.8; is normally run from
+ &man.cron.8;, it is not a system daemon. In the default
configuration, it is run every hour.</para>
<sect3>
<title>Configuring
- <application>newsyslog</application></title>
+ <command>newsyslog</command></title>
- <para>To know what actions to take, &man.newsyslog.8; reads
+ <para>To know which actions to take, &man.newsyslog.8; reads
its configuration file, by default
<filename>/etc/newsyslog.conf</filename>. This
configuration file contains one line for each file that
@@ -1599,7 +1576,7 @@ cron.* /var/log/cron
configuration in &os;:</para>
<programlisting># configuration file for newsyslog
-# $&os;$
+# $FreeBSD$
#
# Entries which do not specify the '/pid_file' field will cause the
# syslogd process to be signalled when that log file is rotated. This
@@ -1624,7 +1601,6 @@ cron.* /var/log/cron
/var/log/cron 600 3 100 * JC
/var/log/daily.log 640 7 * @T00 JN
/var/log/debug.log 600 7 100 * JC
-/var/log/init.log 644 3 100 * J
/var/log/kerberos.log 600 7 100 * J
/var/log/lpd-errs 644 7 100 * JC
/var/log/maillog 640 7 * @T00 JC
@@ -1639,30 +1615,29 @@ cron.* /var/log/cron
/var/log/xferlog 600 7 100 * JC</programlisting>
<para>Each line starts with the name of the file to be
- rotated, optionally followed by an owner
- and group for both rotated and newly created files.
- The next field, <literal>mode</literal> is the mode of the
- files and <literal>count</literal> denotes how many rotated
- log files should be kept. The <literal>size</literal> and
- <literal>when</literal> fields tell
- <command>newsyslog</command> when to rotate the file.
- A log file is rotated when either its size is larger than
- the <literal>size</literal> field, or when the time in the
+ rotated, optionally followed by an owner and group for both
+ rotated and newly created files. The
+ <literal>mode</literal> field sets the permissions on the
+ log file and <literal>count</literal> denotes how many
+ rotated log files should be kept. The
+ <literal>size</literal> and <literal>when</literal> fields
+ tell &man.newsyslog.8; when to rotate the file. A log
+ file is rotated when either its size is larger than the
+ <literal>size</literal> field, or when the time in the
<literal>when</literal> filed has passed.
<literal>*</literal> means that this field is ignored. The
<replaceable>flags</replaceable> field gives
- &man.newsyslog.8; further instructions, such as
- how to compress the rotated file, or to create the log file
- if it is missing. The last two fields are optional, and
+ &man.newsyslog.8; further instructions, such as how to
+ compress the rotated file or to create the log file if it
+ is missing. The last two fields are optional, and
specify the <acronym
- role="Process Identifier">PID</acronym>-file of a
- process and a signal number to send to that process with
- when the file is rotated. For more information on all
- fields, valid flags and how to specify the rotation time,
- refer to &man.newsyslog.conf.5;. Remember that
- <command>newsyslog</command> is run from
- <command>cron</command> and can not rotate files more
- often than it is run from &man.cron.8;.</para>
+ role="Process Identifier">PID</acronym> file of a process
+ and a signal number to send to that process when the file
+ is rotated. For more information on all fields, valid
+ flags, and how to specify the rotation time, refer to
+ &man.newsyslog.conf.5;. Since &man.newsyslog.8; is run
+ from &man.cron.8;, it can not rotate files more often than
+ it is run from &man.cron.8;.</para>
</sect3>
</sect2>
</sect1>
@@ -1686,8 +1661,8 @@ cron.* /var/log/cron
<row>
<entry><filename
class="directory">/etc</filename></entry>
- <entry>Generic system configuration information; data
- here is system-specific.</entry>
+ <entry>Generic system-specific configuration
+ information.</entry>
</row>
<row>
@@ -1700,8 +1675,8 @@ cron.* /var/log/cron
<row>
<entry><filename
class="directory">/etc/mail</filename></entry>
- <entry>Extra &man.sendmail.8; configuration, other
- MTA configuration files.</entry>
+ <entry>Extra &man.sendmail.8; configuration and other
+ <acronym>MTA</acronym> configuration files.</entry>
</row>
<row>
@@ -1729,7 +1704,7 @@ cron.* /var/log/cron
<row>
<entry><filename
class="directory">/usr/local/etc/rc.d</filename></entry>
- <entry>Start/stop scripts for installed
+ <entry>&man.rc.8; scripts for installed
applications.</entry>
</row>
@@ -1737,8 +1712,8 @@ cron.* /var/log/cron
<entry><filename
class="directory">/var/db</filename></entry>
<entry>Automatically generated system-specific database
- files, such as the package database, the locate
- database, and so on</entry>
+ files, such as the package database and the
+ &man.locate.1; database.</entry>
</row>
</tbody>
</tgroup>
@@ -1758,12 +1733,13 @@ cron.* /var/log/cron
<primary><filename>resolv.conf</filename></primary>
</indexterm>
- <para><filename>/etc/resolv.conf</filename> dictates how
- &os;'s resolver accesses the Internet Domain Name System
- (DNS).</para>
+ <para>How a
+ &os; system accesses the Internet Domain Name System
+ (<acronym>DNS</acronym>) is controlled by
+ &man.resolv.conf.5;.</para>
<para>The most common entries to
- <filename>resolv.conf</filename> are:</para>
+ <filename>/etc/resolv.conf</filename> are:</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="2">
@@ -1773,9 +1749,10 @@ cron.* /var/log/cron
<tbody>
<row>
<entry><literal>nameserver</literal></entry>
- <entry>The IP address of a name server the resolver
- should query. The servers are queried in the order
- listed with a maximum of three.</entry>
+ <entry>The <acronym>IP</acronym> address of a name
+ server the resolver should query. The servers are
+ queried in the order listed with a maximum of
+ three.</entry>
</row>
<row>
@@ -1793,7 +1770,8 @@ cron.* /var/log/cron
</tgroup>
</informaltable>
- <para>A typical <filename>resolv.conf</filename>:</para>
+ <para>A typical <filename>/etc/resolv.conf</filename> looks
+ like this:</para>
<programlisting>search example.com
nameserver 147.11.1.11
@@ -1804,9 +1782,10 @@ nameserver 147.11.100.30</programlisting>
<literal>domain</literal> options should be used.</para>
</note>
- <para>When using DHCP, &man.dhclient.8; usually rewrites
- <filename>resolv.conf</filename> with information received
- from the DHCP server.</para>
+ <para>When using <acronym>DHCP</acronym>, &man.dhclient.8;
+ usually rewrites <filename>/etc/resolv.conf</filename>
+ with information received from the <acronym>DHCP</acronym>
+ server.</para>
</sect3>
<sect3>
@@ -1815,14 +1794,17 @@ nameserver 147.11.100.30</programlisting>
<indexterm><primary>hosts</primary></indexterm>
<para><filename>/etc/hosts</filename> is a simple text
- database reminiscent of the old Internet. It works in
- conjunction with DNS and NIS providing name to IP address
- mappings. Local computers connected via a LAN can be placed
- in here for simplistic naming purposes instead of setting up
- a &man.named.8; server. Additionally,
+ database which works in conjunction with
+ <acronym>DNS</acronym> and
+ <acronym>NIS</acronym> to provide host name to
+ <acronym>IP</acronym> address mappings. Entries for local
+ computers connected via a <acronym>LAN</acronym> can be
+ added to this file for simplistic naming purposes instead
+ of setting up a &man.named.8; server. Additionally,
<filename>/etc/hosts</filename> can be used to provide a
local record of Internet names, reducing the need to query
- externally for commonly accessed names.</para>
+ external <acronym>DNS</acronym> servers for commonly
+ accessed names.</para>
<programlisting># $&os;$
#
@@ -1857,8 +1839,8 @@ nameserver 147.11.100.30</programlisting>
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#</programlisting>
- <para><filename>/etc/hosts</filename> takes on the simple
- format of:</para>
+ <para>The format of <filename>/etc/hosts</filename> is as
+ follows:</para>
<programlisting>[Internet address] [official hostname] [alias1] [alias2] ...</programlisting>
@@ -1869,32 +1851,6 @@ nameserver 147.11.100.30</programlisting>
<para>Consult &man.hosts.5; for more information.</para>
</sect3>
</sect2>
-
- <sect2 id="configtuning-sysctlconf">
- <title><filename>sysctl.conf</filename></title>
-
- <indexterm><primary>sysctl.conf</primary></indexterm>
- <indexterm><primary>sysctl</primary></indexterm>
-
- <para><filename>sysctl.conf</filename> looks much like
- <filename>rc.conf</filename>. Values are set in a
- <literal>variable=value</literal> form. The specified values
- are set after the system goes into multi-user mode. Not all
- variables are settable in this mode.</para>
-
- <para>To turn off logging of fatal signal exits and prevent
- users from seeing processes started from other users, the
- following tunables can be set in
- <filename>sysctl.conf</filename>:</para>
-
- <programlisting># Do not log fatal signal exits (e.g., sig 11)
-kern.logsigexit=0
-
-# Prevent users from seeing information about processes that
-# are being run under another UID.
-security.bsd.see_other_uids=0</programlisting>
-
- </sect2>
</sect1>
<sect1 id="configtuning-sysctl">
@@ -1907,11 +1863,11 @@ security.bsd.see_other_uids=0</programlisting>
</indexterm>
<para>&man.sysctl.8; is used to make changes to a running &os;
- system. This includes many advanced options of the TCP/IP stack
- and virtual memory system that can dramatically improve
- performance for an experienced system administrator. Over five
- hundred system variables can be read and set using
- &man.sysctl.8;.</para>
+ system. This includes many advanced options of the
+ <acronym>TCP/IP</acronym> stack and virtual memory system
+ that can dramatically improve performance for an experienced
+ system administrator. Over five hundred system variables can
+ be read and set using &man.sysctl.8;.</para>
<para>At its core, &man.sysctl.8; serves two functions: to read
and to modify system settings.</para>
@@ -1920,13 +1876,12 @@ security.bsd.see_other_uids=0</programlisting>
<screen>&prompt.user; <userinput>sysctl -a</userinput></screen>
- <para>To read a particular variable, for example,
- <varname>kern.maxproc</varname>:</para>
+ <para>To read a particular variable, specify its name:</para>
<screen>&prompt.user; <userinput>sysctl kern.maxproc</userinput>
kern.maxproc: 1044</screen>
- <para>To set a particular variable, use the intuitive
+ <para>To set a particular variable, use the
<replaceable>variable</replaceable>=<replaceable>value</replaceable>
syntax:</para>
@@ -1934,14 +1889,41 @@ kern.maxproc: 1044</screen>
kern.maxfiles: 2088 -> 5000</screen>
<para>Settings of sysctl variables are usually either strings,
- numbers, or booleans (a boolean being <literal>1</literal> for
- yes or a <literal>0</literal> for no).</para>
+ numbers, or booleans, where a a boolean is <literal>1</literal>
+ for yes or <literal>0</literal> for no.</para>
<para>To automatically set some variables each time the machine
boots, add them to <filename>/etc/sysctl.conf</filename>. For
- more information refer to &man.sysctl.conf.5; and <xref
+ more information, refer to &man.sysctl.conf.5; and <xref
linkend="configtuning-sysctlconf"/>.</para>
+ <sect2 id="configtuning-sysctlconf">
+ <title><filename>sysctl.conf</filename></title>
+
+ <indexterm><primary>sysctl.conf</primary></indexterm>
+ <indexterm><primary>sysctl</primary></indexterm>
+
+ <para>The configuration file for &man.sysctl.8;,
+ <filename>/etc/sysctl.conf</filename>, looks much like
+ <filename>/etc/rc.conf</filename>. Values are set in a
+ <literal>variable=value</literal> form. The specified values
+ are set after the system goes into multi-user mode. Not all
+ variables are settable in this mode.</para>
+
+ <para>For example, to turn off logging of fatal signal exits
+ and prevent users from seeing processes started by other
+ users, the following tunables can be set in
+ <filename>/etc/sysctl.conf</filename>:</para>
+
+ <programlisting># Do not log fatal signal exits (e.g., sig 11)
+kern.logsigexit=0
+
+# Prevent users from seeing information about processes that
+# are being run under another UID.
+security.bsd.see_other_uids=0</programlisting>
+
+ </sect2>
+
<sect2 id="sysctl-readonly">
<sect2info>
<authorgroup>
@@ -1956,34 +1938,40 @@ kern.maxfiles: 2088 -> 5000</screen>
<title>&man.sysctl.8; Read-only</title>
<para>In some cases it may be desirable to modify read-only
- &man.sysctl.8; values. While this is sometimes unavoidable,
- it can only be done on (re)boot.</para>
+ &man.sysctl.8; values, which will require a reboot of the
+ system.</para>
- <para>For instance on some laptop models the &man.cardbus.4;
- device will not probe memory ranges, and fail with errors
- which look similar to:</para>
+ <para>For instance, on some laptop models the &man.cardbus.4;
+ device will not probe memory ranges and will fail with errors
+ similar to:</para>
<screen>cbb0: Could not map register memory
device_probe_and_attach: cbb0 attach returned 12</screen>
- <para>Cases like the one above usually require the modification
- of some default &man.sysctl.8; settings which are set read
- only. To overcome these situations a user can put
- &man.sysctl.8; <quote>OIDs</quote> in their local
- <filename>/boot/loader.conf</filename>. Default settings are
- located in
- <filename>/boot/defaults/loader.conf</filename>.</para>
-
- <para>Fixing the problem mentioned above would require a user to
- set <option>hw.pci.allow_unsupported_io_range=1</option> in
- the aforementioned file. Now &man.cardbus.4; will work
- properly.</para>
+ <para>The fix requires the modification of a read-only
+ &man.sysctl.8; setting. Add
+ <option>hw.pci.allow_unsupported_io_range=1</option> to
+ <filename>/boot/loader.conf</filename> and reboot. Now
+ &man.cardbus.4; should work properly.</para>
</sect2>
</sect1>
<sect1 id="configtuning-disk">
<title>Tuning Disks</title>
+ <para>The following section will discuss various tuning
+ mechanisms and options which may be applied to disk
+ devices. In many cases, disks with mechanical parts,
+ such as <acronym>SCSI</acronym> drives, will be the
+ bottleneck driving down the overall system performance. While
+ a solution is to install a drive without mechanical parts,
+ such as a solid state drive, mechanical drives are not
+ going away anytime in the near future. When tuning disks,
+ it is advisable to utilize the features of the &man.iostat.8;
+ command to test various changes to the system. This
+ command will allow the user to obtain valuable information
+ on system <acronym>IO</acronym>.</para>
+
<sect2>
<title>Sysctl Variables</title>
@@ -1994,26 +1982,29 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<primary><varname>vfs.vmiodirenable</varname></primary>
</indexterm>
- <para>The <varname>vfs.vmiodirenable</varname> sysctl variable
- may be set to either 0 (off) or 1 (on); it is 1 by default.
- This variable controls how directories are cached by the
- system. Most directories are small, using just a single
- fragment (typically 1 K) in the file system and less
- (typically 512 bytes) in the buffer cache. With this
- variable turned off (to 0), the buffer cache will only cache
- a fixed number of directories even if the system has a huge
- amount of memory. When turned on (to 1), this sysctl allows
- the buffer cache to use the VM Page Cache to cache the
- directories, making all the memory available for caching
- directories. However, the minimum in-core memory used to
- cache a directory is the physical page size (typically
- 4 K) rather than 512 bytes. Keeping this option
- enabled is recommended if the system is running any services
- which manipulate large numbers of files. Such services can
+ <para>The <varname>vfs.vmiodirenable</varname> &man.sysctl.8;
+ variable
+ may be set to either <literal>0</literal> (off) or
+ <literal>1</literal> (on). It is set to
+ <literal>1</literal> by default. This variable controls
+ how directories are cached by the system. Most directories
+ are small, using just a single fragment (typically 1 K)
+ in the file system and typically 512 bytes in the
+ buffer cache. With this variable turned off, the buffer
+ cache will only cache a fixed number of directories, even
+ if the system has a huge amount of memory. When turned on,
+ this &man.sysctl.8; allows the buffer cache to use the
+ <acronym>VM</acronym> page cache to cache the directories,
+ making all the memory available for caching directories.
+ However, the minimum in-core memory used to cache a
+ directory is the physical page size (typically 4 K)
+ rather than 512 bytes. Keeping this option enabled
+ is recommended if the system is running any services which
+ manipulate large numbers of files. Such services can
include web caches, large mail systems, and news systems.
- Keeping this option on will generally not reduce performance
- even with the wasted memory but you should experiment to
- find out.</para>
+ Keeping this option on will generally not reduce
+ performance, even with the wasted memory, but one should
+ experiment to find out.</para>
</sect3>
<sect3>
@@ -2023,14 +2014,15 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<primary><varname>vfs.write_behind</varname></primary>
</indexterm>
- <para>The <varname>vfs.write_behind</varname> sysctl variable
+ <para>The <varname>vfs.write_behind</varname> &man.sysctl.8;
+ variable
defaults to <literal>1</literal> (on). This tells the file
system to issue media writes as full clusters are collected,
which typically occurs when writing large sequential files.
- The idea is to avoid saturating the buffer cache with dirty
- buffers when it would not benefit I/O performance. However,
- this may stall processes and under certain circumstances
- should be turned off.</para>
+ This avoids saturating the buffer cache with dirty buffers
+ when it would not benefit I/O performance. However, this
+ may stall processes and under certain circumstances should
+ be turned off.</para>
</sect3>
<sect3>
@@ -2040,21 +2032,22 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<primary><varname>vfs.hirunningspace</varname></primary>
</indexterm>
- <para>The <varname>vfs.hirunningspace</varname> sysctl
+ <para>The <varname>vfs.hirunningspace</varname> &man.sysctl.8;
variable determines how much outstanding write I/O may be
queued to disk controllers system-wide at any given
- instance. The default is usually sufficient but on machines
- with lots of disks, try bumping it up to four or five
- <emphasis>megabytes</emphasis>. Note that setting too
- high a value (exceeding the buffer cache's write threshold)
- can lead to extremely bad clustering performance. Do not
- set this value arbitrarily high! Higher write values may
- add latency to reads occurring at the same time.</para>
+ instance. The default is usually sufficient, but on
+ machines with many disks, try bumping it up to four or five
+ <emphasis>megabytes</emphasis>. Setting too high a value
+ which exceeds the buffer cache's write threshold can lead
+ to bad clustering performance. Do not set this value
+ arbitrarily high as higher write values may add latency to
+ reads occurring at the same time.</para>
- <para>There are various other buffer-cache and VM page cache
- related sysctls. Modifying these values is not recommended
- as the VM system does an extremely good job of automatically
- tuning itself.</para>
+ <para>There are various other buffer cache and
+ <acronym>VM</acronym> page cache related &man.sysctl.8;
+ values. Modifying these values is not recommended as the
+ <acronym>VM</acronym> system does a good job of
+ automatically tuning itself.</para>
</sect3>
<sect3>
@@ -2064,13 +2057,13 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<primary><varname>vm.swap_idle_enabled</varname></primary>
</indexterm>
- <para>The <varname>vm.swap_idle_enabled</varname> sysctl
- variable is useful in large multi-user systems with lots of
- users entering and leaving the system and lots of idle
- processes. Such systems tend to generate a great deal of
- continuous pressure on free memory reserves. Turning this
- feature on and tweaking the swapout hysteresis (in idle
- seconds) via <varname>vm.swap_idle_threshold1</varname> and
+ <para>The <varname>vm.swap_idle_enabled</varname>
+ &man.sysctl.8; variable is useful in large multi-user
+ systems with many active login users and lots of idle
+ processes. Such systems tend to generate continuous
+ pressure on free memory reserves. Turning this feature on
+ and tweaking the swapout hysteresis (in idle seconds) via
+ <varname>vm.swap_idle_threshold1</varname> and
<varname>vm.swap_idle_threshold2</varname> depresses the
priority of memory pages associated with idle processes more
quickly then the normal pageout algorithm. This gives a
@@ -2079,8 +2072,9 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
memory sooner rather than later which eats more swap and
disk bandwidth. In a small system this option will have a
determinable effect, but in a large system that is already
- doing moderate paging this option allows the VM system to
- stage whole processes into and out of memory easily.</para>
+ doing moderate paging, this option allows the
+ <acronym>VM</acronym> system to stage whole processes into
+ and out of memory easily.</para>
</sect3>
<sect3>
@@ -2090,24 +2084,23 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<primary><varname>hw.ata.wc</varname></primary>
</indexterm>
- <para>&os; 4.3 flirted with turning off IDE write
- caching. This reduced write bandwidth to IDE disks but was
- considered necessary due to serious data consistency issues
- introduced by hard drive vendors. The problem is that IDE
- drives lie about when a write completes. With IDE write
- caching turned on, IDE hard drives not only write data to
- disk out of order, but will sometimes delay writing some
- blocks indefinitely when under heavy disk loads. A crash or
+ <para>Turning off <acronym>IDE</acronym> write caching reduces
+ write bandwidth to <acronym>IDE</acronym> disks, but may
+ sometimes be necessary due to data consistency issues
+ introduced by hard drive vendors. The problem is that
+ some <acronym>IDE</acronym> drives lie about when a write
+ completes. With <acronym>IDE</acronym> write caching
+ turned on, <acronym>IDE</acronym> hard drives write data
+ to disk out of order and will sometimes delay writing some
+ blocks indefinitely when under heavy disk load. A crash or
power failure may cause serious file system corruption.
- &os;'s default was changed to be safe. Unfortunately, the
- result was such a huge performance loss that we changed
- write caching back to on by default after the release.
Check the default on the system by observing the
- <varname>hw.ata.wc</varname> sysctl variable. If IDE write
- caching is turned off, setting this variable back to 1 will
- turn it back on. This must be done from the boot loader at
- boot time as attempting to do it after the kernel boots
- will have no effect.</para>
+ <varname>hw.ata.wc</varname> &man.sysctl.8; variable. If
+ <acronym>IDE</acronym> write caching is turned off, one can
+ set this read-only variable to
+ <literal>1</literal> in
+ <filename>/boot/loader.conf</filename> in order to enable
+ it at boot time.</para>
<para>For more information, refer to &man.ata.4;.</para>
</sect3>
@@ -2122,17 +2115,18 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<indexterm>
<primary>kernel options</primary>
- <secondary><literal>SCSI_DELAY</literal></secondary>
+ <secondary><literal>SCSI DELAY</literal></secondary>
</indexterm>
- <para>The <literal>SCSI_DELAY</literal> kernel config may be
- used to reduce system boot times. The defaults are fairly
- high and can be responsible for <literal>15</literal>
- seconds of delay in the boot process. Reducing it to
- <literal>5</literal> seconds usually works (especially with
- modern drives). The <varname>kern.cam.scsi_delay</varname>
- boot time tunable should be used. The tunable, and kernel
- config option accept values in terms of
+ <para>The <literal>SCSI_DELAY</literal> kernel configuration
+ option may be used to reduce system boot times. The
+ defaults are fairly high and can be responsible for
+ <literal>15</literal> seconds of delay in the boot process.
+ Reducing it to <literal>5</literal> seconds usually works
+ with modern drives. The
+ <varname>kern.cam.scsi_delay</varname> boot time tunable
+ should be used. The tunable and kernel configuration
+ option accept values in terms of
<emphasis>milliseconds</emphasis> and
<emphasis>not</emphasis>
<emphasis>seconds</emphasis>.</para>
@@ -2143,33 +2137,31 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<title>Soft Updates</title>
<indexterm><primary>Soft Updates</primary></indexterm>
- <indexterm><primary>tunefs</primary></indexterm>
+ <indexterm><primary>&man.tunefs.8;</primary></indexterm>
- <para>The &man.tunefs.8; program can be used to fine-tune a
- file system. This program has many different options, but for
- now we are only concerned with toggling Soft Updates on and
- off, which is done by:</para>
+ <para>To fine-tune a file system, use &man.tunefs.8;. This
+ program has many different options. To toggle Soft Updates
+ on and off, use:</para>
<screen>&prompt.root; <userinput>tunefs -n enable /filesystem</userinput>
&prompt.root; <userinput>tunefs -n disable /filesystem</userinput></screen>
- <para>A filesystem cannot be modified with &man.tunefs.8; while
+ <para>A file system cannot be modified with &man.tunefs.8; while
it is mounted. A good time to enable Soft Updates is before
any partitions have been mounted, in single-user mode.</para>
- <para>Soft Updates drastically improves meta-data performance,
+ <para>Soft Updates is recommended for <acronym>UFS</acronym>
+ file systems as it drastically improves meta-data performance,
mainly file creation and deletion, through the use of a memory
- cache. We recommend to use Soft Updates on all of your file
- systems. There are two downsides to Soft Updates that you
- should be aware of: First, Soft Updates guarantees filesystem
- consistency in the case of a crash but could very easily be
- several seconds (even a minute!) behind updating the physical
- disk. If your system crashes you may lose more work than
- otherwise. Secondly, Soft Updates delays the freeing of
- filesystem blocks. If you have a filesystem (such as the root
- filesystem) which is almost full, performing a major update,
+ cache. There are two downsides to Soft Updates to be aware
+ of. First, Soft Updates guarantee file system consistency
+ in the case of a crash, but could easily be several seconds
+ or even a minute behind updating the physical disk. If the
+ system crashes, unwritten data may be lost. Secondly, Soft
+ Updates delay the freeing of file system blocks. If the
+ root file system is almost full, performing a major update,
such as <command>make installworld</command>, can cause the
- filesystem to run out of space and the update to fail.</para>
+ file system to run out of space and the update to fail.</para>
<sect3>
<title>More Details About Soft Updates</title>
@@ -2179,142 +2171,134 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<secondary>details</secondary>
</indexterm>
- <para>There are two traditional approaches to writing a file
- systems meta-data back to disk. (Meta-data updates are
- updates to non-content data like inodes or
- directories.)</para>
+ <para>Meta-data updates are updates to non-content data like
+ inodes or directories. There are two traditional approaches
+ to writing a file system's meta-data back to disk.</para>
<para>Historically, the default behavior was to write out
- meta-data updates synchronously. If a directory had been
- changed, the system waited until the change was actually
- written to disk. The file data buffers (file contents) were
- passed through the buffer cache and backed up to disk later
- on asynchronously. The advantage of this implementation is
+ meta-data updates synchronously. If a directory changed,
+ the system waited until the change was actually written to
+ disk. The file data buffers (file contents) were passed
+ through the buffer cache and backed up to disk later on
+ asynchronously. The advantage of this implementation is
that it operates safely. If there is a failure during an
- update, the meta-data are always in a consistent state. A
+ update, meta-data is always in a consistent state. A
file is either created completely or not at all. If the
data blocks of a file did not find their way out of the
buffer cache onto the disk by the time of the crash,
- &man.fsck.8; is able to recognize this and repair the
- filesystem by setting the file length to 0. Additionally,
- the implementation is clear and simple. The disadvantage is
- that meta-data changes are slow. An
- <command>rm -r</command>, for instance, touches all the
- files in a directory sequentially, but each directory change
- (deletion of a file) will be written synchronously to the
- disk. This includes updates to the directory itself, to the
- inode table, and possibly to indirect blocks allocated by
- the file. Similar considerations apply for unrolling large
- hierarchies (<command>tar -x</command>).</para>
+ &man.fsck.8; recognizes this and repairs the file system
+ by setting the file length to
+ <literal>0</literal>. Additionally, the implementation is
+ clear and simple. The disadvantage is that meta-data
+ changes are slow. For example, <command>rm -r</command>
+ touches all the files in a directory sequentially, but each
+ directory change will be written synchronously to the
+ disk. This includes updates to the directory itself, to
+ the inode table, and possibly to indirect blocks allocated
+ by the file. Similar considerations apply for unrolling
+ large hierarchies using <command>tar -x</command>.</para>
- <para>The second case is asynchronous meta-data updates. This
- is the default for Linux/ext2fs and
- <command>mount -o async</command> for *BSD ufs. All
- meta-data updates are simply being passed through the buffer
- cache too, that is, they will be intermixed with the updates
- of the file content data. The advantage of this
+ <para>The second approach is to use asynchronous meta-data
+ updates. This is the default for a <acronym>UFS</acronym>
+ file system mounted with <command>mount -o async</command>.
+ Since all meta-data updates are also passed through the
+ buffer cache, they will be intermixed with the updates of
+ the file content data. The advantage of this
implementation is there is no need to wait until each
meta-data update has been written to disk, so all operations
which cause huge amounts of meta-data updates work much
- faster than in the synchronous case. Also, the
- implementation is still clear and simple, so there is a low
- risk for bugs creeping into the code. The disadvantage is
- that there is no guarantee at all for a consistent state of
- the filesystem. If there is a failure during an operation
- that updated large amounts of meta-data (like a power
- failure, or someone pressing the reset button), the
- filesystem will be left in an unpredictable state. There is
- no opportunity to examine the state of the filesystem when
- the system comes up again; the data blocks of a file could
- already have been written to the disk while the updates of
- the inode table or the associated directory were not. It is
- actually impossible to implement a <command>fsck</command>
- which is able to clean up the resulting chaos (because the
- necessary information is not available on the disk). If the
- filesystem has been damaged beyond repair, the only choice
- is to use &man.newfs.8; on it and restore it from
- backup.</para>
+ faster than in the synchronous case. This implementation
+ is still clear and simple, so there is a low risk for bugs
+ creeping into the code. The disadvantage is that there is
+ no guarantee for a consistent state of the file system.
+ If there is a failure during an operation that updated
+ large amounts of meta-data, like a power failure or someone
+ pressing the reset button, the file system will be left
+ in an unpredictable state. There is no opportunity to
+ examine the state of the file system when the system comes
+ up again as the data blocks of a file could already have
+ been written to the disk while the updates of the inode
+ table or the associated directory were not. It is
+ impossible to implement a &man.fsck.8; which is able to
+ clean up the resulting chaos because the necessary
+ information is not available on the disk. If the file
+ system has been damaged beyond repair, the only choice
+ is to reformat it and restore from backup.</para>
- <para>The usual solution for this problem was to implement
+ <para>The usual solution for this problem is to implement
<emphasis>dirty region logging</emphasis>, which is also
- referred to as <emphasis>journaling</emphasis>, although
- that term is not used consistently and is occasionally
- applied to other forms of transaction logging as well.
+ referred to as <emphasis>journaling</emphasis>.
Meta-data updates are still written synchronously, but only
- into a small region of the disk. Later on they will be
- moved to their proper location. Because the logging area is
- a small, contiguous region on the disk, there are no long
+ into a small region of the disk. Later on, they are moved
+ to their proper location. Because the logging area is a
+ small, contiguous region on the disk, there are no long
distances for the disk heads to move, even during heavy
operations, so these operations are quicker than synchronous
- updates. Additionally the complexity of the implementation
- is fairly limited, so the risk of bugs being present is low.
- A disadvantage is that all meta-data are written twice (once
- into the logging region and once to the proper location) so
- for normal work, a performance <quote>pessimization</quote>
- might result. On the other hand, in case of a crash, all
- pending meta-data operations can be quickly either
- rolled-back or completed from the logging area after the
- system comes up again, resulting in a fast filesystem
- startup.</para>
+ updates. Additionally, the complexity of the implementation
+ is limited, so the risk of bugs being present is low. A
+ disadvantage is that all meta-data is written twice, once
+ into the logging region and once to the proper location, so
+ performance <quote>pessimization</quote> might result. On
+ the other hand, in case of a crash, all pending meta-data
+ operations can be either quickly rolled back or completed
+ from the logging area after the system comes up again,
+ resulting in a fast file system startup.</para>
- <para>Kirk McKusick, the developer of Berkeley FFS, solved
- this problem with Soft Updates: all pending meta-data
- updates are kept in memory and written out to disk in a
- sorted sequence (<quote>ordered meta-data updates</quote>).
- This has the effect that, in case of heavy meta-data
- operations, later updates to an item <quote>catch</quote>
- the earlier ones if the earlier ones are still in memory and
- have not already been written to disk. So all operations
- on, say, a directory are generally performed in memory
- before the update is written to disk (the data blocks are
+ <para>Kirk McKusick, the developer of Berkeley
+ <acronym>FFS</acronym>, solved this problem with Soft
+ Updates. All pending meta-data updates are kept in memory
+ and written out to disk in a sorted sequence
+ (<quote>ordered meta-data updates</quote>). This has the
+ effect that, in case of heavy meta-data operations, later
+ updates to an item <quote>catch</quote> the earlier ones
+ which are still in memory and have not already been written
+ to disk. All operations are generally performed in memory
+ before the update is written to disk and the data blocks are
sorted according to their position so that they will not be
- on the disk ahead of their meta-data). If the system
- crashes, this causes an implicit <quote>log rewind</quote>:
- all operations which did not find their way to the disk
- appear as if they had never happened. A consistent
- filesystem state is maintained that appears to be the one of
- 30 to 60 seconds earlier. The algorithm used guarantees
- that all resources in use are marked as such in their
- appropriate bitmaps: blocks and inodes. After a crash, the
- only resource allocation error that occurs is that resources
- are marked as <quote>used</quote> which are actually
- <quote>free</quote>. &man.fsck.8; recognizes this situation,
- and frees the resources that are no longer used. It is safe
- to ignore the dirty state of the filesystem after a crash by
- forcibly mounting it with <command>mount -f</command>. In
- order to free resources that may be unused, &man.fsck.8;
- needs to be run at a later time. This is the idea behind
- the <emphasis>background fsck</emphasis>: at system startup
- time, only a <emphasis>snapshot</emphasis> of the filesystem
- is recorded. The <command>fsck</command> can be run later
- on. All file systems can then be mounted
+ on the disk ahead of their meta-data. If the system
+ crashes, an implicit <quote>log rewind</quote> causes all
+ operations which were not written to the disk appear as if
+ they never happened. A consistent file system state is
+ maintained that appears to be the one of 30 to 60 seconds
+ earlier. The algorithm used guarantees that all resources
+ in use are marked as such in their blocks and inodes.
+ After a crash, the only resource allocation error that
+ occurs is that resources are marked as <quote>used</quote>
+ which are actually <quote>free</quote>. &man.fsck.8;
+ recognizes this situation, and frees the resources that
+ are no longer used. It is safe to ignore the dirty state
+ of the file system after a crash by forcibly mounting it
+ with <command>mount -f</command>. In order to free
+ resources that may be unused, &man.fsck.8; needs to be run
+ at a later time. This is the idea behind the
+ <emphasis>background &man.fsck.8;</emphasis>: at system
+ startup time, only a <emphasis>snapshot</emphasis> of the
+ file system is recorded and &man.fsck.8; is run afterwards.
+ All file systems can then be mounted
<quote>dirty</quote>, so the system startup proceeds in
- multiuser mode. Then, background <command>fsck</command>s
- will be scheduled for all file systems where this is
- required, to free resources that may be unused. (File
- systems that do not use Soft Updates still need the usual
- foreground <command>fsck</command> though.)</para>
+ multi-user mode. Then, background &man.fsck.8; is
+ scheduled for all file systems where this is required, to
+ free resources that may be unused. File systems that do
+ not use Soft Updates still need the usual foreground
+ &man.fsck.8;.</para>
<para>The advantage is that meta-data operations are nearly
- as fast as asynchronous updates which are, faster than
+ as fast as asynchronous updates and are faster than
<emphasis>logging</emphasis>, which has to write the
meta-data twice. The disadvantages are the complexity of
- the code (implying a higher risk for bugs in an area that is
- highly sensitive regarding loss of user data), and a higher
- memory consumption. Additionally there are some
- idiosyncrasies one has to get used to. After a crash, the
- state of the filesystem appears to be somewhat
- <quote>older</quote>. In situations where the standard
- synchronous approach would have caused some zero-length
- files to remain after the <command>fsck</command>, these
- files do not exist at all with a Soft Updates filesystem
- because neither the meta-data nor the file contents have
- ever been written to disk. Disk space is not released until
+ the code, a higher memory consumption, and some
+ idiosyncrasies. After a crash, the state of the file
+ system appears to be somewhat <quote>older</quote>. In
+ situations where the standard synchronous approach would
+ have caused some zero-length files to remain after the
+ &man.fsck.8;, these files do not exist at all with Soft
+ Updates because neither the meta-data nor the file contents
+ have been written to disk. Disk space is not released until
the updates have been written to disk, which may take place
- some time after running <command>rm</command>. This may
- cause problems when installing large amounts of data on a
- filesystem that does not have enough free space to hold all
- the files twice.</para>
+ some time after running &man.rm.1;. This may cause problems
+ when installing large amounts of data on a file system
+ that does not have enough free space to hold all the files
+ twice.</para>
</sect3>
</sect2>
</sect1>
@@ -2337,13 +2321,13 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<primary><varname>kern.maxfiles</varname></primary>
</indexterm>
- <para><varname>kern.maxfiles</varname> can be raised or
- lowered based upon system requirements. This variable
- indicates the maximum number of file descriptors on the
- system. When the file descriptor table is full,
- <errorname>file: table is full</errorname> will show up
- repeatedly in the system message buffer, which can be viewed
- using <command>dmesg</command>.</para>
+ <para>The <varname>kern.maxfiles</varname> &man.sysctl.8;
+ variable can be raised or lowered based upon system
+ requirements. This variable indicates the maximum number
+ of file descriptors on the system. When the file descriptor
+ table is full, <errorname>file: table is full</errorname>
+ will show up repeatedly in the system message buffer, which
+ can be viewed using &man.dmesg.8;.</para>
<para>Each open file, socket, or fifo uses one file
descriptor. A large-scale production server may easily
@@ -2362,18 +2346,20 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
resources needed may be similar to a high-scale web
server.</para>
- <para>The variable <varname>kern.maxusers</varname> is
- automatically sized at boot based on the amount of memory
- available in the system, and may be determined at run-time
- by inspecting the value of the read-only
- <varname>kern.maxusers</varname> sysctl. Some sites will
- require larger or smaller values of
- <varname>kern.maxusers</varname> and may set it as a loader
- tunable; values of 64, 128, and 256 are not uncommon. Going
- above 256 is not recommended unless a huge number of file
- descriptors are needed. Many of the tunable values set to
- their defaults by <varname>kern.maxusers</varname> may be
- individually overridden at boot-time or run-time in
+ <para>The read-only &man.sysctl.8; variable
+ <varname>kern.maxusers</varname> is automatically sized at
+ boot based on the amount of memory available in the system,
+ and may be determined at run-time by inspecting the value
+ of <varname>kern.maxusers</varname>. Some systems require
+ larger or smaller values of
+ <varname>kern.maxusers</varname> and values of
+ <literal>64</literal>, <literal>128</literal>, and
+ <literal>256</literal> are not uncommon. Going above
+ <literal>256</literal> is not recommended unless a huge
+ number of file descriptors is needed. Many of the tunable
+ values set to their defaults by
+ <varname>kern.maxusers</varname> may be individually
+ overridden at boot-time or run-time in
<filename>/boot/loader.conf</filename>. Refer to
&man.loader.conf.5; and
<filename>/boot/defaults/loader.conf</filename> for more
@@ -2381,37 +2367,39 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<para>In older releases, the system will auto-tune
<literal>maxusers</literal> if it is set to
- <literal>0</literal>
+ <literal>0</literal>.
<footnote><para>The auto-tuning algorithm sets
<literal>maxusers</literal> equal to the amount of
- memory in the system, with a minimum of 32, and a
- maximum of 384.</para></footnote>. When setting this
- option, set <literal>maxusers</literal> to at least 4,
- especially if the system runs
- <application>Xorg</application> or is used to
+ memory in the system, with a minimum of
+ <literal>32</literal>, and a maximum of
+ <literal>384</literal>.</para></footnote>. When
+ setting this option, set <literal>maxusers</literal> to
+ at least <literal>4</literal>, especially if the system
+ runs <application>&xorg;</application> or is used to
compile software. The most important table set by
<literal>maxusers</literal> is the maximum number of
processes, which is set to
<literal>20 + 16 * maxusers</literal>. If
- <literal>maxusers</literal> is set to 1, there can only be
- 36 simultaneous processes, including the 18 or so that the
- system starts up at boot time and the 15 or so used by
- <application>Xorg</application>. Even a simple task like
+ <literal>maxusers</literal> is set to <literal>1</literal>,
+ there can only be
+ <literal>36</literal> simultaneous processes, including
+ the <literal>18</literal> or so that the system starts up
+ at boot time and the <literal>15</literal> or so used by
+ <application>&xorg;</application>. Even a simple task like
reading a manual page will start up nine processes to
filter, decompress, and view it. Setting
- <literal>maxusers</literal> to 64 allows up to 1044
- simultaneous processes, which should be enough for nearly
- all uses. If, however, you see the dreaded
- <errortype>proc table full</errortype> error when trying to
- start another program, or are running a server with a large
- number of simultaneous users (like
- <hostid role="fqdn">ftp.FreeBSD.org</hostid>), increase the
- number and rebuild.</para>
+ <literal>maxusers</literal> to <literal>64</literal> allows
+ up to <literal>1044</literal> simultaneous processes, which
+ should be enough for nearly all uses. If, however, the
+ <errortype>proc table full</errortype> error is displayed
+ when trying to start another program, or a server is
+ running with a large number of simultaneous users, increase
+ the number and rebuild.</para>
<note>
<para><literal>maxusers</literal> does
<emphasis>not</emphasis> limit the number of users which
- can log into your machine. It simply sets various table
+ can log into the machine. It instead sets various table
sizes to reasonable values considering the maximum number
of users on the system and how many processes each user
will be running.</para>
@@ -2425,19 +2413,19 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<primary><varname>kern.ipc.somaxconn</varname></primary>
</indexterm>
- <para>The <varname>kern.ipc.somaxconn</varname> sysctl
+ <para>The <varname>kern.ipc.somaxconn</varname> &man.sysctl.8;
variable limits the size of the listen queue for accepting
- new TCP connections. The default value of
- <literal>128</literal> is typically too low for robust
- handling of new connections in a heavily loaded web server
- environment. For such environments, it is recommended to
- increase this value to <literal>1024</literal> or higher.
- The service daemon may itself limit the listen queue size
- (e.g., &man.sendmail.8;, or
- <application>Apache</application>) but will often have a
- directive in its configuration file to adjust the queue
- size. Large listen queues also do a better job of avoiding
- Denial of Service (<abbrev>DoS</abbrev>) attacks.</para>
+ new <literal>TCP</literal> connections. The default value
+ of <literal>128</literal> is typically too low for robust
+ handling of new connections on a heavily loaded web server.
+ For such environments, it is recommended to increase this
+ value to <literal>1024</literal> or higher. A service
+ such as &man.sendmail.8;, or
+ <application>Apache</application> may itself limit the
+ listen queue size, but will often have a directive in its
+ configuration file to adjust the queue size. Large listen
+ queues do a better job of avoiding Denial of Service
+ (<acronym>DoS</acronym>) attacks.</para>
</sect3>
</sect2>
@@ -2447,22 +2435,26 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<para>The <literal>NMBCLUSTERS</literal> kernel configuration
option dictates the amount of network Mbufs available to the
system. A heavily-trafficked server with a low number of
- Mbufs will hinder &os;'s ability. Each cluster represents
- approximately 2 K of memory, so a value of 1024
- represents 2 megabytes of kernel memory reserved for network
- buffers. A simple calculation can be done to figure out how
- many are needed. A web server which maxes out at 1000
- simultaneous connections where each connection uses a
- 6 K receive and 16 K send buffer, requires
- approximately 32 MB worth of network buffers to cover the
- web server. A good rule of thumb is to multiply by 2, so
+ Mbufs will hinder performance. Each cluster represents
+ approximately 2 K of memory, so a value of
+ <literal>1024</literal> represents <literal>2</literal>
+ megabytes of kernel memory reserved for network buffers. A
+ simple calculation can be done to figure out how many are
+ needed. A web server which maxes out at
+ <literal>1000</literal> simultaneous connections where each
+ connection uses a 6 K receive and 16 K send buffer,
+ requires approximately 32 MB worth of network buffers
+ to cover the web server. A good rule of thumb is to multiply
+ by <literal>2</literal>, so
2x32 MB / 2 KB =
- 64 MB / 2 kB = 32768. Values between
- 4096 and 32768 are recommended for machines with greater
- amounts of memory. Under no circumstances should you specify
- an arbitrarily high value for this parameter as it could lead
- to a boot time crash. To observe network cluster usage, use
- <option>-m</option> with &man.netstat.1;.</para>
+ 64 MB / 2 kB =
+ <literal>32768</literal>. Values between
+ <literal>4096</literal> and <literal>32768</literal> are
+ recommended for machines with greater amounts of memory.
+ Never specify an arbitrarily high value for this parameter
+ as it could lead to a boot time crash. To observe network
+ cluster usage, use <option>-m</option> with
+ &man.netstat.1;.</para>
<para>The <varname>kern.ipc.nmbclusters</varname> loader tunable
should be used to tune this at boot time. Only older versions
@@ -2477,11 +2469,11 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
setting its value in <filename>/boot/loader.conf</filename>
(see &man.loader.8; for details). A common indicator that
this parameter needs to be adjusted is when processes are seen
- in the <literal>sfbufa</literal> state. The sysctl variable
- <varname>kern.ipc.nsfbufs</varname> is a read-only glimpse at
- the kernel configured variable. This parameter nominally
- scales with <varname>kern.maxusers</varname>, however it may
- be necessary to tune accordingly.</para>
+ in the <literal>sfbufa</literal> state. The &man.sysctl.8;
+ variable <varname>kern.ipc.nsfbufs</varname> is read-only.
+ This parameter nominally scales with
+ <varname>kern.maxusers</varname>, however it may be necessary
+ to tune accordingly.</para>
<important>
<para>Even though a socket has been marked as non-blocking,
@@ -2498,82 +2490,90 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<primary>net.inet.ip.portrange.*</primary>
</indexterm>
- <para>The <varname>net.inet.ip.portrange.*</varname> sysctl
+ <para>The <varname>net.inet.ip.portrange.*</varname>
+ &man.sysctl.8;
variables control the port number ranges automatically bound
- to TCP and UDP sockets. There are three ranges: a low
- range, a default range, and a high range. Most network
- programs use the default range which is controlled by the
+ to <literal>TCP</literal> and <literal>UDP</literal>
+ sockets. There are three ranges: a low range, a default
+ range, and a high range. Most network programs use the
+ default range which is controlled by
<varname>net.inet.ip.portrange.first</varname> and
<varname>net.inet.ip.portrange.last</varname>, which default
- to 1024 and 5000, respectively. Bound port ranges are used
- for outgoing connections, and it is possible to run the
- system out of ports under certain circumstances. This most
- commonly occurs when running a heavily loaded web proxy.
- The port range is not an issue when running servers which
- handle mainly incoming connections, such as a normal web
- server, or has a limited number of outgoing connections,
- such as a mail relay. For situations where there is a
- shortage of ports, it is recommended to increase
+ to <literal>1024</literal> and <literal>5000</literal>,
+ respectively. Bound port ranges are used for outgoing
+ connections and it is possible to run the system out of
+ ports under certain circumstances. This most commonly
+ occurs when running a heavily loaded web proxy. The port
+ range is not an issue when running a server which handles
+ mainly incoming connections, such as a web server, or has
+ a limited number of outgoing connections, such as a mail
+ relay. For situations where there is a shortage of ports,
+ it is recommended to increase
<varname>net.inet.ip.portrange.last</varname> modestly. A
value of <literal>10000</literal>, <literal>20000</literal>
or <literal>30000</literal> may be reasonable. Consider
firewall effects when changing the port range. Some
- firewalls may block large ranges of ports (usually
- low-numbered ports) and expect systems to use higher ranges
- of ports for outgoing connections — for this reason it
- is not recommended that
+ firewalls may block large ranges of ports, usually
+ low-numbered ports, and expect systems to use higher ranges
+ of ports for outgoing connections. For this reason, it
+ is not recommended that the value of
<varname>net.inet.ip.portrange.first</varname> be
lowered.</para>
</sect3>
<sect3>
- <title>TCP Bandwidth Delay Product</title>
+ <title><literal>TCP</literal> Bandwidth Delay Product</title>
<indexterm>
- <primary>TCP Bandwidth Delay Product Limiting</primary>
+ <primary><literal>TCP</literal> Bandwidth Delay Product
+ Limiting</primary>
<secondary><varname>net.inet.tcp.inflight.enable</varname></secondary>
</indexterm>
- <para>The TCP Bandwidth Delay Product Limiting is similar to
- TCP/Vegas in NetBSD. It can be enabled by setting
- <varname>net.inet.tcp.inflight.enable</varname> sysctl
- variable to <literal>1</literal>. The system will attempt
- to calculate the bandwidth delay product for each connection
- and limit the amount of data queued to the network to just
- the amount required to maintain optimum throughput.</para>
+ <para><literal>TCP</literal> bandwidth delay product limiting
+ can be enabled by setting the
+ <varname>net.inet.tcp.inflight.enable</varname>
+ &man.sysctl.8; variable to <literal>1</literal>. This
+ instructs the system to attempt to calculate the bandwidth
+ delay product for each connection and limit the amount of
+ data queued to the network to just the amount required to
+ maintain optimum throughput.</para>
<para>This feature is useful when serving data over modems,
- Gigabit Ethernet, or even high speed WAN links (or any other
- link with a high bandwidth delay product), especially when
- also using window scaling or when a large send window has
- been configured. When enabling this option, also be sure to
- set <varname>net.inet.tcp.inflight.debug</varname> to
- <literal>0</literal> (disable debugging), and for production
- use setting <varname>net.inet.tcp.inflight.min</varname> to
- at least <literal>6144</literal> may be beneficial.
- However, note that setting high minimums may effectively
- disable bandwidth limiting depending on the link. The
- limiting feature reduces the amount of data built up in
- intermediate route and switch packet queues and reduces the
- amount of data built up in the local host's interface queue.
- With fewer queued packets, interactive connections,
- especially over slow modems, will operate with lower
+ Gigabit Ethernet, high speed <literal>WAN</literal> links,
+ or any other link with a high bandwidth delay product,
+ especially when also using window scaling or when a large
+ send window has been configured. When enabling this option,
+ also set <varname>net.inet.tcp.inflight.debug</varname> to
+ <literal>0</literal> to disable debugging. For production
+ use, setting <varname>net.inet.tcp.inflight.min</varname>
+ to at least <literal>6144</literal> may be beneficial.
+ Setting high minimums may effectively disable bandwidth
+ limiting, depending on the link. The limiting feature
+ reduces the amount of data built up in intermediate route
+ and switch packet queues and reduces the amount of data
+ built up in the local host's interface queue. With fewer
+ queued packets, interactive connections, especially over
+ slow modems, will operate with lower
<emphasis>Round Trip Times</emphasis>. This feature only
- effects server side data transmission such as uploading. It
- has no effect on data reception or downloading.</para>
+ effects server side data transmission such as uploading.
+ It has no effect on data reception or downloading.</para>
<para>Adjusting <varname>net.inet.tcp.inflight.stab</varname>
is <emphasis>not</emphasis> recommended. This parameter
- defaults to 20, representing 2 maximal packets added to the
- bandwidth delay product window calculation. The additional
- window is required to stabilize the algorithm and improve
- responsiveness to changing conditions, but it can also
- result in higher ping times over slow links, though still
- much lower than without the inflight algorithm. In such
- cases, try reducing this parameter to 15, 10, or 5; and
- reducing <varname>net.inet.tcp.inflight.min</varname> (for
- example, to 3500) to get the desired effect. Reducing these
- parameters should be done as a last resort only.</para>
+ defaults to <literal>20</literal>, representing 2 maximal
+ packets added to the bandwidth delay product window
+ calculation. The additional window is required to stabilize
+ the algorithm and improve responsiveness to changing
+ conditions, but it can also result in higher &man.ping.8;
+ times over slow links, though still much lower than without
+ the inflight algorithm. In such cases, try reducing this
+ parameter to <literal>15</literal>,
+ <literal>10</literal>, or <literal>5</literal> and
+ reducing <varname>net.inet.tcp.inflight.min</varname>
+ to a value such as <literal>3500</literal> to get the
+ desired effect. Reducing these parameters should be done
+ as a last resort only.</para>
</sect3>
</sect2>
@@ -2584,13 +2584,14 @@ device_probe_and_attach: cbb0 attach returned 12</screen>
<title><varname>kern.maxvnodes</varname></title>
<para>A vnode is the internal representation of a file or
- directory. So increasing the number of vnodes available to
- the operating system cuts down on disk I/O. Normally this
- is handled by the operating system and does not need to be
+ directory. Increasing the number of vnodes available to
+ the operating system reduces disk I/O. Normally, this is
+ handled by the operating system and does not need to be
changed. In some cases where disk I/O is a bottleneck and
- the system is running out of vnodes, this setting will need
- to be increased. The amount of inactive and free RAM will
- need to be taken into account.</para>
+ the system is running out of vnodes, this setting needs
+ to be increased. The amount of inactive and free
+ <acronym>RAM</acronym> will need to be taken into
+ account.</para>
<para>To see the current number of vnodes in use:</para>
@@ -2602,14 +2603,14 @@ vfs.numvnodes: 91349</screen>
<screen>&prompt.root; <userinput>sysctl kern.maxvnodes</userinput>
kern.maxvnodes: 100000</screen>
- <para>If the current vnode usage is near the maximum,
+ <para>If the current vnode usage is near the maximum, try
increasing <varname>kern.maxvnodes</varname> by a value of
- 1,000 is probably a good idea. Keep an eye on the number of
+ <literal>1000</literal>. Keep an eye on the number of
<varname>vfs.numvnodes</varname>. If it climbs up to the
maximum again, <varname>kern.maxvnodes</varname> will need
- to be increased further. A shift in your memory usage as
- reported by &man.top.1; should be visible. More memory
- should be active.</para>
+ to be increased further. Otherwise, a shift in memory
+ usage as reported by &man.top.1; should be visible and
+ more memory should be active.</para>
</sect3>
</sect2>
</sect1>
@@ -2617,24 +2618,23 @@ kern.maxvnodes: 100000</screen>
<sect1 id="adding-swap-space">
<title>Adding Swap Space</title>
- <para>Despite careful planning, sometimes a system does not run
- as expected. If more swap space is needed, it is simple enough
- to add. There are three ways to increase swap space: add a new
- hard drive, enable swap over NFS, or create a swap file on an
- existing partition.</para>
+ <para>Sometimes a system requires more swap space. There are
+ three ways to increase swap space: add a new hard drive,
+ enable swap over <literal>NFS</literal>, or create a swap file
+ on an existing partition.</para>
- <para>For information on how to encrypt swap space, what options
- for this task exist and why it should be done, refer to
- <xref linkend="swap-encrypting"/> of the Handbook.</para>
+ <para>For information on how to encrypt swap space, which options
+ exist, and why it should be done, refer to <xref
+ linkend="swap-encrypting"/>.</para>
<sect2 id="new-drive-swap">
<title>Swap on a New or Existing Hard Drive</title>
<para>Adding a new hard drive for swap gives better performance
than adding a partition on an existing drive. Setting up
- partitions and hard drives is explained in
- <xref linkend="disks-adding"/>.
- <xref linkend="configtuning-initial"/> discusses partition
+ partitions and hard drives is explained in <xref
+ linkend="disks-adding"/> while <xref
+ linkend="configtuning-initial"/> discusses partition
layouts and swap partition size considerations.</para>
<para>Use &man.swapon.8; to add a swap partition to the system.
@@ -2653,8 +2653,7 @@ kern.maxvnodes: 100000</screen>
</warning>
<para>To automatically add this swap partition on boot, add an
- entry to <filename>/etc/fstab</filename> for the
- partition:</para>
+ entry to <filename>/etc/fstab</filename>:</para>
<programlisting><replaceable>/dev/ada1s1b</replaceable> none swap sw 0 0</programlisting>
@@ -2663,19 +2662,20 @@ kern.maxvnodes: 100000</screen>
</sect2>
<sect2 id="nfs-swap">
- <title>Swapping over NFS</title>
+ <title>Swapping over <literal>NFS</literal></title>
- <para>Swapping over NFS is only recommended if you do not have a
- local hard disk to swap to; NFS swapping will be limited by
- the available network bandwidth and puts an additional burden
- on the NFS server.</para>
+ <para>Swapping over <literal>NFS</literal> is only recommended
+ when there is no local hard disk to swap to.
+ <literal>NFS</literal> swapping will be limited by the
+ available network bandwidth and puts an additional burden
+ on &man.nfsd.8;.</para>
</sect2>
<sect2 id="create-swapfile">
<title>Swapfiles</title>
- <para>You can create a file of a specified size to use as a swap
- file. The following example will create a 64MB file named
+ <para>To create a swap file, specify its size. The following
+ example creates a 64MB file named
<filename>/usr/swap0</filename>.</para>
<example>
@@ -2686,8 +2686,8 @@ kern.maxvnodes: 100000</screen>
<para>The <filename>GENERIC</filename> kernel already
includes the memory disk driver (&man.md.4;) required
- for this operation. When building a custom kernel, make
- sure to include the following line in the custom
+ for this operation. When building a custom kernel,
+ make sure to include the following line in the custom
configuration file:</para>
<programlisting>device md</programlisting>
@@ -2697,15 +2697,15 @@ kern.maxvnodes: 100000</screen>
</listitem>
<listitem>
- <para>Create a swapfile
- (<filename>/usr/swap0</filename>):</para>
+ <para>First, create the swapfile
+ <filename>/usr/swap0</filename>:</para>
<screen>&prompt.root; <userinput>dd if=/dev/zero of=/usr/swap0 bs=1024k count=64</userinput></screen>
</listitem>
<listitem>
- <para>Set proper permissions on
- (<filename>/usr/swap0</filename>):</para>
+ <para>Then, set proper permissions on
+ <filename>/usr/swap0</filename>:</para>
<screen>&prompt.root; <userinput>chmod 0600 /usr/swap0</userinput></screen>
</listitem>
@@ -2718,7 +2718,7 @@ kern.maxvnodes: 100000</screen>
</listitem>
<listitem>
- <para>Reboot the machine or to enable the swap file
+ <para>Reboot the machine or, to enable the swap file
immediately, type:</para>
<screen>&prompt.root; <userinput>mdconfig -a -t vnode -f /usr/swap0 -u 0 && swapon /dev/md0</userinput></screen>
@@ -2753,10 +2753,9 @@ kern.maxvnodes: 100000</screen>
was managed by the <acronym>BIOS</acronym> and the user had less
control and visibility into the power management settings. Some
limited configurability was available via <emphasis>Advanced
- Power Management (APM)</emphasis>. Power and resource
- management is one of the key components of a modern operating
- system. It allows the operating system to monitor system
- limits and to possibly provide an alert if the system
+ Power Management (<acronym>APM</acronym>)</emphasis>. Power
+ and resource management allows the operating system to monitor
+ system limits and to possibly provide an alert if the system
temperature increases unexpectedly.</para>
<para>This section provides comprehensive information about
@@ -2787,83 +2786,90 @@ kern.maxvnodes: 100000</screen>
</sect2>
<sect2 id="acpi-old-spec">
- <title>Shortcomings of Advanced Power Management (APM)</title>
+ <title>Shortcomings of Advanced Power Management</title>
<para>The <acronym>APM</acronym> facility controls the power
- usage of a system based on its activity. The APM BIOS is
- supplied by the (system) vendor and is specific to the
- hardware platform. An APM driver in the operating system
- mediates access to the <emphasis>APM Software
- Interface</emphasis>, which allows management of power
- levels. APM should still be used for systems manufactured at
- or before the year 2000.</para>
+ usage of a system based on its activity. The
+ <acronym>APM</acronym> <acronym>BIOS</acronym> is supplied
+ by the vendor and is specific to the hardware platform. An
+ <acronym>APM</acronym> driver in the operating system
+ mediates access to the <emphasis><acronym>APM</acronym>
+ Software Interface</emphasis>, which allows management of
+ power levels. <acronym>APM</acronym> should still be used
+ for systems manufactured at or before the year 2000.</para>
- <para>There are four major problems in APM. Firstly, power
- management is done by the (vendor-specific) BIOS, and the OS
- does not have any knowledge of it. One example of this, is
- when the user sets idle-time values for a hard drive in the
- APM BIOS, that when exceeded, it (BIOS) would spin down the
- hard drive, without the consent of the OS. Secondly, the APM
- logic is embedded in the BIOS, and it operates outside the
- scope of the OS. This means users can only fix problems in
- their APM BIOS by flashing a new one into the ROM; which is a
- very dangerous procedure with the potential to leave the
- system in an unrecoverable state if it fails. Thirdly, APM is
- a vendor-specific technology, which means that there is a lot
- of parity (duplication of efforts) and bugs found in one
- vendor's BIOS, may not be solved in others. Last but not the
- least, the APM BIOS did not have enough room to implement a
- sophisticated power policy, or one that can adapt very well to
- the purpose of the machine.</para>
+ <para>There are four major problems in <acronym>APM</acronym>.
+ First, power management is done by the vendor-specific
+ <acronym>BIOS</acronym>, separate from the operating system.
+ For example, the user can set idle-time values for a hard
+ drive in the <acronym>APM</acronym> <acronym>BIOS</acronym>
+ so that, when exceeded, the <acronym>BIOS</acronym> spins
+ down the hard drive without the consent of the operating
+ system. Second, the <acronym>APM</acronym> logic is embedded
+ in the <acronym>BIOS</acronym>, and it operates outside the
+ scope of the operating system. This means that users can
+ only fix problems in the <acronym>APM</acronym>
+ <acronym>BIOS</acronym> by flashing a new one into the
+ <acronym>ROM</acronym>, which is a dangerous procedure with
+ the potential to leave the system in an unrecoverable state
+ if it fails. Third, <acronym>APM</acronym> is a
+ vendor-specific technology, meaning that there is a lot of
+ duplication of efforts and bugs found in one vendor's
+ <acronym>BIOS</acronym> may not be solved in others. Lastly,
+ the <acronym>APM</acronym> <acronym>BIOS</acronym> did not
+ have enough room to implement a sophisticated power policy
+ or one that can adapt well to the purpose of the
+ machine.</para>
- <para><emphasis>Plug and Play BIOS (PNPBIOS)</emphasis> was
- unreliable in many situations. PNPBIOS is 16-bit technology,
- so the OS has to use 16-bit emulation in order to
- <quote>interface</quote> with PNPBIOS methods.</para>
+ <para>The <emphasis>Plug and Play <acronym>BIOS</acronym>
+ (<acronym>PNPBIOS</acronym>)</emphasis> was unreliable in
+ many situations. <acronym>PNPBIOS</acronym> is 16-bit
+ technology, so the operating system has to use 16-bit
+ emulation in order to interface with
+ <acronym>PNPBIOS</acronym> methods.</para>
<para>The &os; <acronym>APM</acronym> driver is documented in
- the &man.apm.4; manual page.</para>
+ &man.apm.4;.</para>
</sect2>
<sect2 id="acpi-config">
<title>Configuring <acronym>ACPI</acronym></title>
- <para>The <filename>acpi.ko</filename> driver is loaded by
- default at start up by the &man.loader.8; and should
+ <para>The &man.acpi.4; driver is loaded by default at start
+ up by &man.loader.8; and should
<emphasis>not</emphasis> be compiled into the kernel. The
- reasoning behind this is that modules are easier to work with,
- say if switching to another <filename>acpi.ko</filename>
- without doing a kernel rebuild. This has the advantage of
- making testing easier. Another reason is that starting
+ reasoning is that modules are easier to work with and do not
+ require a kernel rebuild. This has the advantage of making
+ testing easier. Another reason is that starting
<acronym>ACPI</acronym> after a system has been brought up
- often does not work well. If you are experiencing problems,
+ often does not work well. If experiencing problems,
<acronym>ACPI</acronym> can be disabled altogether. This
driver should not and can not be unloaded because the system
bus uses it for various hardware interactions.
- <acronym>ACPI</acronym> can be disabled by setting
- <literal>hint.acpi.0.disabled="1"</literal> in
- <filename>/boot/loader.conf</filename> or at the
- &man.loader.8; prompt.</para>
+ <acronym>ACPI</acronym> can be disabled by rebooting after
+ setting <literal>hint.acpi.0.disabled="1"</literal> in
+ <filename>/boot/loader.conf</filename> or by setting this
+ variable at the &man.loader.8; prompt.</para>
<note>
<para><acronym>ACPI</acronym> and <acronym>APM</acronym>
cannot coexist and should be used separately. The last one
- to load will terminate if the driver notices the other
+ to load will terminate if the driver notices the other is
running.</para>
</note>
<para><acronym>ACPI</acronym> can be used to put the system into
a sleep mode with &man.acpiconf.8;, the <option>-s</option>
- flag, and a <literal>1-5</literal> option. Most users will
- only need <literal>1</literal> or <literal>3</literal>
- (suspend to RAM). Option <literal>5</literal> will do a
- soft-off which is the same action as:</para>
+ flag, and a <literal>1-5</literal> option. Most users
+ only need <literal>1</literal> (quick suspend to
+ <acronym>RAM</acronym>) or <literal>3</literal> (suspend to
+ <acronym>RAM</acronym>). Option <literal>5</literal> performs
+ a soft-off which is the same action as:</para>
<screen>&prompt.root; <userinput>halt -p</userinput></screen>
- <para>Other options are available via &man.sysctl.8;. Check out
- the &man.acpi.4; and &man.acpiconf.8; manual pages for more
- information.</para>
+ <para>Other options are available via &man.sysctl.8;. Refer to
+ &man.acpi.4; and &man.acpiconf.8; for more information.</para>
</sect2>
</sect1>
@@ -2909,16 +2915,16 @@ kern.maxvnodes: 100000</screen>
<para>This section is intended to help users assist the &os;
<acronym>ACPI</acronym> maintainers in identifying the root
- cause of problems you observe and debugging and developing a
+ cause of problems and in debugging and developing a
solution.</para>
<sect2 id="ACPI-submitdebug">
<title>Submitting Debugging Information</title>
<note>
- <para>Before submitting a problem, be sure you are running the
- latest <acronym>BIOS</acronym> version and, if available,
- embedded controller firmware version.</para>
+ <para>Before submitting a problem, ensure the latest
+ <acronym>BIOS</acronym> version is installed and, if
+ available, the embedded controller firmware version.</para>
</note>
<para>When submitting a problem, send the following information
@@ -2934,45 +2940,44 @@ kern.maxvnodes: 100000</screen>
</listitem>
<listitem>
- <para>The &man.dmesg.8; output after
+ <para>The output of &man.dmesg.8; after running
<command>boot -v</command>, including any error messages
generated by the bug.</para>
</listitem>
<listitem>
- <para>The &man.dmesg.8; output from
- <command>boot -v</command> with <acronym>ACPI</acronym>
- disabled, if disabling it helps fix the problem.</para>
+ <para>The &man.dmesg.8; output from <command>boot
+ -v</command> with <acronym>ACPI</acronym> disabled,
+ if disabling it helps to fix the problem.</para>
</listitem>
<listitem>
<para>Output from <command>sysctl hw.acpi</command>. This
- is also a good way of figuring out what features the
- system offers.</para>
+ lists which features the system offers.</para>
</listitem>
<listitem>
- <para><acronym>URL</acronym> where the
+ <para>The <acronym>URL</acronym> to a pasted version of the
<firstterm><acronym>ACPI</acronym> Source
- Language</firstterm> (<acronym>ASL</acronym>) can be
- found. Do <emphasis>not</emphasis> send the
+ Language</firstterm> (<acronym>ASL</acronym>). Do
+ <emphasis>not</emphasis> send the
<acronym>ASL</acronym> directly to the list as it can be
very large. Generate a copy of the
<acronym>ASL</acronym> by running this command:</para>
<screen>&prompt.root; <userinput>acpidump -dt > <replaceable>name</replaceable>-<replaceable>system</replaceable>.asl</userinput></screen>
- <para>(Substitute your login name for
+ <para>Substitute the login name for
<replaceable>name</replaceable> and manufacturer/model for
- <replaceable>system</replaceable>. Example:
- <filename>njl-FooCo6000.asl</filename>)</para>
+ <replaceable>system</replaceable>. For example, use
+ <filename>njl-FooCo6000.asl</filename>.</para>
</listitem>
</itemizedlist>
<para>Most &os; developers watch &a.current;, but one should
- submit problems to &a.acpi.name; to be sure it is
- seen. Be patient when waiting for a response. If the bug is
- not immediately apparent, you may be asked to submit a
+ submit problems to &a.acpi.name; to be sure it is seen. Be
+ patient when waiting for a response. If the bug is not
+ immediately apparent, submit a
<acronym>PR</acronym> using &man.send-pr.1;. When entering a
<acronym>PR</acronym>, include the same information as
requested above. This helps developers to track the problem
@@ -2985,7 +2990,7 @@ kern.maxvnodes: 100000</screen>
<title>Background</title>
<indexterm>
- <primary>ACPI</primary>
+ <primary><acronym>ACPI</acronym></primary>
</indexterm>
<para><acronym>ACPI</acronym> is present in all modern computers
@@ -2995,33 +3000,32 @@ kern.maxvnodes: 100000</screen>
planes control, thermal zones, various battery systems,
embedded controllers, and bus enumeration. Most systems
implement less than the full standard. For instance, a
- desktop system usually only implements the bus enumeration
- parts while a laptop might have cooling and battery management
+ desktop system usually only implements bus enumeration
+ while a laptop might have cooling and battery management
support as well. Laptops also have suspend and resume, with
their own associated complexity.</para>
<para>An <acronym>ACPI</acronym>-compliant system has various
components. The <acronym>BIOS</acronym> and chipset vendors
- provide various fixed tables (e.g., <acronym>FADT</acronym>)
+ provide various fixed tables, such as <acronym>FADT</acronym>,
in memory that specify things like the <acronym>APIC</acronym>
map (used for <acronym>SMP</acronym>), config registers, and
- simple configuration values. Additionally, a table of
- bytecode (the <firstterm>Differentiated System Description
- Table</firstterm> <acronym>DSDT</acronym>) is provided that
- specifies a tree-like name space of devices and
- methods.</para>
+ simple configuration values. Additionally, a bytecode table,
+ the <firstterm>Differentiated System Description
+ Table</firstterm> <acronym>DSDT</acronym>, specifies a
+ tree-like name space of devices and methods.</para>
<para>The <acronym>ACPI</acronym> driver must parse the fixed
tables, implement an interpreter for the bytecode, and modify
device drivers and the kernel to accept information from the
<acronym>ACPI</acronym> subsystem. For &os;, &intel; has
provided an interpreter (<acronym>ACPI-CA</acronym>) that is
- shared with Linux and NetBSD. The path to the
+ shared with &linux; and NetBSD. The path to the
<acronym>ACPI-CA</acronym> source code is <filename
class="directory">src/sys/contrib/dev/acpica</filename>.
The glue code that allows <acronym>ACPI-CA</acronym> to work
- on &os; is in
- <filename class="directory">src/sys/dev/acpica/Osd</filename>.
+ on &os; is in <filename
+ class="directory">src/sys/dev/acpica/Osd</filename>.
Finally, drivers that implement various
<acronym>ACPI</acronym> devices are found in <filename
class="directory">src/sys/dev/acpica</filename>.</para>
@@ -3046,8 +3050,8 @@ kern.maxvnodes: 100000</screen>
<para>In some cases, resuming from a suspend operation will
cause the mouse to fail. A known work around is to add
<literal>hint.psm.0.flags="0x3000"</literal> to
- <filename>/boot/loader.conf</filename>. If this does
- not work, consider sending a bug report using
+ <filename>/boot/loader.conf</filename>. If this does not
+ work, consider sending a bug report using
&man.send-pr.1;.</para>
</sect3>
@@ -3061,9 +3065,9 @@ kern.maxvnodes: 100000</screen>
<literal>S4</literal>. <literal>S5</literal> is
<quote>soft off</quote> and is the normal state the system
is in when plugged in but not powered up.
- <literal>S4</literal> can actually be implemented two
- separate ways. <literal>S4</literal><acronym>BIOS</acronym>
- is a <acronym>BIOS</acronym>-assisted suspend to disk.
+ <literal>S4</literal> can be implemented in two separate
+ ways. <literal>S4</literal><acronym>BIOS</acronym> is a
+ <acronym>BIOS</acronym>-assisted suspend to disk.
<literal>S4</literal><acronym>OS</acronym> is implemented
entirely by the operating system.</para>
@@ -3085,13 +3089,13 @@ hw.acpi.s4bios: 0</screen>
<para>When testing suspend/resume, start with
<literal>S1</literal>, if supported. This state is most
likely to work since it does not require much driver
- support. No one has implemented <literal>S2</literal> which
- is similar to <literal>S1</literal>. The next thing to try
- is <literal>S3</literal>. This is the deepest
+ support. No one has implemented <literal>S2</literal>,
+ which is similar to <literal>S1</literal>. Next, try
+ <literal>S3</literal>. This is the deepest
<acronym>STR</acronym> state and requires a lot of driver
- support to properly reinitialize the hardware. If you have
- problems resuming, feel free to email &a.acpi.name;, but do
- not expect the problem to be resolved since there are a lot
+ support to properly reinitialize the hardware. If there are
+ problems resuming, email &a.acpi.name;. However, the
+ problem may not be resolved quickly since due to the amount
of drivers and hardware that need more testing and
work.</para>
@@ -3104,70 +3108,67 @@ hw.acpi.s4bios: 0</screen>
&prompt.root; <userinput>sysctl debug.acpi.suspend_bounce=1</userinput>
&prompt.root; <userinput>acpiconf -s 3</userinput></screen>
- <para>This test emulates suspend/resume cycle of all device
- drivers without actually going into <literal>S3</literal>
- state. In some cases, problems such as losing firmware
- state, device watchdog time out, and retrying forever, can
- be captured with this method. Note that the system will
- not really enter <literal>S3</literal> state, which means
- devices may not lose power, and many will work fine even if
- suspend/resume methods are totally missing, unlike real
- <literal>S3</literal> state.</para>
+ <para>This test emulates the suspend/resume cycle of all
+ device drivers without actually going into
+ <literal>S3</literal> state. In some cases, problems such
+ as losing firmware state, device watchdog time out, and
+ retrying forever, can be captured with this method. Note
+ that the system will not really enter <literal>S3</literal>
+ state, which means devices may not lose power, and many
+ will work fine even if suspend/resume methods are totally
+ missing, unlike real <literal>S3</literal> state.</para>
<para>Harder cases require additional hardware, such as a
- serial port/cable for serial console or a Firewire
- port/cable for &man.dcons.4;, and kernel debugging
- skills.</para>
+ serial port and cable for debugging through a serial
+ console, a Firewire port and cable for using &man.dcons.4;,
+ and kernel debugging skills.</para>
- <para>To help isolate the problem, remove as many drivers from
- the kernel as possible. If it works, narrow down which
+ <para>To help isolate the problem, remove as many drivers
+ from the kernel as possible. If it works, narrow down which
driver is the problem by loading drivers until it fails
- again. Typically binary drivers like
+ again. Typically, binary drivers like
<filename>nvidia.ko</filename>, display drivers, and
<acronym>USB</acronym> will have the most problems while
- Ethernet interfaces usually work fine. If you can properly
- load/unload the drivers, automate this by putting the
+ Ethernet interfaces usually work fine. If drivers can be
+ properly loaded and unloaded, automate this by putting the
appropriate commands in
<filename>/etc/rc.suspend</filename> and
- <filename>/etc/rc.resume</filename>. There is a
- commented-out example for unloading and loading a driver.
- Try setting <option>hw.acpi.reset_video</option> to zero
- (<literal>0</literal>) if the display is messed up after
+ <filename>/etc/rc.resume</filename>.
+ Try setting <option>hw.acpi.reset_video</option> to
+ <literal>0</literal> if the display is messed up after
resume. Try setting longer or shorter values for
<option>hw.acpi.sleep_delay</option> to see if that
helps.</para>
- <para>Another thing to try is load a recent Linux distribution
- with <acronym>ACPI</acronym> support and test their
- suspend/resume support on the same hardware. If it works on
- Linux, it is likely a &os; driver problem and narrowing down
- which driver causes the problems will help us fix the
- problem. Note that the <acronym>ACPI</acronym> maintainers
- do not usually maintain other drivers, such as sound or
- <acronym>ATA</acronym>, so any work done on tracking
- down a driver problem should probably eventually be posted
- to the &a.current.name; list and mailed to the driver
- maintainer. Advanced users can start by putting some
- debugging &man.printf.3;s in a problematic driver to track
- down where in its resume function it hangs.</para>
+ <para>Try loading a recent &linux; distribution to see if
+ suspend/resume works on the same hardware. If it works on
+ &linux;, it is likely a &os; driver problem. Narrowing down
+ which driver causes the problem will assist developers in
+ fixing the problem. Since the <acronym>ACPI</acronym>
+ maintainers rarely maintain other drivers, such as sound
+ or <acronym>ATA</acronym>, any driver problems should also
+ be posted to the &a.current.name; list and mailed to the
+ driver maintainer. Advanced users can include debugging
+ &man.printf.3;s in a problematic driver to track down where
+ in its resume function it hangs.</para>
<para>Finally, try disabling <acronym>ACPI</acronym> and
enabling <acronym>APM</acronym> instead. If suspend/resume
- works with <acronym>APM</acronym>, you may be better off
- sticking with <acronym>APM</acronym>, especially on older
- hardware (pre-2000). It took vendors a while to get
+ works with <acronym>APM</acronym>, stick with
+ <acronym>APM</acronym>, especially on older hardware
+ (pre-2000). It took vendors a while to get
<acronym>ACPI</acronym> support correct and older hardware
is more likely to have <acronym>BIOS</acronym> problems with
<acronym>ACPI</acronym>.</para>
</sect3>
<sect3>
- <title>System Hangs (Temporary or Permanent)</title>
+ <title>System Hangs</title>
<para>Most system hangs are a result of lost interrupts or an
- interrupt storm. Chipsets have a lot of problems based on
+ interrupt storm. Chipsets may have problems based on boot,
how the <acronym>BIOS</acronym> configures interrupts before
- boot, correctness of the <acronym>APIC</acronym>
+ correctness of the <acronym>APIC</acronym>
(<acronym>MADT</acronym>) table, and routing of the
<firstterm>System Control Interrupt</firstterm>
(<acronym>SCI</acronym>).</para>
@@ -3178,7 +3179,6 @@ hw.acpi.s4bios: 0</screen>
<para>Interrupt storms can be distinguished from lost
interrupts by checking the output of
-
<command>vmstat -i</command> and looking at the line that
has <literal>acpi0</literal>. If the counter is increasing
at more than a couple per second, there is an interrupt
@@ -3195,10 +3195,10 @@ hw.acpi.s4bios: 0</screen>
<secondary>disabling</secondary>
</indexterm>
- <para>When dealing with interrupt problems try disabling
+ <para>When dealing with interrupt problems, try disabling
<acronym>APIC</acronym> support with
<literal>hint.apic.0.disabled="1"</literal> in
- <filename>loader.conf</filename>.</para>
+ <filename>/boot/loader.conf</filename>.</para>
</sect3>
<sect3>
@@ -3206,14 +3206,14 @@ hw.acpi.s4bios: 0</screen>
<para>Panics are relatively rare for <acronym>ACPI</acronym>
and are the top priority to be fixed. The first step is to
- isolate the steps to reproduce the panic (if possible) and
+ isolate the steps to reproduce the panic, if possible, and
get a backtrace. Follow the advice for enabling
<literal>options DDB</literal> and setting up a serial
- console (see <xref linkend="serialconsole-ddb"/>) or setting
+ console in <xref linkend="serialconsole-ddb"/> or setting
up a &man.dump.8; partition. To get a backtrace in
<acronym>DDB</acronym>, use <literal>tr</literal>. When
- handwriting the backtrace, get at least the lowest five (5)
- and top five (5) lines in the trace.</para>
+ handwriting the backtrace, get at least the last five
+ and the top five lines in the trace.</para>
<para>Then, try to isolate the problem by booting with
<acronym>ACPI</acronym> disabled. If that works, isolate
@@ -3226,8 +3226,8 @@ hw.acpi.s4bios: 0</screen>
<title>System Powers Up After Suspend or Shutdown</title>
<para>First, try setting
- <literal>hw.acpi.disable_on_poweroff="0"</literal>
- in &man.loader.conf.5;. This keeps <acronym>ACPI</acronym>
+ <literal>hw.acpi.disable_on_poweroff="0"</literal> in
+ &man.loader.conf.5;. This keeps <acronym>ACPI</acronym>
from disabling various events during the shutdown process.
Some systems need this value set to <literal>1</literal>
(the default) for the same reason. This usually fixes the
@@ -3238,9 +3238,9 @@ hw.acpi.s4bios: 0</screen>
<sect3>
<title>Other Problems</title>
- <para>For other problems with <acronym>ACPI</acronym> such as
+ <para>For other problems with <acronym>ACPI</acronym>, such as
it not working with a docking station or devices not being
- detected, email a description to the mailing list. Some
+ detected, email a description to &a.acpi.name;. Some
issues may be related to unfinished parts of the
<acronym>ACPI</acronym> subsystem which might take a while
to be implemented. Be patient and prepared to test
@@ -3249,38 +3249,35 @@ hw.acpi.s4bios: 0</screen>
</sect2>
<sect2 id="ACPI-aslanddump">
- <title><acronym>ASL</acronym>, <command>acpidump</command>, and
+ <title><acronym>ASL</acronym>, &man.acpidump.8;, and
<acronym>IASL</acronym></title>
<indexterm>
- <primary>ACPI</primary>
- <secondary>ASL</secondary>
+ <primary><acronym>ACPI</acronym></primary>
+ <secondary><acronym>ASL</acronym></secondary>
</indexterm>
- <para>The most common problem is the <acronym>BIOS</acronym>
- vendors providing incorrect (or outright buggy!) bytecode.
- This is usually manifested by kernel console messages like
- this:</para>
+ <para>Some <acronym>BIOS</acronym> vendors provide incorrect
+ or buggy bytecode. This is usually manifested by kernel
+ console messages like this:</para>
<screen>ACPI-1287: *** Error: Method execution failed [\\_SB_.PCI0.LPC0.FIGD._STA] \\
(Node 0xc3f6d160), AE_NOT_FOUND</screen>
<para>Often, these problems may be resolved by updating the
<acronym>BIOS</acronym> to the latest revision. Most console
- messages are harmless but if when there are other problems
- like the battery status is not working, these messages are a
- good place to start looking for problems in the
- <acronym>AML</acronym>. The bytecode, known as
- <acronym>AML</acronym>, is compiled from a source language
- called <acronym>ASL</acronym>. The <acronym>AML</acronym> is
- found in the table known as the <acronym>DSDT</acronym>. To
- get a copy of the system's <acronym>ASL</acronym>, use
- &man.acpidump.8;. Include both <option>-t</option>, to
- show the contents of the fixed tables, and
- <option>-d</option>, to disassemble the
- <acronym>AML</acronym>. Refer to <link
- linkend="ACPI-submitdebug">Submitting Debugging
- Information</link> for an example syntax.</para>
+ messages are harmless, but if there are other problems like
+ the battery status is not working, these messages are a
+ good place to start looking for problems. The bytecode,
+ known as <acronym>AML</acronym>, is compiled from a source
+ language called <acronym>ASL</acronym>. The
+ <acronym>AML</acronym> is found in the table known as the
+ <acronym>DSDT</acronym>. To get a copy of the system's
+ <acronym>ASL</acronym>, use &man.acpidump.8;. Include both
+ <option>-t</option>, to show the contents of the fixed tables,
+ and <option>-d</option>, to disassemble the
+ <acronym>AML</acronym>. Refer to <xref
+ linkend="ACPI-submitdebug"/> for an example syntax.</para>
<para>The simplest first check is to recompile the
<acronym>ASL</acronym> to check for errors. Warnings can
@@ -3293,36 +3290,34 @@ hw.acpi.s4bios: 0</screen>
</sect2>
<sect2 id="ACPI-fixasl">
- <title>Fixing Your <acronym>ASL</acronym></title>
+ <title>Fixing the <acronym>ASL</acronym></title>
<indexterm>
- <primary>ACPI</primary>
- <secondary>ASL</secondary>
+ <primary><acronym>ACPI</acronym></primary>
+ <secondary><acronym>ASL</acronym></secondary>
</indexterm>
- <para>In the long run, the goal of &os; is for almost everyone
- to have working <acronym>ACPI</acronym> without any user
- intervention. At this point, workarounds are still being
- developed for common mistakes made by the
- <acronym>BIOS</acronym> vendors. The µsoft; interpreter
- (<filename>acpi.sys</filename> and
+ <para>The goal of &os; is for everyone to have working
+ <acronym>ACPI</acronym> without any user intervention. At
+ this point, workarounds are still being developed for common
+ mistakes made by <acronym>BIOS</acronym> vendors. The
+ µsoft; interpreter (<filename>acpi.sys</filename> and
<filename>acpiec.sys</filename>) does not strictly check for
adherence to the standard, and thus many
<acronym>BIOS</acronym> vendors who only test
<acronym>ACPI</acronym> under &windows; never fix their
<acronym>ASL</acronym>. &os; developers continue to identify
- and document exactly what non-standard behavior is allowed by
- µsoft;'s interpreter and replicate it so &os; can work
- without forcing users to fix the <acronym>ASL</acronym>. As a
- workaround, and to help identify behavior, fix the
+ and document which non-standard behavior is allowed by
+ µsoft;'s interpreter and replicate it so that &os; can
+ work without forcing users to fix the <acronym>ASL</acronym>.
+ As a workaround, and to help identify behavior, fix the
<acronym>ASL</acronym> manually. If this works, send a
&man.diff.1; of the old and new <acronym>ASL</acronym> so
developers can possibly work around the buggy behavior in
- <acronym>ACPI-CA</acronym> and thus make the unnecessary
- fix.</para>
+ <acronym>ACPI-CA</acronym>.</para>
<indexterm>
- <primary>ACPI</primary>
+ <primary><acronym>ACPI</acronym></primary>
<secondary>error messages</secondary>
</indexterm>
@@ -3330,15 +3325,14 @@ hw.acpi.s4bios: 0</screen>
how to fix them:</para>
<sect3>
- <title>_OS Dependencies</title>
+ <title>Operating System Dependencies</title>
- <para>Some <acronym>AML</acronym> assumes the world consists
- of various &windows; versions. You can tell &os; to claim
- it is any <acronym>OS</acronym> to see if this fixes
- problems you may have. An easy way to override this is to
- set <literal>hw.acpi.osname="Windows 2001"</literal> in
- <filename>/boot/loader.conf</filename> or other similar
- strings you find in the <acronym>ASL</acronym>.</para>
+ <para>Some <acronym>AML</acronym> versions assume the user is
+ running &windows;. To override this, set
+ <literal>hw.acpi.osname=<replaceable>"Windows
+ 2001"</replaceable></literal> in
+ <filename>/boot/loader.conf</filename>, using the strings
+ in the <acronym>ASL</acronym>.</para>
</sect3>
<sect3>
@@ -3347,9 +3341,9 @@ hw.acpi.s4bios: 0</screen>
<para>Some methods do not explicitly return a value as the
standard requires. While <acronym>ACPI-CA</acronym>
does not handle this, &os; has a workaround that allows it
- to return the value implicitly. Explicit Return statements
- can be added where required if you know what value should be
- returned. To force <command>iasl</command> to compile the
+ to return the value implicitly. Explicit return statements
+ can be added where required if the value which should be
+ returned is known. To force &man.iasl.8; to compile the
<acronym>ASL</acronym>, use the <option>-f</option>
flag.</para>
</sect3>
@@ -3362,18 +3356,17 @@ hw.acpi.s4bios: 0</screen>
<screen>&prompt.root; <userinput>iasl your.asl</userinput></screen>
- <para>Adding the <option>-f</option> flag will force creation
+ <para>Adding the <option>-f</option> flag forces creation
of the <acronym>AML</acronym>, even if there are errors
- during compilation. Some errors, such as missing Return
+ during compilation. Some errors, such as missing return
statements, are automatically worked around by the
interpreter.</para>
- <para><filename>DSDT.aml</filename> is the default output
- filename for <command>iasl</command>. Load this file
- instead of the <acronym>BIOS</acronym>'s buggy copy, which
- is still present in flash memory, by editing
- <filename>/boot/loader.conf</filename> as
- follows:</para>
+ <para>The default output filename for &man.iasl.8; is
+ <filename>DSDT.aml</filename>. Load this file instead of
+ the <acronym>BIOS</acronym>'s buggy copy, which is still
+ present in flash memory, by editing
+ <filename>/boot/loader.conf</filename> as follows:</para>
<programlisting>acpi_dsdt_load="YES"
acpi_dsdt_name="/boot/DSDT.aml"</programlisting>
@@ -3397,7 +3390,7 @@ acpi_dsdt_name="/boot/DSDT.aml"</programlisting>
<secondary>debugging</secondary>
</indexterm>
- <para>The <acronym>ACPI</acronym> driver has a very flexible
+ <para>The <acronym>ACPI</acronym> driver has a flexible
debugging facility. A set of subsystems and the level of
verbosity can be specified. The subsystems to debug are
specified as <quote>layers</quote> and are broken down into
@@ -3408,29 +3401,29 @@ acpi_dsdt_name="/boot/DSDT.aml"</programlisting>
ACPI_LV_ERROR (just report errors) to ACPI_LV_VERBOSE
(everything). The <quote>level</quote> is a bitmask so
multiple options can be set at once, separated by spaces. In
- practice, a serial console should be used to log the output if
- it is so long it flushes the console message buffer. A full
- list of the individual layers and levels is found in
+ practice, a serial console should be used to log the output
+ so it is not lost as the console message buffer flushes.
+ A full list of the individual layers and levels is found in
&man.acpi.4;.</para>
<para>Debugging output is not enabled by default. To enable it,
add <literal>options ACPI_DEBUG</literal> to the kernel
configuration file if <acronym>ACPI</acronym> is compiled into
the kernel. Add <literal>ACPI_DEBUG=1</literal> to
- <filename>/etc/make.conf</filename> to enable it
- globally. If it is a module, recompile just the
+ <filename>/etc/make.conf</filename> to enable it globally.
+ If it is a module, recompile just the
<filename>acpi.ko</filename> module as follows:</para>
<screen>&prompt.root; <userinput>cd /sys/modules/acpi/acpi
&& make clean &&
make ACPI_DEBUG=1</userinput></screen>
- <para>Install <filename>acpi.ko</filename> in
- <filename class="directory">/boot/kernel</filename> and add
- the desired level and layer to
- <filename>loader.conf</filename>. This example enables debug
- messages for all <acronym>ACPI-CA</acronym> components and all
- <acronym>ACPI</acronym> hardware drivers such as
+ <para>Install <filename>acpi.ko</filename> in <filename
+ class="directory">/boot/kernel</filename> and add the
+ desired level and layer to
+ <filename>/boot/loader.conf</filename>. This example enables
+ debug messages for all <acronym>ACPI-CA</acronym> components
+ and all <acronym>ACPI</acronym> hardware drivers such as
(<acronym>CPU</acronym> and <acronym>LID</acronym>. It only
outputs error messages at the least verbose level.</para>
@@ -3439,11 +3432,12 @@ debug.acpi.level="ACPI_LV_ERROR"</programlisting>
<para>If the required information is triggered by a specific
event, such as a suspend and then resume, leave out changes to
- <filename>loader.conf</filename> and instead use
- <command>sysctl</command> to specify the layer and level after
- booting and preparing the system for the specific event. The
- <command>sysctl</command>s are named the same as the tunables
- in <filename>loader.conf</filename>.</para>
+ <filename>/boot/loader.conf</filename> and instead use
+ &man.sysctl.8; to specify the layer and level after booting
+ and preparing the system for the specific event. The
+ variables which can be set using &man.sysctl.8; are named
+ the same as the tunables in
+ <filename>/boot/loader.conf</filename>.</para>
</sect2>
<sect2 id="ACPI-References">
@@ -3475,16 +3469,16 @@ debug.acpi.level="ACPI_LV_ERROR"</programlisting>
</listitem>
<listitem>
- <para>&os; Manual pages: &man.acpi.4;,
+ <para>&man.acpi.4;,
&man.acpi.thermal.4;, &man.acpidump.8;, &man.iasl.8;,
- &man.acpidb.8;</para>
+ and &man.acpidb.8;</para>
</listitem>
<listitem>
<para><ulink
url="http://www.cpqlinux.com/acpi-howto.html#fix_broken_dsdt">
- <acronym>DSDT</acronym> debugging resource</ulink>.
- (Uses Compaq as an example but generally useful.)</para>
+ <acronym>DSDT</acronym> debugging
+ resource</ulink>.</para>
</listitem>
</itemizedlist>
</sect2>
diff --git a/en_US.ISO8859-1/books/handbook/disks/chapter.xml b/en_US.ISO8859-1/books/handbook/disks/chapter.xml
index 182fd40c3d..b92339ed4c 100644
--- a/en_US.ISO8859-1/books/handbook/disks/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/disks/chapter.xml
@@ -3690,42 +3690,33 @@ geli_da2_flags="-p -k /root/da2.key"</programlisting>
<secondary>encrypting</secondary>
</indexterm>
- <para>Swap encryption in &os; is easy to configure. Depending on
- which version of &os; is being used, different options are
- available and configuration can vary slightly. The &man.gbde.8;
- or &man.geli.8; encryption systems can be used for swap
- encryption. Both systems use the <filename>encswap</filename>
+ <para>Like the encryption of disk partitions, encryption of swap
+ space is used to protect sensitive information. Consider an
+ application that deals with passwords. As long as these
+ passwords stay in physical memory, these passwords will not
+ be written to disk and be cleared after a reboot. If &os;
+ starts swapping out memory pages to free
+ space for other applications, the passwords may be written to
+ the disk platters unencrypted. Encrypting swap space can be a
+ solution for this scenario.</para>
+
+ <para>The &man.gbde.8; or &man.geli.8; encryption systems may be
+ used for swap encryption. Both systems use the
+ <filename>encswap</filename>
<link linkend="configtuning-rcd">rc.d</link> script.</para>
- <sect2>
- <title>Why Should Swap be Encrypted?</title>
+ <note>
+ <para>For the remainder of this section,
+ <devicename>ad0s1b</devicename> will be the swap
+ partition.</para>
+ </note>
- <para>Like the encryption of disk partitions, encryption of swap
- space is used to protect sensitive information. Consider an
- application that deals with passwords. As long as these
- passwords stay in physical memory, all is well. However, if
- the operating system starts swapping out memory pages to free
- space for other applications, the passwords may be written to
- the disk platters unencrypted. Encrypting swap space can be a
- solution for this scenario.</para>
- </sect2>
+ <para>Swap partitions are not encrypted by default and should
+ be cleared of any sensitive data before continuing. To
+ overwrite the current swap parition with random garbage,
+ execute the following command:</para>
- <sect2>
- <title>Preparation</title>
-
- <note>
- <para>For the remainder of this section,
- <devicename>ad0s1b</devicename> will be the swap
- partition.</para>
- </note>
-
- <para>By default, swap is unencrypted. It is possible that it
- contains passwords or other sensitive data in cleartext. To
- rectify this, the data on the swap partition should be
- overwritten with random garbage:</para>
-
- <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/ad0s1b bs=1m</userinput></screen>
- </sect2>
+ <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ad0s1b</replaceable> bs=1m</userinput></screen>
<sect2>
<title>Swap Encryption with &man.gbde.8;</title>
@@ -3767,7 +3758,7 @@ geli_da2_flags="-p -k /root/da2.key"</programlisting>
</sect2>
<sect2>
- <title>Verifying That it Works</title>
+ <title>Encrypted Swap Verification</title>
<para>Once the system has rebooted, proper operation of the
encrypted swap can be verified using
diff --git a/en_US.ISO8859-1/books/handbook/eresources/chapter.xml b/en_US.ISO8859-1/books/handbook/eresources/chapter.xml
index af585cf8b8..0ea9b6e6a0 100644
--- a/en_US.ISO8859-1/books/handbook/eresources/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/eresources/chapter.xml
@@ -8,18 +8,18 @@
<appendix id="eresources">
<title>Resources on the Internet</title>
- <para>The rapid pace of FreeBSD progress makes print media
+ <para>The rapid pace of &os; progress makes print media
impractical as a means of following the latest developments.
Electronic resources are the best, if not often the only, way
- to stay informed of the latest advances. Since FreeBSD is a
+ to stay informed of the latest advances. Since &os; is a
volunteer effort, the user community itself also generally serves
as a <quote>technical support department</quote> of sorts, with
electronic mail, web forums, and USENET news being the most
effective way of reaching that community.</para>
- <para>The most important points of contact with the FreeBSD user
- community are outlined below. If you are aware of other resources
- not mentioned here, please send them to the &a.doc; so that they
+ <para>The most important points of contact with the &os; user
+ community are outlined below. Please send other resources
+ not mentioned here to the &a.doc; so that they
may also be included.</para>
<sect1 id="eresources-mail">
@@ -27,23 +27,23 @@
<para>The mailing lists are the most direct way of addressing
questions or opening a technical discussion to a concentrated
- FreeBSD audience. There are a wide variety of lists on a number
- of different FreeBSD topics. Addressing your questions to the
+ &os; audience. There are a wide variety of lists on a number
+ of different &os; topics. Sending questions to the
most appropriate mailing list will invariably assure a faster
and more accurate response.</para>
<para>The charters for the various lists are given at the bottom
of this document. <emphasis>Please read the charter before
- joining or sending mail to any list</emphasis>. Most of our
- list subscribers now receive many hundreds of FreeBSD related
- messages every day, and by setting down charters and rules for
- proper use we are striving to keep the signal-to-noise ratio
+ joining or sending mail to any list</emphasis>. Most
+ list subscribers receive many hundreds of &os; related
+ messages every day, and the charters and rules for
+ use are meant to keep the signal-to-noise ratio
of the lists high. To do less would see the mailing lists
ultimately fail as an effective communications medium for the
- project.</para>
+ Project.</para>
<note>
- <para><emphasis>If you wish to test your ability to send to
+ <para><emphasis>To test the ability to send email to
&os; lists, send a test message to &a.test.name;.</emphasis>
Please do not send test messages to any other list.</para>
</note>
@@ -61,11 +61,11 @@
<para>Archives are kept for all of the mailing lists and can be
searched using the <ulink
- url="&url.base;/search/index.html">FreeBSD World Wide Web
+ url="&url.base;/search/index.html">&os; World Wide Web
server</ulink>. The keyword searchable archive offers an
excellent way of finding answers to frequently asked questions
and should be consulted before posting a question. Note that
- this also means that messages sent to FreeBSD mailing lists
+ this also means that messages sent to &os; mailing lists
are archived in perpetuity. When protecting privacy is a
concern, consider using a disposable secondary email address
and posting only public information.</para>
@@ -89,12 +89,13 @@
<tbody>
<row>
<entry>&a.advocacy.name;</entry>
- <entry>FreeBSD Evangelism</entry>
+ <entry>&os; Evangelism</entry>
</row>
<row>
<entry>&a.announce.name;</entry>
- <entry>Important events and project milestones (moderated)</entry>
+ <entry>Important events and Project milestones
+(moderated)</entry>
</row>
<row>
@@ -105,7 +106,7 @@
<row>
<entry>&a.bugbusters.name;</entry>
<entry>Discussions pertaining to the maintenance of
- the FreeBSD problem report database and related
+ the &os; problem report database and related
tools</entry>
</row>
@@ -116,13 +117,13 @@
<row>
<entry>&a.chat.name;</entry>
- <entry>Non-technical items related to the FreeBSD
+ <entry>Non-technical items related to the &os;
community</entry>
</row>
<row>
<entry>&a.chromium.name;</entry>
- <entry>FreeBSD-specific Chromium issues</entry>
+ <entry>&os;-specific Chromium issues</entry>
</row>
<row>
@@ -134,12 +135,12 @@
<row>
<entry>&a.isp.name;</entry>
<entry>Issues for Internet Service Providers using
- FreeBSD</entry>
+ &os;</entry>
</row>
<row>
<entry>&a.jobs.name;</entry>
- <entry>FreeBSD employment and consulting
+ <entry>&os; employment and consulting
opportunities</entry>
</row>
@@ -161,7 +162,7 @@
<row>
<entry>&a.test.name;</entry>
- <entry>Where to send your test messages instead of
+ <entry>Where to send test messages instead of to
one of the actual lists</entry>
</row>
</tbody>
@@ -169,7 +170,7 @@
</informaltable>
<para><emphasis>Technical lists:</emphasis> The following
- lists are for technical discussion. You should read the
+ lists are for technical discussion. Read the
charter for each list carefully before joining or sending
mail to one as there are firm guidelines for their use and
content.</para>
@@ -191,7 +192,7 @@
<row>
<entry>&a.afs.name;</entry>
- <entry>Porting AFS to FreeBSD</entry>
+ <entry>Porting AFS to &os;</entry>
</row>
<row>
@@ -202,7 +203,7 @@
<row>
<entry>&a.amd64.name;</entry>
- <entry>Porting FreeBSD to AMD64 systems (moderated)</entry>
+ <entry>Porting &os; to AMD64 systems (moderated)</entry>
</row>
<row>
@@ -214,22 +215,22 @@
<row>
<entry>&a.arm.name;</entry>
- <entry>Porting FreeBSD to &arm; processors</entry>
+ <entry>Porting &os; to &arm; processors</entry>
</row>
<row>
<entry>&a.atm.name;</entry>
- <entry>Using ATM networking with FreeBSD</entry>
+ <entry>Using ATM networking with &os;</entry>
</row>
<row>
<entry>&a.bluetooth.name;</entry>
- <entry>Using &bluetooth; technology in FreeBSD</entry>
+ <entry>Using &bluetooth; technology in &os;</entry>
</row>
<row>
<entry>&a.cluster.name;</entry>
- <entry>Using FreeBSD in a clustered environment</entry>
+ <entry>Using &os; in a clustered environment</entry>
</row>
<row>
@@ -240,7 +241,7 @@
<row>
<entry>&a.database.name;</entry>
<entry>Discussing database use and development under
- FreeBSD</entry>
+ &os;</entry>
</row>
<row>
@@ -250,7 +251,7 @@
<row>
<entry>&a.doc.name;</entry>
- <entry>Creating FreeBSD related documents</entry>
+ <entry>Creating &os; related documents</entry>
</row>
<row>
@@ -265,19 +266,19 @@
<row>
<entry>&a.eclipse.name;</entry>
- <entry>FreeBSD users of Eclipse IDE, tools, rich client
+ <entry>&os; users of Eclipse IDE, tools, rich client
applications and ports.</entry>
</row>
<row>
<entry>&a.embedded.name;</entry>
- <entry>Using FreeBSD in embedded applications</entry>
+ <entry>Using &os; in embedded applications</entry>
</row>
<row>
<entry>&a.eol.name;</entry>
- <entry>Peer support of FreeBSD-related software that
- is no longer supported by the FreeBSD project.</entry>
+ <entry>Peer support of &os;-related software that
+ is no longer supported by the &os; Project.</entry>
</row>
<row>
@@ -288,7 +289,7 @@
<row>
<entry>&a.firewire.name;</entry>
- <entry>FreeBSD &firewire; (iLink, IEEE 1394) technical
+ <entry>&os; &firewire; (iLink, IEEE 1394) technical
discussion</entry>
</row>
@@ -323,29 +324,29 @@
<row>
<entry>&a.hardware.name;</entry>
<entry>General discussion of hardware for running
- FreeBSD</entry>
+ &os;</entry>
</row>
<row>
<entry>&a.i18n.name;</entry>
- <entry>FreeBSD Internationalization</entry>
+ <entry>&os; Internationalization</entry>
</row>
<row>
<entry>&a.ia32.name;</entry>
- <entry>FreeBSD on the IA-32 (&intel; x86)
+ <entry>&os; on the IA-32 (&intel; x86)
platform</entry>
</row>
<row>
<entry>&a.ia64.name;</entry>
- <entry>Porting FreeBSD to &intel;'s upcoming IA64
+ <entry>Porting &os; to &intel;'s upcoming IA64
systems</entry>
</row>
<row>
<entry>&a.infiniband.name;</entry>
- <entry>Infiniband on FreeBSD</entry>
+ <entry>Infiniband on &os;</entry>
</row>
<row>
@@ -368,23 +369,17 @@
<row>
<entry>&a.java.name;</entry>
<entry>&java; developers and people porting &jdk;s to
- FreeBSD</entry>
- </row>
-
- <row>
- <entry>&a.kde.name;</entry>
- <entry>Porting <application>KDE</application> and
- <application>KDE</application> applications</entry>
+ &os;</entry>
</row>
<row>
<entry>&a.lfs.name;</entry>
- <entry>Porting LFS to FreeBSD</entry>
+ <entry>Porting LFS to &os;</entry>
</row>
<row>
<entry>&a.mips.name;</entry>
- <entry>Porting FreeBSD to &mips;</entry>
+ <entry>Porting &os; to &mips;</entry>
</row>
<row>
@@ -394,13 +389,13 @@
<row>
<entry>&a.mono.name;</entry>
- <entry>Mono and C# applications on FreeBSD</entry>
+ <entry>Mono and C# applications on &os;</entry>
</row>
<row>
<entry>&a.mozilla.name;</entry>
<entry>Porting <application>Mozilla</application> to
- FreeBSD</entry>
+ &os;</entry>
</row>
<row>
@@ -473,18 +468,18 @@
<row>
<entry>&a.ppc.name;</entry>
- <entry>Porting FreeBSD to the &powerpc;</entry>
+ <entry>Porting &os; to the &powerpc;</entry>
</row>
<row>
<entry>&a.proliant.name;</entry>
- <entry>Technical discussion of FreeBSD on HP ProLiant
+ <entry>Technical discussion of &os; on HP ProLiant
server platforms</entry>
</row>
<row>
<entry>&a.python.name;</entry>
- <entry>FreeBSD-specific Python issues</entry>
+ <entry>&os;-specific Python issues</entry>
</row>
<row>
@@ -497,12 +492,12 @@
<row>
<entry>&a.realtime.name;</entry>
<entry>Development of realtime extensions to
- FreeBSD</entry>
+ &os;</entry>
</row>
<row>
<entry>&a.ruby.name;</entry>
- <entry>FreeBSD-specific Ruby discussions</entry>
+ <entry>&os;-specific Ruby discussions</entry>
</row>
<row>
@@ -512,12 +507,12 @@
<row>
<entry>&a.security.name;</entry>
- <entry>Security issues affecting FreeBSD</entry>
+ <entry>Security issues affecting &os;</entry>
</row>
<row>
<entry>&a.small.name;</entry>
- <entry>Using FreeBSD in embedded applications
+ <entry>Using &os; in embedded applications
(obsolete; use &a.embedded.name; instead)</entry>
</row>
@@ -528,12 +523,12 @@
<row>
<entry>&a.sparc.name;</entry>
- <entry>Porting FreeBSD to &sparc; based systems</entry>
+ <entry>Porting &os; to &sparc; based systems</entry>
</row>
<row>
<entry>&a.standards.name;</entry>
- <entry>FreeBSD's conformance to the C99 and the &posix;
+ <entry>&os;'s conformance to the C99 and the &posix;
standards</entry>
</row>
@@ -544,7 +539,7 @@
<row>
<entry>&a.tcltk.name;</entry>
- <entry>FreeBSD-specific Tcl/Tk discussions</entry>
+ <entry>&os;-specific Tcl/Tk discussions</entry>
</row>
<row>
@@ -561,18 +556,18 @@
<row>
<entry>&a.threads.name;</entry>
- <entry>Threading in FreeBSD</entry>
+ <entry>Threading in &os;</entry>
</row>
<row>
<entry>&a.tilera.name;</entry>
- <entry>Porting FreeBSD to the Tilera family of
+ <entry>Porting &os; to the Tilera family of
CPUs</entry>
</row>
<row>
<entry>&a.tokenring.name;</entry>
- <entry>Support Token Ring in FreeBSD</entry>
+ <entry>Support Token Ring in &os;</entry>
</row>
<row>
@@ -599,7 +594,7 @@
<row>
<entry>&a.x11.name;</entry>
- <entry>Maintenance and support of X11 on FreeBSD</entry>
+ <entry>Maintenance and support of X11 on &os;</entry>
</row>
<row>
@@ -627,7 +622,7 @@
are for more specialized (and demanding) audiences and are
probably not of interest to the general public. It is also
a good idea to establish a presence in the technical lists
- before joining one of these limited lists so that you will
+ before joining one of these limited lists in order to
understand the communications etiquette involved.</para>
<informaltable frame="none" pgwide="1">
@@ -653,7 +648,7 @@
<row>
<entry>&a.wip-status.name;</entry>
- <entry>FreeBSD Work-In-Progress Status</entry>
+ <entry>&os; Work-In-Progress Status</entry>
</row>
<row>
@@ -667,7 +662,7 @@
<para><emphasis>Digest lists:</emphasis> All of the above lists
are available in a digest format. Once subscribed to a list,
- you can change your digest options in your account options
+ the digest options can be changed in the account options
section.</para>
<para><emphasis>SVN lists:</emphasis> The following lists
@@ -851,38 +846,38 @@
<sect2 id="eresources-subscribe">
<title>How to Subscribe</title>
- <para>To subscribe to a list, click on the list name above or
- go to &a.mailman.lists.link; and click on the list that you
- are interested in. The list page should contain all of the
- necessary subscription instructions.</para>
+ <para>To subscribe to a list, click the list name at
+ &a.mailman.lists.link;.
+ The page that is displayed should contain all of the
+ necessary subscription instructions for that list.</para>
<para>To actually post to a given list, send mail to
<email><replaceable>listname</replaceable>@FreeBSD.org</email>.
It will then be redistributed to mailing list members
world-wide.</para>
- <para>To unsubscribe yourself from a list, click on the URL
+ <para>To unsubscribe from a list, click on the URL
found at the bottom of every email received from the list.
It is also possible to send an email to
<email><replaceable>listname</replaceable>-unsubscribe@FreeBSD.org</email>
- to unsubscribe yourself.</para>
+ to unsubscribe.</para>
- <para>Again, we would like to request that you keep discussion
- in the technical mailing lists on a technical track. If you
- are only interested in important announcements then it is
- suggested that you join the &a.announce;, which is intended
- only for infrequent traffic.</para>
+ <para>It is important to keep discussion
+ in the technical mailing lists on a technical track. To
+ only receive important announcements, instead
+ join the &a.announce;, which is intended
+ for infrequent traffic.</para>
</sect2>
<sect2 id="eresources-charters">
<title>List Charters</title>
- <para><emphasis>All</emphasis> FreeBSD mailing lists have
+ <para><emphasis>All</emphasis> &os; mailing lists have
certain basic rules which must be adhered to by anyone using
them. Failure to comply with these guidelines will result
- in two (2) written warnings from the FreeBSD Postmaster
+ in two (2) written warnings from the &os; Postmaster
<email>postmaster@FreeBSD.org</email>, after which, on a
- third offense, the poster will removed from all FreeBSD
+ third offense, the poster will removed from all &os;
mailing lists and filtered from further posting to them. We
regret that such rules and measures are necessary at all,
but today's Internet is a pretty harsh environment, it would
@@ -894,8 +889,8 @@
<itemizedlist>
<listitem>
<para>The topic of any posting should adhere to the basic
- charter of the list it is posted to, e.g., if the list
- is about technical issues then your posting should contain
+ charter of the list it is posted to. If the list
+ is about technical issues, the posting should contain
technical discussion. Ongoing irrelevant chatter or
flaming only detracts from the value of the mailing list
for everyone on it and will not be tolerated. For
@@ -910,11 +905,11 @@
a great deal of subscriber overlap and except for the most
esoteric mixes (say <quote>-stable & -scsi</quote>),
there really is no reason to post to more than one list at
- a time. If a message is sent to you in such a way that
- multiple mailing lists appear on the <literal>Cc</literal>
- line then the <literal>Cc</literal> line should also be
- trimmed before sending it out again. <emphasis>You are
- still responsible for your own cross-postings, no matter
+ a time. If a message is received with
+ multiple mailing lists on the <literal>Cc</literal>
+ line, trim the <literal>Cc</literal> line
+ before replying. <emphasis>The person who replies is
+ still responsible for cross-posting, no matter
who the originator might have been.</emphasis></para>
</listitem>
@@ -932,7 +927,7 @@
</listitem>
<listitem>
- <para>Advertising of non-FreeBSD related products or
+ <para>Advertising of non-&os; related products or
services is strictly prohibited and will result in an
immediate ban if it is clear that the offender is
advertising by spam.</para>
@@ -971,10 +966,10 @@
milestones</emphasis></para>
<para>This is the mailing list for people interested
- only in occasional announcements of significant FreeBSD
+ only in occasional announcements of significant &os;
events. This includes announcements about snapshots
and other releases. It contains announcements of new
- FreeBSD capabilities. It may contain calls for
+ &os; capabilities. It may contain calls for
volunteers etc. This is a low volume, strictly
moderated mailing list.</para>
</listitem>
@@ -987,7 +982,7 @@
<para><emphasis>Architecture and design
discussions</emphasis></para>
- <para>This list is for discussion of the FreeBSD
+ <para>This list is for discussion of the &os;
architecture. Messages will mostly be kept strictly
technical in nature. Examples of suitable topics
are:</para>
@@ -1020,9 +1015,9 @@
<term>&a.bluetooth.name;</term>
<listitem>
- <para><emphasis>&bluetooth; in FreeBSD</emphasis></para>
+ <para><emphasis>&bluetooth; in &os;</emphasis></para>
- <para>This is the forum where FreeBSD's &bluetooth; users
+ <para>This is the forum where &os;'s &bluetooth; users
congregate. Design issues, implementation details,
patches, bug reports, status reports, feature requests,
and all matters related to &bluetooth; are fair
@@ -1052,7 +1047,7 @@
<para><emphasis>Bug reports</emphasis></para>
<para>This is the mailing list for reporting bugs in
- FreeBSD. Whenever possible, bugs should be submitted
+ &os;. Whenever possible, bugs should be submitted
using the &man.send-pr.1; command or the <ulink
url="&url.base;/send-pr.html">WEB
interface</ulink> to it.</para>
@@ -1063,7 +1058,7 @@
<term>&a.chat.name;</term>
<listitem>
- <para><emphasis>Non technical items related to the FreeBSD
+ <para><emphasis>Non technical items related to the &os;
community</emphasis></para>
<para>This list contains the overflow from the other
@@ -1083,11 +1078,11 @@
<term>&a.chromium.name;</term>
<listitem>
- <para><emphasis>FreeBSD-specific Chromium
+ <para><emphasis>&os;-specific Chromium
issues</emphasis></para>
<para>This is a list for the discussion of Chromium
- support for FreeBSD. This is a technical list to
+ support for &os;. This is a technical list to
discuss development and installation of Chromium.</para>
</listitem>
</varlistentry>
@@ -1096,11 +1091,11 @@
<term>&a.core.name;</term>
<listitem>
- <para><emphasis>FreeBSD core team</emphasis></para>
+ <para><emphasis>&os; core team</emphasis></para>
<para>This is an internal mailing list for use by the core
members. Messages can be sent to it when a serious
- FreeBSD-related matter requires arbitration or
+ &os;-related matter requires arbitration or
high-level scrutiny.</para>
</listitem>
</varlistentry>
@@ -1126,10 +1121,10 @@
<term>&a.cvsweb.name;</term>
<listitem>
- <para><emphasis>FreeBSD CVSweb Project</emphasis></para>
+ <para><emphasis>&os; CVSweb Project</emphasis></para>
<para>Technical discussions about use, development and
- maintenance of FreeBSD-CVSweb.</para>
+ maintenance of &os;-CVSweb.</para>
</listitem>
</varlistentry>
@@ -1151,12 +1146,12 @@
<term>&a.doc.name;</term>
<listitem>
- <para><emphasis>Documentation project</emphasis></para>
+ <para><emphasis>Documentation Project</emphasis></para>
<para>This mailing list is for the discussion of issues
and projects related to the creation of documentation
- for FreeBSD. The members of this mailing list are
- collectively referred to as <quote>The FreeBSD
+ for &os;. The members of this mailing list are
+ collectively referred to as <quote>The &os;
Documentation Project</quote>. It is an open list;
feel free to join and contribute!</para>
</listitem>
@@ -1221,13 +1216,13 @@
<term>&a.embedded.name;</term>
<listitem>
- <para><emphasis>Using FreeBSD in embedded
+ <para><emphasis>Using &os; in embedded
applications</emphasis></para>
- <para>This list discusses topics related to using FreeBSD
+ <para>This list discusses topics related to using &os;
in embedded systems. This is a technical mailing list
for which strictly technical content is expected. For
- the purpose of this list we define embedded systems as
+ the purpose of this list, embedded systems are
those computing devices which are not desktops and which
usually serve a single purpose as opposed to being
general computing environments. Examples include, but
@@ -1255,15 +1250,15 @@
<term>&a.eol.name;</term>
<listitem>
- <para><emphasis>Peer support of FreeBSD-related software
- that is no longer supported by the FreeBSD
- project.</emphasis></para>
+ <para><emphasis>Peer support of &os;-related software
+ that is no longer supported by the &os;
+ Project.</emphasis></para>
<para>This list is for those interested in providing or
- making use of peer support of FreeBSD-related software
- for which the FreeBSD project no longer provides
- official support (e.g., in the form of security
- advisories and patches).</para>
+ making use of peer support of &os;-related software
+ for which the &os; Project no longer provides
+ official support in the form of security
+ advisories and patches.</para>
</listitem>
</varlistentry>
@@ -1276,7 +1271,7 @@
<para>This is a mailing list for discussion of the design
and implementation of a &firewire; (aka IEEE 1394 aka
- iLink) subsystem for FreeBSD. Relevant topics
+ iLink) subsystem for &os;. Relevant topics
specifically include the standards, bus devices and
their protocols, adapter boards/cards/chips sets, and
the architecture and implementation of code for their
@@ -1290,7 +1285,7 @@
<listitem>
<para><emphasis>File systems</emphasis></para>
- <para>Discussions concerning FreeBSD file systems.
+ <para>Discussions concerning &os; filesystems.
This is a technical mailing list for which strictly
technical content is expected.</para>
</listitem>
@@ -1332,7 +1327,7 @@
<para>Discussions concerning The
<application>GNOME</application> Desktop Environment
- for FreeBSD systems. This is a technical mailing list
+ for &os; systems. This is a technical mailing list
for which strictly technical content is expected.</para>
</listitem>
</varlistentry>
@@ -1356,7 +1351,7 @@
<para>This is the forum for technical discussions
concerning the redesign of the IP firewall code in
- FreeBSD. This is a technical mailing list for which
+ &os;. This is a technical mailing list for which
strictly technical content is expected.</para>
</listitem>
</varlistentry>
@@ -1365,10 +1360,10 @@
<term>&a.ia64.name;</term>
<listitem>
- <para><emphasis>Porting FreeBSD to IA64</emphasis></para>
+ <para><emphasis>Porting &os; to IA64</emphasis></para>
<para>This is a technical mailing list for individuals
- actively working on porting FreeBSD to the IA-64
+ actively working on porting &os; to the IA-64
platform from &intel;, to bring up problems or discuss
alternative solutions. Individuals interested in
following the technical discussion are also
@@ -1383,7 +1378,7 @@
<para><emphasis>ISDN Communications</emphasis></para>
<para>This is the mailing list for people discussing the
- development of ISDN support for FreeBSD.</para>
+ development of ISDN support for &os;.</para>
</listitem>
</varlistentry>
@@ -1395,7 +1390,7 @@
<para>This is the mailing list for people discussing the
development of significant &java; applications for
- FreeBSD and the porting and maintenance of
+ &os; and the porting and maintenance of
&jdk;s.</para>
</listitem>
</varlistentry>
@@ -1407,17 +1402,17 @@
<para><emphasis>Jobs offered and sought</emphasis></para>
<para>This is a forum for posting employment notices
- and resumes specifically related to &os;, e.g., if you
- are seeking &os;-related employment or have a job
- involving &os; to advertise then this is the right
- place. This is <emphasis>not</emphasis> a mailing list
+ specifically related to &os; and resumes from those
+ seeking &os;-related employment. This is
+ <emphasis>not</emphasis> a mailing list
for general employment issues since adequate forums
for that already exist elsewhere.</para>
<para>Note that this list, like other <hostid
role="domainname">FreeBSD.org</hostid> mailing lists,
- is distributed worldwide. Thus, you need to be clear
- about location and the extent to which telecommuting or
+ is distributed worldwide. Be clear
+ about the geographic location and the extent to which
+ telecommuting or
assistance with relocation is available.</para>
<para>Email should use open formats only —
@@ -1436,7 +1431,7 @@
<para><emphasis>KDE</emphasis></para>
<para>Discussions concerning
- <application>KDE</application> on FreeBSD systems.
+ <application>KDE</application> on &os; systems.
This is a technical mailing list for which strictly
technical content is expected.</para>
</listitem>
@@ -1449,8 +1444,8 @@
<para><emphasis>Technical discussions</emphasis></para>
<para>This is a forum for technical discussions related
- to FreeBSD. This is the primary technical mailing list.
- It is for individuals actively working on FreeBSD, to
+ to &os;. This is the primary technical mailing list.
+ It is for individuals actively working on &os;, to
bring up problems or discuss alternative solutions.
Individuals interested in following the technical
discussion are also welcome. This is a technical
@@ -1463,11 +1458,11 @@
<term>&a.hardware.name;</term>
<listitem>
- <para><emphasis>General discussion of FreeBSD
+ <para><emphasis>General discussion of &os;
hardware</emphasis></para>
<para>General discussion about the types of hardware
- that FreeBSD runs on, various problems and suggestions
+ that &os; runs on, various problems and suggestions
concerning what to buy or avoid.</para>
</listitem>
</varlistentry>
@@ -1479,7 +1474,7 @@
<para><emphasis>Mirror sites</emphasis></para>
<para>Announcements and discussion for people who run
- FreeBSD mirror sites.</para>
+ &os; mirror sites.</para>
</listitem>
</varlistentry>
@@ -1491,7 +1486,7 @@
Providers</emphasis></para>
<para>This mailing list is for discussing topics relevant
- to Internet Service Providers (ISPs) using FreeBSD.
+ to Internet Service Providers (ISPs) using &os;.
This is a technical mailing list for which strictly
technical content is expected.</para>
</listitem>
@@ -1502,7 +1497,7 @@
<listitem>
<para><emphasis>Mono and C# applications on
- FreeBSD</emphasis></para>
+ &os;</emphasis></para>
<para>This is a list for discussions related to the Mono
development framework on &os;. This is a technical
@@ -1535,7 +1530,7 @@
Announcements</emphasis></para>
<para>This is the mailing list for people interested in
- changes and issues related to the FreeBSD.org project
+ changes and issues related to the FreeBSD.org Project
infrastructure.</para>
<para>This moderated list is strictly for announcements: no replies,
@@ -1547,21 +1542,21 @@
<term>&a.performance.name;</term>
<listitem>
- <para><emphasis>Discussions about tuning or speedingup
- FreeBSD</emphasis></para>
+ <para><emphasis>Discussions about tuning or speeding up
+ &os;</emphasis></para>
<para>This mailing list exists to provide a place for
hackers, administrators, and/or concerned parties to
discuss performance related topics pertaining to
- FreeBSD. Acceptable topics includes talking about
- FreeBSD installations that are either under high load,
+ &os;. Acceptable topics includes talking about
+ &os; installations that are either under high load,
are experiencing performance problems, or are pushing
- the limits of FreeBSD. Concerned parties that are
+ the limits of &os;. Concerned parties that are
willing to work toward improving the performance of
- FreeBSD are highly encouraged to subscribe to this list.
+ &os; are highly encouraged to subscribe to this list.
This is a highly technical list ideally suited for
- experienced FreeBSD users, hackers, or administrators
- interested in keeping FreeBSD fast, robust, and
+ experienced &os; users, hackers, or administrators
+ interested in keeping &os; fast, robust, and
scalable. This list is not a question-and-answer list
that replaces reading through documentation, but it is a
place to make contributions or inquire about unanswered
@@ -1578,7 +1573,7 @@
filter firewall system</emphasis></para>
<para>Discussion concerning the packet filter (pf)
- firewall system in terms of FreeBSD. Technical
+ firewall system in terms of &os;. Technical
discussion and user questions are both welcome. This
list is also a place to discuss the ALTQ QoS
framework.</para>
@@ -1613,8 +1608,8 @@
<para><emphasis>Porting to Non &intel;
platforms</emphasis></para>
- <para>Cross-platform FreeBSD issues, general discussion
- and proposals for non &intel; FreeBSD ports. This is
+ <para>Cross-platform &os; issues, general discussion
+ and proposals for non &intel; &os; ports. This is
a technical mailing list for which strictly technical
content is expected.</para>
</listitem>
@@ -1627,7 +1622,7 @@
<para><emphasis>Discussion of
<quote>ports</quote></emphasis></para>
- <para>Discussions concerning FreeBSD's <quote>ports
+ <para>Discussions concerning &os;'s <quote>ports
collection</quote> (<filename>/usr/ports</filename>),
ports infrastructure, and general ports coordination
efforts. This is a technical mailing list for which
@@ -1660,7 +1655,7 @@
<para><emphasis>Discussion of
<quote>ports</quote> bugs</emphasis></para>
- <para>Discussions concerning problem reports for FreeBSD's
+ <para>Discussions concerning problem reports for &os;'s
<quote>ports collection</quote>
(<filename>/usr/ports</filename>), proposed ports, or
modifications to ports. This is a technical mailing
@@ -1673,11 +1668,11 @@
<term>&a.proliant.name;</term>
<listitem>
- <para><emphasis>Technical discussion of FreeBSD on HP
+ <para><emphasis>Technical discussion of &os; on HP
ProLiant server platforms</emphasis></para>
<para>This mailing list is to be used for the technical
- discussion of the usage of FreeBSD on HP ProLiant
+ discussion of the usage of &os; on HP ProLiant
servers, including the discussion of ProLiant-specific
drivers, management software, configuration tools, and
BIOS updates. As such, this is the primary place to
@@ -1690,13 +1685,13 @@
<term>&a.python.name;</term>
<listitem>
- <para><emphasis>Python on FreeBSD</emphasis></para>
+ <para><emphasis>Python on &os;</emphasis></para>
<para>This is a list for discussions related to improving
- Python-support on FreeBSD. This is a technical mailing
+ Python-support on &os;. This is a technical mailing
list. It is for individuals working on porting Python,
its 3rd party modules and
- <application>Zope</application> stuff to FreeBSD.
+ <application>Zope</application> stuff to &os;.
Individuals interested in following the technical
discussion are also welcome.</para>
</listitem>
@@ -1709,9 +1704,9 @@
<para><emphasis>User questions</emphasis></para>
<para>This is the mailing list for questions about
- FreeBSD. You should not send <quote>how to</quote>
- questions to the technical lists unless you consider
- the question to be pretty technical.</para>
+ &os;. Do not send <quote>how to</quote>
+ questions to the technical lists unless
+ the question is quite technical.</para>
</listitem>
</varlistentry>
@@ -1719,11 +1714,11 @@
<term>&a.ruby.name;</term>
<listitem>
- <para><emphasis>FreeBSD-specific Ruby
+ <para><emphasis>&os;-specific Ruby
discussions</emphasis></para>
<para>This is a list for discussions related to the Ruby
- support on FreeBSD. This is a technical mailing
+ support on &os;. This is a technical mailing
list. It is for individuals working on Ruby ports,
3rd party libraries and frameworks.</para>
@@ -1739,7 +1734,7 @@
<para><emphasis>SCSI subsystem</emphasis></para>
<para>This is the mailing list for people working on
- the SCSI subsystem for FreeBSD. This is a technical
+ the SCSI subsystem for &os;. This is a technical
mailing list for which strictly technical content is
expected.</para>
</listitem>
@@ -1751,7 +1746,7 @@
<listitem>
<para><emphasis>Security issues</emphasis></para>
- <para>FreeBSD computer security issues (DES, Kerberos,
+ <para>&os; computer security issues (DES, Kerberos,
known security holes and fixes, etc). This is a
technical mailing list for which strictly technical
discussion is expected. Note that this is not a
@@ -1766,7 +1761,7 @@
<listitem>
<para><emphasis>Security Notifications</emphasis></para>
- <para>Notifications of FreeBSD security problems and
+ <para>Notifications of &os; security problems and
fixes. This is not a discussion list. The discussion
list is FreeBSD-security.</para>
</listitem>
@@ -1776,11 +1771,11 @@
<term>&a.small.name;</term>
<listitem>
- <para><emphasis>Using FreeBSD in embedded
+ <para><emphasis>Using &os; in embedded
applications</emphasis></para>
<para>This list discusses topics related to unusually
- small and embedded FreeBSD installations. This is a
+ small and embedded &os; installations. This is a
technical mailing list for which strictly technical
content is expected.</para>
@@ -1799,7 +1794,8 @@
<para><emphasis>&os; Development Snapshot
Announcements</emphasis></para>
- <para>This list will notify you about the availability
+ <para>This list provides notifications about the
+ availability
of new &os; development snapshots for the head/ and
stable/ branches.</para>
</listitem>
@@ -1830,7 +1826,7 @@
Conformance</emphasis></para>
<para>This is a forum for technical discussions related
- to FreeBSD Conformance to the C99 and the POSIX
+ to &os; Conformance to the C99 and the POSIX
standards.</para>
</listitem>
</varlistentry>
@@ -1868,7 +1864,7 @@
<term>&a.toolchain.name;</term>
<listitem>
- <para><emphasis>Maintenance of FreeBSD's integrated
+ <para><emphasis>Maintenance of &os;'s integrated
toolchain</emphasis></para>
<para>This is the mailing list for discussions related
@@ -1930,11 +1926,12 @@
<para><emphasis>&os; Work-In-Progress
Status</emphasis></para>
- <para>This mailing list can be used to announce creation
- and progress of your &os; related work. Messages
+ <para>This mailing list can be used by developers to
+ announce the creation
+ and progress of &os; related work. Messages
will be moderated. It is suggested to send the message
"To:" a more topical &os; list and only "BCC:"
- this list. This way your WIP can also be discussed on
+ this list. This way the WIP can also be discussed on
the topical list, as no discussion is allowed on this
list.</para>
@@ -1942,12 +1939,11 @@
messages.</para>
<para>An editorial digest of the messages to this list
- might be posted to the &os; website every few month
+ might be posted to the &os; website every few months
as part of the Status Reports
<footnote><para><ulink
url="http://www.freebsd.org/news/status/"></ulink></para></footnote>.
- You can find more examples and past reports there,
- too.</para>
+ Past reports are archived.</para>
</listitem>
</varlistentry>
@@ -2094,9 +2090,9 @@
<sect1 id="eresources-news">
<title>Usenet Newsgroups</title>
- <para>In addition to two FreeBSD specific newsgroups, there are
- many others in which FreeBSD is discussed or are otherwise
- relevant to FreeBSD users.</para>
+ <para>In addition to two &os; specific newsgroups, there are
+ many others in which &os; is discussed or are otherwise
+ relevant to &os; users.</para>
<sect2>
<title>BSD Specific Newsgroups</title>
@@ -2247,14 +2243,14 @@
<itemizedlist>
<listitem><para><ulink url="http://forums.freebsd.org/">The
- FreeBSD Forums</ulink> provide a web based discussion
- forum for FreeBSD questions and technical
+ &os; Forums</ulink> provide a web based discussion
+ forum for &os; questions and technical
discussion.</para></listitem>
<listitem><para><ulink
- url="http://planet.freebsdish.org/">Planet FreeBSD</ulink>
+ url="http://planet.freebsdish.org/">Planet &os;</ulink>
offers an aggregation feed of dozens of blogs written by
- FreeBSD developers. Many developers use this to post quick
+ &os; developers. Many developers use this to post quick
notes about what they are working on, new patches, and other
works in progress.</para></listitem>
@@ -2263,7 +2259,7 @@
YouTube Channel</ulink> provides a collection of high
quality videos from BSD Conferences around the world. This
is a great way to watch key developers give presentations
- about new work in FreeBSD.</para></listitem>
+ about new work in &os;.</para></listitem>
</itemizedlist>
</sect2>
@@ -2281,7 +2277,7 @@
<sect1 id="eresources-email">
<title>Email Addresses</title>
- <para>The following user groups provide FreeBSD related email
+ <para>The following user groups provide &os; related email
addresses for their members. The listed administrator reserves
the right to revoke the address if it is abused in any
way.</para>
diff --git a/en_US.ISO8859-1/books/handbook/install/chapter.xml b/en_US.ISO8859-1/books/handbook/install/chapter.xml
index d13933520c..b98ebd28c9 100644
--- a/en_US.ISO8859-1/books/handbook/install/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/install/chapter.xml
@@ -27,39 +27,40 @@
<!-- January 2000 -->
</chapterinfo>
- <title>Installing &os; 8.<replaceable>X</replaceable> and Earlier</title>
+ <title>Installing &os; 8.<replaceable>X</replaceable></title>
<sect1 id="install-synopsis">
<title>Synopsis</title>
<indexterm><primary>installation</primary></indexterm>
- <para>FreeBSD is provided with a text-based, easy to use installation
+ <para>&os; provides a text-based, easy to use installation
program. &os; 9.0-RELEASE and later use the installation program
- known as <application>bsdinstall</application>, with releases prior
- to 9.0-RELEASE using <application>sysinstall</application> for
- installation. This chapter describes the use of <application>sysinstall</application>
- to install &os;. The use of <application>bsdinstall</application>
+ known as &man.bsdinstall.8;
+ while &os; 8.<replaceable>X</replaceable> uses
+ &man.sysinstall.8;. This chapter describes
+ how to use &man.sysinstall.8;.
+ The use of &man.bsdinstall.8;
is covered in <xref linkend="bsdinstall"/>.</para>
<para>After reading this chapter, you will know:</para>
<itemizedlist>
<listitem>
- <para>How to create the FreeBSD installation disks.</para>
+ <para>How to create the &os; installation media.</para>
</listitem>
<listitem>
- <para>How FreeBSD refers to, and subdivides, your hard disks.</para>
+ <para>How &os; refers to and subdivides hard disks.</para>
</listitem>
<listitem>
- <para>How to start <application>sysinstall</application>.</para>
+ <para>How to start &man.sysinstall.8;.</para>
</listitem>
<listitem>
- <para>The questions <application>sysinstall</application> will ask
- you, what they mean, and how to answer them.</para>
+ <para>The questions &man.sysinstall.8; asks,
+ what they mean, and how to answer them.</para>
</listitem>
</itemizedlist>
@@ -68,19 +69,18 @@
<itemizedlist>
<listitem>
<para>Read the supported hardware list that shipped with the version
- of FreeBSD you are installing, and verify that your hardware is
+ of &os; to install, and verify that the system's hardware is
supported.</para>
</listitem>
</itemizedlist>
<note>
<para>In general, these installation instructions are written
- for &i386; (<quote>PC compatible</quote>) architecture
- computers. Where applicable, instructions specific to other
- platforms will be listed. Although this
- guide is kept as up to date as possible, you may find minor
- differences between the installer and what is shown here. It is
- suggested that you use this chapter as a general guide rather
+ for the &i386; and &os;/&arch.amd64; architectures.
+ Where applicable, instructions specific to other
+ platforms will be listed. There may be minor
+ differences between the installer and what is shown here.
+ This chapter should be used as a general guide rather
than a literal installation manual.</para>
</note>
@@ -96,23 +96,24 @@
&os; version and the hardware architecture.</para>
<para>A summary of this information is given in the following sections.
- Depending on the method you choose to install &os;, you may
- also need a floppy drive, a supported CDROM drive, and in some
- case a network adapter. This will be covered by the <xref
- linkend="install-boot-media"/>.</para>
+ Depending on the method chosen to install &os;,
+ a floppy drive, CDROM drive, or
+ network adapter may be needed. Instructions on how to
+ prepare the installation media can be found in
+ <xref linkend="install-boot-media"/>.</para>
<sect3>
<title>&os;/&arch.i386; and &os;/&arch.pc98;</title>
<para>Both &os;/&arch.i386; and &os;/&arch.pc98; require a 486 or
- better processor and at least 24 MB of RAM. You will
- need at least 150 MB of free hard drive space for the
+ better processor, at least 24 MB of RAM, and at
+ least 150 MB of free hard drive space for the
most minimal installation.</para>
<note>
- <para>In case of old configurations, most of time, getting
- more RAM and more hard drive space is more important than
- getting a faster processor.</para>
+ <para>In the case of older hardware, installing more RAM and
+ more hard drive space is often more important than
+ a faster processor.</para>
</note>
</sect3>
@@ -122,33 +123,32 @@
<para>There are two classes of processors capable of running
&os;/&arch.amd64;. The first are AMD64 processors,
including the &amd.athlon;64,
- &amd.athlon;64-FX, &amd.opteron; or better
+ &amd.athlon;64-FX, and &amd.opteron; or better
processors.</para>
- <para>The second class of processors that can use
- &os;/&arch.amd64; includes those using the &intel; EM64T
+ <para>The second class of processors
+ includes those using the &intel; EM64T
architecture. Examples of these processors include the
&intel; &core; 2 Duo, Quad, Extreme processor
families, and the &intel; &xeon; 3000, 5000, and 7000
sequences of processors.</para>
- <para>If you have a machine based on an nVidia nForce3
- Pro-150, you <emphasis>must</emphasis> use the BIOS setup to
- disable the IO APIC. If you do not have an option to do
- this, you will likely have to disable ACPI instead. There
- are bugs in the Pro-150 chipset that we have not found a
- workaround for yet.</para>
+ <para>If the machine is based on an nVidia nForce3
+ Pro-150, the BIOS setup <emphasis>must</emphasis> be used to
+ disable the IO APIC. If this option does not exist,
+ disable ACPI instead as there
+ are bugs in the Pro-150 chipset.</para>
</sect3>
<sect3>
<title>&os;/&arch.sparc64;</title>
- <para>To install &os;/&arch.sparc64;, you will need a supported
+ <para>To install &os;/&arch.sparc64;, use a supported
platform (see <xref
linkend="install-hardware-supported"/>).</para>
- <para>You will need a dedicated disk for &os;/&arch.sparc64;. It
- is not possible to share a disk with another operating
+ <para>A dedicated disk is needed for &os;/&arch.sparc64; as
+ it is not possible to share a disk with another operating
system at this time.</para>
</sect3>
</sect2>
@@ -159,14 +159,14 @@
<para>A list of supported hardware is provided with each &os;
release in the &os; Hardware Notes. This document can usually
be found in a file named <filename>HARDWARE.TXT</filename>, in
- the top-level directory of a CDROM or FTP distribution or in
- <application>sysinstall</application>'s documentation menu.
- It lists, for a given architecture, what hardware devices are
+ the top-level directory of a CDROM or FTP distribution, or in
+ &man.sysinstall.8;'s documentation menu.
+ It lists, for a given architecture, which hardware devices are
known to be supported by each release of &os;. Copies of the
supported hardware list for various releases and architectures
can also be found on the <ulink
url="http://www.FreeBSD.org/releases/index.html">Release
- Information</ulink> page of the &os; Web site.</para>
+ Information</ulink> page of the &os; website.</para>
</sect2>
</sect1>
@@ -174,28 +174,35 @@
<title>Pre-installation Tasks</title>
<sect2 id="install-inventory">
- <title>Inventory Your Computer</title>
+ <title>Inventory the Computer</title>
- <para>Before installing &os; you should attempt to inventory the
- components in your computer. The &os; installation routines will
- show you the components (hard disks, network cards, CDROM drives, and
- so forth) with their model number and manufacturer. &os; will also
+ <para>Before installing &os; it is recommended to inventory the
+ components in the computer. The &os; installation routines
+ will show components such as hard disks, network cards,
+ and CDROM drives with their model number and manufacturer.
+ &os; will also
attempt to determine the correct configuration for these devices,
- which includes information about IRQ and IO port usage. Due to the
- vagaries of PC hardware this process is not always completely
- successful, and you may need to correct &os;'s determination of
- your configuration.</para>
+ including information about IRQ and I/O port usage. Due
+ to the
+ vagaries of computer hardware, this process is not always
+ completely
+ successful, and &os; may need some manual
+ configuration.</para>
- <para>If you already have another operating system installed, such as
- &windows; or Linux, it is a good idea to use the facilities provided
- by those operating systems to see how your hardware is already
- configured. If you are not sure what settings an expansion
- card is using, you may find it printed on the card itself. Popular IRQ
- numbers are 3, 5, and 7, and IO port addresses are normally written as
- hexadecimal numbers, such as 0x330.</para>
+ <para>If another operating system is already installed,
+ use the facilities provided
+ by that operating systems to view the hardware configuration.
+ If the settings of an expansion
+ card are not obvious, check if they are printed on the
+ card itself. Popular IRQ
+ numbers are 3, 5, and 7, and I/O port addresses are normally
+ written as
+ hexadecimal numbers, such as <literal>0x330</literal>.</para>
- <para>We recommend you print or write down this information before
- installing &os;. It may help to use a table, like this:</para>
+ <para>It is recommended to print or write down this information
+ before
+ installing &os;. It may help to use a table, as seen in this
+ example:</para>
<table pgwide="1" frame="none">
<title>Sample Device Inventory</title>
@@ -211,7 +218,7 @@
<entry>IRQ</entry>
- <entry>IO port(s)</entry>
+ <entry>I/O port(s)</entry>
<entry>Notes</entry>
</row>
@@ -285,43 +292,44 @@
</tgroup>
</table>
- <para>Once the inventory of the components in your computer is
- done, you have to check if they match the hardware
- requirements of the &os; release you want to install.</para>
+ <para>Once the inventory of the components in the computer is
+ complete, check if it matches the hardware
+ requirements of the &os; release to install.</para>
</sect2>
<sect2>
- <title>Backup Your Data</title>
+ <title>Make a Backup</title>
- <para>If the computer you will be installing &os; on contains
- valuable data, then ensure you have it backed up, and that you have
- tested the backups before installing &os;. The &os;
- installation routine will prompt you before writing any
- data to your disk, but once that process has started it cannot be
+ <para>If the computer contains
+ valuable data, ensure it is backed up, and that the backup
+ has been
+ tested before installing &os;. The &os;
+ installer will prompt before writing any
+ data to disk, but once that process has started, it cannot be
undone.</para>
</sect2>
<sect2 id="install-where">
<title>Decide Where to Install &os;</title>
- <para>If you want &os; to use your entire hard disk, then there is nothing
- more to concern yourself with at this point — you can skip this
+ <para>If &os; is to be installed on the entire hard disk,
+ skip this
section.</para>
- <para>However, if you need &os; to co-exist with other operating
- systems then you need to have a rough understanding of how data is
- laid out on the disk, and how this affects you.</para>
+ <para>However, if &os; will co-exist with other operating
+ systems, a rough understanding of how data is
+ laid out on the disk is useful.</para>
<sect3 id="install-where-i386">
<title>Disk Layouts for &os;/&arch.i386;</title>
- <para>A PC disk can be divided into discrete chunks. These chunks are
- called <firstterm>partitions</firstterm>. Since
- &os; internally also has partitions, the naming
- can become confusing very quickly, therefore these
- disk chunks are referred to as disk slices or simply slices
- in &os; itself. For example, the &os; utility
- <command>fdisk</command> which operates on the PC disk partitions,
+ <para>A PC disk can be divided into discrete chunks known as
+ <firstterm>partitions</firstterm>. Since
+ &os; also has partitions, naming
+ can quickly become confusing. Therefore, these
+ disk chunks are referred to as slices
+ in &os;. For example, the &os; version of
+ &man.fdisk.8;
refers to slices instead of partitions. By design, the PC only
supports four partitions per disk. These partitions are called
<firstterm>primary partitions</firstterm>. To work around this
@@ -335,37 +343,39 @@
a number used to identify the type of data on the partition. &os;
partitions have the partition ID of <literal>165</literal>.</para>
- <para>In general, each operating system that you use will identify
- partitions in a particular way. For example, &ms-dos;, and its
- descendants, like &windows;, assign each primary and logical partition a
+ <para>In general, each operating system will identify
+ partitions in a particular way. For example,
+ &windows;, assigns each primary and logical partition a
<firstterm>drive letter</firstterm>, starting with
<devicename>C:</devicename>.</para>
- <para>&os; must be installed into a primary partition. &os; can
- keep all its data, including any files that you create, on this one
- partition. However, if you have multiple disks, then you can create a
- &os; partition on all, or some, of them. When you install &os;,
- you must have one partition available. This might be a blank
- partition that you have prepared, or it might be an existing partition
- that contains data that you no longer care about.</para>
+ <para>&os; must be installed into a primary partition. If
+ there are multiple disks, a &os;
+ partition can be created
+ on all, or some, of them. When &os; is installed, at least
+ one partition must be available. This might be a blank
+ partition or it might be an existing partition whose
+ data can be overwritten.</para>
- <para>If you are already using all the partitions on all your disks, then
- you will have to free one of them for &os; using the tools
- provided by the other operating systems you use (e.g.,
- <command>fdisk</command> on &ms-dos; or &windows;).</para>
+ <para>If all the partitions on all the disks are in use,
+ free one of them for &os; using the tools
+ provided by an existing operating system, such as &windows;
+ <command>fdisk</command>.</para>
- <para>If you have a spare partition then you can use that. However, you
- may need to shrink one or more of your existing partitions
- first.</para>
+ <para>If there is a spare partition, use that. If it is too
+ small,
+ shrink one or more existing partitions to create more
+ available space.</para>
<para>A minimal installation of &os; takes as little as 100 MB
of disk
space. However, that is a <emphasis>very</emphasis> minimal install,
- leaving almost no space for your own files. A more realistic minimum
+ leaving almost no space for files. A more realistic minimum
is 250 MB without a graphical environment, and 350 MB or
- more if you
- want a graphical user interface. If you intend to install a lot of
- third-party software as well, then you will need more space.</para>
+ more for
+ a graphical user interface. If other
+ third-party software will be installed,
+ even more space is needed.</para>
<para>You can use a tool such as <application>GParted</application>
to resize your partitions and make space for
@@ -374,32 +384,29 @@
is available on a number of Live CD Linux distributions, such as
<ulink url="http://www.sysresccd.org/">SystemRescueCD</ulink>.</para>
- <para>Problems have been reported resizing µsoft; Vista
- partitions. Having a Vista installation CDROM handy when
- attempting such an operation is recommended. As with all
- such disk maintenance tasks, a current set of backups is
- also strongly advised.</para>
-
<warning>
- <para>Incorrect use of these tools can delete the data on your disk.
- Be sure that you have recent, working backups before using
- them.</para>
+ <para>Incorrect use of a shrinking tool can delete the data
+ on the disk.
+ Always have a recent, working backup before using this
+ type of tool.</para>
</warning>
<example>
<title>Using an Existing Partition Unchanged</title>
- <para>Suppose that you have a computer with a single 4 GB disk
+ <para>Consider a computer with a single 4 GB disk
that
- already has a version of &windows; installed, and you have split the
- disk into two drive letters, <devicename>C:</devicename> and
+ already has a version of &windows; installed, where the
+ disk has been split into two drive letters,
+ <devicename>C:</devicename> and
<devicename>D:</devicename>, each of which is 2 GB in size.
- You have 1 GB of data on <devicename>C:</devicename>, and
+ There is 1 GB of data on <devicename>C:</devicename>,
+ and
0.5 GB of data on
<devicename>D:</devicename>.</para>
- <para>This means that your disk has two partitions on it, one per
- drive letter. You can copy all your existing data from
+ <para>This disk has two partitions, one per
+ drive letter. Copy all existing data from
<devicename>D:</devicename> to <devicename>C:</devicename>, which
will free up the second partition, ready for &os;.</para>
</example>
@@ -407,18 +414,21 @@
<example>
<title>Shrinking an Existing Partition</title>
- <para>Suppose that you have a computer with a single 4 GB disk
- that already has a version of &windows; installed. When you installed
- &windows; you created one large partition, giving you a
- <devicename>C:</devicename> drive that is 4 GB in size. You are
- currently using 1.5 GB of space, and want &os; to have 2 GB
+ <para>Consider a computer with a single 4 GB disk
+ that already has a version of &windows; installed. When
+ &windows; was installed, it created one large partition,
+ a
+ <devicename>C:</devicename> drive that is 4 GB in size.
+ Currently, 1.5 GB of space is used, and &os; should
+ have 2 GB
of space.</para>
- <para>In order to install &os; you will need to either:</para>
+ <para>In order to install &os;, either:</para>
<orderedlist>
<listitem>
- <para>Backup your &windows; data, and then reinstall &windows;,
+ <para>Backup the &windows; data and then reinstall
+ &windows;,
asking for a 2 GB partition at install time.</para>
</listitem>
@@ -433,21 +443,24 @@
</sect2>
<sect2>
- <title>Collect Your Network Configuration Details</title>
+ <title>Collect the Network Configuration Details</title>
- <para>If you intend to connect to a network as part of your &os;
- installation (for example, if you will be installing from an FTP
+ <para>Before
+ installing from an FTP
site or an
- NFS server), then you need to know your network configuration. You
- will be prompted for this information during the installation so that
- &os; can connect to the network to complete the install.</para>
+ <acronym>NFS</acronym> server, make note of the network
+ configuration. The
+ installer
+ will prompt for this information so that
+ it can connect to the network to complete the
+ installation.</para>
<sect3>
<title>Connecting to an Ethernet Network or Cable/DSL Modem</title>
- <para>If you connect to an Ethernet network, or you have an Internet
- connection using an Ethernet adapter via cable or DSL, then you will
- need the following information:</para>
+ <para>If using an Ethernet network or an Internet
+ connection using an Ethernet adapter via cable or DSL, the
+ following information is needed:</para>
<orderedlist>
<listitem>
@@ -471,32 +484,35 @@
</listitem>
</orderedlist>
- <para>If you do not know this information, then ask your system
- administrator or service provider. They may say that this
- information is assigned automatically, using
- <firstterm>DHCP</firstterm>. If so, make a note of this.</para>
+ <para>If this information is unknown, ask the system
+ administrator or service provider. Make note if this
+ information is assigned automatically using
+ <firstterm>DHCP</firstterm>.</para>
</sect3>
<sect3>
<title>Connecting Using a Modem</title>
- <para>If you dial up to an ISP using a regular modem then you can
- still install &os; over the Internet, it will just take a very
+ <para>If using a dialup modem,
+ &os; can still be installed over the Internet, it will just
+ take a very
long time.</para>
<para>You will need to know:</para>
<orderedlist>
<listitem>
- <para>The phone number to dial for your ISP</para>
+ <para>The phone number to dial the Internet Service
+ Provider (<acronym>ISP</acronym>)</para>
</listitem>
<listitem>
- <para>The COM: port your modem is connected to</para>
+ <para>The COM: port the modem is connected to</para>
</listitem>
<listitem>
- <para>The username and password for your ISP account</para>
+ <para>The username and password for the
+ <acronym>ISP</acronym> account</para>
</listitem>
</orderedlist>
</sect3>
@@ -504,28 +520,30 @@
<sect2>
<title>Check for &os; Errata</title>
- <para>Although the &os; project strives to ensure that each release
+ <para>Although the &os; Project strives to ensure that each
+ release
of &os; is as stable as possible, bugs do occasionally creep into
- the process. On very rare occasions those bugs affect the
+ the process. On rare occasions those bugs affect the
installation process. As these problems are discovered and fixed, they
are noted in the <ulink url="http://www.FreeBSD.org/releases/&rel.current;R/errata.html">&os; Errata</ulink>,
- which is found on the &os; web site. You
- should check the errata before installing to make sure that there are
- no late-breaking problems which you should be aware of.</para>
+ which is found on the &os; website.
+ Check the errata before installing to make sure that there are
+ no late-breaking problems to be aware of.</para>
- <para>Information about all the releases, including the errata for each
+ <para>Information about all releases, including the errata for
+ each
release, can be found on the
<ulink
url="&url.base;/releases/index.html">release
information</ulink> section of the
<ulink
- url="&url.base;/index.html">&os; web site</ulink>.</para>
+ url="&url.base;/index.html">&os; website</ulink>.</para>
</sect2>
<sect2>
<title>Obtain the &os; Installation Files</title>
- <para>The &os; installation process can install &os; from files
+ <para>The &os; installer can install &os; from files
located in any of the following places:</para>
<itemizedlist>
@@ -544,11 +562,7 @@
</listitem>
<listitem>
- <para>A SCSI or QIC tape</para>
- </listitem>
-
- <listitem>
- <para>Floppy disks</para>
+ <para>Floppy disks (&os;/&arch.pc98; only)</para>
</listitem>
</itemizedlist>
@@ -556,8 +570,8 @@
<title>Network</title>
<listitem>
- <para>An FTP site, going through a firewall, or using an HTTP proxy,
- as necessary</para>
+ <para>An FTP site through a firewall or using an HTTP
+ proxy</para>
</listitem>
<listitem>
@@ -569,14 +583,14 @@
</listitem>
</itemizedlist>
- <para>If you have purchased &os; on CD or DVD then you already have
- everything you need, and should proceed to the next section
- (<xref linkend="install-boot-media"/>).</para>
+ <para>If installing from a purchased &os; CD/DVD,
+ skip ahead to
+ <xref linkend="install-boot-media"/>.</para>
- <para>If you have not obtained the &os; installation files you should
+ <para>To obtain the &os; installation files,
skip ahead to <xref linkend="install-diff-media"/> which explains how
- to prepare to install &os; from any of the above. After reading
- that section, you should come back here, and read on to
+ to prepare the installation media. After reading
+ that section, come back here and read on to
<xref linkend="install-boot-media"/>.</para>
</sect2>
@@ -584,18 +598,19 @@
<title>Prepare the Boot Media</title>
<para>The &os; installation process is started by booting the
- computer into the &os; installer—it is not a program you run
+ computer into the &os; installer. It is not a program that
+ can be run
within another operating system. The computer normally boots
using the operating system installed on the hard disk, but it
can also be configured to boot from a CDROM or from a USB
disk.</para>
<tip>
- <para>If you have &os; on CDROM or DVD (either one you purchased
- or you prepared yourself), and your computer allows you to boot from
- the CDROM or DVD (typically a BIOS option called <quote>Boot
- Order</quote> or similar), then you can skip this section. The
- &os; CDROM and DVD images are bootable and can be used to install
+ <para>If installing from a CD/DVD to a
+ computer whose BIOS supports booting from
+ the CD/DVD, skip this section. The
+ &os; CD/DVD images are bootable and can be used to
+ install
&os; without any other special preparation.</para>
</tip>
@@ -607,36 +622,38 @@
<title>Acquire the Memory Stick Image</title>
<para>Memory stick images for
- &os; 8.<replaceable>X</replaceable> and earlier can be downloaded from
+ &os; 8.<replaceable>X</replaceable> can be downloaded
+ from
the <filename class="directory">ISO-IMAGES/</filename>
directory at
<literal>ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/<replaceable>arch</replaceable>/ISO-IMAGES/<replaceable>version</replaceable>/&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-memstick.img</literal>.
Replace <replaceable>arch</replaceable> and
<replaceable>version</replaceable> with the
- architecture and the version number which you want to
- install, respectively. For example, the memory stick
+ architecture and the version number to
+ install. For example, the memory stick
images for &os;/&arch.i386; &rel2.current;-RELEASE are
available from <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/&arch.i386;/ISO-IMAGES/&rel2.current;/&os;-&rel2.current;-RELEASE-&arch.i386;-memstick.img"></ulink>.</para>
<tip>
<para>A different directory path is used for
- &os; 9.0-RELEASE and later versions. Details of
- download and installation of &os; 9.0-RELEASE and
- later is covered in <xref linkend="bsdinstall"/>.</para>
+ &os; 9.0-RELEASE and later versions. How to
+ download and install
+ &os; 9.<replaceable>X</replaceable>
+ is covered in <xref linkend="bsdinstall"/>.</para>
</tip>
<para>The memory stick image has a <filename>.img</filename>
extension. The <filename
class="directory">ISO-IMAGES/</filename> directory
- contains a number of different images, and the one you
- will need to use will depend on the version of &os; you
- are installing, and in some cases, the hardware you are
- installing to.</para>
+ contains a number of different images and the one to
+ use depends on the version of &os; and the
+ type of media supported by the hardware being installed
+ to.</para>
<important>
<para>Before proceeding, <emphasis>back up</emphasis> the
- data you currently have on your USB stick, as this
+ data on the USB stick, as this
procedure will <emphasis>erase</emphasis> it.</para>
</important>
</step>
@@ -659,19 +676,20 @@
<title>Writing the Image with &man.dd.1;</title>
<para>The <filename>.img</filename> file
- is <emphasis>not</emphasis> a regular file you copy to the
+ is <emphasis>not</emphasis> a regular file that can
+ just be copied to the
memory stick. It is an image of the complete contents of the
- disk. This means that you <emphasis>cannot</emphasis> simply
- copy files from one disk to another. Instead, you must use
- &man.dd.1; to write the image directly to the disk:</para>
+ disk. This means that
+ &man.dd.1; must be used to write the image directly to
+ the disk:</para>
<screen>&prompt.root; <userinput>dd if=&os;-&rel2.current;-RELEASE-&arch.i386;-memstick.img of=/dev/<replaceable>da0</replaceable> bs=64k</userinput></screen>
<para>If an
<computeroutput>Operation not permitted</computeroutput>
error is displayed, make certain that the target device
- is not in use, mounted, or being automounted by some
- well-intentioned utility program. Then try
+ is not in use, mounted, or being automounted by
+ another program. Then try
again.</para>
</step>
</procedure>
@@ -680,8 +698,10 @@
<title>Using &windows; to Write the Image</title>
<warning>
- <para>Make sure you use the correct drive letter as the output
- target, or you may overwrite and destroy existing data.</para>
+ <para>Make sure to use the correct drive letter as the
+ output
+ target, as this command will overwrite and destroy
+ any existing data on the specified device.</para>
</warning>
<step>
@@ -736,29 +756,32 @@
<literal>kern*</literal>.</para>
<important>
- <para>Your FTP program must use <emphasis>binary mode</emphasis>
- to download these disk images. Some web browsers have been
- known to use <emphasis>text</emphasis> (or
- <emphasis>ASCII</emphasis>) mode, which will be apparent if you
- cannot boot from the disks.</para>
+ <para>The FTP program must use <emphasis>binary
+ mode</emphasis>
+ to download these disk images. Some web browsers
+ use <emphasis>text</emphasis> or
+ <emphasis>ASCII</emphasis> mode, which will be apparent
+ if
+ the disks are not bootable.</para>
</important>
</step>
<step>
<title>Prepare the Floppy Disks</title>
- <para>Prepare one floppy disk per image file you had to
- download. It is imperative that these disks are free from
- defects. The easiest way to test this is to format the disks
- for yourself. Do not trust pre-formatted floppies. The format
+ <para>Prepare one floppy disk per downloaded image file.
+ It is imperative that these disks are free from
+ defects. The easiest way to test this is to reformat the
+ disks.
+ Do not trust pre-formatted floppies. The format
utility in &windows; will not tell about the presence of
bad blocks, it simply marks them as <quote>bad</quote>
- and ignores them. It is advised that you use brand new
- floppies if choosing this installation route.</para>
+ and ignores them. It is advised to use brand new
+ floppies.</para>
<important>
- <para>If you try to install &os; and the installation
- program crashes, freezes, or otherwise misbehaves, one of
+ <para>If the installer
+ crashes, freezes, or otherwise misbehaves, one of
the first things to suspect is the floppies. Write
the floppy image files to new disks and try
again.</para>
@@ -769,47 +792,44 @@
<title>Write the Image Files to the Floppy Disks</title>
<para>The <filename>.flp</filename> files are
- <emphasis>not</emphasis> regular files you copy to the disk.
+ <emphasis>not</emphasis> regular files that can be copied
+ to the disk.
They are images of the complete contents of the
- disk. This means that you <emphasis>cannot</emphasis> simply
- copy files from one disk to another.
- Instead, you must use specific tools to write the
+ disk.
+ Specific tools must be used to write the
images directly to the disk.</para>
<indexterm><primary>DOS</primary></indexterm>
- <para>If you are creating the floppies on a computer running
- &ms-dos; / &windows;, then we provide a tool to do
- this called <command>fdimage</command>.</para>
+ <para>&os; provides a tool called
+ <command>rawrite</command> for creating the floppies on a
+ computer running
+ &windows;. This tool can be downloaded from
+ <literal>ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/pc98/<replaceable>
+ version</replaceable>-RELEASE/tools/</literal>
+ on the &os; FTP site. Download this tool, insert a
+ floppy, then specify the filename to write to the floppy
+ drive:</para>
- <para>If you are using the floppies from the CDROM, and your
- CDROM is the <devicename>E:</devicename> drive, then you would
- run this:</para>
-
- <screen><prompt>E:\></prompt> <userinput>tools\fdimage floppies\boot.flp A:</userinput></screen>
+ <screen><prompt>C:\></prompt> <userinput>rawrite boot.flp A:</userinput></screen>
<para>Repeat this command for each <filename>.flp</filename>
file, replacing the floppy disk each time, being sure to label
- the disks with the name of the file that you copied to them.
- Adjust the command line as necessary, depending on where you have
- placed the <filename>.flp</filename> files. If you do not have
- the CDROM, then <command>fdimage</command> can be downloaded from
- the <ulink
- url="ftp://ftp.FreeBSD.org/pub/FreeBSD/tools/"><filename class="directory">tools</filename>
- directory</ulink> on the &os; FTP site.</para>
+ the disks with the name of the file.
+ Adjust the command line as necessary, depending on where
+ the <filename>.flp</filename> files are located.</para>
- <para>If you are writing the floppies on a &unix; system (such as
- another &os; system) you can use the &man.dd.1; command to
- write the image files directly to disk. On &os;, you would
+ <para>When writing the floppies on a &unix;-like system,
+ such as
+ another &os; system, use &man.dd.1; to
+ write the image files directly to disk. On &os;,
run:</para>
<screen>&prompt.root; <userinput>dd if=boot.flp of=/dev/fd0</userinput></screen>
<para>On &os;, <filename>/dev/fd0</filename> refers to the
- first floppy disk (the <devicename>A:</devicename> drive).
- <filename>/dev/fd1</filename> would be the
- <devicename>B:</devicename> drive, and so on. Other &unix;
+ first floppy disk. Other &unix;
variants might have different names for the floppy disk
- devices, and you will need to check the documentation for the
+ device, so check the documentation for the
system as necessary.</para>
</step>
</procedure>
@@ -822,8 +842,9 @@
<title>Starting the Installation</title>
<important>
- <para>By default, the installation will not make any changes to your
- disk(s) until you see the following message:</para>
+ <para>By default, the installer will not make any changes to
+ the
+ disk(s) until after the following message:</para>
<literallayout class="monospaced">Last Chance: Are you SURE you want continue the installation?
@@ -832,10 +853,12 @@ STRONGLY ENCOURAGE YOU TO MAKE PROPER BACKUPS before proceeding!
We can take no responsibility for lost disk contents!</literallayout>
- <para>The install can be exited at any time prior to the final
- warning without changing the contents of the hard drive. If you are
- concerned that you have configured something incorrectly you can just
- turn the computer off before this point, and no damage will be
+ <para>The install can be exited at any time prior to this final
+ warning without changing the contents of the hard drive. If
+ there is a
+ concern that something is configured incorrectly,
+ turn the computer off before this point, and no damage
+ will be
done.</para>
</important>
@@ -846,10 +869,6 @@ We can take no responsibility for lost disk contents!</literallayout>
<title>Booting for the &i386;</title>
<procedure>
- <step>
- <para>Start with your computer turned off.</para>
- </step>
-
<step>
<para>Turn on the computer. As it starts it should display an
option to enter the system set up menu, or BIOS, commonly reached
@@ -859,9 +878,10 @@ We can take no responsibility for lost disk contents!</literallayout>
<keycap>Alt</keycap>
<keycap>S</keycap>
</keycombo>. Use whichever keystroke is indicated on screen. In
- some cases your computer may display a graphic while it starts.
+ some cases the computer may display a graphic while it
+ starts.
Typically, pressing <keycap>Esc</keycap> will dismiss the graphic
- and allow you to see the necessary messages.</para>
+ and display the boot messages.</para>
</step>
<step>
@@ -871,11 +891,10 @@ We can take no responsibility for lost disk contents!</literallayout>
<literal>Floppy</literal>, <literal>CDROM</literal>,
<literal>First Hard Disk</literal>, and so on.</para>
- <para>If you are booting from the CDROM then make sure that
- the CDROM is selected. If you are booting from a USB disk or
- a floppy disk then
- make sure that is selected instead. In case of doubt, you
- should consult the manual that came with your computer, and/or its
+ <para>If booting from the CD/DVD, make sure that
+ the CDROM drive is selected. If booting from a USB disk,
+ make sure that it is selected instead. When in doubt,
+ consult the manual that came with the computer or its
motherboard.</para>
<para>Make the change, then save and exit. The computer should now
@@ -883,12 +902,13 @@ We can take no responsibility for lost disk contents!</literallayout>
</step>
<step>
- <para>If you prepared a <quote>bootable</quote> USB stick, as described in
- <xref linkend="install-boot-media"/>, then plug in your USB
+ <para>If using a prepared a <quote>bootable</quote> USB
+ stick, as described in
+ <xref linkend="install-boot-media"/>, plug in the USB
stick before turning on the computer.</para>
- <para>If you are booting from CDROM, then you will need to turn on
- the computer, and insert the CDROM at the first
+ <para>If booting from CD/DVD, turn on
+ the computer, and insert the CD/DVD at the first
opportunity.</para>
<note>
@@ -900,32 +920,33 @@ We can take no responsibility for lost disk contents!</literallayout>
installer.</para>
</note>
- <para>If your computer starts up as normal and loads your existing
+ <para>If the computer starts up as normal and loads the
+ existing
operating system, then either:</para>
<orderedlist>
<listitem>
<para>The disks were not inserted early enough in the boot
- process. Leave them in, and try restarting your
+ process. Leave them in, and try restarting the
computer.</para>
</listitem>
<listitem>
- <para>The BIOS changes earlier did not work correctly. You
- should redo that step until you get the right option.</para>
+ <para>The BIOS changes did not work correctly.
+ Redo that step until the right option is
+ selected.</para>
</listitem>
<listitem>
- <para>Your particular BIOS does not support booting from
+ <para>That particular BIOS does not support booting from
the desired media.</para>
</listitem>
</orderedlist>
</step>
<step>
- <para>&os; will start to boot. If you are booting from CDROM you
- will see a display similar to this (version information
- omitted):</para>
+ <para>&os; will start to boot. If booting from CD/DVD,
+ messages will be displayed, similar to these:</para>
<screen>Booting from CD-Rom...
645MB medium detected
@@ -949,8 +970,8 @@ Loading /boot/defaults/loader.conf
/boot/kernel/kernel text=0x64daa0 data=0xa4e80+0xa9e40 syms=[0x4+0x6cac0+0x4+0x88e9d]
\</screen>
- <para>If you are booting from floppy disc, you will see a display
- similar to this (version information omitted):</para>
+ <para>If booting from floppy disc, a display
+ similar to this will be shown:</para>
<screen>Booting from Floppy...
Uncompressing ... done
@@ -968,16 +989,16 @@ Loading /boot/defaults/loader.conf
Insert disk labelled "Kernel floppy 1" and press any key...</screen>
- <para>Follow these instructions by removing the
- <filename>boot.flp</filename> disc, insert the
- <filename>kern1.flp</filename> disc, and press
- <keycap>Enter</keycap>. Boot from first floppy;
- when prompted, insert the other disks as required.</para>
+ <para>Remove the
+ <filename>boot.flp</filename> floppy, insert the
+ next floppy, and press
+ <keycap>Enter</keycap>.
+ When prompted, insert the other disks as required.</para>
</step>
<step>
- <para>Whether you booted from CDROM, USB stick or floppy, the
- boot process will then get to the &os; boot loader
+ <para>The
+ boot process will then display the &os; boot loader
menu:</para>
<figure id="boot-loader-menu">
@@ -999,28 +1020,25 @@ Insert disk labelled "Kernel floppy 1" and press any key...</screen>
<sect3>
<title>Booting for &sparc64;</title>
- <para>Most &sparc64; systems are set up to boot automatically
- from disk. To install &os;, you need to boot over the
- network or from a CDROM, which requires you to break into
- the PROM (OpenFirmware).</para>
-
- <para>To do this, reboot the system, and wait until the boot
- message appears. It depends on the model, but should look
- about like:</para>
+ <para>Most &sparc64; systems are set to boot automatically
+ from disk. To install &os;, boot over the
+ network or from a CD/DVD and wait until the boot
+ message appears. The message depends on the model, but
+ should look similar to:</para>
<screen>Sun Blade 100 (UltraSPARC-IIe), Keyboard Present
Copyright 1998-2001 Sun Microsystems, Inc. All rights reserved.
OpenBoot 4.2, 128 MB memory installed, Serial #51090132.
Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</screen>
- <para>If your system proceeds to boot from disk at this point,
- you need to press
+ <para>If the system proceeds to boot from disk,
+ press
<keycombo action="simul"><keycap>L1</keycap><keycap>A</keycap></keycombo>
or
<keycombo action="simul"><keycap>Stop</keycap><keycap>A</keycap></keycombo>
on the keyboard, or send a <command>BREAK</command> over the
- serial console (using for example <command>~#</command> in
- &man.tip.1; or &man.cu.1;) to get to the PROM prompt. It
+ serial console using <command>~#</command> in
+ &man.tip.1; or &man.cu.1; to get to the PROM prompt. It
looks like this:</para>
<screen><prompt>ok </prompt><co id="prompt-single"/>
@@ -1033,12 +1051,13 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</screen>
</callout>
<callout arearefs="prompt-smp">
- <para>This is the prompt used on SMP systems, the digit
+ <para>This is the prompt used on SMP systems and the
+ digit
indicates the number of the active CPU.</para>
</callout>
</calloutlist>
- <para>At this point, place the CDROM into your drive, and from
+ <para>At this point, place the CD/DVD into the drive and from
the PROM prompt, type <command>boot cdrom</command>.</para>
</sect3>
@@ -1051,16 +1070,18 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</screen>
<para>The last few hundred lines that have been displayed on screen are
stored and can be reviewed.</para>
- <para>To review the buffer, press <keycap>Scroll Lock</keycap>. This
- turns on scrolling in the display. You can then use the arrow keys, or
+ <para>To review this buffer, press <keycap>Scroll Lock</keycap>
+ to
+ turn on scrolling in the display. Use the arrow keys or
<keycap>PageUp</keycap> and <keycap>PageDown</keycap> to view the
results. Press <keycap>Scroll Lock</keycap> again to stop
scrolling.</para>
<para>Do this now, to review the text that scrolled off the screen when
- the kernel was carrying out the device probes. You will see text
- similar to <xref linkend="install-dev-probe"/>, although the precise
- text will differ depending on the devices that you have in your
+ the kernel was carrying out the device probes. Text
+ similar to <xref linkend="install-dev-probe"/> will be
+ displayed, although
+ it will differ depending on the devices in the
computer.</para>
<figure id="install-dev-probe">
@@ -1130,16 +1151,16 @@ Mounting root from ufs:/dev/md0c
</figure>
<para>Check the probe results carefully to make sure that &os; found
- all the devices you expected. If a device was not found, then it will
+ all the devices. If a device was not found, it will
not be listed. A <link linkend="kernelconfig">custom kernel</link>
- allows you to add in support for devices which are not in the
- <filename>GENERIC</filename> kernel, such as sound cards.</para>
+ can be used to add in support for devices which are not in the
+ <filename>GENERIC</filename> kernel.</para>
- <para>After the procedure of device
- probing, you will see <xref linkend="config-country"/>. Use the
+ <para>After the device
+ probe, the menu shown in <xref linkend="config-country"/>
+ will be displayed. Use the
arrow key to choose a country, region, or group. Then press
- <keycap>Enter</keycap>, it will set your country
- easily.</para>
+ <keycap>Enter</keycap> to set the country.</para>
<figure id="config-country">
<title>Selecting Country Menu</title>
@@ -1151,9 +1172,10 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>If you selected <guimenuitem>United States</guimenuitem>
- as country, the standard American keyboard map will be used,
- if a different country is chosen the following menu will be
+ <para>If <guimenuitem>United States</guimenuitem> is selected
+ as the country, the standard American keyboard map will be
+ used.
+ If a different country is chosen, the following menu will be
displayed. Use the arrow keys to choose the correct keyboard
map and press <keycap>Enter</keycap>.</para>
@@ -1167,27 +1189,25 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>After the country selecting, the <application>sysinstall</application>
+ <para>After the country selection, the &man.sysinstall.8;
main menu will display.</para>
</sect2>
</sect1>
<sect1 id="using-sysinstall">
- <title>Introducing Sysinstall</title>
+ <title>Introducing &man.sysinstall.8;</title>
- <para>The <application>sysinstall</application> utility is the installation
- application provided by the &os; Project. It is console based and is
- divided into a number of menus and screens that you can use to
+ <para>The &os; 8.<replaceable>X</replaceable> installer,
+ &man.sysinstall.8;, is console based and
+ is
+ divided into a number of menus and screens that can be used to
configure and control the installation process.</para>
- <para>The <application>sysinstall</application> menu system is controlled
+ <para>This menu system is controlled
by the arrow keys, <keycap>Enter</keycap>, <keycap>Tab</keycap>,
<keycap>Space</keycap>, and
- other keys. A detailed description of these keys and what they do is
- contained in <application>sysinstall</application>'s usage
- information.</para>
-
- <para>To review this information, ensure that the
+ other keys. To view a detailed description of these keys and
+ what they do, ensure that the
<guimenuitem>Usage</guimenuitem> entry is highlighted and that the
<guibutton>[Select]</guibutton> button is selected, as shown in <xref
linkend="sysinstall-main3"/>, then press <keycap>Enter</keycap>.</para>
@@ -1235,11 +1255,10 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>It is important to read the documents provided.</para>
-
- <para>To view a document, select it with the arrow keys and
+ <para>It is important to read the documents provided. To view a
+ document, select it with the arrow keys and
press <keycap>Enter</keycap>. When finished reading a document,
- pressing <keycap>Enter</keycap> will return to the Documentation
+ press <keycap>Enter</keycap> to return to the Documentation
Menu.</para>
<para>To return to the Main Installation Menu, select
@@ -1252,7 +1271,7 @@ Mounting root from ufs:/dev/md0c
<para>To change the keyboard mapping, use the arrow keys to select
<guimenuitem>Keymap</guimenuitem> from the menu and press
- <keycap>Enter</keycap>. This is only required if you are
+ <keycap>Enter</keycap>. This is only required when
using a non-standard or non-US keyboard.</para>
<figure id="sysinstall-keymap">
@@ -1266,7 +1285,8 @@ Mounting root from ufs:/dev/md0c
</figure>
<para>A different keyboard mapping may be chosen by selecting the
- menu item using up/down arrow keys and pressing <keycap>Space</keycap>.
+ menu item using the up and down arrow keys and pressing
+ <keycap>Space</keycap>.
Pressing <keycap>Space</keycap> again will unselect the item.
When finished, choose the &gui.ok; using the arrow keys and press
<keycap>Enter</keycap>.</para>
@@ -1325,7 +1345,7 @@ Mounting root from ufs:/dev/md0c
<para>Press <keycap>F1</keycap> to read the help screen about the
various options.</para>
- <para>Pressing <keycap>Q</keycap> will return to the Main Install
+ <para>Press <keycap>Q</keycap> to return to the Main Install
menu.</para>
</sect2>
@@ -1352,8 +1372,8 @@ Mounting root from ufs:/dev/md0c
<sect1 id="install-steps">
<title>Allocating Disk Space</title>
- <para>Your first task is to allocate disk space for &os;, and label
- that space so that <application>sysinstall</application> can prepare
+ <para>The first task is to allocate disk space for &os;, and label
+ that space so that &man.sysinstall.8; can prepare
it. In order to do this you need to know how &os; expects to find
information on the disk.</para>
@@ -1366,8 +1386,8 @@ Mounting root from ufs:/dev/md0c
<indexterm><primary>MS-DOS</primary></indexterm>
<indexterm><primary>Microsoft Windows</primary></indexterm>
<para>In a PC running a BIOS-dependent operating system such as
- &ms-dos; or µsoft.windows;, the BIOS is able to abstract the
- normal disk drive order, and
+ µsoft.windows;, the BIOS is able to abstract the
+ normal disk drive order and
the operating system goes along with the change. This allows the user
to boot from a disk drive other than the "primary
master". This is especially convenient for users
@@ -1377,24 +1397,27 @@ Mounting root from ufs:/dev/md0c
first drive fails, is attacked by a virus, or is scribbled upon by an
operating system defect, they can easily recover by instructing the BIOS
to logically swap the drives. It is like switching the cables on the
- drives, but without having to open the case.</para>
+ drives, without having to open the case.</para>
<indexterm><primary>SCSI</primary></indexterm>
<indexterm><primary>BIOS</primary></indexterm>
- <para>More expensive systems with SCSI controllers often include BIOS
+ <para>Systems with SCSI controllers often include BIOS
extensions which allow the SCSI drives to be re-ordered in a similar
fashion for up to seven drives.</para>
<para>A user who is accustomed to taking advantage of these features may
become surprised when the results with &os; are not as expected.
&os; does not use the BIOS, and does not know the <quote>logical BIOS
- drive mapping</quote>. This can lead to very perplexing situations,
- especially when drives are physically identical in geometry, and have
- also been made as data clones of one another.</para>
+ drive mapping</quote>. This can lead to perplexing
+ situations,
+ especially when drives are physically identical in geometry
+ and have
+ been made as data clones of one another.</para>
<para>When using &os;, always restore the BIOS to natural drive
- numbering before installing &os;, and then leave it that way. If you
- need to switch drives around, then do so, but do it the hard way, and
+ numbering before installing &os;, and then leave it that way.
+ If drives
+ need to be switched around, take the time to
open the case and move the jumpers and cables.</para>
<sidebar>
@@ -1406,57 +1429,59 @@ Mounting root from ufs:/dev/md0c
installs &os; on it.</para>
<para>Fred begins using the system, but after several days notices that
- the older SCSI drive is reporting numerous soft errors and reports
- this fact to Bill.</para>
+ the older SCSI drive is reporting numerous
+ errors.</para>
- <para>After several more days, Bill decides it is time to address the
- situation, so he grabs an identical SCSI drive from the disk drive
- <quote>archive</quote> in the back room. An initial surface scan
- indicates that
- this drive is functioning well, so Bill installs this drive as SCSI
+ <para>To address the
+ situation, Bill grabs an identical SCSI drive and installs
+ this drive as SCSI
unit four and makes an image copy from drive zero to drive four. Now
- that the new drive is installed and functioning nicely, Bill decides
- that it is a good idea to start using it, so he uses features in the
+ that the new drive is installed and functioning, Bill
+ decides
+ to start using it, so he uses features in the
SCSI BIOS to re-order the disk drives so that the system boots from
SCSI unit four. &os; boots and runs just fine.</para>
- <para>Fred continues his work for several days, and soon Bill and Fred
- decide that it is time for a new adventure — time to upgrade
+ <para>Fred continues his work and soon
+ decides that it is time to upgrade
to a
newer version of &os;. Bill removes SCSI unit zero because it was
- a bit flaky and replaces it with another identical disk drive from
- the <quote>archive</quote>. Bill then installs the new version of
- &os; onto the new SCSI unit zero using Fred's magic Internet FTP
- floppies. The installation goes well.</para>
+ a bit flaky and replaces it with another identical disk
+ drive. Bill then installs the new version of
+ &os; onto the new SCSI unit zero and the installation goes
+ well.</para>
<para>Fred uses the new version of &os; for a few days, and certifies
that it is good enough for use in the engineering department. It is
- time to copy all of his work from the old version. So Fred mounts
- SCSI unit four (the latest copy of the older &os; version). Fred
- is dismayed to find that none of his precious work is present on SCSI
+ time to copy all of his work from the old version, so Fred
+ mounts
+ SCSI unit four which should contain the latest copy of the
+ older
+ &os; version. Fred
+ is dismayed to find that none of his work is present on SCSI
unit four.</para>
- <para>Where did the data go?</para>
-
- <para>When Bill made an image copy of the original SCSI unit zero onto
+ <para>It turns out that when Bill made an image copy of the
+ original SCSI unit zero onto
SCSI unit four, unit four became the <quote>new clone</quote>.
When Bill re-ordered the SCSI BIOS so that he could boot from
- SCSI unit four, he was only fooling himself.
+ SCSI unit four,
&os; was still running on SCSI unit zero.
- Making this kind of BIOS change will cause some or all of the Boot and
- Loader code to be fetched from the selected BIOS drive, but when the
- &os; kernel drivers take-over, the BIOS drive numbering will be
- ignored, and &os; will transition back to normal drive numbering.
- In the illustration at hand, the system continued to operate on the
+ Making this kind of BIOS change causes some or all of the
+ boot and
+ loader code to be fetched from the selected BIOS drive. But
+ when the
+ &os; kernel drivers take over, the BIOS drive numbering is
+ ignored, and &os; transitions back to normal drive
+ numbering.
+ In this example, the system continued to operate on the
original SCSI unit zero, and all of Fred's data was there, not on SCSI
unit four. The fact that the system appeared to be running on SCSI
unit four was simply an artifact of human expectations.</para>
- <para>We are delighted to mention that no data bytes were killed or
- harmed in any way by our discovery of this phenomenon. The older SCSI
- unit zero was retrieved from the bone pile, and all of Fred's work was
- returned to him, (and now Bill knows that he can count as high as
- zero).</para>
+ <para>Fortunately, the older SCSI
+ unit zero was retrieved and all of Fred's work was
+ restored.</para>
<para>Although SCSI drives were used in this illustration, the concepts
apply equally to IDE drives.</para>
@@ -1466,19 +1491,9 @@ Mounting root from ufs:/dev/md0c
<sect2 id="main-fdisk">
<title>Creating Slices Using FDisk</title>
- <note>
- <para>No changes you make at this point will be written to the disk.
- If you think you have made a mistake and want to start again you can
- use the menus to exit <application>sysinstall</application> and try
- again or press <keycap>U</keycap> to use the
- <guimenuitem>Undo</guimenuitem> option.
- If you get confused and can not see how to exit you can
- always turn your computer off.</para>
- </note>
-
<para>After choosing to begin a standard installation in
- <application>sysinstall</application> you will be shown this
- message:</para>
+ &man.sysinstall.8;, this
+ message will appear:</para>
<screen> Message
In the next menu, you will need to set up a DOS-style ("fdisk")
@@ -1492,11 +1507,11 @@ Mounting root from ufs:/dev/md0c
[ Press enter or space ]</screen>
- <para>Press <keycap>Enter</keycap> as instructed. You will then be
- shown a list of all the hard drives that the kernel found when it
- carried out the device probes.
+ <para>Press <keycap>Enter</keycap> and
+ a list of all the hard drives that the kernel found when it
+ carried out the device probes will be displayed.
<xref linkend="sysinstall-fdisk-drive1"/> shows an example from a
- system with two IDE disks. They have been called
+ system with two IDE disks called
<devicename>ad0</devicename> and <devicename>ad2</devicename>.</para>
<figure id="sysinstall-fdisk-drive1">
@@ -1509,39 +1524,43 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>You might be wondering why <devicename>ad1</devicename> is not
- listed here. Why has it been missed?</para>
+ <para>Note that <devicename>ad1</devicename> is not
+ listed here.</para>
- <para>Consider what would happen if you had two IDE hard disks, one
- as the master on the first IDE controller, and one as the master on
- the second IDE controller. If &os; numbered these as it found
- them, as <devicename>ad0</devicename> and
- <devicename>ad1</devicename> then everything would work.</para>
+ <para>Consider two IDE hard disks where one
+ is the master on the first IDE controller and one is the
+ master on
+ the second IDE controller. If &os; numbered these as
+ <devicename>ad0</devicename> and
+ <devicename>ad1</devicename>, everything would work.</para>
- <para>But if you then added a third disk, as the slave device on the
+ <para>But if a third disk is later added as the slave device on
+ the
first IDE controller, it would now be <devicename>ad1</devicename>,
and the previous <devicename>ad1</devicename> would become
- <devicename>ad2</devicename>. Because device names (such as
- <devicename>ad1s1a</devicename>) are used to find filesystems, you
- may suddenly discover that some of your filesystems no longer
- appear correctly, and you would need to change your &os;
+ <devicename>ad2</devicename>. Because device names
+ are used to find filesystems,
+ some filesystems may no longer
+ appear correctly, requiring a change to the &os;
configuration.</para>
<para>To work around this, the kernel can be configured to name IDE
- disks based on where they are, and not the order in which they were
- found. With this scheme the master disk on the second IDE
+ disks based on where they are and not the order in which they
+ were
+ found. With this scheme, the master disk on the second IDE
controller will <emphasis>always</emphasis> be
<devicename>ad2</devicename>, even if there are no
<devicename>ad0</devicename> or <devicename>ad1</devicename>
devices.</para>
<para>This configuration is the default for the &os; kernel, which
- is why this display shows <devicename>ad0</devicename> and
+ is why the display in this example shows
+ <devicename>ad0</devicename> and
<devicename>ad2</devicename>. The machine on which this screenshot
was taken had IDE disks on both master channels of the IDE
- controllers, and no disks on the slave channels.</para>
+ controllers and no disks on the slave channels.</para>
- <para>You should select the disk on which you want to install &os;,
+ <para>Select the disk on which to install &os;,
and then press &gui.ok;.
<application>FDisk</application> will start, with a display similar to
that shown in <xref linkend="sysinstall-fdisk1"/>.</para>
@@ -1556,17 +1575,19 @@ Mounting root from ufs:/dev/md0c
<para>The second section shows the slices that are currently on the
disk, where they start and end, how large they are, the name &os;
gives them, and their description and sub-type. This example shows two
- small unused slices, which are artifacts of disk layout schemes on the
+ small unused slices which are artifacts of disk layout schemes
+ on the
PC. It also shows one large <acronym>FAT</acronym> slice, which
- almost certainly appears as <devicename>C:</devicename> in
- &ms-dos; / &windows;, and an extended slice, which may contain other
- drive letters for &ms-dos; / &windows;.</para>
+ appears as <devicename>C:</devicename> in
+ &windows;, and an extended slice, which may contain other
+ drive letters in &windows;.</para>
<para>The third section shows the commands that are available in
<application>FDisk</application>.</para>
<figure id="sysinstall-fdisk1">
- <title>Typical <command>fdisk</command> Partitions Before Editing</title>
+ <title>Typical Default <application>FDisk</application>
+ Partitions</title>
<mediaobject>
<imageobject>
@@ -1575,31 +1596,32 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>What you do now will depend on how you want to slice up your
- disk.</para>
+ <para>This step varies, depending on how the disk is to be
+ sliced.</para>
- <para>If you want to use &os; for the entire disk (which will delete
- all the other data on this disk when you confirm that you want
- <application>sysinstall</application> to continue later in the
- installation process) then you can press <keycap>A</keycap>, which
+ <para>To install &os; to the entire disk, which will delete
+ all the other data on this disk, press <keycap>A</keycap>,
+ which
corresponds to the <guimenuitem>Use Entire Disk</guimenuitem> option.
- The existing slices will be removed, and replaced with a small area
- flagged as <literal>unused</literal> (again, an artifact of PC disk
- layout), and then one large slice for &os;. If you do this, then
- you should select the newly created &os; slice using the arrow
- keys, and press <keycap>S</keycap> to mark the slice as being
- bootable. The screen will then look very similar to
+ The existing slices will be removed and replaced with a small
+ area
+ flagged as <literal>unused</literal>
+ and one large slice for &os;. Then,
+ select the newly created &os; slice using the arrow
+ keys and press <keycap>S</keycap> to mark the slice as being
+ bootable. The screen will then look similar to
<xref linkend="sysinstall-fdisk2"/>. Note the
<literal>A</literal> in the <literal>Flags</literal> column, which
indicates that this slice is <emphasis>active</emphasis>, and will be
booted from.</para>
- <para>If you will be deleting an existing slice to make space for
- &os; then you should select the slice using the arrow keys, and
- then press <keycap>D</keycap>. You can then press <keycap>C</keycap>,
- and be prompted for size of slice you want to create. Enter the
- appropriate figure and press <keycap>Enter</keycap>. The default
- value in this box represents the largest possible slice you can
+ <para>If an existing slice needs to be deleted to make space for
+ &os;, select the slice using the arrow keys and
+ press <keycap>D</keycap>. Then, press <keycap>C</keycap> to
+ be prompted for the size of the slice to create. Enter the
+ appropriate value and press <keycap>Enter</keycap>. The
+ default
+ value in this box represents the largest possible slice to
make, which could be the largest contiguous block of unallocated
space or the size of the entire hard disk.</para>
@@ -1618,37 +1640,42 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>When finished, press <keycap>Q</keycap>. Your changes will be
- saved in <application>sysinstall</application>, but will not yet be
+ <para>When finished, press <keycap>Q</keycap>. Any changes will
+ be
+ saved in &man.sysinstall.8;, but will not yet be
written to disk.</para>
</sect2>
<sect2 id="bootmgr">
<title>Install a Boot Manager</title>
- <para>You now have the option to install a boot manager. In general,
- you should choose to install the &os; boot manager if:</para>
+ <para>The next menu provides the option to install a boot
+ manager. In general,
+ install the &os; boot manager if:</para>
<itemizedlist>
<listitem>
- <para>You have more than one drive, and have installed &os; onto
+ <para>There is more than one drive and &os; will be
+ installed onto
a drive other than the first one.</para>
</listitem>
<listitem>
- <para>You have installed &os; alongside another operating system
+ <para>&os; will be installed alongside another operating
+ system
on the same disk, and you want to choose whether to start &os;
- or the other operating system when you start the computer.</para>
+ or the other operating system when the computer
+ starts.</para>
</listitem>
</itemizedlist>
<para>If &os; is going to be the only operating system on
this machine, installed on the first hard disk, then the
<guimenuitem>Standard</guimenuitem> boot manager will suffice.
- Choose <guimenuitem>None</guimenuitem> if you are using a
+ Choose <guimenuitem>None</guimenuitem> if using a
third-party boot manager capable of booting &os;.</para>
- <para>Make your choice and press <keycap>Enter</keycap>.</para>
+ <para>Make a selection and press <keycap>Enter</keycap>.</para>
<figure id="sysinstall-bootmgr">
<title>Sysinstall Boot Manager Menu</title>
@@ -1669,14 +1696,14 @@ Mounting root from ufs:/dev/md0c
<title>Creating Slices on Another Drive</title>
<para>If there is more than one drive, it will return to the
- Select Drives screen after the boot manager selection. If you wish to
- install &os; on to more than one disk, then you can select another
- disk here and repeat the slice process using
+ Select Drives screen after the boot manager selection. To
+ install &os; on to more than one disk, select another
+ disk and repeat the slice process using
<application>FDisk</application>.</para>
<important>
- <para>If you are installing &os; on a drive other than your
- first, then the &os; boot manager needs to be installed on
+ <para>If installing &os; on a drive other than the
+ first drive, the &os; boot manager needs to be installed on
both drives.</para>
</important>
@@ -1690,11 +1717,11 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>The <keycap>Tab</keycap> key toggles between the last drive
+ <para>Use <keycap>Tab</keycap> to toggle between the last drive
selected, &gui.ok;, and
&gui.cancel;.</para>
- <para>Press the <keycap>Tab</keycap> once to toggle to the
+ <para>Press <keycap>Tab</keycap> once to toggle to
&gui.ok;, then
press <keycap>Enter</keycap>
to continue with the installation.</para>
@@ -1704,22 +1731,27 @@ Mounting root from ufs:/dev/md0c
<title>Creating Partitions Using
<application>Disklabel</application></title>
- <para>You must now create some partitions inside each slice that you
- have just created. Remember that each partition is lettered, from
+ <para>Next, create some partitions inside each slice.
+ Remember that each partition is lettered, from
<literal>a</literal> through to <literal>h</literal>, and that
partitions <literal>b</literal>, <literal>c</literal>, and
- <literal>d</literal> have conventional meanings that you should adhere
+ <literal>d</literal> have conventional meanings that should
+ be adhered
to.</para>
<para>Certain applications can benefit from particular partition
- schemes, especially if you are laying out partitions across more than
- one disk. However, for this, your first &os; installation, you do
- not need to give too much thought to how you partition the disk. It
- is more important that you install &os; and start learning how to
- use it. You can always re-install &os; to change your partition
- scheme when you are more familiar with the operating system.</para>
+ schemes, especially when laying out partitions across more
+ than
+ one disk. However, for a first &os; installation, do
+ not give too much thought to how to partition the disk. It
+ is more important to install &os; and start learning how to
+ use it. You can always re-install &os; to change the
+ partition
+ scheme after becoming more familiar with the operating
+ system.</para>
- <para>This scheme features four partitions—one for swap space, and
+ <para>The following scheme features four partitions: one
+ for swap space and
three for filesystems.</para>
<table frame="none" pgwide="1">
@@ -1747,18 +1779,16 @@ Mounting root from ufs:/dev/md0c
<row>
<entry><literal>a</literal></entry>
- <entry><filename>/</filename></entry>
+ <entry><filename class="directory">/</filename></entry>
<entry>1 GB</entry>
<entry>This is the root filesystem. Every other filesystem
will be mounted somewhere under this one. 1 GB is a
- reasonable size for this filesystem. You will not be storing
- too much data on it, as a regular &os; install will put
- about 128 MB of data here. The remaining space is for
- temporary data, and also leaves expansion space if future
- versions of
- &os; need more space in <filename>/</filename>.</entry>
+ reasonable size for this filesystem as user files
+ should not be stored here and
+ a regular &os; install will put
+ about 128 MB of data here.</entry>
</row>
<row>
@@ -1770,34 +1800,37 @@ Mounting root from ufs:/dev/md0c
<entry><para>The system's swap space is kept on the <literal>b</literal> partition.
Choosing the right amount of swap space can be a bit of an
- art. A good rule of thumb is that your swap
+ art. A good rule of thumb is that swap
space should be two or three times as much as the
available physical memory (RAM).
- You should also have at least 64 MB of swap, so if you
- have less than 32 MB of RAM in your computer then set
- the swap amount to 64 MB.</para><para>
-
- If you have more than one disk then you can put swap
- space on each disk. &os; will then use each disk for
+ There should be at least 64 MB of swap, so if
+ there is
+ less than 32 MB of RAM in the computer, set
+ the swap amount to 64 MB.
+ If there is more than one disk, swap
+ space can be put on each disk. &os; will then use
+ each disk for
swap, which effectively speeds up the act of swapping. In
- this case, calculate the total amount of swap you need
- (e.g., 128 MB), and then divide this by the number of
- disks you have (e.g., two disks) to give the amount of swap
- you should put on each disk, in this example, 64 MB of
- swap per disk.</para></entry>
+ this case, calculate the total amount of swap needed
+ and divide this by the number of
+ disks to give the amount of swap
+ to put on each disk.</para></entry>
</row>
<row>
<entry><literal>e</literal></entry>
- <entry><filename>/var</filename></entry>
+ <entry><filename
+ class="directory">/var</filename></entry>
<entry>512 MB to 4096 MB</entry>
- <entry>The <filename>/var</filename> directory contains
- files that are constantly varying;
- log files, and other administrative files. Many
- of these files are read-from or written-to extensively during
+ <entry><filename class="directory">/var</filename>
+ contains
+ files that are constantly varying, such as
+ log files and other administrative files. Many
+ of these files are read from or written to extensively
+ during
&os;'s day-to-day running. Putting these files on another
filesystem allows &os; to optimize the access of these
files without affecting other files in other directories that
@@ -1807,12 +1840,14 @@ Mounting root from ufs:/dev/md0c
<row>
<entry><literal>f</literal></entry>
- <entry><filename>/usr</filename></entry>
+ <entry><filename
+ class="directory">/usr</filename></entry>
<entry>Rest of disk (at least 8 GB)</entry>
- <entry>All your other files will typically be stored in
- <filename>/usr</filename> and its subdirectories.</entry>
+ <entry>All other files will typically be stored in
+ <filename class="directory">/usr</filename> and its
+ subdirectories.</entry>
</row>
</tbody>
</tgroup>
@@ -1825,9 +1860,9 @@ Mounting root from ufs:/dev/md0c
Defaults</literal> by the &os; partition editor.</para>
</warning>
- <para>If you will be installing &os; on to more than one disk then
- you must also create partitions in the other slices that you
- configured. The easiest way to do this is to create two partitions on
+ <para>If installing &os; on to more than one disk,
+ create partitions in the other configured slices.
+ The easiest way to do this is to create two partitions on
each disk, one for the swap space, and one for a filesystem.</para>
<table frame="none" pgwide="1">
@@ -1859,7 +1894,7 @@ Mounting root from ufs:/dev/md0c
<entry>See description</entry>
- <entry>As already discussed, you can split swap space across
+ <entry>Swap space can be split across
each disk. Even though the <literal>a</literal> partition is
free, convention dictates that swap space stays on the
<literal>b</literal> partition.</entry>
@@ -1877,23 +1912,25 @@ Mounting root from ufs:/dev/md0c
partition, instead of the <literal>e</literal> partition.
However, convention says that the <literal>a</literal>
partition on a slice is reserved for the filesystem that will
- be the root (<filename>/</filename>) filesystem. You do not
- have to follow this convention, but
- <application>sysinstall</application> does, so following it
- yourself makes the installation slightly cleaner. You can
- choose to mount this filesystem anywhere; this example
- suggests that you mount them as directories
- <filename>/disk<replaceable>n</replaceable></filename>, where
+ be the root (<filename class="directory">/</filename>)
+ filesystem. Following
+ this convention is not necessary, but
+ &man.sysinstall.8; uses it, so following it
+ makes the installation slightly cleaner.
+ This filesystem can be mounted anywhere; this example
+ mounts it as
+ <filename
+ class="directory">/disk<replaceable>n</replaceable></filename>,
+ where
<replaceable>n</replaceable> is a number that changes for each
- disk. But you can use another scheme if you prefer.</entry>
+ disk.</entry>
</row>
</tbody>
</tgroup>
</table>
- <para>Having chosen your partition layout you can now create it using
- <application>sysinstall</application>. You will see this
- message:</para>
+ <para>Having chosen the partition layout, create it using
+ &man.sysinstall.8;.</para>
<screen> Message
Now, you need to create BSD partitions inside of the fdisk
@@ -1906,17 +1943,19 @@ Mounting root from ufs:/dev/md0c
[ OK ]
[ Press enter or space ]</screen>
- <para>Press <keycap>Enter</keycap> to start the FreeBSD partition
+ <para>Press <keycap>Enter</keycap> to start the &os; partition
editor, called <application>Disklabel</application>.</para>
- <para><xref linkend="sysinstall-label"/> shows the display when you first
- start <application>Disklabel</application>. The display is divided in
- to three sections.</para>
+ <para><xref linkend="sysinstall-label"/> shows the display when
+ <application>Disklabel</application> starts. The display is
+ divided into three sections.</para>
- <para>The first few lines show the name of the disk you are currently
- working on, and the slice that contains the partitions you are
- creating (at this point <application>Disklabel</application> calls
- this the <literal>Partition name</literal> rather than slice name).
+ <para>The first few lines show the name of the disk being
+ worked on and the slice that contains the partitions to
+ create. At this point, <application>Disklabel</application>
+ calls
+ this the <literal>Partition name</literal> rather than slice
+ name.
This display also shows the amount of free space within the slice;
that is, space that was set aside in the slice, but that has not yet
been assigned to a partition.</para>
@@ -1940,20 +1979,21 @@ Mounting root from ufs:/dev/md0c
</figure>
<para><application>Disklabel</application> can automatically create
- partitions for you and assign them default sizes. The default sizes
+ partitions and assign them default sizes. The default sizes
are calculated with the help of an internal partition sizing algorithm
- based on the disk size. Try this now, by
- Pressing <keycap>A</keycap>. You will see a display similar to that
+ based on the disk size.
+ Press <keycap>A</keycap> to see a display similar to that
shown in <xref linkend="sysinstall-label2"/>. Depending on the size of
- the disk you are using, the defaults may or may not be appropriate.
- This does not matter, as you do not have to accept the
- defaults.</para>
+ the disk, the defaults may or may not be appropriate.</para>
<note>
<para>The default partitioning assigns
- the <filename>/tmp</filename> directory its own partition instead
- of being part of the <filename>/</filename> partition. This
- helps avoid filling the <filename>/</filename> partition with
+ <filename class="directory">/tmp</filename> its own
+ partition instead
+ of being part of the <filename
+ class="directory">/</filename> partition. This
+ helps avoid filling the <filename
+ class="directory">/</filename> partition with
temporary files.</para>
</note>
@@ -1967,19 +2007,23 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>If you choose to not use the default partitions and wish to
- replace them with your
- own, use the arrow keys to select the first partition, and press
+ <para>To
+ replace the default partitions,
+ use the arrow keys to select the first partition and press
<keycap>D</keycap> to delete it. Repeat this to delete all the
suggested partitions.</para>
- <para>To create the first partition (<literal>a</literal>, mounted as
- <filename>/</filename> — root), make sure the proper disk slice
+ <para>To create the first partition, <literal>a</literal>,
+ mounted as
+ <filename class="directory">/</filename>, make sure the
+ proper disk slice
at the top of
the screen is selected and press <keycap>C</keycap>. A dialog box
- will appear prompting you for the size of the new partition (as shown
- in <xref linkend="sysinstall-label-add"/>). You can enter the size as
- the number of disk blocks you want to use, or as a
+ will appear, prompting for the size of the new partition,
+ as shown
+ in <xref linkend="sysinstall-label-add"/>. The size can
+ be entered as
+ the number of disk blocks to use or as a
number followed by either <literal>M</literal> for megabytes,
<literal>G</literal> for gigabytes, or <literal>C</literal> for
cylinders.</para>
@@ -1995,8 +2039,8 @@ Mounting root from ufs:/dev/md0c
</figure>
<para>The default size shown will create a partition that takes up the
- rest of the slice. If you are using the partition sizes described
- in the earlier example, then delete the existing figure using
+ rest of the slice. If using the partition sizes described
+ in the earlier example, delete the existing figure using
<keycap>Backspace</keycap>, and then type in
<userinput>512M</userinput>, as shown in
<xref linkend="sysinstall-label-add2"/>. Then press
@@ -2012,7 +2056,8 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>Having chosen the partition's size you will then be asked whether
+ <para>After choosing the partition's size, the installer will
+ ask whether
this partition will contain a filesystem or swap space. The dialog
box is shown in <xref linkend="sysinstall-label-type"/>. This first
partition will contain a filesystem, so check that
@@ -2029,11 +2074,12 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>Finally, because you are creating a filesystem, you must tell
- <application>Disklabel</application> where the filesystem is to be
+ <para>Finally, tell
+ <application>Disklabel</application> where the filesystem will
+ be
mounted. The dialog box is shown in
- <xref linkend="sysinstall-label-mount"/>. The root filesystem's mount
- point is <filename>/</filename>, so type <userinput>/</userinput>, and
+ <xref linkend="sysinstall-label-mount"/>. Type
+ <userinput>/</userinput>, and
then press <keycap>Enter</keycap>.</para>
<figure id="sysinstall-label-mount">
@@ -2046,16 +2092,19 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>The display will then update to show you the newly created
- partition. You should repeat this procedure for the other
- partitions. When you create the swap partition, you will not be
- prompted for the filesystem mount point, as swap partitions are never
- mounted. When you create the final partition,
- <filename>/usr</filename>, you can leave the suggested size as is, to
+ <para>The display will then update to show the newly created
+ partition. Repeat this procedure for the other
+ partitions. When creating the swap partition, it will not
+ prompt for the filesystem mount point. When creating the
+ final partition,
+ <filename class="directory">/usr</filename>, leave the
+ suggested size as is to
use the rest of the slice.</para>
- <para>Your final &os; DiskLabel Editor screen will appear similar to
- <xref linkend="sysinstall-label4"/>, although your values chosen may
+ <para>The final &os; DiskLabel Editor screen will appear similar
+ to
+ <xref linkend="sysinstall-label4"/>, although the values
+ chosen may
be different. Press <keycap>Q</keycap> to finish.</para>
<figure id="sysinstall-label4">
@@ -2080,32 +2129,36 @@ Mounting root from ufs:/dev/md0c
on the intended use of the system and the amount of disk space
available. The predefined options range from installing the
smallest possible configuration to everything. Those who are
- new to &unix; and/or &os; should almost certainly select one
+ new to &unix; or &os; should select one
of these canned options. Customizing a distribution set is
typically for the more experienced user.</para>
<para>Press <keycap>F1</keycap> for more information on the
distribution set options and what they contain. When finished
- reviewing the help, pressing <keycap>Enter</keycap> will return
+ reviewing the help, press <keycap>Enter</keycap> to return
to the Select Distributions Menu.</para>
- <para>If a graphical user interface is desired then the
- configuration of the X server and selection of a default
+ <para>If a graphical user interface is desired, the
+ configuration of <application>&xorg;</application> and
+ selection of a default
desktop must be done after the installation of &os;. More
information regarding the installation and configuration of a
- X server can be found in <xref linkend="x11"/>.</para>
+ <application>&xorg;</application> can be found in <xref
+ linkend="x11"/>.</para>
<para>If compiling a custom kernel is anticipated, select an option
which includes the source code. For more information on why a
custom kernel should be built or how to build a custom kernel, see
<xref linkend="kernelconfig"/>.</para>
- <para>Obviously, the most versatile system is one that includes
+ <para>The most versatile system is one that includes
everything. If there is adequate disk space, select
- <guimenuitem>All</guimenuitem> as shown in
- <xref linkend="distribution-set1"/> by using the arrow keys and
- press <keycap>Enter</keycap>. If there is a concern about disk
- space consider using an option that is more suitable for the
+ <guimenuitem>All</guimenuitem>, as shown in
+ <xref linkend="distribution-set1"/>, by using the arrow keys
+ and
+ pressing <keycap>Enter</keycap>. If there is a concern about
+ disk
+ space, consider using an option that is more suitable for the
situation.
Do not fret over the perfect choice, as other distributions can be
added after installation.</para>
@@ -2125,14 +2178,13 @@ Mounting root from ufs:/dev/md0c
<title>Installing the Ports Collection</title>
<para>After selecting the desired distribution, an opportunity to
- install the &os; Ports Collection is presented. The ports
- collection is an easy and convenient way to install software.
- The Ports Collection does not contain the source code necessary
- to compile the software. Instead, it is a collection of files which
- automates the downloading, compiling and installation
+ install the &os; Ports Collection is presented. The Ports
+ Collection is an easy and convenient way to install software
+ as it provides a collection of files that
+ automate the downloading, compiling, and installation
of third-party software packages.
- <xref linkend="ports"/> discusses how to use the ports
- collection.</para>
+ <xref linkend="ports"/> discusses how to use the Ports
+ Collection.</para>
<para>The installation program does not check to see if you have
adequate space. Select this option only if you have
@@ -2175,19 +2227,19 @@ Mounting root from ufs:/dev/md0c
</mediaobject>
</figure>
- <para>If satisfied with the options, select
+ <para>Once satisfied with the options, select
<guimenuitem>Exit</guimenuitem> with the arrow keys, ensure that
- &gui.ok; is highlighted, and pressing
+ &gui.ok; is highlighted, and press
<keycap>Enter</keycap> to continue.</para>
</sect2>
</sect1>
<sect1 id="install-media">
- <title>Choosing Your Installation Media</title>
+ <title>Choosing the Installation Media</title>
- <para>If Installing from a CDROM or DVD, use the arrow keys to highlight
- <guimenuitem>Install from a FreeBSD CD/DVD</guimenuitem>. Ensure
+ <para>If installing from a CD/DVD, use the arrow keys to highlight
+ <guimenuitem>Install from a &os; CD/DVD</guimenuitem>. Ensure
that &gui.ok; is highlighted, then press
<keycap>Enter</keycap> to proceed with the installation.</para>
@@ -2217,7 +2269,7 @@ Mounting root from ufs:/dev/md0c
<tertiary>FTP</tertiary>
</indexterm>
- <para>There are three FTP installation modes you can choose from:
+ <para>There are three FTP installation modes to choose from:
active FTP, passive FTP, or via a HTTP proxy.</para>
<variablelist>
@@ -2226,12 +2278,12 @@ Mounting root from ufs:/dev/md0c
server</guimenuitem></term>
<listitem>
- <para>This option will make all FTP transfers
+ <para>This option makes all FTP transfers
use <quote>Active</quote>
mode. This will not work through firewalls, but will
often work with older FTP servers that do not support
- passive mode. If your connection hangs with passive
- mode (the default), try active!</para>
+ passive mode. If the connection hangs with passive
+ mode (the default), try using active mode.</para>
</listitem>
</varlistentry>
@@ -2245,8 +2297,9 @@ Mounting root from ufs:/dev/md0c
<secondary>passive mode</secondary>
</indexterm>
- <para>This option instructs <application>sysinstall</application>
- to <quote>Passive</quote> mode for all FTP operations.
+ <para>This option instructs &man.sysinstall.8;
+ to use passive mode for all FTP
+ operations.
This allows the user to pass through firewalls
that do not allow incoming connections on random TCP ports.
</para>
@@ -2263,40 +2316,40 @@ Mounting root from ufs:/dev/md0c
<secondary>via a HTTP proxy</secondary>
</indexterm>
- <para>This option instructs <application>sysinstall</application>
+ <para>This option instructs &man.sysinstall.8;
to use the HTTP
- protocol (like a web browser) to connect to a proxy
+ protocol to connect to a proxy
for all FTP operations. The proxy will translate
the requests and send them to the FTP server.
This allows the user to pass through firewalls
- that do not allow FTP at all, but offer a HTTP
+ that do not allow FTP, but offer a HTTP
proxy.
- In this case, you have to specify the proxy in
+ In this case, specify the proxy in
addition to the FTP server.</para>
</listitem>
</varlistentry>
</variablelist>
- <para>For a proxy FTP server, you should usually give the name of the
- server you really want as a part of the username, after an
+ <para>For a proxy FTP server, give the name of the
+ server as part of the username, after an
<quote>@</quote> sign. The proxy server then <quote>fakes</quote>
- the real server. For example, assuming you want to install from
+ the real server. For example, to install from
<hostid role="fqdn">ftp.FreeBSD.org</hostid>, using the proxy FTP
server <hostid role="fqdn">foo.example.com</hostid>, listening on port
- 1234.</para>
-
- <para>In this case, you go to the options menu, set the FTP username
- to <literal>ftp@ftp.FreeBSD.org</literal>, and the password to your
- email address. As your installation media, you specify FTP (or
+ 1234, go to the options menu, set the FTP username
+ to <literal>ftp@ftp.FreeBSD.org</literal> and the password to
+ an
+ email address. As the installation media, specify FTP (or
passive FTP, if the proxy supports it), and the URL
<literal>ftp://foo.example.com:1234/pub/FreeBSD</literal>.</para>
- <para>Since <filename>/pub/FreeBSD</filename> from
+ <para>Since <filename class="directory">/pub/FreeBSD</filename>
+ from
<hostid role="fqdn">ftp.FreeBSD.org</hostid> is proxied under
- <hostid role="fqdn">foo.example.com</hostid>, you are able to install
- from <emphasis>that</emphasis> machine (which will fetch the files
- from <hostid role="fqdn">ftp.FreeBSD.org</hostid> as your
- installation requests them).</para>
+ <hostid role="fqdn">foo.example.com</hostid>, the proxy
+ will fetch the files
+ from <hostid role="fqdn">ftp.FreeBSD.org</hostid> as the
+ installer requests them.</para>
</note>
</sect1>
@@ -2323,7 +2376,7 @@ Mounting root from ufs:/dev/md0c
<para>The installation time will vary according to the distribution
chosen, installation media, and the speed of the computer.
There will be a series of
- messages displayed indicating the status.</para>
+ messages displayed, indicating the status.</para>
<para>The installation is complete when the following message is
displayed:</para>
@@ -2347,7 +2400,7 @@ do so by typing: /usr/sbin/sysinstall.
<para>Selecting &gui.no; and pressing
<keycap>Enter</keycap> will abort
- the installation so no changes will be made to your system. The
+ the installation so no changes will be made to the system. The
following message will appear:</para>
<screen> Message
@@ -2366,19 +2419,21 @@ installation menus to retry whichever operations have failed.
<sect1 id="install-post">
<title>Post-installation</title>
- <para>Configuration of various options follows the successful
- installation. An option can be configured by re-entering the
- configuration options before booting the new &os;
- system or after installation using
- <command>sysinstall</command>
- and selecting
- <guimenuitem>Configure</guimenuitem>.</para>
+ <para>Configuration of various options can be performed after a
+ successful installation. An option can be configured by
+ re-entering the
+ configuration menus before booting the new &os;
+ system or after boot using
+ &man.sysinstall.8;
+ and then selecting the
+ <guimenuitem>Configure</guimenuitem> menu.</para>
<sect2 id="inst-network-dev">
<title>Network Device Configuration</title>
- <para>If you previously configured PPP for an FTP install, this screen
- will not display and can be configured later as described
+ <para>If PPP was previously configured for an FTP install, this
+ screen
+ will not display and can be configured after boot as described
above.</para>
<para>For detailed information on Local Area Networks and
@@ -2418,8 +2473,9 @@ installation menus to retry whichever operations have failed.
was selected with the arrow keys and <keycap>Enter</keycap>
pressed.</para>
- <para>If you are connected to an existing <acronym>IPv6</acronym> network
- with an <acronym>RA</acronym> server, then choose
+ <para>If connected to an existing <acronym>IPv6</acronym>
+ network
+ with an <acronym>RA</acronym> server, choose
&gui.yes; and press <keycap>Enter</keycap>.
It will take several seconds to scan for RA servers.</para>
@@ -2428,12 +2484,13 @@ installation menus to retry whichever operations have failed.
Yes [ No ]</screen>
- <para>If DHCP (Dynamic Host Configuration Protocol) is not required
+ <para>If Dynamic Host Configuration Protocol
+ <acronym>DHCP</acronym>) is not required,
select &gui.no; with the arrow keys and press
<keycap>Enter</keycap>.</para>
<para>Selecting &gui.yes; will execute
- <application>dhclient</application>, and if successful, will fill
+ &man.dhclient.8; and, if successful, will fill
in the network configuration information automatically. Refer to
<xref linkend="network-dhcp"/> for more information.</para>
@@ -2469,7 +2526,7 @@ installation menus to retry whichever operations have failed.
<term>Domain</term>
<listitem>
- <para>The name of the domain that your machine is
+ <para>The name of the domain that the machine is
in, such as <hostid role="domainname">example.com</hostid>
for this case.</para>
</listitem>
@@ -2480,7 +2537,8 @@ installation menus to retry whichever operations have failed.
<listitem>
<para>IP address of host forwarding packets to non-local
- destinations. You must fill this in if the machine is a node
+ destinations. This must be filled in if the machine is
+ a node
on the network. <emphasis>Leave this field blank</emphasis>
if the machine is the gateway to the Internet for the
network. The IPv4 Gateway is also known as the default
@@ -2492,7 +2550,8 @@ installation menus to retry whichever operations have failed.
<term>Name server</term>
<listitem>
- <para>IP address of your local DNS server. There is no local
+ <para>IP address of the local DNS server. There is no
+ local
DNS server on this private local area network so the IP
address of the provider's DNS server
(<hostid role="ipaddr">208.163.10.2</hostid>) was used.</para>
@@ -2522,11 +2581,11 @@ installation menus to retry whichever operations have failed.
</varlistentry>
<varlistentry>
- <term>Extra options to ifconfig</term>
+ <term>Extra options to &man.ifconfig.8;</term>
<listitem>
- <para>Any interface-specific options to <command>ifconfig</command>
- you would like to add. There were none in this case.</para>
+ <para>Any additional interface-specific options to
+ &man.ifconfig.8;. There were none in this case.</para>
</listitem>
</varlistentry>
@@ -2543,7 +2602,8 @@ installation menus to retry whichever operations have failed.
<para>Choosing &gui.yes; and pressing
<keycap>Enter</keycap> will bring
- the machine up on the network and be ready for use. However,
+ the machine up on the network so it is ready for use.
+ However,
this does not accomplish much during installation, since
the machine still needs to be rebooted.</para>
</sect2>
@@ -2557,9 +2617,9 @@ installation menus to retry whichever operations have failed.
[ Yes ] No</screen>
<para>If the machine will be acting as the gateway for a local area
- network and forwarding packets between other machines then select
+ network and forwarding packets between other machines, select
&gui.yes; and press <keycap>Enter</keycap>.
- If the machine is a node on a network then
+ If the machine is a node on a network,
select &gui.no; and press
<keycap>Enter</keycap> to continue.</para>
</sect2>
@@ -2573,17 +2633,12 @@ Do you want to configure inetd and the network services that it provides?
Yes [ No ]</screen>
<para>If &gui.no; is selected, various services
- such <application>telnetd</application> will not be enabled. This
- means that remote users will not be able to
- <application>telnet</application> into this machine. Local users
- will still be able to access remote machines with
- <application>telnet</application>.</para>
-
- <para>These services can be enabled after installation by editing
- <filename>/etc/inetd.conf</filename> with your favorite text editor.
+ will not be enabled. These services can be enabled after
+ installation by editing
+ <filename>/etc/inetd.conf</filename> with a text editor.
See <xref linkend="network-inetd-overview"/> for more information.</para>
- <para>Select &gui.yes; if you wish to
+ <para>Otherwise, select &gui.yes; to
configure these services during install. An additional
confirmation will display:</para>
@@ -2612,9 +2667,9 @@ use the current settings.
[ Yes ] No</screen>
- <para>Selecting &gui.yes; will allow adding
- services by deleting the <literal>#</literal> at the beginning
- of a line.</para>
+ <para>Selecting &gui.yes; allows services to be enabled
+ by deleting the <literal>#</literal> at the beginning
+ of the lines representing those services.</para>
<figure id="inetd-edit">
<title>Editing <filename>inetd.conf</filename></title>
@@ -2626,8 +2681,8 @@ use the current settings.
</mediaobject>
</figure>
- <para>After adding the desired services, pressing <keycap>Esc</keycap>
- will display a menu which will allow exiting and saving
+ <para>Once the edits are complete, press <keycap>Esc</keycap>
+ to display a menu which will exit the editor and save
the changes.</para>
</sect2>
@@ -2645,10 +2700,10 @@ use the current settings.
Yes [ No ]</screen>
<para>Selecting &gui.yes; will enable &man.sshd.8;, the daemon
- program for <application>OpenSSH</application>. This will
- allow secure remote access to your machine. For more
- information about <application>OpenSSH</application> see <xref
- linkend="openssh"/>.</para>
+ for <application>OpenSSH</application>. This
+ allows secure remote access to the machine. For more
+ information about <application>OpenSSH</application>, see
+ <xref linkend="openssh"/>.</para>
</sect2>
<sect2 id="ftpanon">
@@ -2675,10 +2730,11 @@ use the current settings.
<sect3 id="ftpallow">
<title>Allow Anonymous FTP</title>
- <para>Anyone can access your machine if you elect to allow
- anonymous FTP connections. The security implications should be
+ <para>Anyone can access the machine if
+ anonymous FTP connections are allowed. The security
+ implications should be
considered before enabling this option. For more information
- about security see <xref linkend="security"/>.</para>
+ about security, see <xref linkend="security"/>.</para>
<para>To allow anonymous FTP, use the arrow keys to select
&gui.yes; and press <keycap>Enter</keycap>.
@@ -2702,11 +2758,11 @@ use the current settings.
[ Yes ] No</screen>
- <para>This message informs you that the FTP service will also
+ <para>This message indicates that the FTP service will also
have to be enabled in <filename>/etc/inetd.conf</filename>
- if you want to allow anonymous FTP connections, see <xref
- linkend="inetd-services"/>. Select &gui.yes; and press
- <keycap>Enter</keycap> to continue; the following screen
+ to allow anonymous FTP connections. Select &gui.yes; and
+ press
+ <keycap>Enter</keycap> to continue. The following screen
will display:</para>
<figure id="anon-ftp2">
@@ -2727,7 +2783,7 @@ use the current settings.
<term>UID</term>
<listitem>
- <para>The user ID you wish to assign to the anonymous
+ <para>The user ID to assign to the anonymous
FTP user. All files uploaded will be owned by this
ID.</para>
</listitem>
@@ -2737,8 +2793,8 @@ use the current settings.
<term>Group</term>
<listitem>
- <para>Which group you wish the anonymous FTP user to be
- in.</para>
+ <para>Which group to place the anonymous FTP user
+ into.</para>
</listitem>
</varlistentry>
@@ -2770,13 +2826,15 @@ use the current settings.
</varlistentry>
</variablelist>
- <para>The FTP root directory will be put in <filename>/var</filename>
- by default. If you do not have enough room there for the
- anticipated FTP needs, the <filename>/usr</filename> directory
- could be used by setting the FTP root directory to
- <filename>/usr/ftp</filename>.</para>
+ <para>The FTP root directory will be put in <filename
+ class="directory">/var</filename>
+ by default. If there is not enough room there for the
+ anticipated FTP needs, use <filename
+ class="directory">/usr</filename> instead
+ by setting the FTP root directory to
+ <filename class="directory">/usr/ftp</filename>.</para>
- <para>When you are satisfied with the values, press
+ <para>Once satisfied with the values, press
<keycap>Enter</keycap> to continue.</para>
<screen> User Confirmation Requested
@@ -2784,9 +2842,9 @@ use the current settings.
[ Yes ] No</screen>
- <para>If you select &gui.yes; and press
- <keycap>Enter</keycap>, an editor will automatically start
- allowing you to edit the message.</para>
+ <para>If &gui.yes; is selected, press
+ <keycap>Enter</keycap> and the &man.cu.1; editor
+ will automatically start.</para>
<figure id="anon-ftp4">
<title>Edit the FTP Welcome Message</title>
@@ -2798,25 +2856,26 @@ use the current settings.
</mediaobject>
</figure>
- <para>This is a text editor called <command>ee</command>. Use the
- instructions to change the message or change the message later
- using a text editor of your choice. Note the file name/location
+ <para>Use the
+ instructions to change the message. Note the file name
+ location
at the bottom of the editor screen.</para>
<para>Press <keycap>Esc</keycap> and a pop-up menu will default
to <guimenuitem>a) leave editor</guimenuitem>. Press
<keycap>Enter</keycap> to exit and continue. Press
- <keycap>Enter</keycap> again to save changes if you made
- any.</para>
+ <keycap>Enter</keycap> again to save any changes.</para>
</sect3>
</sect2>
<sect2 id="nfsconf">
- <title>Configure Network File System</title>
+ <title>Configure the Network File System</title>
- <para>Network File System (NFS) allows sharing of files across a
+ <para>The Network File System (<acronym>NFS</acronym>) allows
+ sharing of files across a
network. A machine can be configured as a server, a client, or
- both. Refer to <xref linkend="network-nfs"/> for a more information.</para>
+ both. Refer to <xref linkend="network-nfs"/> for more
+ information.</para>
<sect3 id="nsf-server-options">
<title>NFS Server</title>
@@ -2826,12 +2885,13 @@ use the current settings.
Yes [ No ]</screen>
- <para>If there is no need for a Network File System server,
+ <para>If there is no need for a <acronym>NFS</acronym> server,
select &gui.no; and press
<keycap>Enter</keycap>.</para>
<para>If &gui.yes; is chosen, a message will
- pop-up indicating that the <filename>exports</filename> file must be
+ pop-up indicating that <filename>/etc/exports</filename>
+ must be
created.</para>
<screen> Message
@@ -2842,8 +2902,8 @@ Press [Enter] now to invoke an editor on /etc/exports
[ OK ]</screen>
<para>Press <keycap>Enter</keycap> to continue. A text editor will
- start allowing the <filename>exports</filename> file to be created
- and edited.</para>
+ start, allowing <filename>/etc/exports</filename> to be
+ edited.</para>
<figure id="nfs-server-edit">
<title>Editing <filename>exports</filename></title>
@@ -2855,9 +2915,10 @@ Press [Enter] now to invoke an editor on /etc/exports
</mediaobject>
</figure>
- <para>Use the instructions to add the actual exported filesystems
- now or later using a text editor of your choice. Note the
- file name/location at the bottom of the editor screen.</para>
+ <para>Use the instructions to add the exported filesystems.
+ Note the
+ file name location at the bottom of the editor
+ screen.</para>
<para>Press <keycap>Esc</keycap> and a pop-up menu will default to
<guimenuitem>a) leave editor</guimenuitem>. Press
@@ -2865,9 +2926,10 @@ Press [Enter] now to invoke an editor on /etc/exports
</sect3>
<sect3 id="nfs-client-options">
- <title>NFS Client</title>
+ <title><acronym>NFS</acronym> Client</title>
- <para>The NFS client allows your machine to access NFS servers.</para>
+ <para>The <acronym>NFS</acronym> client allows the machine to
+ access <acronym>NFS</acronym> servers.</para>
<screen> User Confirmation Requested
Do you want to configure this machine as an NFS client?
@@ -2953,21 +3015,22 @@ Press [Enter] now to invoke an editor on /etc/exports
</mediaobject>
</figure>
- <para>Selecting <guimenuitem>Exit</guimenuitem> and pressing
- <keycap>Enter</keycap> will continue with the post-installation
- configurations.</para>
+ <para>Select <guimenuitem>Exit</guimenuitem> and press
+ <keycap>Enter</keycap> to continue with the post-installation
+ configuration.</para>
</sect2>
<sect2 id="timezone">
<title>Setting the Time Zone</title>
- <para>Setting the time zone for your machine will allow it to
+ <para>Setting the time zone allows the system to
automatically correct for any regional time changes and perform
other time zone related functions properly.</para>
<para>The example shown is for a machine located in the Eastern
- time zone of the United States. Your selections will vary according
- to your geographical location.</para>
+ time zone of the United States. The selections will vary
+ according
+ to the geographic location.</para>
<screen> User Confirmation Requested
Would you like to set this machine's time zone now?
@@ -2985,10 +3048,10 @@ Press [Enter] now to invoke an editor on /etc/exports
<para>Select &gui.yes;
or &gui.no; according to how the machine's
- clock is configured and press <keycap>Enter</keycap>.</para>
+ clock is configured, then press <keycap>Enter</keycap>.</para>
<figure id="set-timezone-region">
- <title>Select Your Region</title>
+ <title>Select the Region</title>
<mediaobject>
<imageobject>
@@ -3001,7 +3064,7 @@ Press [Enter] now to invoke an editor on /etc/exports
and then pressing <keycap>Enter</keycap>.</para>
<figure id="set-timezone-country">
- <title>Select Your Country</title>
+ <title>Select the Country</title>
<mediaobject>
<imageobject>
@@ -3014,7 +3077,7 @@ Press [Enter] now to invoke an editor on /etc/exports
and press <keycap>Enter</keycap>.</para>
<figure id="set-timezone-locality">
- <title>Select Your Time Zone</title>
+ <title>Select the Time Zone</title>
<mediaobject>
<imageobject>
@@ -3031,7 +3094,8 @@ Press [Enter] now to invoke an editor on /etc/exports
[ Yes ] No</screen>
- <para>Confirm the abbreviation for the time zone is correct.
+ <para>Confirm that the abbreviation for the time zone is
+ correct.
If it looks okay, press <keycap>Enter</keycap> to continue with
the post-installation configuration.</para>
</sect2>
@@ -3039,19 +3103,20 @@ Press [Enter] now to invoke an editor on /etc/exports
<sect2 id="mouse">
<title>Mouse Settings</title>
- <para>This option will allow you to cut and paste text in the
- console and user programs with a 3-button mouse. If using a 2-button
- mouse, refer to manual page, &man.moused.8;, after installation for
+ <para>This option allows cut and paste in the
+ console and user programs using a 3-button mouse. If using a
+ 2-button
+ mouse, refer to &man.moused.8; for
details on emulating the 3-button style. This example depicts a
- non-USB mouse configuration (such as a PS/2 or COM port mouse):</para>
+ non-USB mouse configuration:</para>
<screen> User Confirmation Requested
Does this system have a PS/2, serial, or bus mouse?
[ Yes ] No </screen>
- <para>Select &gui.yes; for a PS/2, serial or bus mouse, or
- &gui.no; for a USB mouse and press
+ <para>Select &gui.yes; for a PS/2, serial, or bus mouse, or
+ &gui.no; for a USB mouse, then press
<keycap>Enter</keycap>.</para>
<figure id="mouse-protocol">
@@ -3078,7 +3143,8 @@ Press [Enter] now to invoke an editor on /etc/exports
</figure>
<para>The mouse used in this example is a PS/2 type, so the default
- <guimenuitem>Auto</guimenuitem> was appropriate. To change protocol,
+ <guimenuitem>Auto</guimenuitem> is appropriate. To change the
+ mouse protocol,
use the arrow keys to select another option. Ensure that &gui.ok; is
highlighted and press <keycap>Enter</keycap> to exit this menu.</para>
@@ -3106,7 +3172,8 @@ Press [Enter] now to invoke an editor on /etc/exports
</figure>
<para>This system had a PS/2 mouse, so the default
- <guimenuitem>PS/2</guimenuitem> was appropriate. To change the port,
+ <guimenuitem>PS/2</guimenuitem> is appropriate. To change the
+ port,
use the arrow keys and then press <keycap>Enter</keycap>.</para>
<figure id="test-daemon">
@@ -3135,15 +3202,15 @@ Press [Enter] now to invoke an editor on /etc/exports
</mediaobject>
</figure>
- <para>Move the mouse around the screen and verify the cursor
- shown responds properly. If it does, select
+ <para>Move the mouse around the screen to verify that the cursor
+ responds properly. If it does, select
&gui.yes; and press <keycap>Enter</keycap>. If
- not, the mouse has not been configured correctly — select
+ not, the mouse has not been configured correctly. Select
&gui.no; and try using different configuration
options.</para>
<para>Select <guimenuitem>Exit</guimenuitem> with the arrow keys
- and press <keycap>Enter</keycap> to return to continue with the
+ and press <keycap>Enter</keycap> to continue with the
post-installation configuration.</para>
</sect2>
@@ -3155,8 +3222,8 @@ Press [Enter] now to invoke an editor on /etc/exports
<para>Installation of one package is shown for purposes of
illustration. Additional packages can also be added at this
- time if desired. After installation
- <command>sysinstall</command> can be used to add additional
+ time if desired. After installation,
+ &man.sysinstall.8; can be used to add additional
packages.</para>
<screen> User Confirmation Requested
@@ -3166,9 +3233,9 @@ Press [Enter] now to invoke an editor on /etc/exports
[ Yes ] No</screen>
- <para>Selecting &gui.yes; and pressing
- <keycap>Enter</keycap> will be
- followed by the Package Selection screens:</para>
+ <para>Select &gui.yes; and press
+ <keycap>Enter</keycap> to be presented with
+ the Package Selection screens:</para>
<figure id="package-category">
<title>Select Package Category</title>
@@ -3184,8 +3251,9 @@ Press [Enter] now to invoke an editor on /etc/exports
available for installation at any given time.</para>
<para>All packages available will be displayed if
- <guimenuitem>All</guimenuitem> is selected or you can select a
- particular category. Highlight your selection with the arrow
+ <guimenuitem>All</guimenuitem> is selected. Otherwise, select
+ a
+ particular category. Highlight the selection with the arrow
keys and press <keycap>Enter</keycap>.</para>
<para>A menu will display showing all the packages available for
@@ -3201,16 +3269,20 @@ Press [Enter] now to invoke an editor on /etc/exports
</mediaobject>
</figure>
- <para>The <application>bash</application> shell is shown selected.
- Select as many as desired by highlighting the package and pressing the
- <keycap>Space</keycap> key. A short description of each package will
+ <para>The <application>bash</application> shell is shown as
+ selected.
+ Select as many packages as desired by highlighting the package
+ and pressing
+ <keycap>Space</keycap>. A short description of each package
+ will
appear in the lower left corner of the screen.</para>
- <para>Pressing the <keycap>Tab</keycap> key will toggle between the last
+ <para>Press <keycap>Tab</keycap> to toggle between the last
selected package, &gui.ok;, and &gui.cancel;.</para>
- <para>When you have finished marking the packages for installation,
- press <keycap>Tab</keycap> once to toggle to the &gui.ok; and press
+ <para>Once finished marking the packages for installation,
+ press <keycap>Tab</keycap> once to toggle to &gui.ok; and
+ press
<keycap>Enter</keycap> to return to the Package Selection menu.</para>
<para>The left and right arrow keys will also toggle between &gui.ok;
@@ -3229,8 +3301,8 @@ Press [Enter] now to invoke an editor on /etc/exports
</figure>
<para>Use the <keycap>Tab</keycap> and arrow keys to select <guibutton>[ Install ]</guibutton>
- and press <keycap>Enter</keycap>. You will then need to confirm
- that you want to install the packages:</para>
+ and press <keycap>Enter</keycap> to see the installation
+ confirmation message:</para>
<figure id="package-install-confirm">
<title>Confirm Package Installation</title>
@@ -3242,21 +3314,22 @@ Press [Enter] now to invoke an editor on /etc/exports
</mediaobject>
</figure>
- <para>Selecting &gui.ok; and pressing <keycap>Enter</keycap> will start
- the package installation. Installing messages will appear until
+ <para>Select &gui.ok; and press <keycap>Enter</keycap> to start
+ the package installation. Installation messages will appear
+ until all of the installations have
completed. Make note if there are any error messages.</para>
<para>The final configuration continues after packages are
- installed. If you end up not selecting any packages, and wish
- to return to the final configuration, select
- <guibutton>Install</guibutton> anyways.</para>
+ installed. If no packages are selected, select
+ <guibutton>Install</guibutton> to return to the final
+ configuration.</para>
</sect2>
<sect2 id="addusers">
<title>Add Users/Groups</title>
- <para>You should add at least one user during the installation so
- that you can use the system without being logged in as
+ <para>Add at least one user during the installation so
+ that the system can be used without logging in as
<username>root</username>. The root partition is generally small
and running applications as <username>root</username> can quickly
fill it. A bigger danger is noted below:</para>
@@ -3347,8 +3420,7 @@ Press [Enter] now to invoke an editor on /etc/exports
<term>Member groups</term>
<listitem>
- <para>The groups this user belongs to (i.e., gets access
- rights for).</para>
+ <para>The groups this user belongs to.</para>
</listitem>
</varlistentry>
@@ -3365,24 +3437,26 @@ Press [Enter] now to invoke an editor on /etc/exports
<term>Login shell</term>
<listitem>
<para>The user's login shell (leave blank for
- default, e.g., <filename>/bin/sh</filename>).</para>
+ default of <filename>/bin/sh</filename>).</para>
</listitem>
</varlistentry>
</variablelist>
- <para>The login shell was changed from <filename>/bin/sh</filename> to
+ <para>In this example, the login shell was changed from
+ <filename>/bin/sh</filename> to
<filename>/usr/local/bin/bash</filename> to use the
<application>bash</application> shell that was previously installed as
- a package. Do not try to use a shell that does not exist or you will
- not be able to login. The most common shell used in the
- BSD-world is the C shell, which can be indicated as
+ a package. Do not use a shell that does not exist or the user
+ will
+ not be able to login. The most common shell used in &os;
+ is the C shell,
<filename>/bin/tcsh</filename>.</para>
<para>The user was also added to the <groupname>wheel</groupname> group
to be able to become a superuser with <username>root</username>
privileges.</para>
- <para>When you are satisfied, press &gui.ok; and
+ <para>Once satisfied, press &gui.ok; and
the User and Group Management menu will redisplay:</para>
<figure id="add-user4">
@@ -3395,13 +3469,12 @@ Press [Enter] now to invoke an editor on /etc/exports
</mediaobject>
</figure>
- <para>Groups can also be added at this time if specific needs
- are known. Otherwise, this may be accessed through using
- <command>sysinstall</command>
- after installation is
- completed.</para>
+ <para>Groups can also be added at this time. Otherwise, this
+ menu may be accessed using
+ &man.sysinstall.8;
+ at a later time.</para>
- <para>When you are finished adding users, select
+ <para>When finished adding users, select
<guimenuitem>Exit</guimenuitem> with the arrow keys and press
<keycap>Enter</keycap> to continue the installation.</para>
</sect2>
@@ -3420,9 +3493,9 @@ Press [Enter] now to invoke an editor on /etc/exports
<para>Press <keycap>Enter</keycap> to set the <username>root</username>
password.</para>
- <para>The password will need to be typed in twice correctly. Needless to
- say, make sure you have a way of finding the password if you
- forget. Notice that the password you type in is not echoed, nor
+ <para>The password will need to be typed in twice correctly.
+ Do not forget this password.
+ Notice that the typed password is not echoed, nor
are asterisks displayed.</para>
<screen>New password:
@@ -3435,10 +3508,8 @@ Retype new password :</screen>
<sect2 id="exit-inst">
<title>Exiting Install</title>
- <para>If you need to configure
- <link linkend="network-services">additional network services</link>
- or any other configuration, you can do it at this point or
- after installation with <command>sysinstall</command>.</para>
+ <para>A message will ask if
+ configuration is complete:</para>
<screen> User Confirmation Requested
Visit the general configuration menu for a chance to set any last
@@ -3461,7 +3532,8 @@ Retype new password :</screen>
</figure>
<para>Select <guibutton>[X Exit Install]</guibutton> with the arrow
- keys and press <keycap>Enter</keycap>. You will be asked to
+ keys and press <keycap>Enter</keycap>. The installer will
+ prompt to
confirm exiting the installation:</para>
<screen> User Confirmation Requested
@@ -3469,7 +3541,7 @@ Retype new password :</screen>
[ Yes ] No</screen>
- <para>Select &gui.yes;. If you are booting from the CDROM drive
+ <para>Select &gui.yes;. If booting from the CDROM drive,
the following message will remind you to remove the
disk:</para>
@@ -3480,8 +3552,8 @@ Retype new password :</screen>
[ Press enter or space ]</screen>
<para>The CDROM drive is locked until the machine
- starts to reboot then the disk can
- be removed from drive (quickly). Press &gui.ok; to reboot.</para>
+ starts to reboot, then the disk can quickly
+ be removed from the drive. Press &gui.ok; to reboot.</para>
<para>The system will reboot so watch for any error messages that
may appear, see <xref linkend="freebsdboot"/> for more
@@ -3501,26 +3573,22 @@ Retype new password :</screen>
<title>Configure Additional Network Services</title>
<para>Configuring network services can be a daunting
- task for new users if they lack previous
- knowledge in this area. Networking, including the Internet,
- is critical to all modern operating systems including &os;;
- as a result, it is very useful to have some understanding
- &os;'s extensive networking capabilities. Doing this
- during the installation will ensure users have some
- understanding of the various services available to them.</para>
+ task for users that lack previous
+ knowledge in this area. Since networking and the Internet
+ are critical to all modern operating systems,
+ it is useful to have some understanding of
+ &os;'s extensive networking capabilities.</para>
<para>Network services are programs that accept input from
- anywhere on the network. Every effort is made to make sure
- these programs will not do anything <quote>harmful</quote>.
- Unfortunately, programmers are not perfect and through time
+ anywhere on the network. Since
there have been cases where bugs in network services have been
- exploited by attackers to do bad things. It is important that
- you only enable the network services you know that you need. If
- in doubt it is best if you do not enable a network service until
- you find out that you do need it. You can always enable it
- later by re-running <application>sysinstall</application> or by
- using the features provided by the
- <filename>/etc/rc.conf</filename> file.</para>
+ exploited by attackers, it is important to
+ only enable needed network services. If
+ in doubt, do not enable a network service until
+ it is needed. Services can be enabled
+ with &man.sysinstall.8; or by
+ editing
+ <filename>/etc/rc.conf</filename>.</para>
<para>Selecting the <guimenu>Networking</guimenu> option will display
a menu similar to the one below:</para>
@@ -3535,37 +3603,35 @@ Retype new password :</screen>
</mediaobject>
</figure>
- <para>The first option, <guimenuitem>Interfaces</guimenuitem>, was
- previously covered during the <xref linkend="inst-network-dev"/>,
- thus this option can safely be ignored.</para>
+ <para>The first option, <guimenuitem>Interfaces</guimenuitem>,
+ is covered in <xref linkend="inst-network-dev"/>.</para>
<para>Selecting the <guimenuitem>AMD</guimenuitem> option adds
- support for the <acronym>BSD</acronym> automatic mount utility.
- This is usually used in conjunction with the
- <acronym>NFS</acronym> protocol (see below)
- for automatically mounting remote file systems.
- No special configuration is required here.</para>
+ support for &man.amd.8;.
+ This is usually used in conjunction with
+ <acronym>NFS</acronym>
+ for automatically mounting remote filesystems.</para>
- <para>Next in line is the <guimenuitem>AMD Flags</guimenuitem>
- option. When selected, a menu will pop up for you
- to enter specific <acronym>AMD</acronym> flags.
+ <para>Next is the <guimenuitem>AMD Flags</guimenuitem>
+ option. When selected, a menu will pop up where
+ specific <acronym>AMD</acronym> flags can be entered.
The menu already contains a set of default options:</para>
<screen>-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map</screen>
- <para>The <option>-a</option> option sets the default mount
+ <para><option>-a</option> sets the default mount
location which is specified here as
- <filename>/.amd_mnt</filename>. The <option>-l</option>
- option specifies the default <filename>log</filename> file;
- however, when <literal>syslogd</literal> is used all log
- activity will be sent to the system log daemon. The
- <filename class="directory">/host</filename> directory is used
+ <filename>/.amd_mnt</filename>. <option>-l</option>
+ specifies the default <filename>log</filename>;
+ however, when &man.syslogd.8; is used, all log
+ activity will be sent to the system log daemon.
+ <filename class="directory">/host</filename> is used
to mount an exported file system from a remote
host, while <filename class="directory">/net</filename>
- directory is used to mount an exported file system from an
- <acronym>IP</acronym> address. The
- <filename>/etc/amd.map</filename> file defines the default
- options for <acronym>AMD</acronym> exports.</para>
+ is used to mount an exported filesystem from an
+ <acronym>IP</acronym> address. The default
+ options for <acronym>AMD</acronym> exports are defined in
+ <filename>/etc/amd.map</filename>.</para>
<indexterm>
<primary>FTP</primary>
@@ -3579,17 +3645,17 @@ Retype new password :</screen>
Another menu will be displayed to explain the security risks
and configuration in depth.</para>
- <para>The <guimenuitem>Gateway</guimenuitem> configuration menu will set
- the machine up to be a gateway as explained previously. This
- can be used to unset the <guimenuitem>Gateway</guimenuitem> option if
- you accidentally selected it during the installation process.</para>
+ <para>The <guimenuitem>Gateway</guimenuitem> menu will configure
+ the machine to be a gateway. This menu
+ can also be used to unset the
+ <guimenuitem>Gateway</guimenuitem> option if
+ it was accidentally selected during installation.</para>
<para>The <guimenuitem>Inetd</guimenuitem> option can be used to configure
- or completely disable the &man.inetd.8; daemon as discussed
- above.</para>
+ or completely disable &man.inetd.8;.</para>
<para>The <guimenuitem>Mail</guimenuitem> option is used to configure the
- system's default <acronym>MTA</acronym> or Mail Transfer Agent.
+ system's default Mail Transfer Agent (<acronym>MTA</acronym>).
Selecting this option will bring up the following menu:</para>
<figure id="mta-selection">
@@ -3602,44 +3668,41 @@ Retype new password :</screen>
</mediaobject>
</figure>
- <para>Here you are offered a choice as to which
+ <para>This menu offers a choice as to which
<acronym>MTA</acronym> to install
- and set as the default. An <acronym>MTA</acronym> is nothing
- more than a mail server which delivers email to users on the
+ and set as the default. An <acronym>MTA</acronym> is
+ a mail server which delivers email to users on the
system or the Internet.</para>
- <para>Selecting <guimenuitem>Sendmail</guimenuitem> will install
- the popular <application>sendmail</application> server which
- is the &os; default. The <guimenuitem>Sendmail local</guimenuitem>
- option will set <application>sendmail</application> to be the default
+ <para>Select <guimenuitem>Sendmail</guimenuitem> to install
+ <application>Sendmail</application> as the default
+ <acronym>MTA</acronym>. Select
+ <guimenuitem>Sendmail local</guimenuitem>
+ to set <application>Sendmail</application> as the
+ default
<acronym>MTA</acronym>, but disable its ability to receive
- incoming email from the Internet. The other options here,
+ incoming email from the Internet. The other options,
<guimenuitem>Postfix</guimenuitem> and
- <guimenuitem>Exim</guimenuitem> act similar to
- <guimenuitem>Sendmail</guimenuitem>. They both deliver
- email; however, some users prefer these alternatives to the
- <application>sendmail</application>
- <acronym>MTA</acronym>.</para>
+ <guimenuitem>Exim</guimenuitem>, provide
+ alternatives to
+ <application>Sendmail</application>.</para>
- <para>After selecting an <acronym>MTA</acronym>, or choosing
- not to select an MTA, the network configuration menu will appear
- with the next option being <guimenuitem>NFS client</guimenuitem>.</para>
-
- <para>The <guimenuitem>NFS client</guimenuitem> option will
- configure the system to communicate with a server via
- <acronym>NFS</acronym>. An <acronym>NFS</acronym> server
- makes file systems available to other machines on the
- network via the <acronym>NFS</acronym> protocol. If this is
- a stand-alone machine, this option can remain unselected.
- The system may require more configuration later; see
+ <para>The next menu after the <acronym>MTA</acronym> menu is
+ <guimenuitem>NFS client</guimenuitem>. This menu is used to
+ configure the system to communicate with a
+ <acronym>NFS</acronym> server which in turn is used to
+ make filesystems available to other machines on the
+ network over the <acronym>NFS</acronym> protocol.
+ See
<xref linkend="network-nfs"/> for more
information about client and server configuration.</para>
<para>Below that option is the <guimenuitem>NFS server</guimenuitem>
- option, permitting you to set the system up as an
+ option, for setting the system up as an
<acronym>NFS</acronym> server. This adds the required
- information to start up the <acronym>RPC</acronym> remote
- procedure call services. <acronym>RPC</acronym> is used to
+ information to start up the Remote Procedure
+ Call <acronym>RPC</acronym>
+ services. <acronym>RPC</acronym> is used to
coordinate connections between hosts and programs.</para>
<para>Next in line is the <guimenuitem>Ntpdate</guimenuitem> option,
@@ -3656,10 +3719,11 @@ Retype new password :</screen>
</mediaobject>
</figure>
- <para>From this menu, select the server which is the closest
- to your location. Selecting a close one will make the time
- synchronization more accurate as a server further from your
- location may have more connection latency.</para>
+ <para>From this menu, select the server which is geographically
+ closest.
+ This will make the time
+ synchronization more accurate as a farther server
+ may have more connection latency.</para>
<para>The next option is the <acronym>PCNFSD</acronym> selection.
This option will install the
@@ -3669,7 +3733,7 @@ Retype new password :</screen>
are unable to provide their own, such as Microsoft's
&ms-dos; operating system.</para>
- <para>Now you must scroll down a bit to see the other
+ <para>Now, scroll down a bit to see the other
options:</para>
<figure id="Network-configuration-cont">
@@ -3682,69 +3746,69 @@ Retype new password :</screen>
</mediaobject>
</figure>
- <para>The &man.rpcbind.8;, &man.rpc.statd.8;, and
- &man.rpc.lockd.8; utilities are all used for Remote Procedure
- Calls (<acronym>RPC</acronym>).
- The <command>rpcbind</command> utility manages communication
- between <acronym>NFS</acronym> servers and clients, and is
+ <para><acronym>RPC</acronym>.
+ communication
+ between <acronym>NFS</acronym> servers and clients is managed
+ by &man.rpcbind.8; which is
required for <acronym>NFS</acronym> servers to operate
- correctly. The <application>rpc.statd</application> daemon interacts
- with the <application>rpc.statd</application> daemon on other hosts to
- provide status monitoring. The reported status is usually held
- in the <filename>/var/db/statd.status</filename> file. The
- next option listed here is the <guimenuitem>rpc.lockd</guimenuitem>
- option, which, when selected, will provide file locking
+ correctly. Status monitoring is provided by
+ &man.rpc.statd.8; and the reported status is usually held
+ in <filename>/var/db/statd.status</filename>. The
+ next option is for &man.rpc.lockd.8;
+ which provides file locking
services. This is usually used with
- <application>rpc.statd</application> to monitor what hosts are
+ &man.rpc.statd.8; to monitor which hosts are
requesting locks and how frequently they request them.
- While these last two options are marvelous for debugging, they
+ While these last two options are useful for debugging, they
are not required for <acronym>NFS</acronym> servers and clients
to operate correctly.</para>
- <para>As you progress down the list the next item here is
- <guimenuitem>Routed</guimenuitem>, which is the routing daemon. The
- &man.routed.8; utility manages network routing tables,
+ <para>The next menu,
+ <guimenuitem>Routed</guimenuitem>, configures the routing
+ daemon.
+ &man.routed.8;, manages network routing tables,
discovers multicast routers, and supplies a copy of the routing
tables to any physically connected host on the network upon
request. This is mainly used for machines which act as a
- gateway for the local network. When selected, a menu will be
- presented requesting the default location of the utility.
- The default location is already defined for you and can be
- selected with the <keycap>Enter</keycap> key. You will then
- be presented with yet another menu, this time asking for the
- flags you wish to pass on to <application>routed</application>. The
- default is <option>-q</option> and it should already appear
+ gateway for the local network. If selected, a menu will
+ request the default location of the utility.
+ To accept the default location,
+ press <keycap>Enter</keycap>. Yet
+ another menu will ask for the
+ flags to pass to &man.routed.8;. The
+ default of <option>-q</option> should appear
on the screen.</para>
- <para>Next in line is the <guimenuitem>Rwhod</guimenuitem> option which,
- when selected, will start the &man.rwhod.8; daemon
- during system initialization. The <command>rwhod</command>
+ <para>The next menu, <guimenuitem>Rwhod</guimenuitem>,
+ starts &man.rwhod.8;
+ during system initialization. This
utility broadcasts system messages across the network
periodically, or collects them when in <quote>consumer</quote>
- mode. More information can be found in the &man.ruptime.1; and
- &man.rwho.1; manual pages.</para>
+ mode. More information can be found in &man.ruptime.1; and
+ &man.rwho.1;.</para>
- <para>The next to the last option in the list is for the
- &man.sshd.8; daemon. This is the secure shell server for
- <application>OpenSSH</application> and it is highly recommended
- over the standard <application>telnet</application> and
- <acronym>FTP</acronym> servers. The <application>sshd</application>
- server is used to create a secure connection from one host to
- another by using encrypted connections.</para>
+ <para>The next to last option in the list is for
+ &man.sshd.8;, the secure shell server for
+ <application>OpenSSH</application>. It is highly recommended
+ over the standard &man.telnetd.8; and
+ &man.ftpd.8; servers as it
+ is used to create a secure, encrypted connection from one host
+ to
+ another.</para>
- <para>Finally there is the <guimenuitem>TCP Extensions</guimenuitem>
- option. This enables the <acronym>TCP</acronym> Extensions
+ <para>The final option is <guimenuitem>TCP
+ Extensions</guimenuitem> which are
defined in <acronym>RFC</acronym> 1323 and
<acronym>RFC</acronym> 1644. While on many hosts this can
speed up connections, it can also cause some connections to be
dropped. It is not recommended for servers, but may be
beneficial for stand alone machines.</para>
- <para>Now that you have configured the network services, you can
+ <para>Once the network services are configured,
scroll up to the very top item which is
<guimenuitem>X Exit</guimenuitem>
and continue on to the next configuration item or simply exit
- <application>sysinstall</application> in selecting
+ &man.sysinstall.8; by selecting
<guimenuitem>X Exit</guimenuitem> twice then <guibutton>[X
Exit Install]</guibutton>.</para>
@@ -3756,19 +3820,21 @@ Retype new password :</screen>
<sect3 id="freebsdboot-i386">
<title>&os;/&arch.i386; Bootup</title>
- <para>If everything went well, you will see messages scroll
- off the screen and you will arrive at a login prompt. You can view
- the content of the messages by pressing <keycap>Scroll-Lock</keycap>
- and using <keycap>PgUp</keycap> and <keycap>PgDn</keycap>.
- Pressing <keycap>Scroll-Lock</keycap> again will return
+ <para>If everything went well, messages will scroll along
+ the screen and a login prompt will appear. To view
+ these messages, press
+ <keycap>Scroll-Lock</keycap>
+ then use <keycap>PgUp</keycap> and <keycap>PgDn</keycap>.
+ Press <keycap>Scroll-Lock</keycap> again to return
to the prompt.</para>
- <para>The entire message may not display (buffer limitation) but
- it can be viewed from the command line after logging in by typing
- <command>dmesg</command> at the prompt.</para>
+ <para>All of the messages may not display due to buffer
+ limitations, but
+ they can be read after logging using
+ &man.dmesg.8;.</para>
- <para>Login using the username/password you set during installation
- (<username>rpratt</username>, in this example). Avoid logging in as
+ <para>Login using the username and password which were set
+ during installation. Avoid logging in as
<username>root</username> except when necessary.</para>
<para>Typical boot messages (version information omitted):</para>
@@ -3904,7 +3970,8 @@ Password:</screen>
machines. This happens only on the initial boot-up of a new
installation. Subsequent boots will be faster.</para>
- <para>If the X server has been configured and a Default Desktop
+ <para>If <application>&xorg;</application> has been configured
+ and a default desktop
chosen, it can be started by typing <command>startx</command> at
the command line.</para>
@@ -3915,11 +3982,13 @@ Password:</screen>
<title>&os; Shutdown</title>
<para>It is important to properly shutdown the operating
- system. Do not just turn off power. First, become a superuser by
- typing <command>su</command> at the command line and entering the
+ system. Do not just turn off the power. First, become the
+ superuser using
+ &man.su.1; and entering the
<username>root</username> password. This will work only if the user
- is a member of the <groupname>wheel</groupname> group.
- Otherwise, login as <username>root</username> and use
+ is a member of <groupname>wheel</groupname>.
+ Otherwise, login as <username>root</username>. To shutdown
+ the system, type
<command>shutdown -h now</command>.</para>
<screen>The operating system has halted.
@@ -3931,14 +4000,14 @@ Please press any key to reboot.</screen>
appears. If any key is pressed instead of turning off the power
switch, the system will reboot.</para>
- <para>You could also use the
+ <para>The
<keycombo action="simul">
<keycap>Ctrl</keycap>
<keycap>Alt</keycap>
<keycap>Del</keycap>
</keycombo>
- key combination to reboot the system, however this is not recommended
- during normal operation.</para>
+ key combination can also be used to reboot the system;
+ however, this is not recommended.</para>
</sect2>
</sect1>
@@ -3950,35 +4019,39 @@ Please press any key to reboot.</screen>
<primary>installation</primary>
<secondary>troubleshooting</secondary>
</indexterm>
- <para>The following section covers basic installation troubleshooting,
- such as common problems people have reported. There are also a few
+ <para>This section covers basic installation troubleshooting of
+ common problems. There are also a few
questions and answers for people wishing to dual-boot &os; with
- &ms-dos; or &windows;.</para>
+ &windows;.</para>
<sect2>
- <title>What to Do If Something Goes Wrong</title>
+ <title>If Something Goes Wrong</title>
<para>Due to various limitations of the PC architecture, it is
- impossible for probing to be 100% reliable, however, there are a
- few things you can do if it fails.</para>
+ impossible for device probing to be 100% reliable. However,
+ there are a
+ few things to try if it fails.</para>
<para>Check the <ulink
url="http://www.FreeBSD.org/releases/index.html">Hardware Notes
- </ulink> document for your version of &os; to make sure your
+ </ulink> document for the version of &os; to make sure the
hardware is supported.</para>
- <para>If your hardware is supported and you still experience
- lock-ups or other problems, you will need to build a <link
- linkend="kernelconfig">custom kernel</link>. This will
- allow you to add in support for devices which are not present in the
- <filename>GENERIC</filename> kernel. The kernel on the boot disks
- is configured assuming that most hardware devices are in their
- factory default configuration in terms of IRQs, IO addresses, and
- DMA channels. If your hardware has been reconfigured, you will most
- likely need to edit the kernel configuration and recompile to tell
+ <para>If the hardware is supported but still experiences
+ lock-ups or other problems, build a <link
+ linkend="kernelconfig">custom kernel</link>
+ to add in support for devices which are not present in the
+ <filename>GENERIC</filename> kernel. The default kernel
+ assumes that most hardware devices are in their
+ factory default configuration in terms of IRQs, I/O addresses,
+ and
+ DMA channels. If the hardware has been reconfigured,
+ create a custom kernel configuration file and recompile to
+ tell
&os; where to find things.</para>
- <para>It is also possible that a probe for a device not present will
+ <para>It is also possible that a probe for a device not present
+ will
cause a later probe for another device that is present to fail. In
that case, the probes for the conflicting driver(s) should be
disabled.</para>
@@ -3986,22 +4059,22 @@ Please press any key to reboot.</screen>
<note>
<para>Some installation problems can be avoided or alleviated
by updating the firmware on various hardware components, most notably
- the motherboard. The motherboard firmware may also be referred to
- as <acronym>BIOS</acronym> and most of the motherboard or computer
- manufactures have a website where the upgrades and upgrade
+ the motherboard
+ <acronym>BIOS</acronym>. Most motherboard and computer
+ manufacturers have a website where upgrade
information may be located.</para>
<para>Most manufacturers strongly advise against upgrading the
motherboard <acronym>BIOS</acronym> unless there is a good reason
- for doing so, which
- could possibly be a critical update of sorts. The upgrade process
+ for doing so, such as
+ a critical update. The upgrade process
<emphasis>can</emphasis> go wrong, causing permanent damage to the
<acronym>BIOS</acronym> chip.</para>
</note>
</sect2>
<sect2>
- <title>Using &ms-dos; and &windows; File Systems</title>
+ <title>Using &windows; Filesystems</title>
<para>At this time, &os; does not support file systems compressed with
the <application>Double Space™</application> application.
@@ -4018,37 +4091,40 @@ Please press any key to reboot.</screen>
system's contents to be accessed. The &man.mount.msdosfs.8; program
is not usually
invoked directly; instead, it is called by the system through a line
- in <filename>/etc/fstab</filename> or by a call to the &man.mount.8;
- utility with the appropriate parameters.</para>
+ in <filename>/etc/fstab</filename> or by using
+ &man.mount.8;
+ with the appropriate parameters.</para>
<para>A typical line in <filename>/etc/fstab</filename> is:</para>
<programlisting>/dev/ad0sN /dos msdosfs rw 0 0</programlisting>
- <note><para>The <filename>/dos</filename> directory must already
+ <note><para><filename class="directory">/dos</filename> must
+ already
exist for this to work. For details about the format of
<filename>/etc/fstab</filename>, see &man.fstab.5;.</para></note>
- <para>A typical call to &man.mount.8; for a &ms-dos; file system
+ <para>A typical call to &man.mount.8; for a FAT filesystem
looks like:</para>
<screen>&prompt.root; <userinput>mount -t msdosfs /dev/ad0s1 /mnt</userinput></screen>
- <para>In this example, the &ms-dos; file system is located on the first
- partition of the primary hard disk. Your situation may be different,
- check the output from the <command>dmesg</command>, and
- <command>mount</command> commands. They should produce enough
+ <para>In this example, the FAT filesystem is located on the
+ first
+ partition of the primary hard disk. The
+ output from &man.dmesg.8; and
+ &man.mount.8; should produce enough
information to give an idea of the partition layout.</para>
- <note><para>&os; may number disk slices (that is, &ms-dos; partitions)
+ <note><para>&os; may number FAT partitions
differently than other operating systems. In particular, extended
- &ms-dos; partitions are usually given higher slice numbers than
- primary &ms-dos; partitions. The &man.fdisk.8; utility can help
+ partitions are usually given higher slice numbers than
+ primary partitions. Use &man.fdisk.8; to help
determine which slices belong to &os; and which belong to other
operating systems.</para></note>
<para>NTFS partitions can also be mounted in a similar manner
- using the &man.mount.ntfs.8; command.</para>
+ using &man.mount.ntfs.8;.</para>
</sect2>
<sect2>
@@ -4057,166 +4133,141 @@ Please press any key to reboot.</screen>
<qandaset>
<qandaentry>
<question>
- <para>My system hangs while probing hardware during boot,
- or it behaves strangely during install, or the floppy
- drive is not probed.</para>
+ <para>My system hangs while probing hardware during boot
+ or it behaves strangely during install.</para>
</question>
<answer>
<para>&os; makes extensive use of the system
- ACPI service on the i386, amd64 and ia64 platforms to
+ ACPI service on the i386, amd64, and ia64 platforms to
aid in system configuration if it is detected during
- boot. Unfortunately, some bugs still exist in both the
- ACPI driver and within system motherboards and BIOS.
+ boot. Unfortunately, some bugs still exist in the
+ ACPI driver and various system motherboards.
The use of ACPI can be disabled by setting
- the <literal>hint.acpi.0.disabled</literal> hint in the
+ <literal>hint.acpi.0.disabled</literal> in the
third stage boot loader:</para>
<screen><userinput>set hint.acpi.0.disabled="1"</userinput></screen>
<para>This is reset each time the system is booted, so it
is necessary to
- add <literal>hint.acpi.0.disabled="1"</literal> to the
- file
- <filename>/boot/loader.conf</filename>. More
+ add <literal>hint.acpi.0.disabled="1"</literal> to
+ <filename>/boot/loader.conf</filename> to make this
+ change permanent. More
information about the boot loader can be found
in <xref linkend="boot-synopsis"/>.</para>
</answer>
</qandaentry>
<qandaentry>
<question>
- <para>I go to boot from the hard disk for the first time
- after installing &os;, the kernel loads and probes my
+ <para>When booting from the hard disk for the first time
+ after installing &os;, the kernel loads and probes
hardware, but stops with messages like:</para>
<screen>changing root device to ad1s1a panic: cannot mount root</screen>
- <para>What is wrong? What can I do?</para>
-
- <para>What is this
- <literal>bios_drive:interface(unit,partition)kernel_name</literal>
- thing that is displayed with the boot help?</para>
+ <para>What is wrong?</para>
</question>
<answer>
- <para>There is a longstanding problem in the case where
+ <para>This can occur when
the boot disk is not the first disk in the system. The
BIOS uses a different numbering scheme to &os;, and
working out which numbers correspond to which is
difficult to get right.</para>
- <para>In the case where the boot disk is not the first
- disk in the system, &os; can need some help finding it.
- There are two common situations here, and in both of
- these cases, you need to tell &os; where the root
- filesystem is. You do this by specifying the BIOS disk
- number, the disk type and the &os; disk number for that
+ <para>If this occurs,
+ tell &os; where the root
+ filesystem is by specifying the BIOS disk
+ number, the disk type, and the &os; disk number for that
type.</para>
- <para>The first situation is where you have two IDE disks,
+ <para>Consider two IDE disks,
each configured as the master on their respective IDE
- busses, and wish to boot &os; from the second disk. The
+ bus, where &os; should be booted from the second disk.
+ The
BIOS sees these as disk 0 and disk 1, while &os; sees
them as <devicename>ad0</devicename> and
<devicename>ad2</devicename>.</para>
- <para>&os; is on BIOS disk 1, of type
- <literal>ad</literal> and the &os; disk number is 2, so
- you would say:</para>
+ <para>If &os; is on BIOS disk 1, of type
+ <literal>ad</literal> and the &os; disk number is 2,
+ this is the correct value:</para>
<screen><userinput>1:ad(2,a)kernel</userinput></screen>
- <para>Note that if you have a slave on the primary bus,
- the above is not necessary (and is effectively
- wrong).</para>
+ <para>Note that if there is a slave on the primary bus,
+ the above is not necessary and is effectively
+ wrong.</para>
<para>The second situation involves booting from a SCSI
- disk when you have one or more IDE disks in the system.
+ disk when there are one or more IDE disks in the system.
In this case, the &os; disk number is lower than the
- BIOS disk number. If you have two IDE disks as well as
- the SCSI disk, the SCSI disk is BIOS disk 2,
- type <literal>da</literal> and &os; disk number 0, so
- you would say:</para>
+ BIOS disk number. For two IDE disks and a
+ SCSI disk, where the SCSI disk is BIOS disk 2,
+ type <literal>da</literal>, and &os; disk number 0, the
+ correct value is:</para>
<screen><userinput>2:da(0,a)kernel</userinput></screen>
- <para>To tell &os; that you want to boot from BIOS disk 2,
- which is the first SCSI disk in the system. If you only
- had one IDE disk, you would use <literal>1:</literal>
+ <para>This tells &os; to boot from BIOS disk 2,
+ which is the first SCSI disk in the system. If there
+ is only IDE disk, use <literal>1:</literal>
instead.</para>
- <para>Once you have determined the correct values to use,
- you can put the command exactly as you would have typed
- it in the <filename>/boot.config</filename> file using a
- standard text editor. Unless instructed otherwise, &os;
+ <para>Once the correct value to use is determined,
+ put the command
+ in <filename>/boot.config</filename> using a
+ text editor. Unless instructed otherwise, &os;
will use the contents of this file as the default
response to the <literal>boot:</literal> prompt.</para>
</answer>
</qandaentry>
<qandaentry>
<question>
- <para>I go to boot from the hard disk for the first time
- after installing &os;, but the Boot Manager prompt just
- prints <literal>F?</literal> at the boot menu each time
- but the boot will not go any further.</para>
+ <para>When booting from the hard disk for the first time
+ after installing &os;, the Boot Manager prompt just
+ prints <literal>F?</literal> at the boot menu and
+ the boot will not go any further.</para>
</question>
<answer>
<para>The hard disk geometry was set incorrectly in the
- partition editor when you installed &os;. Go back into
+ partition editor when &os; was installed. Go back into
the partition editor and specify the actual geometry of
- your hard disk. You must reinstall &os; again from the
+ the hard disk. &os; must be reinstalled again from the
beginning with the correct geometry.</para>
- <para>If you are failing entirely in figuring out the
- correct geometry for your machine, here is a tip: Install
- a small &ms-dos; partition at the beginning of the disk and
- install &os; after that. The install program will see
- the &ms-dos; partition and try to infer the correct geometry
- from it, which usually works.</para>
-
- <para>The following tip is no longer recommended, but is
- left here for reference:</para>
-
- <blockquote>
- <para>If you are setting up a truly dedicated &os;
- server or workstation where you do not care for
- (future) compatibility with &ms-dos;, Linux or another
- operating system, you also have got the option to use
- the entire disk (<guimenuitem>A</guimenuitem> in the partition
- editor), selecting the non-standard option where &os; occupies
- the entire disk from the very first to the very last
- sector. This will leave all geometry considerations
- aside, but is somewhat limiting unless you're never
- going to run anything other than &os; on a
- disk.</para>
- </blockquote>
+ <para>For a dedicated &os; system that does not need
+ future compatibility with another operating system,
+ use the entire disk by selecting
+ <guimenuitem>A</guimenuitem> in the installer's
+ partition editor.</para>
</answer>
</qandaentry>
<qandaentry>
<question>
- <para>The system finds my &man.ed.4; network card, but I
- keep getting device timeout errors.</para>
+ <para>The system finds the &man.ed.4; network card but
+ continuously displays device timeout errors.</para>
</question>
<answer>
- <para>Your card is probably on a different IRQ from what
+ <para>The card is probably on a different IRQ from what
is specified in
- the <filename>/boot/device.hints</filename> file. The
- &man.ed.4; driver does not use the <quote>soft</quote>
- configuration by default (values entered using EZSETUP in
- &ms-dos;),
- but it will use the software configuration if you
- specify <literal>-1</literal> in the hints for the
+ <filename>/boot/device.hints</filename>. The
+ &man.ed.4; driver does not use software
+ configuration by default,
+ but it will if
+ <literal>-1</literal> is specified in the hints for the
interface.</para>
- <para>Either move the jumper on the card to a hard
- configuration setting (altering the kernel settings if
- necessary), or specify the IRQ as <literal>-1</literal>
+ <para>Either move the jumper on the card to the
+ configuration setting or specify the IRQ as
+ <literal>-1</literal>
by setting the hint <literal>hint.ed.0.irq="-1"</literal>.
- This will tell the kernel to use the soft
+ This tells the kernel to use the software
configuration.</para>
- <para>Another possibility is that your card is at IRQ 9,
+ <para>Another possibility is that the card is at IRQ 9,
which is shared by IRQ 2 and frequently a cause of
- problems (especially when you have a VGA card using IRQ
- 2!). You should not use IRQ 2 or 9 if at all
+ problems, especially if a VGA card is using IRQ
+ 2. Do not use IRQ 2 or 9 if at all
possible.</para>
</answer>
</qandaentry>
@@ -4228,16 +4279,20 @@ Please press any key to reboot.</screen>
<primary>color</primary>
<secondary>contrast</secondary>
</indexterm>
- <para>When <application>sysinstall</application> is used
- in an X11 terminal, the yellow font is difficult to read
+ <para>When &man.sysinstall.8; is used
+ in an <application>&xorg;</application> terminal, the
+ yellow font is difficult to read
against the light gray background. Is there a way to
provide higher contrast for this application?</para>
</question>
<answer>
- <para>If you already have X11 installed and the default
- colors chosen by <application>sysinstall</application>
- make text illegible while using &man.xterm.1; or &man.rxvt.1;,
- add the following to your <filename>~/.Xdefaults</filename> to
+ <para>If the default
+ colors chosen by &man.sysinstall.8;
+ make text illegible while using <filename
+ role="package">x11/xterm</filename> or <filename
+ role="package">x11/rxvt</filename>,
+ add the following to <filename>~/.Xdefaults</filename>
+ to
get a darker background gray: <literal>XTerm*color7:
#c0c0c0</literal></para>
</answer>
@@ -4282,19 +4337,20 @@ Please press any key to reboot.</screen>
</indexterm>
<indexterm><primary>serial console</primary></indexterm>
<para>This type of installation is called a <quote>headless
- install</quote>, because the machine that you are trying to install
- &os; on either does not have a monitor attached to it, or does not
- even have a VGA output. How is this possible you ask? Using a
- serial console. A serial console is basically using another
- machine to act as the main display and keyboard for a
- system. To do this, just follow the steps to create
- an installation USB memstick, explained in <xref
- linkend="install-boot-media"/> or download the correct
- installation ISO image, see <xref
+ install</quote> because the machine to be installed
+ does not have either an attached monitor or a
+ VGA output. This type of installation is possible using a
+ serial console, another
+ machine which acts as the main display and keyboard.
+ To do this, follow the steps to create
+ an installation USB stick, explained in <xref
+ linkend="install-boot-media"/>, or download the correct
+ installation ISO image as described in <xref
linkend="install-cdrom"/>.</para>
- <para>To modify these media to boot into a serial console, follow
- these steps (If you want to use a CDROM you can skip the first
+ <para>To modify the installation media to boot into a serial
+ console, follow
+ these steps. If using a CD/DVD media, skip the first
step):</para>
<procedure>
@@ -4303,116 +4359,107 @@ Please press any key to reboot.</screen>
Serial Console</title>
<indexterm>
- <primary><command>mount</command></primary>
+ <primary>&man.mount.8;</primary>
</indexterm>
- <para>If you were to boot into the USB stick that you just
- made, &os; would boot into its normal install mode. We
- want &os; to boot into a serial console for our
- install. To do this, you have to mount the
- USB disk onto your &os;
- system using the &man.mount.8; command.</para>
+ <para>By default, booting into the USB stick
+ boots into the installer.
+ To instead boot into a serial console, mount the
+ USB disk onto a &os;
+ system using &man.mount.8;:</para>
<screen>&prompt.root; <userinput>mount /dev/<replaceable>da0a</replaceable> <replaceable>/mnt</replaceable></userinput></screen>
<note>
- <para>Adapt the device node and the mount point to your
+ <para>Adapt the device node and the mount point to the
situation.</para>
</note>
- <para>Now that you have the stick mounted, you must set
- the USB stick to boot into a serial console. You have
- to add to the <filename>loader.conf</filename> file of
- the USB stick file system a line setting the serial
- console as the system console:</para>
+ <para>Once the USB stick is mounted, set
+ it to boot into a serial console.
+ Add this line to <filename>/boot/loader.conf</filename>
+ on the USB stick:</para>
<screen>&prompt.root; <userinput>echo 'console="comconsole"' >> <replaceable>/mnt</replaceable>/boot/loader.conf</userinput></screen>
- <para>Now that you have your USB stick configured correctly,
- you must unmount the disk using the &man.umount.8;
- command:</para>
+ <para>Now that the USB is stick configured correctly,
+ unmount the disk using &man.umount.8;:</para>
<screen>&prompt.root; <userinput>umount <replaceable>/mnt</replaceable></userinput></screen>
- <para>Now you can unplug the USB stick and jump directly
+ <para>Now, unplug the USB stick and jump directly
to the third step of this procedure.</para>
</step>
<step>
- <title>Enabling the Installation CD to Boot into a
+ <title>Enabling the Installation CD/DVD to Boot into a
Serial Console</title>
<indexterm>
- <primary><command>mount</command></primary>
+ <primary>&man.mount.8;</primary>
</indexterm>
- <para>If you were to boot into the CD that you just
- made from the installation ISO image (see <xref
- linkend="install-cdrom"/>), &os; would boot into its
- normal install mode. We want &os; to boot into a serial
- console for our install. To do this, you have to
- extract, modify and regenerate the ISO image before
- burning it on a CD-R media.</para>
+ <para>By default, when booting into the installation
+ CD/DVD, &os; boots into its
+ normal install mode. To instead boot into a serial
+ console,
+ extract, modify, and regenerate the ISO image before
+ burning it to the CD/DVD media.</para>
- <para>From the &os; system where is saved the installation
- ISO image, for example
- <filename>&os;-<replaceable>&rel.current;</replaceable>-RELEASE-<replaceable>i386</replaceable>-disc1.iso</filename>,
- use the &man.tar.1; utility to extract all the files:</para>
+ <para>From the &os; system with the saved installation
+ ISO image,
+ use &man.tar.1; to extract all the files:</para>
<screen>&prompt.root; <userinput>mkdir <replaceable>/path/to/headless-iso</replaceable></userinput>
&prompt.root; <userinput>tar -C <replaceable>/path/to/headless-iso</replaceable> -pxvf &os;-<replaceable>&rel.current;</replaceable>-RELEASE-<replaceable>i386</replaceable>-disc1.iso</userinput></screen>
- <para>Now you must set the installation media to boot into a
- serial console. You have to add to the
- <filename>loader.conf</filename> file from the extracted
- ISO image a line setting the serial console as the
- system console:</para>
+ <para>Next, set the installation media to boot into a
+ serial console. Add this line to the
+ <filename>/boot/loader.conf</filename> of the extracted
+ ISO image:</para>
<screen>&prompt.root; <userinput>echo 'console="comconsole"' >> <replaceable>/path/to/headless-iso</replaceable>/boot/loader.conf</userinput></screen>
- <para>Then we can create a new ISO image from the modified
- tree. The &man.mkisofs.8; tool from the <filename
- role="package">sysutils/cdrtools</filename> port is
- used:</para>
+ <para>Then, create a new ISO image from the modified
+ tree. This example uses &man.mkisofs.8; from the
+ <filename role="package">sysutils/cdrtools</filename>
+ package or port:</para>
<screen>&prompt.root; <userinput>mkisofs -v -b boot/cdboot -no-emul-boot -r -J -V "<replaceable>Headless_install</replaceable>" \
- -o <replaceable>Headless-</replaceable>&os;-<replaceable>&rel.current;</replaceable>-RELEASE-<replaceable>i386</replaceable>-disc1.iso <replaceable>/path/to/headless-iso</replaceable></userinput></screen>
+ -o <replaceable>Headless-</replaceable>&os;-<replaceable>&rel2.current;</replaceable>-RELEASE-<replaceable>i386</replaceable>-disc1.iso<replaceable>/path/to/headless-iso</replaceable></userinput></screen>
- <para>Now that you have your ISO image configured correctly,
- you can burn it on a CD-R with your favorite burning
+ <para>Now that the ISO image is configured correctly,
+ burn it to a CD/DVD media using a burning
application.</para>
</step>
<step>
- <title>Connecting Your Null-modem Cable</title>
+ <title>Connecting the Null-modem Cable</title>
<indexterm><primary>null-modem cable</primary></indexterm>
- <para>You now need to connect a
- <link linkend="term-cables-null">null-modem cable</link> between
- the two machines. Just connect the cable to the serial
- ports of the 2 machines. <emphasis>A normal serial cable
- will not work here</emphasis>, you need a null-modem
- cable because it has some of the wires inside crossed
- over.</para>
+ <para>Connect a
+ <link linkend="term-cables-null">null-modem cable</link>
+ to the serial
+ ports of the two machines. <emphasis>A normal serial
+ cable will not work</emphasis>. A null-modem
+ cable is required.</para>
</step>
<step>
<title>Booting Up for the Install</title>
<para>It is now time to go ahead and start the install. Plug in
- the USB memstick on
- the machine you are doing the headless install
- on, and power on the machine. If you are using a
- prepared CDROM, power on the machine and insert the disk
- to boot on.</para>
+ the USB stick or insert the CD/DVD media in
+ the headless install machine
+ and power it on.</para>
</step>
<step>
- <title>Connecting to Your Headless Machine</title>
+ <title>Connecting to the Headless Machine</title>
<indexterm>
- <primary><command>cu</command></primary>
+ <primary>&man.cu.1;</primary>
</indexterm>
- <para>Now you have to connect to that machine with
+ <para>Next, connect to that machine with
&man.cu.1;:</para>
<screen>&prompt.root; <userinput>cu -l /dev/cuau0</userinput></screen>
@@ -4420,79 +4467,75 @@ Please press any key to reboot.</screen>
</step>
</procedure>
- <para>That's it! You should now be able to control the headless machine
- through your <command>cu</command> session. It will load the kernel
- and then it will come up
- with a selection of what kind of terminal to use. Select the
- &os; color console and proceed with your install!</para>
+ <para>The headless machine can now be controlled
+ using &man.cu.1;. It will load the kernel
+ and then dispaly
+ a selection of which type of terminal to use. Select the
+ &os; color console and proceed with the installation.</para>
</sect2>
</sect1>
<sect1 id="install-diff-media">
- <title>Preparing Your Own Installation Media</title>
+ <title>Preparing Custom Installation Media</title>
- <note>
- <para>To prevent repetition, <quote>&os; disc</quote> in this context
- means a &os; CDROM or DVD that you have purchased or produced
- yourself.</para>
- </note>
-
- <para>There may be some situations in which you need to create your own
- &os; installation media and/or source. This might be physical media,
- such as a tape, or a source that <application>sysinstall</application>
- can use to retrieve the files, such as a local FTP site, or an &ms-dos;
- partition.</para>
-
- <para>For example:</para>
+ <para>Some situations may require a customized
+ &os; installation media and/or source. This might be physical
+ media
+ or a source that &man.sysinstall.8;
+ can use to retrieve the installation files. Some example
+ situations include:</para>
<itemizedlist>
<listitem>
- <para>You have many machines connected to your local network, and one
- &os; disc. You want to create a local FTP site using the
- contents of the &os; disc, and then have your machines use this
- local FTP site instead of needing to connect to the Internet.</para>
+ <para>A local network with many machines has a private
+ FTP server hosting the
+ &os; installation files which the machines should
+ use for installation.</para>
</listitem>
<listitem>
- <para>You have a &os; disc, and &os; does not recognize your
- CD/DVD drive, but &ms-dos; / &windows; does. You want to copy the
- &os; installation files to a &ms-dos; partition on the same
+ <para>&os; does not recognize the
+ CD/DVD drive but &windows; does. In this case, copy the
+ &os; installation files to a &windows; partition on the same
computer, and then install &os; using those files.</para>
</listitem>
<listitem>
- <para>The computer you want to install on does not have a CD/DVD
- drive or a network card, but you can connect a
- <quote>Laplink-style</quote> serial or parallel cable to a computer
+ <para>The computer to install does not have a CD/DVD
+ drive or a network card, but can be connected using a
+ null-printer cable to a computer
that does.</para>
</listitem>
<listitem>
- <para>You want to create a tape that can be used to install
+ <para>A tape will be be used to install
&os;.</para>
</listitem>
</itemizedlist>
<sect2 id="install-cdrom">
- <title>Creating an Installation CDROM</title>
+ <title>Creating an Installation ISO</title>
- <para>As part of each release, the &os; project makes available at
- least two CDROM images (<quote>ISO images</quote>) per supported
+ <para>As part of each release, the &os; Project provides ISO
+ images for each supported
architecture. These images can be written
- (<quote>burned</quote>) to CDs if you have a CD writer, and then used
- to install &os;. If you have a CD writer, and bandwidth is cheap,
- then this is the easiest way to install &os;.</para>
+ (<quote>burned</quote>) to CD or DVD media using a burning
+ application, and then used
+ to install &os;. If a CD/DVD writer is available,
+ this is the easiest way to install &os;.</para>
<procedure>
<step>
<title>Download the Correct ISO Images</title>
<para>The ISO images for each release can be downloaded from <filename>ftp://ftp.FreeBSD.org/pub/FreeBSD/ISO-IMAGES-<replaceable>arch</replaceable>/<replaceable>version</replaceable></filename> or the closest mirror.
- Substitute <replaceable>arch</replaceable> and
+ or the closest mirror. Substitute
+ <replaceable>arch</replaceable> and
<replaceable>version</replaceable> as appropriate.</para>
- <para>That directory will normally contain the following images:</para>
+ <para>An image directory normally contains the following
+ images:</para>
<table frame="none">
<title>&os;
@@ -4511,11 +4554,12 @@ Please press any key to reboot.</screen>
<row>
<entry><filename>&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-bootonly.iso</filename></entry>
- <entry>This CD image allows you to start the installation
+ <entry>This CD image starts the installation
process by booting from a CD-ROM drive but it does not
contain the support for installing &os; from the CD
- itself. You would need to perform a network based install
- (e.g. from an FTP server) after booting from this CD.</entry>
+ itself. Perform a network based install, such as
+ from an FTP server, after booting from this
+ CD.</entry>
</row>
<row>
@@ -4532,18 +4576,18 @@ Please press any key to reboot.</screen>
<entry><filename>&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-memstick.img</filename></entry>
<entry>This image can be written to an USB memory stick
- and used to do an install on machines capable of booting
- off USB drives. It also supports booting into a
- <quote>livefs</quote> based rescue mode. The
- documentation packages are provided but no other
- packages.</entry>
+ in order to install machines capable of booting
+ from USB drives. It also supports booting into a
+ <quote>livefs</quote> based rescue mode. The only
+ included package is the documentation
+ package.</entry>
</row>
<row>
<entry><filename>&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-disc1.iso</filename></entry>
<entry>This CD image contains the base &os; operating
- system and the documentation packages but no other
+ system and the documentation package but no other
packages.</entry>
</row>
@@ -4574,47 +4618,42 @@ Please press any key to reboot.</screen>
</tgroup>
</table>
- <para>You <emphasis>must</emphasis> download one of either
- the <literal>bootonly</literal> ISO image,
- or the image of <literal>disc1</literal>. Do not download
- both of them, since the <literal>disc1</literal> image
+ <para>When performing a CD installation, download either
+ the <literal>bootonly</literal> ISO image
+ or <literal>disc1</literal>. Do not download
+ both, since <literal>disc1</literal>
contains everything that the <literal>bootonly</literal>
ISO image contains.</para>
- <para>Use the <literal>bootonly</literal> ISO if Internet
- access is cheap for you. It will let you install &os;, and
- you can then install third-party
- packages by downloading them using the ports/packages system (see
- <xref linkend="ports"/>) as
- necessary.</para>
+ <para>Use the <literal>bootonly</literal> ISO to perform a
+ network install over the Internet. Additional software
+ can be installed as needed using
+ the Ports Collection as described in
+ <xref linkend="ports"/>.</para>
- <para>Use the image of <literal>dvd1</literal> if you want to
- install a &os;
- release and want a reasonable selection of third-party packages
- on the disc as well.</para>
-
- <para>The additional disc images are useful, but not essential,
- especially if you have high-speed access to the Internet.</para>
+ <para>Use <literal>dvd1</literal> to
+ install &os;
+ and a selection of third-party packages
+ from the disc.</para>
</step>
<step>
- <title>Write the CDs</title>
+ <title>Burn the Media</title>
- <para>You must then write the CD images to disc. If you will be
- doing this on another &os; system then see
- <xref linkend="creating-cds"/> for more information (in
- particular, <xref linkend="burncd"/> and
- <xref linkend="cdrecord"/>).</para>
+ <para>Next, write the downloaded image(s) to disc. If using
+ another &os; system, refer to
+ <xref linkend="burncd"/> and
+ <xref linkend="cdrecord"/> for instructions.</para>
- <para>If you will be doing this on another platform then you will
- need to use whatever utilities exist to control your CD writer on
- that platform. The images provided are in the standard ISO format,
- which many CD writing applications support.</para>
+ <para>If using another platform,
+ use any burning utility that exists for
+ that platform. The images are in the standard ISO format
+ which most CD writing applications support.</para>
</step>
</procedure>
- <note><para>If you are interested in building a customized
- release of &os;, please see the <ulink
+ <note><para>To build a customized
+ release of &os;, refer to the <ulink
url="&url.articles.releng;">Release Engineering
Article</ulink>.</para></note>
@@ -4630,22 +4669,20 @@ Please press any key to reboot.</screen>
</indexterm>
<para>&os; discs are laid out in the same way as the FTP site. This
- makes it very easy for you to create a local FTP site that can be used
- by other machines on your network when installing &os;.</para>
+ makes it easy to create a local FTP site that can be used
+ by other machines on a network to install &os;.</para>
<procedure>
<step>
<para>On the &os; computer that will host the FTP site, ensure
- that the CDROM is in the drive, and mounted on
- <filename>/cdrom</filename>.</para>
+ that the CD/DVD is in the drive and mounted:</para>
<screen>&prompt.root; <userinput>mount /cdrom</userinput></screen>
</step>
<step>
- <para>Create an account for anonymous FTP in
- <filename>/etc/passwd</filename>. Do this by editing
- <filename>/etc/passwd</filename> using &man.vipw.8; and adding
+ <para>Create an account for anonymous FTP. Use &man.vipw.8;
+ to insert
this line:</para>
<programlisting>ftp:*:99:99::0:0:FTP:/cdrom:/nonexistent</programlisting>
@@ -4657,169 +4694,79 @@ Please press any key to reboot.</screen>
</step>
</procedure>
- <para>Anyone with network connectivity to your machine can now
+ <para>Anyone with network connectivity to the machine can now
chose a media type of FTP and type in
<userinput>ftp://<replaceable>your machine</replaceable></userinput>
after picking <quote>Other</quote> in the FTP sites menu during
the install.</para>
<note>
- <para>If the boot media (floppy disks, usually) for your FTP
+ <para>If the boot media for the FTP
clients is not precisely the same version as that provided
- by the local FTP site, then <application>sysinstall</application>
- will not let you
- complete the installation. If the versions are not similar and
- you want to override this, you must go into the
- <guimenu>Options</guimenu> menu and change distribution name to
+ by the local FTP site, &man.sysinstall.8;
+ will not
+ complete the installation.
+ To override this, go into the
+ <guimenu>Options</guimenu> menu and change the distribution
+ name to
<guimenuitem>any</guimenuitem>.</para>
</note>
<warning>
- <para>This approach is OK for a machine that is on your local network,
- and that is protected by your firewall. Offering up FTP services to
- other machines over the Internet (and not your local network)
- exposes your computer to the attention of crackers and other
- undesirables. We strongly recommend that you follow good security
- practices if you do this.</para>
+ <para>This approach is acceptable for a machine on the local
+ network which
+ is protected by a firewall. Offering anonymous FTP services
+ to
+ other machines over the Internet
+ exposes the computer to increased security risks.
+ It is strongly recommended to follow good security
+ practices when providing services over the Internet.</para>
</warning>
</sect2>
- <sect2>
- <title>Creating Installation Floppies</title>
-
- <indexterm>
- <primary>installation</primary>
- <secondary>floppies</secondary>
- </indexterm>
-
- <para>If you must install from floppy disk (which we suggest you
- do <emphasis>not</emphasis> do), either due to unsupported
- hardware or simply because you insist on doing things the hard
- way, you must first prepare some floppies for the installation.</para>
-
- <para>At a minimum, you will need as many 1.44 MB floppies
- as it takes to hold all the files in the
- <filename>base</filename> (base distribution) directory. If
- you are preparing the floppies from &ms-dos;, then they
- <emphasis>must</emphasis> be formatted using the &ms-dos;
- <command>FORMAT</command> command. If you are using &windows;,
- use Explorer to format the disks (right-click on the
- <devicename>A:</devicename> drive, and select
- <quote>Format</quote>).</para>
-
- <para>Do <emphasis>not</emphasis> trust factory pre-formatted
- floppies. Format them again yourself, just to be sure. Many
- problems reported by our users in the past have resulted from
- the use of improperly formatted media, which is why we are
- making a point of it now.</para>
-
- <para>If you are creating the floppies on another &os; machine,
- a format is still not a bad idea, though you do not need to put
- a &ms-dos; filesystem on each floppy. You can use the
- <command>bsdlabel</command> and <command>newfs</command>
- commands to put a UFS filesystem on them instead, as the
- following sequence of commands (for a 3.5" 1.44 MB floppy)
- illustrates:</para>
-
- <screen>&prompt.root; <userinput>fdformat -f 1440 fd0.1440</userinput>
-&prompt.root; <userinput>bsdlabel -w fd0.1440 floppy3</userinput>
-&prompt.root; <userinput>newfs -t 2 -u 18 -l 1 -i 65536 /dev/fd0</userinput></screen>
-
- <para>Then you can mount and write to them like any other
- filesystem.</para>
-
- <para>After you have formatted the floppies, you will need to copy
- the files to them. The distribution files are split into chunks
- conveniently sized so that five of them will fit on a conventional
- 1.44 MB floppy. Go through all your floppies, packing as many
- files as will fit on each one, until you have all of the
- distributions you want packed up in this fashion. Each
- distribution should go into a subdirectory on the floppy, e.g.:
- <filename>a:\base\base.aa</filename>,
- <filename>a:\base\base.ab</filename>, and so on.</para>
-
- <important>
- <para>The <filename>base.inf</filename> file also needs to go on the
- first floppy of the <filename>base</filename> set since it is read
- by the installation program in order to figure out how many
- additional pieces to look for when fetching and concatenating the
- distribution.</para>
- </important>
-
- <para>Once you come to the Media screen during the install
- process, select <guimenuitem>Floppy</guimenuitem> and you
- will be prompted for the rest.</para>
- </sect2>
-
<sect2 id="install-msdos">
- <title>Installing from an &ms-dos; Partition</title>
+ <title>Installing from an &windows; Partition</title>
<indexterm>
<primary>installation</primary>
- <secondary>from MS-DOS</secondary>
+ <secondary>from &windows;</secondary>
</indexterm>
- <para>To prepare for an installation from an &ms-dos; partition,
+ <para>To prepare for an installation from a &windows;
+ partition,
copy the files from the distribution into a directory
- called <filename>freebsd</filename> in the root directory of the
- partition. For example, <filename>c:\freebsd</filename>. The
- directory structure of the CDROM or FTP site must be partially
- reproduced within this directory, so we suggest using the &ms-dos;
- <command>xcopy</command> command if you are copying it from a CD.
+ in the root directory of the
+ partition, such as <filename
+ class="directory">c:\freebsd</filename>. Since the
+ directory structure must be
+ reproduced, it is recommended to use
+ <command>robocopy</command> when copying from a CD/DVD.
For example, to prepare for a minimal installation of
&os;:</para>
<screen><prompt>C:\></prompt> <userinput>md c:\freebsd</userinput>
-<prompt>C:\></prompt> <userinput>xcopy e:\bin c:\freebsd\bin\ /s</userinput>
-<prompt>C:\></prompt> <userinput>xcopy e:\manpages c:\freebsd\manpages\ /s</userinput></screen>
+<prompt>C:\></prompt> <userinput>robocopy e:\bin c:\freebsd\bin\ /s</userinput>
+<prompt>C:\></prompt> <userinput>robocopy e:\manpages c:\freebsd\manpages\ /s</userinput></screen>
- <para>Assuming that <devicename>C:</devicename> is where you have
- free space and <devicename>E:</devicename> is where your CDROM
+ <para>This example assumes that <devicename>C:</devicename>
+ has enough
+ free space and <devicename>E:</devicename> is where the
+ CD/DVD
is mounted.</para>
- <para>If you do not have a CDROM drive, you can download the
+ <para>Alternatively, download the
distribution from <ulink
- url="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/&rel.current;-RELEASE/">ftp.FreeBSD.org</ulink>.
+ url="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/&rel2.current;-RELEASE/">ftp.FreeBSD.org</ulink>.
Each distribution is in its own directory; for example, the
<emphasis>base</emphasis> distribution can be found in the <ulink
- url="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/&rel.current;-RELEASE/base/">&rel.current;/base/</ulink>
+ url="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/&rel2.current;-RELEASE/base/">&rel2.current;/base/</ulink>
directory.</para>
- <para>For as many distributions you wish to install from an &ms-dos;
- partition (and you have the free space for), install each one
- under <filename>c:\freebsd</filename> — the
- <literal>BIN</literal> distribution is the only one required for
- a minimum installation.</para>
- </sect2>
-
- <sect2>
- <title>Creating an Installation Tape</title>
-
- <indexterm>
- <primary>installation</primary>
- <secondary>from QIC/SCSI Tape</secondary>
- </indexterm>
- <para>Installing from tape is probably the easiest method, short
- of an online FTP install or CDROM install. The installation
- program expects the files to be simply tarred onto the tape.
- After getting all of the distribution files you are interested
- in, simply tar them onto the tape:</para>
-
- <screen>&prompt.root; <userinput>cd /freebsd/distdir</userinput>
-&prompt.root; <userinput>tar cvf /dev/rwt0 dist1 ... dist2</userinput></screen>
-
- <para>When you perform the installation, you should make
- sure that you leave enough room in some temporary directory
- (which you will be allowed to choose) to accommodate the
- <emphasis>full</emphasis> contents of the tape you have created.
- Due to the non-random access nature of tapes, this method of
- installation requires quite a bit of temporary storage.</para>
-
- <note>
- <para>When starting the installation, the tape must be in the
- drive <emphasis>before</emphasis> booting from the boot
- floppy. The installation probe may otherwise fail to find
- it.</para>
- </note>
+ <para>Copy the distributions to install from a &windows;
+ partition to <filename
+ class="directory">c:\freebsd</filename>. Both the
+ <literal>base</literal> and <literal>kernel</literal>
+ distributions are needed for
+ the most minimal installation.</para>
</sect2>
<sect2>
@@ -4840,97 +4787,103 @@ Please press any key to reboot.</screen>
<secondary>network</secondary>
<tertiary>Ethernet</tertiary>
</indexterm>
- <para>There are three types of network installations available.
- Ethernet (a standard Ethernet controller), Serial port (PPP), or
- Parallel port (PLIP (laplink cable)).</para>
+ <para>There are three types of network installations
+ available:
+ Ethernet, PPP, and
+ PLIP.</para>
- <para>For the fastest possible network installation, an
- Ethernet adapter is always a good choice! &os; supports most
- common PC Ethernet cards; a table of supported cards (and their
- required settings) is provided in the Hardware Notes for each
- release of &os;. If you are using one of the supported PCMCIA
- Ethernet cards, also be sure that it is plugged in
- <emphasis>before</emphasis> the laptop is powered on! &os; does
- not, unfortunately, currently support hot insertion of PCMCIA cards
+ <para>For the fastest possible network installation, use an
+ Ethernet adapter. &os; supports most
+ common Ethernet cards. A list of supported cards
+ is provided in the Hardware Notes for each
+ release of &os;. If using a supported PCMCIA
+ Ethernet card, be sure that it is plugged in
+ <emphasis>before</emphasis> the system is powered on as
+ &os; does
+ not support hot insertion of PCMCIA cards
during installation.</para>
- <para>You will also need to know your IP address on the network,
- the netmask value for your address class, and the name of your
- machine. If you are installing over a PPP connection and do not
- have a static IP, fear not, the IP address can be dynamically
- assigned by your ISP. Your system administrator can tell you
- which values to use for your particular network setup. If you
- will be referring to other hosts by name rather than IP address,
- you will also need a name server and possibly the address of a
- gateway (if you are using PPP, it is your provider's IP address)
- to use in talking to it. If you want to install by FTP via a
- HTTP proxy, you will also need the proxy's address.
- If you do not know the answers to all or most of these questions,
- then you should really probably talk to your system administrator
+ <para>Make note of the system's IP address,
+ subnet mask, hostname, default gateway address, and DNS
+ server addresses if these values are statically assigned.
+ If installing by FTP through a
+ HTTP proxy, make note of the proxy's address.
+ If you do not know these values, ask the system
+ administrator
or ISP <emphasis>before</emphasis> trying this type of
installation.</para>
- <para>If you are using a modem, then PPP is almost certainly
- your only choice. Make sure that you have your service
- provider's information handy as you will need to know it fairly
+ <para>If using a dialup modem, have the service
+ provider's PPP information handy as it is needed
early in the installation process.</para>
- <para>If you use PAP or CHAP to connect your ISP (in other words, if
- you can connect to the ISP in &windows; without using a script), then
- all you will need to do is type in <command>dial</command> at the
- <application>ppp</application> prompt. Otherwise, you will need to
- know how to dial your ISP using the <quote>AT commands</quote>
- specific to your modem, as the PPP dialer provides only a very
- simple terminal emulator. Please refer to the user-ppp <link
- linkend="userppp">handbook</link> and <ulink
- url="&url.books.faq;/ppp.html">FAQ</ulink>
- entries for further information.
- If you have problems, logging can be directed to the screen using
- the command <command>set log local ...</command>.</para>
+ <para>If PAP or CHAP are used to connect to the
+ <acronym>ISP</acronym> without using a script,
+ type <command>dial</command> at the &os;
+ <application>ppp</application> prompt. Otherwise,
+ know how to dial the <acronym>ISP</acronym> using the
+ <quote>AT commands</quote>
+ specific to the modem, as the PPP dialer provides only a
+ simple terminal emulator. Refer to <xref
+ linkend="userppp"/> and <ulink
+ url="&url.books.faq;/ppp.html"></ulink>
+ for further information.
+ Logging can be directed to the screen using
+ <command>set log local ...</command>.</para>
<para>If a hard-wired connection to another &os;
- machine is available, you might also consider installing
- over a <quote>laplink</quote> parallel port cable. The data rate
- over the parallel port is much higher than what is typically
- possible over a serial line (up to 50 kbytes/sec), thus
- resulting in a quicker installation.</para>
+ machine is available, the installation can occur
+ over a null-modem parallel port cable. The data rate
+ over the parallel port is higher than what is typically
+ possible over a serial line.</para>
<sect3>
- <title>Before Installing via NFS</title>
+ <title>Before Installing via <acronym>NFS</acronym></title>
<indexterm>
<primary>installation</primary>
<secondary>network</secondary>
<tertiary>NFS</tertiary>
</indexterm>
- <para>The NFS installation is fairly straight-forward. Simply
- copy the &os; distribution files you want onto an NFS server
- and then point the NFS media selection at it.</para>
+ <para>To perform an <acronym>NFS</acronym> installation,
+ copy the needed &os; distribution files to an
+ <acronym>NFS</acronym> server
+ and then point the installer's <acronym>NFS</acronym>
+ media selection to it.</para>
- <para>If this server supports only <quote>privileged port</quote>
- (as is generally the default for Sun workstations), you will
- need to set the option <literal>NFS Secure</literal> in the
- <guimenu>Options</guimenu> menu before installation can
+ <para>If the server supports only a <quote>privileged
+ port</quote>,
+ set the option <literal>NFS Secure</literal> in the
+ <guimenu>Options</guimenu> menu so that the installation
+ can
proceed.</para>
- <para>If you have a poor quality Ethernet card which suffers
- from very slow transfer rates, you may also wish to toggle the
- <literal>NFS Slow</literal> flag.</para>
+ <para>If using a poor quality Ethernet card which suffers
+ from slow transfer rates, toggle the
+ <literal>NFS Slow</literal> flag to on.</para>
- <para>In order for NFS installation to work, the server must
- support subdir mounts, for example, if your
- &os; &rel.current; distribution directory lives on:
- <filename>ziggy:/usr/archive/stuff/FreeBSD</filename>, then
+ <para>In order for an <acronym>NFS</acronym> installation to
+ work, the server must
+ support subdir mounts. For example, if the
+ &os; &rel.current; distribution lives on:
+ <filename
+ class="directory">ziggy:/usr/archive/stuff/FreeBSD</filename>,
<hostid>ziggy</hostid> will have to allow the direct mounting
- of <filename>/usr/archive/stuff/FreeBSD</filename>, not just
- <filename>/usr</filename> or
- <filename>/usr/archive/stuff</filename>.</para>
+ of <filename
+ class="directory">/usr/archive/stuff/FreeBSD</filename>,
+ not just
+ <filename class="directory">/usr</filename> or
+ <filename
+ class="directory">/usr/archive/stuff</filename>.</para>
- <para>In &os;'s <filename>/etc/exports</filename> file, this
- is controlled by the <option>-alldirs</option> options. Other NFS
- servers may have different conventions. If you are getting
- <errorname>permission denied</errorname> messages from the
- server, then it is likely that you do not have this enabled
+ <para>In &os;, this
+ is controlled by using <option>-alldirs</option> in
+ <filename>/etc/exports</filename>. Other
+ <acronym>NFS</acronym>
+ servers may have different conventions. If the server is
+ displaying
+ <errorname>permission denied</errorname> messages,
+ it is likely that this is not enabled
properly.</para>
</sect3>
</sect2>
diff --git a/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml b/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml
index 9f6bb1c207..e3ac479e91 100644
--- a/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml
@@ -695,7 +695,7 @@ options NFS_ROOT # NFS usable as /, requires NFSCLIENT</progra
<para>Adds support for <ulink
url="http://en.wikipedia.org/wiki/GUID_Partition_Table">GUID
- Partition Tables</ulink> (<acronym>GPT</acronym>. GPT
+ Partition Tables</ulink> (<acronym>GPT</acronym>). GPT
provides the ability to have a large number of partitions per
disk, 128 in the standard configuration.</para>
@@ -778,29 +778,6 @@ options NFS_ROOT # NFS usable as /, requires NFSCLIENT</progra
device nodes in <filename
class="directory">/dev</filename>.</para>
- <programlisting>options ADAPTIVE_GIANT # Giant mutex is adaptive.</programlisting>
-
- <para>Giant is the name of a mutual exclusion mechanism, a
- sleep mutex, that protects a large set of kernel resources.
- Today, this is an unacceptable performance bottleneck which
- is actively being replaced with locks that protect individual
- resources. The <literal>ADAPTIVE_GIANT</literal> option causes
- Giant to be included in the set of mutexes adaptively spun on.
- When a thread wants to lock the Giant mutex, but it is already
- locked by a thread on another CPU, the first thread will keep
- running and wait for the lock to be released. Normally, the
- thread would instead go back to sleep and wait for its next
- chance to run. If unsure, leave this in.</para>
-
- <note>
- <para>Beginning with &os; 8.0, all mutexes are adaptive by
- default, unless explicitly set to non-adaptive by compiling
- with the <literal>NO_ADAPTIVE_MUTEXES</literal> option. As a
- result, Giant is adaptive by default now, and the
- <literal>ADAPTIVE_GIANT</literal> option has been removed
- from the kernel configuration.</para>
- </note>
-
<indexterm>
<primary>kernel options</primary>
<secondary>SMP</secondary>
@@ -1441,7 +1418,7 @@ device fwe # Ethernet over FireWire (non-standard!)</programl
mechanism for recovering from incompatible kernels.
Simply choose the kernel to boot from at the &os; boot
loader. This can be accessed when the system boot menu
- appears by selecting the <quote>Escape to a loader
+ appears by selecting the <quote>Escape to a loader
prompt</quote> option. At the prompt, type
<command>boot
<replaceable>kernel.old</replaceable></command>, or
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.xml b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
index facf372522..835959f2ab 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
@@ -769,7 +769,7 @@ test: biba/high</screen>
</sect1>
<sect1 id="mac-seeotheruids">
- <title>The &man.mac.seeotheruids.4; Module</title>
+ <title>The MAC See Other UIDs Policy</title>
<indexterm>
<primary>MAC See Other UIDs Policy</primary>
@@ -824,7 +824,7 @@ test: biba/high</screen>
</sect1>
<sect1 id="mac-bsdextended">
- <title>The &man.mac.bsdextended.4; Module</title>
+ <title>The MAC BSD Extended Policy</title>
<indexterm>
<primary>MAC</primary>
@@ -904,7 +904,7 @@ test: biba/high</screen>
</sect1>
<sect1 id="mac-ifoff">
- <title>The &man.mac.ifoff.4; Module</title>
+ <title>The MAC Interface Silencing Policy</title>
<indexterm>
<primary>MAC Interface Silencing Policy</primary>
@@ -955,7 +955,7 @@ test: biba/high</screen>
</sect1>
<sect1 id="mac-portacl">
- <title>The &man.mac.portacl.4; Module</title>
+ <title>The MAC Port Access Control List Policy</title>
<indexterm>
<primary>MAC Port Access Control List Policy</primary>
@@ -1069,7 +1069,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
</sect1>
<sect1 id="mac-partition">
- <title>The &man.mac.partition.4; Module</title>
+ <title>The MAC Partition Policy</title>
<indexterm>
<primary>MAC Process Partition Policy</primary>
@@ -1807,141 +1807,137 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<para>This section discusses common configuration issues.</para>
- <sect2>
- <title><option>multilabel</option> cannot be enabled on
- <filename>/</filename></title>
+ <itemizedlist>
+ <listitem>
+ <para>The <option>multilabel</option> flag does not stay
+ enabled on my root (<filename>/</filename>) partition!</para>
- <para>The<option>multilabel</option> flag does not stay
- enabled on my root (<filename>/</filename>) partition!</para>
+ <para>The following steps may resolve this transient
+ error:</para>
+ <procedure>
+ <step>
+ <para>Edit <filename>/etc/fstab</filename> and set the root
+ partition to <option>ro</option> for read-only.</para>
+ </step>
- <para>The following steps may resolve this transient
- error:</para>
+ <step>
+ <para>Reboot into single user mode.</para>
+ </step>
- <procedure>
- <step>
- <para>Edit <filename>/etc/fstab</filename> and set the root
- partition to <option>ro</option> for read-only.</para>
- </step>
-
- <step>
- <para>Reboot into single user mode.</para>
- </step>
-
- <step>
- <para>Run <command>tunefs</command> <option>-l
+ <step>
+ <para>Run <command>tunefs</command> <option>-l
enable</option>
- on <filename>/</filename>.</para>
- </step>
+ on <filename>/</filename>.</para>
+ </step>
- <step>
- <para>Reboot the system.</para>
- </step>
+ <step>
+ <para>Reboot the system.</para>
+ </step>
- <step>
- <para>Run <command>mount</command> <option>-urw</option>
- <filename>/</filename> and change the <option>ro</option>
- back to <option>rw</option> in
- <filename>/etc/fstab</filename> and reboot the system
- again.</para>
- </step>
+ <step>
+ <para>Run <command>mount</command> <option>-urw</option>
+ <filename>/</filename> and change the <option>ro</option>
+ back to <option>rw</option> in
+ <filename>/etc/fstab</filename> and reboot the system
+ again.</para>
+ </step>
- <step>
- <para>Double-check the output from
- <command>mount</command> to ensure that
- <option>multilabel</option> has been properly set on the
- root file system.</para>
- </step>
- </procedure>
- </sect2>
+ <step>
+ <para>Double-check the output from
+ <command>mount</command> to ensure that
+ <option>multilabel</option> has been properly set on the
+ root file system.</para>
+ </step>
+ </procedure>
+ </listitem>
- <sect2>
- <title>Xorg Server Will Not Start After
- <acronym>MAC</acronym></title>
+ <listitem>
+ <para>After establishing a secure environment with
+ <acronym>MAC</acronym>, I am no longer able to start
+ Xorg!</para>
- <para>After establishing a secure environment with
- <acronym>MAC</acronym>, I am no longer able to start
- Xorg!</para>
+ <para>This could be caused by the <acronym>MAC</acronym>
+ <literal>partition</literal> policy or by a mislabeling in
+ one of the <acronym>MAC</acronym> labeling policies. To
+ debug, try the following:</para>
- <para>This could be caused by the <acronym>MAC</acronym>
- <literal>partition</literal> policy or by a mislabeling in
- one of the <acronym>MAC</acronym> labeling policies. To
- debug, try the following:</para>
+ <procedure>
+ <step>
+ <para>Check the error message; if the user is in the
+ <literal>insecure</literal> class, the
+ <literal>partition</literal> policy may be the culprit.
+ Try setting the user's class back to the
+ <literal>default</literal> class and rebuild the database
+ with <command>cap_mkdb</command>. If this does not
+ alleviate the problem, go to step two.</para>
+ </step>
- <procedure>
- <step>
- <para>Check the error message; if the user is in the
- <literal>insecure</literal> class, the
- <literal>partition</literal> policy may be the culprit.
- Try setting the user's class back to the
- <literal>default</literal> class and rebuild the database
- with <command>cap_mkdb</command>. If this does not
- alleviate the problem, go to step two.</para>
- </step>
+ <step>
+ <para>Double-check the label policies. Ensure that the
+ policies are set correctly for the user, the Xorg
+ application, and the <filename
+ class="directory">/dev</filename> entries.</para>
+ </step>
- <step>
- <para>Double-check the label policies. Ensure that the
- policies are set correctly for the user, the Xorg
- application, and the <filename
- class="directory">/dev</filename> entries.</para>
- </step>
+ <step>
+ <para>If neither of these resolve the problem, send the
+ error message and a description of the environment to
+ the &a.questions; mailing list.</para>
+ </step>
+ </procedure>
+ </listitem>
- <step>
- <para>If neither of these resolve the problem, send the
- error message and a description of the environment to
- the &a.questions; mailing list.</para>
- </step>
- </procedure>
- </sect2>
+ <listitem>
+ <para>The error: <errorname>_secure_path: unable to stat
+ .login_conf</errorname> shows up.</para>
- <sect2>
- <title>Error: &man..secure.path.3; cannot stat
- <filename>.login_conf</filename></title>
-
- <para>When a user attempts to switch from the
- <username>root</username> user to another user in the system,
- the error message <errorname>_secure_path: unable to state
+ <para>When a user attempts to switch from the
+ <username>root</username> user to another user in the system,
+ the error message <errorname>_secure_path: unable to stat
.login_conf</errorname> appears.</para>
- <para>This message is usually shown when the user has a higher
- label setting than that of the user they are attempting to
- become. For instance, <username>joe</username> has a default
- label of <option>biba/low</option>. The
- <username>root</username> user, who has a label of
- <option>biba/high</option>, cannot view
- <username>joe</username>'s home directory. This will happen
- whether or not <username>root</username> has used
- <command>su</command> to become <username>joe</username> as
- the Biba integrity model will not permit
- <username>root</username> to view objects set at a lower
- integrity level.</para>
- </sect2>
+ <para>This message is usually shown when the user has a higher
+ label setting than that of the user they are attempting to
+ become. For instance, <username>joe</username> has a default
+ label of <option>biba/low</option>. The
+ <username>root</username> user, who has a label of
+ <option>biba/high</option>, cannot view
+ <username>joe</username>'s home directory. This will happen
+ whether or not <username>root</username> has used
+ <command>su</command> to become <username>joe</username> as
+ the Biba integrity model will not permit
+ <username>root</username> to view objects set at a lower
+ integrity level.</para>
+ </listitem>
- <sect2>
- <title>The <username>root</username> username is broken!</title>
+ <listitem>
+ <para>The system no longer recognizes the
+ <username>root</username> user.</para>
- <para>In normal or even single user mode, the
- <username>root</username> is not recognized,
- <command>whoami</command> returns 0 (zero), and
- <command>su</command> returns <errorname>who are
+ <para>In normal or even single user mode, the
+ <username>root</username> is not recognized,
+ <command>whoami</command> returns 0 (zero), and
+ <command>su</command> returns <errorname>who are
you?</errorname>.</para>
- <para>This can happen if a labeling policy has been disabled,
- either by a &man.sysctl.8; or the policy module was unloaded.
- If the policy is disabled, the login capabilities database
- needs to be reconfigured with <option>label</option> removed.
- Double check <filename>login.conf</filename> to ensure that
- all <option>label</option> options have been removed and
- rebuild the database with <command>cap_mkdb</command>.</para>
+ <para>This can happen if a labeling policy has been disabled,
+ either by a &man.sysctl.8; or the policy module was unloaded.
+ If the policy is disabled, the login capabilities database
+ needs to be reconfigured with <option>label</option> removed.
+ Double check <filename>login.conf</filename> to ensure that
+ all <option>label</option> options have been removed and
+ rebuild the database with <command>cap_mkdb</command>.</para>
- <para>This may also happen if a policy restricts access to
- <filename>master.passwd</filename>. This is usually caused by
- an administrator altering the file under a label which
- conflicts with the general policy being used by the system.
- In these cases, the user information would be read by the
- system and access would be blocked as the file has inherited
- the new label. Disable the policy using &man.sysctl.8; and
- everything should return to normal.</para>
- </sect2>
+ <para>This may also happen if a policy restricts access to
+ <filename>master.passwd</filename>. This is usually caused by
+ an administrator altering the file under a label which
+ conflicts with the general policy being used by the system.
+ In these cases, the user information would be read by the
+ system and access would be blocked as the file has inherited
+ the new label. Disable the policy using &man.sysctl.8; and
+ everything should return to normal.</para>
+ </listitem>
+ </itemizedlist>
</sect1>
</chapter>
diff --git a/en_US.ISO8859-1/books/handbook/mail/chapter.xml b/en_US.ISO8859-1/books/handbook/mail/chapter.xml
index eb088d55f3..308d952042 100644
--- a/en_US.ISO8859-1/books/handbook/mail/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/mail/chapter.xml
@@ -35,38 +35,37 @@
one of the most widely used forms of communication today.
This chapter provides a basic introduction to running a mail
server on &os;, as well as an introduction to sending and
- receiving email using &os;; however, it is not a complete
- reference and in fact many important considerations are omitted.
- For more complete coverage of the subject, the reader is
- referred to the many excellent books listed in
+ receiving email using &os;.
+ For more complete coverage of this subject,
+ refer to the books listed in
<xref linkend="bibliography"/>.</para>
<para>After reading this chapter, you will know:</para>
<itemizedlist>
<listitem>
- <para>What software components are involved in sending and
+ <para>Which software components are involved in sending and
receiving electronic mail.</para>
</listitem>
<listitem>
<para>Where basic <application>sendmail</application>
- configuration files are located in FreeBSD.</para>
+ configuration files are located in &os;.</para>
</listitem>
<listitem>
- <para>The difference between remote and
- local mailboxes.</para>
+ <para>The difference between remote and local
+ mailboxes.</para>
</listitem>
<listitem>
- <para>How to block spammers from illegally using your mail
+ <para>How to block spammers from illegally using a mail
server as a relay.</para>
</listitem>
<listitem>
<para>How to install and configure an alternate Mail Transfer
- Agent on your system, replacing
+ Agent, replacing
<application>sendmail</application>.</para>
</listitem>
@@ -83,18 +82,18 @@
</listitem>
<listitem>
- <para>How to configure SMTP Authentication for added
+ <para>How to configure SMTP authentication for added
security.</para>
</listitem>
<listitem>
<para>How to install and use a Mail User Agent, such as
- <application>mutt</application> to send and receive
+ <application>mutt</application>, to send and receive
email.</para>
</listitem>
<listitem>
- <para>How to download your mail from a remote
+ <para>How to download mail from a remote
<acronym>POP</acronym> or <acronym>IMAP</acronym>
server.</para>
</listitem>
@@ -109,13 +108,13 @@
<itemizedlist>
<listitem>
- <para>Properly set up your network connection
- (<xref linkend="advanced-networking"/>).</para>
+ <para>Properly set up a network connection (<xref
+ linkend="advanced-networking"/>).</para>
</listitem>
<listitem>
- <para>Properly set up the DNS information for your mail host
- (<xref linkend="network-servers"/>).</para>
+ <para>Properly set up the <acronym>DNS</acronym> information
+ for a mail host (<xref linkend="network-servers"/>).</para>
</listitem>
<listitem>
@@ -132,41 +131,42 @@
<indexterm><primary>IMAP</primary></indexterm>
<indexterm><primary>DNS</primary></indexterm>
- <para>There are five major parts involved in an email exchange.
- They are: <link linkend="mail-mua">the user program</link>,
- <link linkend="mail-mta">the server daemon</link>, <link
- linkend="mail-dns">DNS</link>, <link linkend="mail-receive">a
- remote or local mailbox</link>, and of course, <link
- linkend="mail-host">the mailhost itself</link>.</para>
+ <para>There are five major parts involved in an email exchange:
+ <link linkend="mail-mua">the Mail User Agent
+ <acronym>MUA></acronym></link>, <link linkend="mail-mta">the
+ Mail Transfer Agent<acronym>MTA</acronym></link>, <link
+ linkend="mail-dns"><acronym>DNS</acronym></link>, <link
+ linkend="mail-receive">a remote or local mailbox</link>, and
+ <link linkend="mail-host">the mail host</link>.</para>
<sect2 id="mail-mua">
- <title>The User Program</title>
+ <title>The Mail User Agent</title>
<para>This includes command line programs such as
<application>mutt</application>,
<application>alpine</application>,
<application>elm</application>, and
- <command>mail</command>, and <acronym>GUI</acronym>
- programs such as <application>balsa</application>,
- <application>xfmail</application> to name a few, and something
- more <quote>sophisticated</quote> like a WWW browser. These
- programs simply pass off the email transactions to the local
- <link linkend="mail-host"><quote>mailhost</quote></link>,
- either by calling one of the <link linkend="mail-mta">server
- daemons</link> available, or delivering it over
- <acronym>TCP</acronym>.</para>
+ <command>mail</command>, <acronym>GUI</acronym> programs such
+ as <application>balsa</application> or
+ <application>xfmail</application>, and web mail programs
+ which can be accessed from a web browser. User programs pass
+ the email transactions to the local <link
+ linkend="mail-host"><quote>mail host</quote></link>, either
+ by a <link
+ linkend="mail-mta"><acronym>MTA</acronym></link>, or by
+ delivering it over <acronym>TCP</acronym>.</para>
</sect2>
<sect2 id="mail-mta">
- <title>Mailhost Server Daemon</title>
+ <title>The Mail Transfer Agent</title>
<indexterm>
<primary>mail server daemons</primary>
- <secondary><application>sendmail</application></secondary>
+ <secondary><application>Sendmail</application></secondary>
</indexterm>
<indexterm>
<primary>mail server daemons</primary>
- <secondary><application>postfix</application></secondary>
+ <secondary><application>Postfix</application></secondary>
</indexterm>
<indexterm>
<primary>mail server daemons</primary>
@@ -174,20 +174,20 @@
</indexterm>
<indexterm>
<primary>mail server daemons</primary>
- <secondary><application>exim</application></secondary>
+ <secondary><application>Exim</application></secondary>
</indexterm>
- <para>&os; ships with <application>sendmail</application> by
- default, but also support numerous other mail server daemons,
- just some of which include:</para>
+ <para>&os; ships with <application>Sendmail</application> as the
+ default <acronym>MTA</acronym>, but it also supports numerous
+ other mail server daemons, including:</para>
<itemizedlist>
<listitem>
- <para><application>exim</application>;</para>
+ <para><application>Exim</application>;</para>
</listitem>
<listitem>
- <para><application>postfix</application>;</para>
+ <para><application>Postfix</application>;</para>
</listitem>
<listitem>
@@ -195,37 +195,38 @@
</listitem>
</itemizedlist>
- <para>The server daemon usually has two functions—it is
- responsible for receiving incoming mail as well as delivering
- outgoing mail. It is <emphasis>not</emphasis> responsible
- for the collection of mail using protocols such as
- <acronym>POP</acronym> or <acronym>IMAP</acronym> to read
- your email, nor does it allow connecting to local
- <filename>mbox</filename> or Maildir mailboxes. You may
- require an additional <link
- linkend="mail-receive">daemon</link> for that.</para>
+ <para>The <acronym>MTA</acronym> usually has two functions. It
+ is responsible for receiving incoming mail as well as
+ delivering outgoing mail. It is <emphasis>not</emphasis>
+ responsible for the collection of mail using protocols such as
+ <acronym>POP</acronym> or <acronym>IMAP</acronym>, nor does it
+ allow connecting to local <filename>mbox</filename> or Maildir
+ mailboxes. An additional <link
+ linkend="mail-receive">daemon</link> may be required for
+ these functions.</para>
<warning>
- <para>Older versions of <application>sendmail</application>
- have some serious security issues which may result in an
- attacker gaining local and/or remote access to your machine.
- Make sure that you are running a current version to avoid
- these problems. Optionally, install an alternative
- <acronym>MTA</acronym> from the <link linkend="ports">&os;
- Ports Collection</link>.</para>
+ <para>Older versions of <application>Sendmail</application>
+ contain serious security issues which may result in an
+ attacker gaining local or remote access to the system.
+ Run a current version to &os; to avoid these problems.
+ Optionally, install an alternative <acronym>MTA</acronym>
+ from the <link linkend="ports">&os; Ports
+ Collection</link>.</para>
</warning>
</sect2>
<sect2 id="mail-dns">
<title>Email and DNS</title>
- <para>The Domain Name System (DNS) and its daemon
- <command>named</command> play a large role in the delivery
- of email. In order to deliver mail from your site to another,
- the server daemon will look up the remote site in the DNS
- to determine the host that will receive mail for the
- destination. This process also occurs when mail is sent from
- a remote host to your mail server.</para>
+ <para>The Domain Name System (<acronym>DNS</acronym>) and its
+ daemon <command>named</command> play a large role in the
+ delivery of email. In order to deliver mail from one site to
+ another, the <acronym>MTA</acronym> will look up the remote
+ site in <acronym>DNS</acronym> to determine which host will
+ receive mail for the destination. This process also occurs
+ when mail is sent from a remote host to the
+ <acronym>MTA</acronym>.</para>
<indexterm>
<primary>MX record</primary>
@@ -233,18 +234,21 @@
<para><acronym>DNS</acronym> is responsible for mapping
hostnames to IP addresses, as well as for storing information
- specific to mail delivery, known as MX records. The MX (Mail
- eXchanger) record specifies which host, or hosts, will receive
- mail for a particular domain. If you do not have an MX record
- for your hostname or domain, the mail will be delivered
- directly to your host provided you have an A record pointing
- your hostname to your IP address.</para>
+ specific to mail delivery, known as Mail eXchanger
+ <acronym>MX</acronym> records. The <acronym>MX</acronym>
+ record specifies which host, or hosts, will receive mail for a
+ particular domain. If there is no <acronym>MX</acronym>
+ record for the hostname or domain, the mail will be delivered
+ directly to the host, provided there is an
+ <literal>A</literal> record pointing the hostname to the IP
+ address.</para>
- <para>You may view the MX records for any domain by using the
- &man.host.1; command, as seen in the example below:</para>
+ <para>To view the <acronym>MX</acronym> records for a domain,
+ specify the type of record using &man.host.1;, as seen in the
+ example below:</para>
<screen>&prompt.user; <userinput>host -t mx FreeBSD.org</userinput>
-FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.org</screen>
+FreeBSD.org mail is handled by 10 mx1.FreeBSD.org</screen>
</sect2>
<sect2 id="mail-receive">
@@ -255,33 +259,30 @@ FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.org</screen>
<secondary>receiving</secondary>
</indexterm>
- <para>Receiving mail for your domain is done by the mail host.
- It will collect all mail sent to your domain and store it
- either in <filename>mbox</filename> (the default method for
- storing mail) or Maildir format, depending on your
- configuration. Once mail has been stored, it may either be
- read locally using applications such as &man.mail.1; or
- <application>mutt</application>, or remotely accessed and
- collected using protocols such as <acronym>POP</acronym> or
- <acronym>IMAP</acronym>. This means that should you only
- wish to read mail locally, you are not required to install
- a <acronym>POP</acronym> or <acronym>IMAP</acronym>
- server.</para>
+ <para>Receiving mail for a domain is done by the mail host.
+ It will collect all mail sent to the domain and store it
+ either in the default <filename>mbox</filename> or the
+ alternative Maildir format, depending on the configuration.
+ Once mail has been stored, it may either be read locally using
+ a <acronym>MUA</acronym>, or remotely accessed and collected
+ using protocols such as <acronym>POP</acronym> or
+ <acronym>IMAP</acronym>. In order to read mail locally,
+ a <acronym>POP</acronym> or <acronym>IMAP</acronym> server
+ does not need to be installed.</para>
<sect3 id="pop-and-imap">
- <title>Accessing remote mailboxes using <acronym>POP</acronym>
+ <title>Accessing Remote Mailboxes Using <acronym>POP</acronym>
and <acronym>IMAP</acronym></title>
<indexterm><primary>POP</primary></indexterm>
<indexterm><primary>IMAP</primary></indexterm>
- <para>In order to access mailboxes remotely, you are required
- to have access to a <acronym>POP</acronym> or
- <acronym>IMAP</acronym> server. These protocols allow users
- to connect to their mailboxes from remote locations with
- ease. Though both <acronym>POP</acronym> and
- <acronym>IMAP</acronym> allow users to remotely access
- mailboxes, <acronym>IMAP</acronym> offers many advantages,
- some of which are:</para>
+ <para>To access mailboxes remotely, access to a
+ <acronym>POP</acronym> or <acronym>IMAP</acronym> server is
+ required. These protocols allow users to connect to their
+ mailboxes from remote locations. Though both
+ <acronym>POP</acronym> and <acronym>IMAP</acronym> allow
+ users to remotely access mailboxes, <acronym>IMAP</acronym>
+ offers many advantages, including:</para>
<itemizedlist>
<listitem>
@@ -295,9 +296,9 @@ FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.org</screen>
</listitem>
<listitem>
- <para><acronym>IMAP</acronym> can be extremely useful over
+ <para><acronym>IMAP</acronym> can be useful over
low-speed links as it allows users to fetch the
- structure of messages without downloading them; it can
+ structure of messages without downloading them. It can
also perform tasks such as searching on the server in
order to minimize data transfer between clients and
servers.</para>
@@ -311,70 +312,70 @@ FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.org</screen>
<procedure>
<step>
- <para>Choose an <acronym>IMAP</acronym> or
- <acronym>POP</acronym> server that best suits your
- needs. The following <acronym>POP</acronym> and
- <acronym>IMAP</acronym> servers are well known and serve
- as some good examples:</para>
+ <para>Use the Ports Collection to install an
+ <acronym>IMAP</acronym> or <acronym>POP</acronym>
+ server. The following <acronym>POP</acronym> and
+ <acronym>IMAP</acronym> servers are well known:</para>
<itemizedlist>
<listitem>
- <para><application>qpopper</application>;</para>
+ <para><filename
+ role="package">mail/qpopper</filename></para>
</listitem>
<listitem>
- <para><application>teapop</application>;</para>
+ <para><filename
+ role="package">mail/teapop</filename></para>
</listitem>
<listitem>
- <para><application>imap-uw</application>;</para>
+ <para><filename
+ role="package">mail/imap-uw</filename></para>
</listitem>
<listitem>
- <para><application>courier-imap</application>;</para>
+ <para><filename
+ role="package">mail/courier-imap</filename></para>
</listitem>
<listitem>
- <para><application>dovecot</application>;</para>
+ <para><filename
+ role="package">mail/dovecot2</filename></para>
</listitem>
</itemizedlist>
</step>
<step>
- <para>Install the <acronym>POP</acronym> or
- <acronym>IMAP</acronym> daemon of your choosing from
- the ports collection.</para>
- </step>
-
- <step>
- <para>Where required, modify
- <filename>/etc/inetd.conf</filename> to load the
- <acronym>POP</acronym> or <acronym>IMAP</acronym>
- server.</para>
+ <para>Where required, use the startup script that came
+ with the application to load the <acronym>POP</acronym>
+ or <acronym>IMAP</acronym> server. Those programs will
+ also provide a variable which can be added to
+ <filename>/etc/rc.conf</filename> to automate the
+ startup of the application's daemon whenever the system
+ boots.</para>
</step>
</procedure>
<warning>
<para>It should be noted that both <acronym>POP</acronym>
and <acronym>IMAP</acronym> transmit information,
- including username and password credentials in clear-text.
- This means that if you wish to secure the transmission
- of information across these protocols, you should consider
- tunneling sessions over &man.ssh.1; or using SSL.
- Tunneling sessions is described in
- <xref linkend="security-ssh-tunneling"/> and SSL is
- described in <xref linkend="openssl"/>.</para>
+ including username and password credentials, in
+ clear-text. To secure the transmission of information
+ across these protocols, consider tunneling sessions over
+ &man.ssh.1; (<xref linkend="security-ssh-tunneling"/>) or
+ using SSL (<xref linkend="openssl"/>).</para>
</warning>
</sect3>
<sect3 id="local">
<title>Accessing Local Mailboxes</title>
- <para>Mailboxes may be accessed locally by directly utilizing
- <acronym>MUA</acronym>s on the server on which the mailbox
- resides. This can be done using applications such as
- <application>mutt</application> or &man.mail.1;.</para>
+ <para>Mailboxes may be accessed locally by directly using an
+ <acronym>MUA</acronym> on the server on which the mailbox
+ resides. This can be done using a built-in application
+ such as &man.mail.1; or by installing a
+ <acronym>MUA</acronym> from the Ports Collection..</para>
</sect3>
</sect2>
@@ -383,9 +384,8 @@ FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.org</screen>
<indexterm><primary>mail host</primary></indexterm>
- <para>The mail host is the name given to a server that is
- responsible for delivering and receiving mail for your host,
- and possibly your network.</para>
+ <para>The mail host is a server that is responsible for
+ delivering and receiving mail for a host, or a network.</para>
</sect2>
</sect1>
@@ -399,22 +399,24 @@ FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.org</screen>
</author>
</authorgroup>
</sect1info>
- <title><application>sendmail</application> Configuration</title>
+ <title><application>Sendmail</application> Configuration</title>
<indexterm>
- <primary><application>sendmail</application></primary>
+ <primary><application>Sendmail</application></primary>
</indexterm>
- <para>&man.sendmail.8; is the default Mail Transfer Agent (MTA)
- in FreeBSD. <application>sendmail</application>'s job is to
- accept mail from Mail User Agents (<acronym>MUA</acronym>) and
- deliver it to the appropriate mailer as defined by its
- configuration file. <application>sendmail</application> can
- also accept network connections and deliver mail to local
- mailboxes or deliver it to another program.</para>
+ <para>&man.sendmail.8; is the default <acronym>MTA</acronym>
+ which is installed with &os;.
+ <application>Sendmail</application> accepts mail from
+ <acronym>MUA</acronym>s and delivers it to the appropriate
+ mailer as defined by its configuration file.
+ <application>Sendmail</application> can also accept network
+ connections and deliver mail to local mailboxes or to another
+ program.</para>
- <para><application>sendmail</application> uses the following
- configuration files:</para>
+ <para><application>Sendmail</application> uses the following
+ configuration files. This section describes these files in more
+ detail.</para>
<indexterm>
<primary><filename>/etc/mail/access</filename></primary>
@@ -449,8 +451,8 @@ FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.org</screen>
<row>
<entry>
<filename>/etc/mail/access</filename></entry>
- <entry><application>sendmail</application> access database
- file</entry>
+ <entry><application>Sendmail</application> access database
+ file.</entry>
</row>
<row>
@@ -462,33 +464,33 @@ FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.org</screen>
<row>
<entry>
<filename>/etc/mail/local-host-names</filename></entry>
- <entry>Lists of hosts <application>sendmail</application>
- accepts mail for</entry>
+ <entry>Lists of hosts <application>Sendmail</application>
+ accepts mail for.</entry>
</row>
<row>
<entry>
<filename>/etc/mail/mailer.conf</filename></entry>
- <entry>Mailer program configuration</entry>
+ <entry>Mailer program configuration.</entry>
</row>
<row>
<entry>
<filename>/etc/mail/mailertable</filename></entry>
- <entry>Mailer delivery table</entry>
+ <entry>Mailer delivery table.</entry>
</row>
<row>
<entry>
<filename>/etc/mail/sendmail.cf</filename></entry>
- <entry><application>sendmail</application> master
- configuration file</entry>
+ <entry><application>Sendmail</application> master
+ configuration file.</entry>
</row>
<row>
<entry>
<filename>/etc/mail/virtusertable</filename></entry>
- <entry>Virtual users and domain tables</entry>
+ <entry>Virtual users and domain tables.</entry>
</row>
</tbody>
</tgroup>
@@ -497,22 +499,22 @@ FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.org</screen>
<sect2>
<title><filename>/etc/mail/access</filename></title>
- <para>The access database defines what host(s) or IP addresses
+ <para>This database defines which host(s) or IP addresses
have access to the local mail server and what kind of access
they have. Hosts can be listed as <option>OK</option>,
- <option>REJECT</option>, <option>RELAY</option> or simply
- passed to <application>sendmail</application>'s error
+ <option>REJECT</option>, or <option>RELAY</option>, or can be
+ passed to <application>Sendmail</application>'s error
handling routine with a given mailer error. Hosts that
- are listed as <option>OK</option>, which is the default,
- are allowed to send mail to this host as long as the mail's
- final destination is the local machine. Hosts that are
+ are listed as <option>OK</option>, which is the default
+ option, are allowed to send mail to this host as long as the
+ mail's final destination is the local machine. Hosts that are
listed as <option>REJECT</option> are rejected for all mail
- connections. Hosts that have the <option>RELAY</option>
- option for their hostname are allowed to send mail for any
- destination through this mail server.</para>
+ connections. Hosts that are listed as <option>RELAY</option>
+ are allowed to send mail for any
+ destination using this mail server.</para>
<example>
- <title>Configuring the <application>sendmail</application>
+ <title>Configuring the <application>Sendmail</application>
Access Database</title>
<programlisting>cyberspammer.com 550 We do not accept mail from spammers
@@ -522,36 +524,37 @@ okay.cyberspammer.com OK
128.32 RELAY</programlisting>
</example>
- <para>In this example we have five entries. Mail senders that
- match the left hand side of the table are affected by the
- action on the right side of the table. The first two examples
- give an error code to <application>sendmail</application>'s
- error handling routine. The message is printed to the remote
- host when a mail matches the left hand side of the table.
- The next entry rejects mail from a specific host on the
- Internet, <hostid>another.source.of.spam</hostid>. The next
- entry accepts mail connections from a host <hostid
+ <para>This example shows five entries. Mail senders that match
+ the left side of the table are affected by the action on the
+ right side of the table. The first two examples give an error
+ code to <application>Sendmail</application>'s error handling
+ routine. The message is sent to the remote host when a mail
+ matches the left side of the table. The third entry rejects
+ mail from a specific host on the Internet,
+ <hostid>another.source.of.spam</hostid>. The fourth entry
+ accepts mail connections from <hostid
role="fqdn">okay.cyberspammer.com</hostid>, which is
- more exact than the <hostid
+ more specific than the <hostid
role="domainname">cyberspammer.com</hostid> line above.
More specific matches override less exact matches. The last
- entry allows relaying of electronic mail from hosts with an
- IP address that begins with <hostid>128.32</hostid>. These
- hosts would be able to send mail through this mail server
- that are destined for other mail servers.</para>
+ entry allows relaying of email from hosts with an IP address
+ that begins with <hostid>128.32</hostid>. These hosts can
+ send mail through this mail server that is destined for other
+ mail servers.</para>
- <para>When this file is updated, you need to run
- <command>make</command> in <filename>/etc/mail/</filename>
- to update the database.</para>
+ <para>Whenever this file is updated, run
+ <command>make</command> in <filename
+ class="directory">/etc/mail/</filename> to update the
+ database.</para>
</sect2>
<sect2>
<title><filename>/etc/mail/aliases</filename></title>
- <para>The aliases database contains a list of virtual mailboxes
- that are expanded to other user(s), files, programs or other
- aliases. Here are a few examples that can be used in
- <filename>/etc/mail/aliases</filename>:</para>
+ <para>This database contains a list of virtual mailboxes that
+ are expanded to other user(s), files, programs, or other
+ aliases. Here are a few examples to illustrate the
+ file format:</para>
<example>
<title>Mail Aliases</title>
@@ -562,72 +565,69 @@ bit.bucket: /dev/null
procmail: "|/usr/local/bin/procmail"</programlisting>
</example>
- <para>The file format is simple; the mailbox name on the left
- side of the colon is expanded to the target(s) on the right.
- The first example expands the mailbox
- <username>root</username> to the mailbox
+ <para>The mailbox name on the left side of the colon is expanded
+ to the target(s) on the right. The first entry expands the
+ mailbox <username>root</username> to the mailbox
<username>localuser</username>, which is then looked up again
- in the aliases database. If no match is found, then the
- message is delivered to the local user
- <username>localuser</username>. The next example shows a
+ in the <filename>aliases</filename> database. If no match is
+ found, the message is delivered to
+ <username>localuser</username>. The second entry shows a
mail list. Mail to the mailbox <username>ftp-bugs</username>
is expanded to the three local mailboxes
<username>joe</username>, <username>eric</username>, and
- <username>paul</username>. Note that a remote mailbox could
- be specified as <email>user@example.com</email>. The next
- example shows writing mail to a file, in this case
- <filename>/dev/null</filename>. The last example shows
- sending mail to a program, in this case the mail message is
- written to the standard input of
- <filename>/usr/local/bin/procmail</filename> through a &unix;
+ <username>paul</username>. A remote mailbox could be
+ specified as <email>user@example.com</email>. The third
+ entry shows how to write mail to a file, in this case
+ <filename>/dev/null</filename>. The last entry demonstrates
+ how to send mail to a program,
+ <filename>/usr/local/bin/procmail</filename>, through a &unix;
pipe.</para>
- <para>When this file is updated, you need to run
- <command>make</command> in <filename>/etc/mail/</filename>
- to update the database.</para>
+ <para>Whenever this file is updated, run
+ <command>make</command> in <filename
+ class="directory">/etc/mail/</filename> to update the
+ database.</para>
</sect2>
<sect2>
<title><filename>/etc/mail/local-host-names</filename></title>
<para>This is a list of hostnames &man.sendmail.8; is to accept
as the local host name. Place any domains or hosts that
- <application>sendmail</application> is to be receiving mail
- for. For example, if this mail server was to accept mail for
- the domain <hostid role="domainname">example.com</hostid> and
- the host <hostid role="fqdn">mail.example.com</hostid>, its
- <filename>local-host-names</filename> might look something
- like this:</para>
+ <application>Sendmail</application> will receive mail
+ for. For example, to configure a mail server to accept mail
+ for the domain <hostid role="domainname">example.com</hostid>
+ and the host <hostid role="fqdn">mail.example.com</hostid>,
+ add these entries to
+ <filename>local-host-names</filename>:</para>
<programlisting>example.com
mail.example.com</programlisting>
- <para>When this file is updated, &man.sendmail.8; needs to be
- restarted to read the changes.</para>
+ <para>Whenever this file is updated, &man.sendmail.8; needs to be
+ restarted so that it will read the changes.</para>
</sect2>
<sect2>
<title><filename>/etc/mail/sendmail.cf</filename></title>
- <para><application>sendmail</application>'s master configuration
- file, <filename>sendmail.cf</filename> controls the overall
- behavior of <application>sendmail</application>, including
- everything from rewriting e-mail addresses to printing rejection
- messages to remote mail servers. Naturally, with such a diverse
- role, this configuration file is quite complex and its details
- are a bit out of the scope of this section. Fortunately, this
- file rarely needs to be changed for standard mail
- servers.</para>
+ <para>This is the master configuration file for
+ <application>Sendmail</application>. It controls the overall
+ behavior of <application>Sendmail</application>, including
+ everything from rewriting email addresses to printing rejection
+ messages to remote mail servers. Accordingly, this
+ configuration file is quite complex. Fortunately, this file
+ rarely needs to be changed for standard mail servers.</para>
- <para>The master <application>sendmail</application> configuration
+ <para>The master <application>Sendmail</application> configuration
file can be built from &man.m4.1; macros that define the
- features and behavior of <application>sendmail</application>.
- Please see
+ features and behavior of <application>Sendmail</application>.
+ Refer to
<filename>/usr/src/contrib/sendmail/cf/README</filename> for
some of the details.</para>
- <para>When changes to this file are made,
- <application>sendmail</application> needs to be restarted for
+ <para>Whenever changes to this file are made,
+ <application>Sendmail</application> needs to be restarted for
the changes to take effect.</para>
</sect2>
@@ -637,7 +637,7 @@ mail.example.com</programlisting>
<para>The <filename>virtusertable</filename> maps mail addresses
for virtual domains and mailboxes to real mailboxes. These
mailboxes can be local, remote, aliases defined in
- <filename>/etc/mail/aliases</filename> or files.</para>
+ <filename>/etc/mail/aliases</filename>, or files.</para>
<example>
<title>Example Virtual Domain Mail Map</title>
@@ -647,20 +647,19 @@ postmaster@example.com postmaster@noc.example.net
@example.com joe</programlisting>
</example>
- <para>In the above example, we have a mapping for a domain
+ <para>The above example contains a mapping for the domain
<hostid role="domainname">example.com</hostid>. This file
- is processed in a first match order down the file. The first
- item maps <email>root@example.com</email> to the local mailbox
- <username>root</username>. The next entry maps
+ is processed in a first match order. The first item maps
+ <email>root@example.com</email> to the local mailbox
+ <username>root</username>. The second entry maps
<email>postmaster@example.com</email> to the mailbox
- <username>postmaster</username> on the host
- <hostid role="fqdn">noc.example.net</hostid>. Finally, if
+ <username>postmaster</username> on the host <hostid
+ role="fqdn">noc.example.net</hostid>. Finally, if
nothing from <hostid role="domainname">example.com</hostid>
has matched so far, it will match the last mapping, which
matches every other mail message addressed to someone at
- <hostid role="domainname">example.com</hostid>. This will
- be mapped to the local mailbox
- <username>joe</username>.</para>
+ <hostid role="domainname">example.com</hostid> to the local
+ mailbox <username>joe</username>.</para>
</sect2>
</sect1>
@@ -678,137 +677,121 @@ postmaster@example.com postmaster@noc.example.net
<author>
<firstname>Gregory</firstname>
<surname>Neil Shapiro</surname>
- <contrib>Information taken from e-mails written
+ <contrib>Information taken from emails written
by</contrib>
</author>
</authorgroup>
</sect1info>
- <title>Changing Your Mail Transfer Agent</title>
+ <title>Changing the Mail Transfer Agent</title>
<indexterm>
<primary>email</primary>
<secondary>change mta</secondary>
</indexterm>
- <para>As already mentioned, FreeBSD comes with
- <application>sendmail</application> already installed as your
- MTA (Mail Transfer Agent). Therefore by default it is
- in charge of your outgoing and incoming mail.</para>
+ <para>&os; comes with <application>Sendmail</application> already
+ installed as the <acronym>MTA</acronym> which is in charge of
+ outgoing and incoming mail.</para>
- <para>However, for a variety of reasons, some system
- administrators want to change their system's MTA. These
- reasons range from merely wanting to try out another MTA to
- needing a specific feature or package which relies on another
- mailer. Fortunately, whatever the reason, FreeBSD makes it
+ <para>However, the system administrator can change the system's
+ <acronym>MTA</acronym>. The reasons for doing so range from
+ wanting to try out another <acronym>MTA</acronym> to needing a
+ specific feature or package which relies on another
+ <acronym>MTA</acronym>. Whatever the reason, &os; makes it
easy to make the change.</para>
<sect2>
- <title>Install a New MTA</title>
+ <title>Install a New <acronym>MTA</acronym></title>
- <para>You have a wide choice of MTAs available. A good
- starting point is the
- <link linkend="ports">FreeBSD Ports Collection</link> where
- you will be able to find many. Of course you are free to use
- any MTA you want from any location, as long as you can make
- it run under FreeBSD.</para>
+ <para>A wide choice of <acronym>MTA</acronym>s is available
+ from the <literal>mail</literal> category of the <link
+ linkend="ports">&os; Ports Collection</link>.</para>
- <para>Start by installing your new MTA. Once it is installed
- it gives you a chance to decide if it really fulfills your
- needs, and also gives you the opportunity to configure your
- new software before getting it to take over from
- <application>sendmail</application>. When doing this, you
- should be sure that installing the new software will not
- attempt to overwrite system binaries such as
- <filename>/usr/bin/sendmail</filename>. Otherwise, your new
- mail software has essentially been put into service before
- you have configured it.</para>
+ <para>Once a new <acronym>MTA</acronym> is installed, configure
+ the new software and decide if it really fulfills your needs
+ before replacing <application>Sendmail</application>.</para>
- <para>Please refer to your chosen MTA's documentation for
- information on how to configure the software you have
- chosen.</para>
+ <para>Refer to the new chosen <acronym>MTA</acronym>'s
+ documentation for information on how to configure the
+ software.</para>
</sect2>
<sect2 id="mail-disable-sendmail">
- <title>Disable <application>sendmail</application></title>
+ <title>Disable <application>Sendmail</application></title>
<warning>
- <para>If you disable <application>sendmail</application>'s
- outgoing mail service, it is important that you replace it
- with an alternative mail delivery system. If
- you choose not to, system functions such as
- &man.periodic.8; will be unable to deliver their results
- by e-mail as they would normally expect to. Many parts of
- your system may expect to have a functional
- <application>sendmail</application>-compatible system. If
- applications continue to use
- <application>sendmail</application>'s binaries to try to
- send e-mail after you have disabled them, mail could go
- into an inactive <application>sendmail</application> queue,
- and never be delivered.</para>
+ <para>If <application>Sendmail</application>'s outgoing mail
+ service is disabled, it is important that it is replaced
+ with an alternative mail delivery system. Otherwise, system
+ functions such as &man.periodic.8; will be unable to deliver
+ their results by email. Many parts of the system expect a
+ functional <acronym>MTA</acronym>. If applications continue
+ to use <application>Sendmail</application>'s binaries to try
+ to send email they are disabled, mail could go into an
+ inactive <application>Sendmail</application> queue, and
+ never be delivered.</para>
</warning>
<para>In order to completely disable
- <application>sendmail</application>, including the outgoing
- mail service, you must use</para>
+ <application>Sendmail</application>, including the outgoing
+ mail service, add or edit the following lines in
+ <filename>/etc/rc.conf</filename>:</para>
<programlisting>sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"</programlisting>
- <para>in <filename>/etc/rc.conf.</filename></para>
-
- <para>If you only want to disable
- <application>sendmail</application>'s incoming mail service,
- you should set</para>
+ <para>To only disable <application>Sendmail</application>'s
+ incoming mail service, set</para>
<programlisting>sendmail_enable="NO"</programlisting>
<para>in <filename>/etc/rc.conf</filename>. More information
- on <application>sendmail</application>'s startup options
- is available from the &man.rc.sendmail.8; manual
- page.</para>
+ on <application>Sendmail</application>'s startup options
+ is available in &man.rc.sendmail.8;.</para>
</sect2>
<sect2>
- <title>Running Your New MTA on Boot</title>
+ <title>Running the New <acronym>MTA</acronym> on Boot</title>
- <para>The new MTA can be started during boot by adding a
- configuration line to <filename>/etc/rc.conf</filename>
- like the following example for postfix:</para>
+ <para>The new <acronym>MTA</acronym> can be started during
+ boot by adding a configuration line to
+ <filename>/etc/rc.conf</filename>. This example enables the
+ Postfix <acronym>MTA</acronym>:</para>
<screen>&prompt.root; echo
'<replaceable>postfix</replaceable>_enable=<quote>YES</quote>'
>> /etc/rc.conf</screen>
- <para>The MTA will now be automatically started during
- boot.</para>
+ <para>The specified <acronym>MTA</acronym> will now be
+ automatically started during boot.</para>
</sect2>
<sect2>
- <title>Replacing <application>sendmail</application> as
+ <title>Replacing <application>Sendmail</application> as
the System's Default Mailer</title>
- <para>The program <application>sendmail</application> is so
- ubiquitous as standard software on &unix; systems that some
- software just assumes it is already installed and configured.
- For this reason, many alternative MTA's provide their own
+ <para><application>Sendmail</application> is so ubiquitous as
+ standard software on &unix; systems that some software assumes
+ it is already installed and configured. For this reason, many
+ alternative <acronym>MTA</acronym>s provide their own
compatible implementations of the
- <application>sendmail</application> command-line interface;
- this facilitates using them as <quote>drop-in</quote>
- replacements for <application>sendmail</application>.</para>
+ <application>Sendmail</application> command-line interface in
+ order to facilitate using them as <quote>drop-in</quote>
+ replacements for <application>Sendmail</application>.</para>
- <para>Therefore, if you are using an alternative mailer,
- you will need to make sure that software trying to execute
- standard <application>sendmail</application> binaries such as
- <filename>/usr/bin/sendmail</filename> actually executes
- your chosen mailer instead. Fortunately, FreeBSD provides
- a system called &man.mailwrapper.8; that does this job for
- you.</para>
+ <para>When using an alternative <acronym>MTA</acronym>,
+ make sure that software trying to execute standard
+ <application>Sendmail</application> binaries, such as
+ <filename>/usr/bin/sendmail</filename>, actually execute
+ the chosen mailer instead. Fortunately, &os; provides a
+ system called &man.mailwrapper.8; for this purpose.</para>
- <para>When <application>sendmail</application> is operating
- as installed, you will find something like the following
- in <filename>/etc/mail/mailer.conf</filename>:</para>
+ <para>When <application>Sendmail</application> is operating
+ as installed,
+ <filename>/etc/mail/mailer.conf</filename> will look like
+ this:</para>
<programlisting>sendmail /usr/libexec/sendmail/sendmail
send-mail /usr/libexec/sendmail/sendmail
@@ -817,21 +800,17 @@ newaliases /usr/libexec/sendmail/sendmail
hoststat /usr/libexec/sendmail/sendmail
purgestat /usr/libexec/sendmail/sendmail</programlisting>
- <para>This means that when any of these common commands
- (such as <filename>sendmail</filename> itself) are run,
- the system actually invokes a copy of mailwrapper named
- <filename>sendmail</filename>, which checks
- <filename>mailer.conf</filename> and executes
- <filename>/usr/libexec/sendmail/sendmail</filename>
- instead. This system makes it easy to change what binaries
- are actually executed when these default
- <filename>sendmail</filename> functions are invoked.</para>
+ <para>When any of the commands listed on the left are run,
+ the system actually executes the associated command shown on
+ the right instead. This system makes it easy to change what
+ binaries are executed when these default
+ <filename>Sendmail</filename> functions are invoked.</para>
- <para>Therefore if you wanted
+ <para>As an example, to run
<filename>/usr/local/supermailer/bin/sendmail-compat</filename>
- to be run instead of <application>sendmail</application>, you
- could change <filename>/etc/mail/mailer.conf</filename> to
- read:</para>
+ instead of <application>Sendmail</application>, specify the
+ paths to the installed applications in
+ <filename>/etc/mail/mailer.conf</filename>:</para>
<programlisting>sendmail /usr/local/supermailer/bin/sendmail-compat
send-mail /usr/local/supermailer/bin/sendmail-compat
@@ -845,14 +824,12 @@ purgestat /usr/local/supermailer/bin/purgestat-compat</programlisting>
<sect2>
<title>Finishing</title>
- <para>Once you have everything configured the way you want
- it, you should either kill the
- <application>sendmail</application> processes that you
- no longer need and start the processes belonging to your
- new software, or simply reboot. Rebooting will also
- give you the opportunity to ensure that you have correctly
- configured your system to start your new MTA automatically
- on boot.</para>
+ <para>Once everything is configured, either kill the
+ unneeded <application>sendmail</application> processes and
+ start the processes belonging to the new software, or
+ reboot. Rebooting provides the opportunity to ensure that
+ the system is correctly configured to start the new
+ <acronym>MTA</acronym> automatically on boot.</para>
</sect2>
</sect1>
@@ -873,37 +850,35 @@ purgestat /usr/local/supermailer/bin/purgestat-compat</programlisting>
</question>
<answer>
- <para>You will probably find that the host is actually
- in a different domain; for example, if you are in
- <hostid role="fqdn">foo.bar.edu</hostid> and you wish
- to reach a host called <hostid>mumble</hostid> in the
- <hostid role="domainname">bar.edu</hostid> domain,
- you will have to refer to it by the fully-qualified
- domain name, <hostid
+ <para>The host may actually be in a different domain.
+ For example, in order for a host in <hostid
+ role="fqdn">foo.bar.edu</hostid> to reach a host
+ called <hostid>mumble</hostid> in the <hostid
+ role="domainname">bar.edu</hostid> domain, refer to
+ it by the Fully-Qualified Domain Name
+ <acronym>FQDN</acronym>, <hostid
role="fqdn">mumble.bar.edu</hostid>, instead of just
<hostid>mumble</hostid>.</para>
<indexterm><primary>BIND</primary></indexterm>
- <para>Traditionally, this was allowed by BSD BIND
- resolvers. However the current version of
- <application>BIND</application> that ships with
- FreeBSD no longer provides default abbreviations
- for non-fully qualified domain names other than the
- domain you are in. So an unqualified host
+ <para>This is because the version of
+ <application>BIND</application> which ships with
+ &os; no longer provides default abbreviations
+ for non-FQDNs other than the local domain. An
+ unqualified host such as
<hostid>mumble</hostid> must either be found as
<hostid role="fqdn">mumble.foo.bar.edu</hostid>,
- or it will be searched for in the root
- domain.</para>
+ or it will be searched for in the root domain.</para>
- <para>This is different from the previous behavior,
- where the search continued across <hostid
+ <para>In older versions of
+ <application>BIND</application>,
+ the search continued across <hostid
role="domainname">mumble.bar.edu</hostid>, and
- <hostid role="domainname">mumble.edu</hostid>. Have
- a look at RFC 1535 for why this was considered bad
- practice, or even a security hole.</para>
+ <hostid role="domainname">mumble.edu</hostid>. RFC
+ 1535 details why this is considered bad practice or
+ even a security hole.</para>
- <para>As a good workaround, you can place the
- line:</para>
+ <para>As a good workaround, place the line:</para>
<programlisting>search foo.bar.edu bar.edu</programlisting>
@@ -911,7 +886,7 @@ purgestat /usr/local/supermailer/bin/purgestat-compat</programlisting>
<programlisting>domain foo.bar.edu</programlisting>
- <para>into your <filename>/etc/resolv.conf</filename>.
+ <para>into <filename>/etc/resolv.conf</filename>.
However, make sure that the search order does not go
beyond the <quote>boundary between local and public
administration</quote>, as RFC 1535 calls it.</para>
@@ -920,13 +895,15 @@ purgestat /usr/local/supermailer/bin/purgestat-compat</programlisting>
<qandaentry>
<question>
- <para><application>sendmail</application> says
- <errorname>mail loops back to myself</errorname></para>
+ <para><application>Sendmail</application> says
+ <errorname>mail loops back to myself</errorname>.</para>
</question>
<answer>
- <para>This is answered in the
- <application>sendmail</application> FAQ as follows:</para>
+ <para>This is answered in the <ulink
+ url="http://www.sendmail.org/faq/">Sendmail
+ FAQ</ulink> as follows. This FAQ is recommended reading
+ when <quote>tweaking</quote> the mail setup.</para>
<programlisting>I'm getting these error messages:
@@ -943,10 +920,6 @@ itself as domain.net. Add domain.net to /etc/mail/local-host-names
(if you are using FEATURE(use_cw_file)) or add <quote>Cw domain.net</quote>
to /etc/mail/sendmail.cf.</programlisting>
- <para>The <application>sendmail</application> FAQ can be
- found at <ulink url="http://www.sendmail.org/faq/"></ulink>
- and is recommended reading if you want to do any
- <quote>tweaking</quote> of your mail setup.</para>
</answer>
</qandaentry>
@@ -957,47 +930,44 @@ to /etc/mail/sendmail.cf.</programlisting>
</question>
<answer>
- <para>You want to connect a FreeBSD box on a LAN to the
- Internet. The FreeBSD box will be a mail gateway for the
- LAN. The PPP connection is non-dedicated.</para>
+ <para>Connect to a &os; mail gateway on the LAN. The PPP
+ connection is non-dedicated.</para>
- <indexterm><primary>UUCP</primary></indexterm>
<indexterm>
<primary>MX record</primary>
</indexterm>
- <para>There are at least two ways to do this. One way is
- to use UUCP.</para>
-
- <para>Another way is to get a full-time Internet server to
- provide secondary MX services for your domain. For example,
- if your company's domain is <hostid
- role="domainname">example.com</hostid> and your Internet
- service provider has set <hostid
- role="domainname">example.net</hostid> up to provide
- secondary MX services to your domain:</para>
+ <para>One way to do this is to get a full-time Internet server
+ to provide secondary <acronym>MX</acronym> services for the
+ domain. In this example, the domain is <hostid
+ role="domainname">example.com</hostid> and the ISP has
+ configured <hostid
+ role="domainname">example.net</hostid> to provide
+ secondary <acronym>MX</acronym> services to the
+ domain:</para>
<programlisting>example.com. MX 10 example.com.
MX 20 example.net.</programlisting>
- <para>Only one host should be specified as the final recipient
- (add <literal>Cw example.com</literal> in
+ <para>Only one host should be specified as the final
+ recipient. For <application>Sendmail</application>, add
+ <literal>Cw example.com</literal> in
<filename>/etc/mail/sendmail.cf</filename> on
- <hostid role="domainname">example.com</hostid>).</para>
+ <hostid role="domainname">example.com</hostid>.</para>
- <para>When the sending <command>sendmail</command> is trying
- to deliver the mail it will try to connect to you (<hostid
- role="domainname">example.com</hostid>) over the modem
- link. It will most likely time out because you are not
- online. The program <application>sendmail</application>
- will automatically deliver it to the secondary MX site,
- i.e., your Internet provider (<hostid
- role="domainname">example.net</hostid>). The secondary
- MX site will then periodically try to connect to
- your host and deliver the mail to the primary MX host
- (<hostid role="domainname">example.com</hostid>).</para>
+ <para>When the sending <acronym>MTA</acronym> attempts
+ to deliver mail, it will try to connect to the system,
+ <hostid role="domainname">example.com</hostid>, over the PPP
+ link. This will time out if the destination is offline.
+ The <acronym>MTA</acronym> will automatically deliver it to
+ the secondary <acronym>MX</acronym> site at the Internet
+ Service Provider (<acronym>ISP</acronym>), <hostid
+ role="domainname">example.net</hostid>. The secondary
+ <acronym>MX</acronym> site will periodically try to connect
+ to the primary <acronym>MX</acronym> host, <hostid
+ role="domainname">example.com</hostid>.</para>
- <para>You might want to use something like this as a login
+ <para>Use something like this as a login
script:</para>
<programlisting>#!/bin/sh
@@ -1005,17 +975,14 @@ to /etc/mail/sendmail.cf.</programlisting>
( sleep 60 ; /usr/sbin/sendmail -q ) &
/usr/sbin/ppp -direct pppmyisp</programlisting>
- <para>If you are going to create a separate login script for
- a user you could use <command>sendmail
- -qRexample.com</command> instead in the script above.
- This will force all mail in your queue for <hostid
+ <para>When creating a separate login script for users, instead
+ use <command>sendmail -qRexample.com</command> in the script
+ above. This will force all mail in the queue for <hostid
role="domainname">example.com</hostid> to be processed
immediately.</para>
- <para>A further refinement of the situation is as
- follows:</para>
-
- <para>Message stolen from the &a.isp;.</para>
+ <para>A further refinement of the situation can be seen from
+ this example from the &a.isp;:</para>
<programlisting>> we provide the secondary MX for a customer. The customer connects to
> our services several times a day automatically to get the mails to
@@ -1055,46 +1022,42 @@ the DNS for <quote>customer.com</quote>.</programlisting>
</question>
<answer>
- <para>In default FreeBSD installations,
- <application>sendmail</application> is configured to only
+ <para>In a default &os; installation,
+ <application>Sendmail</application> is configured to only
send mail from the host it is running on. For example,
- if a <acronym>POP</acronym> server is available, then
- users will be able to check mail from school, work, or
- other remote locations but they still will not be able
- to send outgoing emails from outside locations.
- Typically, a few moments after the attempt, an email will
- be sent from <application>MAILER-DAEMON</application>
- with a <errorname>5.7 Relaying Denied</errorname> error
- message.</para>
+ if a <acronym>POP</acronym> server is available, users
+ will be able to check mail from remote locations but they
+ will not be able to send outgoing emails from outside
+ locations. Typically, a few moments after the attempt, an
+ email will be sent from <literal>MAILER-DAEMON</literal>
+ with a <errorname>5.7 Relaying Denied</errorname>.</para>
- <para>There are several ways to get around this. The most
- straightforward solution is to put your ISP's address in
- a relay-domains file at
- <filename>/etc/mail/relay-domains</filename>. A quick way
- to do this would be:</para>
+ <para>The most straightforward solution is to add the ISP's
+ FQDN to <filename>/etc/mail/relay-domains</filename>, as
+ seen in this example:</para>
<screen>&prompt.root; <userinput>echo "your.isp.example.com" > /etc/mail/relay-domains</userinput></screen>
- <para>After creating or editing this file you must restart
- <application>sendmail</application>. This works great if
- you are a server administrator and do not wish to send
- mail locally, or would like to use a point and click
- client/system on another machine or even another ISP. It
- is also very useful if you only have one or two email
- accounts set up. If there are a large number of addresses
- to add, open this file in your favorite
- text editor and then add the domains, one per line:</para>
+ <para>After creating or editing this file, restart
+ <application>Sendmail</application>. This works great if
+ the server administrator does not wish to send mail
+ locally, would like to use a <acronym>MUA</acronym> on a
+ remote machine, or would like to use another
+ <acronym>ISP</acronym> for remote connections. It is also
+ useful when there is only one or two email accounts. If
+ there are a large number of addresses, add them one per
+ line:</para>
<programlisting>your.isp.example.com
other.isp.example.net
users-isp.example.org
www.example.org</programlisting>
- <para>Now any mail sent through your system, by any host in
- this list (provided the user has an account on your
- system), will succeed. This is a very nice way to allow
- users to send mail from your system remotely without
- allowing people to send SPAM through your system.</para>
+ <para>Now any mail sent through the system by any host in
+ this list, provided the user has an account on the system,
+ will succeed. This allows users to send mail from the
+ system remotely without opening the system up to relaying
+ SPAM from the Internet.</para>
</answer>
</qandaentry>
@@ -1104,9 +1067,8 @@ www.example.org</programlisting>
<sect1 id="mail-advanced">
<title>Advanced Topics</title>
- <para>The following section covers more involved topics such as
- mail configuration and setting up mail for your entire
- domain.</para>
+ <para>This section covers more involved topics such as mail
+ configuration and setting up mail for an entire domain.</para>
<sect2 id="mail-config">
<title>Basic Configuration</title>
@@ -1116,53 +1078,49 @@ www.example.org</programlisting>
<secondary>configuration</secondary>
</indexterm>
- <para>Out of the box, you should be able to send email to
- external hosts as long as you have set up
- <filename>/etc/resolv.conf</filename> or are running your own
- name server. If you would like to have mail for your host
- delivered to the MTA (e.g.,
- <application>sendmail</application>) on your own FreeBSD host,
- there are two methods:</para>
+ <para>Out of the box, one can send email to external hosts as
+ long as <filename>/etc/resolv.conf</filename> is configured or
+ the network has access to a configured
+ <acronym>DNS</acronym> server. If order to have mail
+ delivered to the <acronym>MTA</acronym> on the &os; host,
+ do one of the following:</para>
<itemizedlist>
<listitem>
- <para>Run your own name server and have your own domain.
- For example, <hostid
- role="domainname">FreeBSD.org</hostid></para>
+ <para>Run a <acronym>DNS</acronym> server for the
+ domain.</para>
</listitem>
<listitem>
- <para>Get mail delivered directly to your host. This is
- done by delivering mail directly to the current DNS name
- for your machine. For example, <hostid
- role="fqdn">example.FreeBSD.org</hostid>.</para>
+ <para>Get mail delivered directly to to the
+ <acronym>FQDN</acronym> for the machine.</para>
</listitem>
</itemizedlist>
<indexterm><primary>SMTP</primary></indexterm>
- <para>Regardless of which of the above you choose, in order
- to have mail delivered directly to your host, it must have
- a permanent static IP address (not a dynamic address, as with
- most PPP dial-up configurations). If you are behind a
- firewall, it must pass SMTP traffic on to you. If you want
- to receive mail directly at your host, you need to be sure
- of either of two things:</para>
+ <para>In order to have mail delivered directly to a host, it
+ must have a permanent static IP address, not a dynamic IP
+ address. If the system is behind a firewall, it must be
+ configured to allow SMTP traffic. To receive mail directly at
+ a host, one of these two must be configured:</para>
<itemizedlist>
<indexterm><primary>MX record</primary></indexterm>
<listitem>
- <para>Make sure that the (lowest-numbered) MX record in
- your DNS points to your host's IP address.</para>
+ <para>Make sure that the lowest-numbered
+ <acronym>MX</acronym> record in
+ <acronym>DNS</acronym> points to the host's static IP
+ address.</para>
</listitem>
<listitem>
- <para>Make sure there is no MX entry in your DNS for your
- host.</para>
+ <para>Make sure there is no <acronym>MX</acronym> entry in
+ the <acronym>DNS</acronym> for the host.</para>
</listitem>
</itemizedlist>
- <para>Either of the above will allow you to receive mail
- directly at your host.</para>
+ <para>Either of the above will allow mail to be received
+ directly at the host.</para>
<para>Try this:</para>
@@ -1171,30 +1129,31 @@ example.FreeBSD.org
&prompt.root; <userinput>host example.FreeBSD.org</userinput>
example.FreeBSD.org has address 204.216.27.XX</screen>
- <para>If that is what you see, mail directly to
- <email role="nolink">yourlogin@example.FreeBSD.org</email>
- should work without problems (assuming
- <application>sendmail</application> is running correctly on
- <hostid role="fqdn">example.FreeBSD.org</hostid>).</para>
+ <para>In this example, mail sent directly to <email
+ role="nolink">yourlogin@example.FreeBSD.org</email>
+ should work without problems, assuming
+ <application>Sendmail</application> is running correctly on
+ <hostid role="fqdn">example.FreeBSD.org</hostid>.</para>
- <para>If instead you see something like this:</para>
+ <para>For this example:</para>
<screen>&prompt.root; <userinput>host example.FreeBSD.org</userinput>
example.FreeBSD.org has address 204.216.27.XX
example.FreeBSD.org mail is handled (pri=10) by hub.FreeBSD.org</screen>
- <para>All mail sent to your host (<hostid
- role="fqdn">example.FreeBSD.org</hostid>) will end up being
+ <para>All mail sent to <hostid
+ role="fqdn">example.FreeBSD.org</hostid> will be
collected on <hostid>hub</hostid> under the same username
instead of being sent directly to your host.</para>
- <para>The above information is handled by your DNS server.
- The DNS record that carries mail routing information is the
- <emphasis>M</emphasis>ail e<emphasis>X</emphasis>change entry.
- If no MX record exists, mail will be delivered directly to
- the host by way of its IP address.</para>
+ <para>The above information is handled by the
+ <acronym>DNS</acronym> server. The <acronym>DNS</acronym>
+ record that carries mail routing information is the
+ <acronym>MX</acronym> entry. If no <acronym>MX</acronym>
+ record exists, mail will be delivered directly to the host by
+ way of its IP address.</para>
- <para>The MX entry for <hostid
+ <para>The <acronym>MX</acronym> entry for <hostid
role="fqdn">freefall.FreeBSD.org</hostid> at one time looked
like this:</para>
@@ -1203,94 +1162,88 @@ freefall MX 40 agora.rdrop.com
freefall MX 10 freefall.FreeBSD.org
freefall MX 20 who.cdrom.com</programlisting>
- <para>As you can see, <hostid>freefall</hostid> had many MX
- entries. The lowest MX number is the host that receives mail
- directly if available; if it is not accessible for some
- reason, the others (sometimes called <quote>backup
- MXes</quote>) accept messages temporarily, and pass it
- along when a lower-numbered host becomes available,
- eventually to the lowest-numbered host.</para>
+ <para><hostid>freefall</hostid> had many <acronym>MX</acronym>
+ entries. The lowest <acronym>MX</acronym> number is the host
+ that receives mail directly, if available. If it is not
+ accessible for some reason, the next lower-numbered host will
+ accept messages temporarily, and pass it along when a
+ lower-numbered host becomes available.</para>
- <para>Alternate MX sites should have separate Internet
- connections from your own in order to be most useful. Your
- ISP or another friendly site should have no problem providing
- this service for you.</para>
+ <para>Alternate <acronym>MX</acronym> sites should have separate
+ Internet connections in order to be most useful. Your
+ <acronym>ISP</acronym> can provide this service.</para>
</sect2>
<sect2 id="mail-domain">
- <title>Mail for Your Domain</title>
+ <title>Mail for a Domain</title>
- <para>In order to set up a <quote>mailhost</quote> (aka mail
- server) you need to have any mail sent to various workstations
- directed to it. Basically, you want to <quote>claim</quote>
- any mail for any hostname in your domain (in this case <hostid
- role="fqdn">*.FreeBSD.org</hostid>) and divert it to your
- mail server so your users can receive their mail on the master
- mail server.</para>
+ <para>When configuring a <acronym>MTA</acronym> for a network,
+ any mail sent to hosts in its domain should be diverted to the
+ <acronym>MTA</acronym> so that users can receive their mail on
+ the master mail server.</para>
<indexterm><primary>DNS</primary></indexterm>
<para>To make life easiest, a user account with the same
- <emphasis>username</emphasis> should exist on both machines.
- Use &man.adduser.8; to do this.</para>
+ <emphasis>username</emphasis> should exist on both the
+ <acronym>MTA</acronym> and the system with the
+ <acronym>MUA</acronym>. Use &man.adduser.8; to create the
+ user accounts.</para>
- <para>The mailhost you will be using must be the designated mail
+ <para>The <acronym>MTA</acronym> must be the designated mail
exchanger for each workstation on the network. This is done
- in your DNS configuration like so:</para>
+ in the<acronym>DNS</acronym> configuration with an
+ <acronym>MX</acronym> record:</para>
<programlisting>example.FreeBSD.org A 204.216.27.XX ; Workstation
MX 10 hub.FreeBSD.org ; Mailhost</programlisting>
<para>This will redirect mail for the workstation to the
- mailhost no matter where the A record points. The mail is
- sent to the MX host.</para>
+ <acronym>MTA</acronym> no matter where the A record points.
+ The mail is sent to the <acronym>MX</acronym> host.</para>
- <para>You cannot do this yourself unless you are running a DNS
- server. If you are not, or cannot run your own DNS server,
- talk to your ISP or whoever provides your DNS.</para>
+ <para>This must be configured on a <acronym>DNS</acronym>
+ server. If the network does not run its own
+ <acronym>DNS</acronym> server, talk to the
+ <acronym>ISP</acronym> or <acronym>DNS</acronym>
+ provider.</para>
- <para>If you are doing virtual email hosting, the following
- information will come in handy. For this example, we
- will assume you have a customer with his own domain, in this
- case <hostid role="domainname">customer1.org</hostid>, and
- you want all the mail for <hostid
- role="domainname">customer1.org</hostid> sent to your
- mailhost, <hostid role="fqdn">mail.myhost.com</hostid>. The
- entry in your DNS should look like this:</para>
+ <para>The following is an example of virtual email hosting.
+ Consider a customer with the domain <hostid
+ role="domainname">customer1.org</hostid>, where all the mail
+ for <hostid role="domainname">customer1.org</hostid> should be
+ sent to <hostid role="fqdn">mail.myhost.com</hostid>. The
+ <acronym>DNS</acronym> entry should look like this:</para>
<programlisting>customer1.org MX 10 mail.myhost.com</programlisting>
- <para>You do <emphasis>not</emphasis> need an A record for
- <hostid role="domainname">customer1.org</hostid> if you only
- want to handle email for that domain.</para>
+ <para>An <literal>A</literal>> record is
+ <emphasis>not</emphasis> needed for <hostid
+ role="domainname">customer1.org</hostid> in order to only
+ handle email for that domain. However, running
+ <command>ping</command> against <hostid
+ role="domainname">customer1.org</hostid> will not work
+ unless an <literal>A</literal> record exists for it.</para>
- <note>
- <para>Be aware that pinging <hostid
- role="domainname">customer1.org</hostid> will not work
- unless an A record exists for it.</para>
- </note>
-
- <para>The last thing that you must do is tell
- <application>sendmail</application> on your mailhost what
- domains and/or hostnames it should be accepting mail for.
- There are a few different ways this can be done. Either of
- the following will work:</para>
+ <para>Tell the <acronym>MTA</acronym> which domains and/or
+ hostnames it should accept mail for. Either of the following
+ will work for <application>Sendmail</application>:</para>
<itemizedlist>
<listitem>
- <para>Add the hosts to your
- <filename>/etc/mail/local-host-names</filename> file if
- you are using the <literal>FEATURE(use_cw_file)</literal>.
- If you are using a version of
- <application>sendmail</application> earlier than 8.10,
- the file is <filename>/etc/sendmail.cw</filename>.</para>
+ <para>Add the hosts to
+ <filename>/etc/mail/local-host-names</filename> when
+ using the <literal>FEATURE(use_cw_file)</literal>.
+ For versions of
+ <application>Sendmail</application> earlier than 8.10,
+ edit <filename>/etc/sendmail.cw</filename> instead.</para>
</listitem>
<listitem>
- <para>Add a <literal>Cwyour.host.com</literal> line to your
- <filename>/etc/sendmail.cf</filename> or
- <filename>/etc/mail/sendmail.cf</filename> if you are
- using <application>sendmail</application> 8.10 or
- higher.</para>
+ <para>Add a <literal>Cwyour.host.com</literal> line to
+ <filename>/etc/sendmail.cf</filename>. For
+ <application>Sendmail</application> 8.10 or higher, add
+ that line to
+ <filename>/etc/mail/sendmail.cf</filename>.</para>
</listitem>
</itemizedlist>
</sect2>
@@ -1309,14 +1262,14 @@ freefall MX 20 who.cdrom.com</programlisting>
<title>Setting Up to Send Only</title>
- <para>There are many instances where you may only want to send
+ <para>There are many instances where one may only want to send
mail through a relay. Some examples are:</para>
<itemizedlist>
<listitem>
- <para>Your computer is a desktop machine, but you want
- to use programs such as &man.send-pr.1;. To do so, you
- should use your ISP's mail relay.</para>
+ <para>The computer is a desktop machine that needs to use
+ programs such as &man.send-pr.1;, using the
+ <acronym>ISP</acronym>'s mail relay.</para>
</listitem>
<listitem>
@@ -1326,28 +1279,24 @@ freefall MX 20 who.cdrom.com</programlisting>
</listitem>
</itemizedlist>
- <para>Just about any <acronym>MTA</acronym> is capable of filling
- this particular niche. Unfortunately, it can be very difficult
- to properly configure a full-featured <acronym>MTA</acronym>
- just to handle offloading mail. Programs such as
- <application>sendmail</application> and
- <application>postfix</application> are largely overkill for
- this use.</para>
+ <para>While any <acronym>MTA</acronym> is capable of filling
+ this particular niche, it can be difficult to properly configure
+ a full-featured <acronym>MTA</acronym> just to handle offloading
+ mail. Programs such as <application>Sendmail</application> and
+ <application>Postfix</application> are overkill for this
+ use.</para>
- <para>Additionally, if you are using a typical Internet access
- service, your agreement may forbid you from running a
- <quote>mail server</quote>.</para>
+ <para>Additionally, a typical Internet access service agreement
+ may forbid one from running a <quote>mail server</quote>.</para>
<para>The easiest way to fulfill those needs is to install the
- <filename role="package">mail/ssmtp</filename> port. Execute
- the following commands as <username>root</username>:</para>
+ <filename role="package">mail/ssmtp</filename> port:</para>
<screen>&prompt.root; <userinput>cd /usr/ports/mail/ssmtp</userinput>
&prompt.root; <userinput>make install replace clean</userinput></screen>
- <para>Once installed,
- <filename role="package">mail/ssmtp</filename> can be configured
- with a four-line file located at
+ <para>Once installed, <filename
+ role="package">mail/ssmtp</filename> can be configured with
<filename>/usr/local/etc/ssmtp/ssmtp.conf</filename>:</para>
<programlisting>root=yourrealemail@example.com
@@ -1355,77 +1304,76 @@ mailhub=mail.example.com
rewriteDomain=example.com
hostname=_HOSTNAME_</programlisting>
- <para>Make sure you use your real email address for
- <username>root</username>. Enter your ISP's outgoing mail relay
- in place of <hostid role="fqdn">mail.example.com</hostid>
- (some ISPs call this the <quote>outgoing mail server</quote>
- or <quote>SMTP server</quote>).</para>
+ <para>Use the real email address for <username>root</username>.
+ Enter the <acronym>ISP</acronym>'s outgoing mail relay in place
+ of <hostid role="fqdn">mail.example.com</hostid>. Some
+ <acronym>ISP</acronym>s call this the <quote>outgoing mail
+ server</quote> or <quote>SMTP server</quote>).</para>
- <para>Make sure you disable <application>sendmail</application>,
- including the outgoing mail service. See
- <xref linkend="mail-disable-sendmail"/> for details.</para>
+ <para>Make sure to disable
+ <application>Sendmail</application>, including the outgoing mail
+ service. See <xref linkend="mail-disable-sendmail"/> for
+ details.</para>
<para><filename role="package">mail/ssmtp</filename> has some
- other options available. See the example configuration file
- in <filename>/usr/local/etc/ssmtp</filename> or the manual page
- of <application>ssmtp</application> for some examples and more
- information.</para>
+ other options available. Refer to the examples in
+ <filename>/usr/local/etc/ssmtp</filename> or the manual page
+ of <application>ssmtp</application> for more information.</para>
<para>Setting up <application>ssmtp</application> in this manner
- will allow any software on your computer that needs to send
- mail to function properly, while not violating your ISP's usage
- policy or allowing your computer to be hijacked for
- spamming.</para>
+ allows any software on the computer that needs to send mail to
+ function properly, while not violating the
+ <acronym>ISP</acronym>'s usage policy or allowing the computer
+ to be hijacked for spamming.</para>
</sect1>
<sect1 id="SMTP-dialup">
<title>Using Mail with a Dialup Connection</title>
- <para>If you have a static IP address, you should not need to
- adjust anything from the defaults. Set your host name to your
- assigned Internet name and <application>sendmail</application>
+ <para>When using a static IP address, one should not need to
+ adjust the default configuration. Set the hostname to the
+ assigned Internet name and <application>Sendmail</application>
will do the rest.</para>
- <para>If you have a dynamically assigned IP number and use a
- dialup PPP connection to the Internet, you will probably have
- a mailbox on your ISPs mail server. Let's assume your ISP's
- domain is <hostid role="domainname">example.net</hostid>, and
- that your user name is <username>user</username>, you have
- called your machine <hostid role="fqdn">bsd.home</hostid>, and
- your ISP has told you that you may use <hostid
+ <para>When using a dynamically assigned IP address and a dialup
+ PPP connection to the Internet, one usually has a mailbox on the
+ <acronym>ISP</acronym>'s mail server. In this example, the
+ <acronym>ISP</acronym>'s domain is <hostid
+ role="domainname">example.net</hostid>, the user name is
+ <username>user</username>, the hostname is <hostid
+ role="fqdn">bsd.home</hostid>, and the <acronym>ISP</acronym>
+ has allowed <hostid
role="fqdn">relay.example.net</hostid> as a mail relay.</para>
- <para>In order to retrieve mail from your mailbox, you must
- install a retrieval agent. The
- <application>fetchmail</application> utility is a good choice as
- it supports many different protocols. This program is available
- as a package or from the Ports Collection (<filename
- role="package">mail/fetchmail</filename>). Usually, your
+ <para>In order to retrieve mail from the <acronym>ISP</acronym>'s
+ mailbox, install a retrieval agent from the Ports Collection.
+ <filename role="package">mail/fetchmail</filename> is a good
+ choice as it supports many different protocols. Usually, the
<acronym>ISP</acronym> will provide <acronym>POP</acronym>.
- If you are using user <acronym>PPP</acronym>, you can
- automatically fetch your mail when an Internet connection is
- established with the following entry in
+ When using user <acronym>PPP</acronym>, email can be
+ automatically fetched when an Internet connection is established
+ with the following entry in
<filename>/etc/ppp/ppp.linkup</filename>:</para>
<programlisting>MYADDR:
!bg su user -c fetchmail</programlisting>
- <para>If you are using <application>sendmail</application> (as
- shown below) to deliver mail to non-local accounts, you probably
- want to have <application>sendmail</application> process your
- mailqueue as soon as your Internet connection is established.
- To do this, put this command after the
- <command>fetchmail</command> command in
+ <para>When using <application>Sendmail</application> to deliver
+ mail to non-local accounts, configure
+ <application>Sendmail</application> to process the mail queue as
+ soon as the Internet connection is established. To do this, add
+ this line after the above <command>fetchmail</command> entry in
<filename>/etc/ppp/ppp.linkup</filename>:</para>
<programlisting> !bg su user -c "sendmail -q"</programlisting>
- <para>Assume that you have an account for
+ <para>In this example, there is an account for
<username>user</username> on <hostid
- role="fqdn">bsd.home</hostid>. In the home directory of
+ role="fqdn">bsd.home</hostid>. In the home directory of
<username>user</username> on <hostid
- role="fqdn">bsd.home</hostid>, create a
- <filename>.fetchmailrc</filename> file:</para>
+ role="fqdn">bsd.home</hostid>, create a
+ <filename>.fetchmailrc</filename> which contains this
+ line:</para>
<programlisting>poll example.net protocol pop3 fetchall pass MySecret</programlisting>
@@ -1434,11 +1382,10 @@ hostname=_HOSTNAME_</programlisting>
<literal>MySecret</literal>.</para>
<para>In order to send mail with the correct
- <literal>from:</literal> header, you must tell
- <application>sendmail</application> to use
- <email>user@example.net</email> rather than
- <email role="nolink">user@bsd.home</email>. You may also wish
- to tell <application>sendmail</application> to send all mail
+ <literal>from:</literal> header, configure
+ <application>Sendmail</application> to use
+ <email>user@example.net</email> rather than <email
+ role="nolink">user@bsd.home</email> and to send all mail
via <hostid role="fqdn">relay.example.net</hostid>, allowing
quicker mail transmission.</para>
@@ -1462,10 +1409,10 @@ Dmbsd.home
define(`confDOMAIN_NAME',`bsd.home')dnl
define(`confDELIVERY_MODE',`deferred')dnl</programlisting>
- <para>Refer to the previous section for details of how to turn
- this <filename>.mc</filename> file into a
- <filename>sendmail.cf</filename> file. Also, do not forget to
- restart <application>sendmail</application> after updating
+ <para>Refer to the previous section for details of how to convert
+ this file into the
+ <filename>sendmail.cf</filename> format. Do not forget to
+ restart <application>Sendmail</application> after updating
<filename>sendmail.cf</filename>.</para>
</sect1>
@@ -1482,33 +1429,31 @@ define(`confDELIVERY_MODE',`deferred')dnl</programlisting>
<title>SMTP Authentication</title>
- <para>Having <acronym>SMTP</acronym> Authentication in place on
- your mail server has a number of benefits.
- <acronym>SMTP</acronym> Authentication can add another layer
- of security to <application>sendmail</application>, and has
- the benefit of giving mobile users who switch hosts the ability
- to use the same mail server without the need to reconfigure
- their mail client settings each time.</para>
+ <para>Configuring <acronym>SMTP</acronym> authentication on the
+ <acronym>MTA</acronym> provides a number of benefits.
+ <acronym>SMTP</acronym> authentication adds a layer
+ of security to <application>Sendmail</application>, and provides
+ mobile users who switch hosts the ability to use the same
+ <acronym>MTA</acronym> without the need to reconfigure their
+ mail client's settings each time.</para>
<procedure>
<step>
<para>Install <filename
role="package">security/cyrus-sasl2</filename>
- from the ports. You can find this port in
- <filename role="package">security/cyrus-sasl2</filename>.
- The <filename role="package">security/cyrus-sasl2</filename>
- port supports a number of compile-time options. For the
- SMTP Authentication method we will be using here, make sure
- that the <option>LOGIN</option> option is not
- disabled.</para>
+ from the Ports Collection. This port supports a number of
+ compile-time options. For the SMTP authentication method
+ demonstrated in this example, make sure that
+ <option>LOGIN</option> is not disabled.</para>
</step>
<step>
<para>After installing <filename
role="package">security/cyrus-sasl2</filename>,
- edit <filename>/usr/local/lib/sasl2/Sendmail.conf</filename>
- (or create it if it does not exist) and add the following
+ edit
+ <filename>/usr/local/lib/sasl2/Sendmail.conf</filename>,
+ or create it if it does not exist, and add the following
line:</para>
<programlisting>pwcheck_method: saslauthd</programlisting>
@@ -1516,19 +1461,19 @@ define(`confDELIVERY_MODE',`deferred')dnl</programlisting>
<step>
<para>Next, install <filename
- role="package">security/cyrus-sasl2-saslauthd</filename>,
- edit <filename>/etc/rc.conf</filename> to add the following
- line:</para>
+ role="package">security/cyrus-sasl2-saslauthd</filename>
+ and add the following line to
+ <filename>/etc/rc.conf</filename>:</para>
<programlisting>saslauthd_enable="YES"</programlisting>
- <para>and finally start the saslauthd daemon:</para>
+ <para>Finally, start the saslauthd daemon:</para>
<screen>&prompt.root; <userinput>service saslauthd start</userinput></screen>
<para>This daemon serves as a broker for
<application>sendmail</application> to authenticate against
- your FreeBSD <filename>passwd</filename> database. This
+ the &os; &man.passwd.5; database. This
saves the trouble of creating a new set of usernames and
passwords for each user that needs to use
<acronym>SMTP</acronym> authentication, and keeps the login
@@ -1536,25 +1481,25 @@ define(`confDELIVERY_MODE',`deferred')dnl</programlisting>
</step>
<step>
- <para>Now edit <filename>/etc/make.conf</filename> and add
+ <para>Next, edit <filename>/etc/make.conf</filename> and add
the following lines:</para>
<programlisting>SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2</programlisting>
- <para>These lines will give
- <application>sendmail</application> the proper configuration
+ <para>These lines provide
+ <application>Sendmail</application> the proper configuration
options for linking to <filename
role="package">cyrus-sasl2</filename> at compile time.
Make sure that <filename
role="package">cyrus-sasl2</filename> has been installed
before recompiling
- <application>sendmail</application>.</para>
+ <application>Sendmail</application>.</para>
</step>
<step>
- <para>Recompile <application>sendmail</application> by
+ <para>Recompile <application>Sendmail</application> by
executing the following commands:</para>
<screen>&prompt.root; <userinput>cd /usr/src/lib/libsmutil</userinput>
@@ -1564,58 +1509,55 @@ SENDMAIL_LDADD=-lsasl2</programlisting>
&prompt.root; <userinput>cd /usr/src/usr.sbin/sendmail</userinput>
&prompt.root; <userinput>make cleandir && make obj && make && make install</userinput></screen>
- <para>The compile of <application>sendmail</application>
- should not have any problems if
- <filename>/usr/src</filename> has not been changed
- extensively and the shared libraries it needs are
+ <para>This compile should not have any problems if
+ <filename class="directory">/usr/src</filename> has not
+ changed extensively and the shared libraries it needs are
available.</para>
</step>
<step>
- <para>After <application>sendmail</application> has been
- compiled and reinstalled, edit your
- <filename>/etc/mail/freebsd.mc</filename> file (or whichever
- file you use as your <filename>.mc</filename> file. Many
- administrators choose to use the output from
- &man.hostname.1; as the <filename>.mc</filename> file for
- uniqueness). Add these lines to it:</para>
+ <para>After <application>Sendmail</application> has been
+ compiled and reinstalled, edit
+ <filename>/etc/mail/freebsd.mc</filename> or the local
+ <filename>.mc</filename> file. Many administrators choose
+ to use the output from &man.hostname.1; as the name of the
+ <filename>.mc</filename> file for uniqueness. Add these
+ lines:</para>
<programlisting>dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl</programlisting>
<para>These options configure the different methods available
- to <application>sendmail</application> for authenticating
- users. If you would like to use a method other than
- <application>pwcheck</application>, please see the
- included documentation.</para>
+ to <application>Sendmail</application> for authenticating
+ users. To use a method other than
+ <application>pwcheck</application>, refer to the
+ <application>Sendmail</application> documentation.</para>
</step>
<step>
- <para>Finally, run &man.make.1; while in
- <filename>/etc/mail</filename>. That will run your new
- <filename>.mc</filename> file and create a
- <filename>.cf</filename> file named
- <filename>freebsd.cf</filename> (or whatever name you have
- used for your <filename>.mc</filename> file). Then use
- the command <command>make install restart</command>, which
- will copy the file to <filename>sendmail.cf</filename>,
- and will properly restart
- <application>sendmail</application>. For more information
- about this process, you should refer to
+ <para>Finally, run &man.make.1; while in <filename
+ class="directory">/etc/mail</filename>. That will run the
+ new <filename>.mc</filename> and create a
+ <filename>.cf</filename> named either
+ <filename>freebsd.cf</filename> or the name used for the
+ local <filename>.mc</filename>. Then, run <command>make
+ install restart</command>, which will copy the file to
+ <filename>sendmail.cf</filename>, and properly restart
+ <application>Sendmail</application>. For more information
+ about this process, refer to
<filename>/etc/mail/Makefile</filename>.</para>
</step>
</procedure>
- <para>If all has gone correctly, you should be able to enter your
- login information into the mail client and send a test message.
- For further investigation, set the <option>LogLevel</option>
- of <application>sendmail</application> to 13 and watch
+ <para>To test the configuration, use a <acronym>MUA</acronym> to
+ send a test message. For further investigation, set the
+ <option>LogLevel</option> of <application>Sendmail</application>
+ to <literal>13</literal> and watch
<filename>/var/log/maillog</filename> for any errors.</para>
- <para>For more information, please see the
- <application>sendmail</application> page regarding
- <ulink url="http://www.sendmail.org/~ca/email/auth.html">
+ <para>For more information, refer to <ulink
+ url="http://www.sendmail.org/~ca/email/auth.html">
<acronym>SMTP</acronym> authentication</ulink>.</para>
</sect1>
@@ -1635,50 +1577,45 @@ define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl</programlis
<primary>Mail User Agents</primary>
</indexterm>
- <para>A Mail User Agent (<acronym>MUA</acronym>) is an application
- that is used to send and receive email. Furthermore, as email
- <quote>evolves</quote> and becomes more complex,
- <acronym>MUA</acronym>'s are becoming increasingly powerful
- in the way they interact with email; this gives users increased
- functionality and flexibility. &os; contains support for
- numerous mail user agents, all of which can be easily installed
- using the <link linkend="ports">FreeBSD Ports Collection</link>.
- Users may choose between graphical email clients such as
- <application>evolution</application> or
- <application>balsa</application>, console based clients such
- as <application>mutt</application>,
- <application>alpine</application> or <command>mail</command>,
- or the web interfaces used by some large organizations.</para>
+ <para>A <acronym>MUA</acronym> is an application that is used to
+ send and receive email. As email <quote>evolves</quote> and
+ becomes more complex, <acronym>MUA</acronym>s are becoming
+ increasingly powerful and provide users increased functionality
+ and flexibility. The <literal>mail</literal> category of the
+ &os; Ports Collection contains numerous <acronym>MUA</acronym>s.
+ These include graphical email clients such as
+ <application>Evolution</application> or
+ <application>Balsa</application> and console based clients such
+ as <application>mutt</application> or
+ <application>alpine</application>.</para>
<sect2 id="mail-command">
- <title>mail</title>
+ <title><command>mail</command></title>
- <para>&man.mail.1; is the default Mail User Agent
- (<acronym>MUA</acronym>) in &os;. It is a
- console based <acronym>MUA</acronym> that offers all the basic
- functionality required to send and receive text-based email,
- though it is limited in interaction abilities with attachments
- and can only support local mailboxes.</para>
+ <para>&man.mail.1; is the default
+ <acronym>MUA</acronym> installed with &os;. It is a console
+ based <acronym>MUA</acronym> that offers the basic
+ functionality required to send and receive text-based email.
+ It provides limited attachment support and can only access
+ local mailboxes.</para>
<para>Although <command>mail</command> does not natively support
interaction with <acronym>POP</acronym> or
<acronym>IMAP</acronym> servers, these mailboxes may be
- downloaded to a local <filename>mbox</filename> file using an
- application such as <application>fetchmail</application>,
- which will be discussed later in this chapter (<xref
- linkend="mail-fetchmail"/>).</para>
+ downloaded to a local <filename>mbox</filename> using an
+ application such as
+ <application>fetchmail</application>.</para>
<para>In order to send and receive email, run
<command>mail</command>:</para>
<screen>&prompt.user; <userinput>mail</userinput></screen>
- <para>The contents of the user mailbox in
- <filename class="directory">/var/mail</filename> are
- automatically read by the <command>mail</command> utility.
- Should the mailbox be empty, the utility exits with a
- message indicating that no mails could be found. Once the
- mailbox has been read, the application interface is started,
+ <para>The contents of the user's mailbox in <filename
+ class="directory">/var/mail</filename> are automatically
+ read by <command>mail</command>. Should the mailbox be empty,
+ the utility exits with a message indicating that no mail could
+ be found. If mail exists, the application interface starts,
and a list of messages will be displayed. Messages are
automatically numbered, as can be seen in the following
example:</para>
@@ -1689,10 +1626,9 @@ define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl</programlis
N 2 root@localhost Mon Mar 8 14:05 14/509 "user account"
N 3 root@localhost Mon Mar 8 14:05 14/509 "sample"</screen>
- <para>Messages can now be read by using the <keycap>t</keycap>
- <command>mail</command> command, suffixed by the message
- number that should be displayed. In this example, we will
- read the first email:</para>
+ <para>Messages can now be read by typing <keycap>t</keycap>
+ followed by the message number. This example reads the first
+ email:</para>
<screen>& <userinput>t 1</userinput>
Message 1:
@@ -1706,23 +1642,20 @@ From: root@localhost (Charlie Root)
This is a test message, please reply if you receive it.</screen>
- <para>As can be seen in the example above, the
- <keycap>t</keycap> key will cause the message to be displayed
+ <para>As seen in this example, the message will be displayed
with full headers. To display the list of messages again,
- the <keycap>h</keycap> key should be used.</para>
+ press <keycap>h</keycap>.</para>
- <para>If the email requires a response, you may use
- <command>mail</command> to reply, by using either the
+ <para>If the email requires a reply, press either
<keycap>R</keycap> or <keycap>r</keycap>
- <command>mail</command> keys. The <keycap>R</keycap> key
- instructs <command>mail</command> to reply only to the sender
- of the email, while <keycap>r</keycap> replies not only to
- the sender, but also to other recipients of the message.
- You may also suffix these commands with the mail number which
- you would like make a reply to. Once this has been done, the
- response should be entered, and the end of the message should
- be marked by a single <keycap>.</keycap> on a new line. An
- example can be seen below:</para>
+ <command>mail</command> keys. <keycap>R</keycap> instructs
+ <command>mail</command> to reply only to the sender of the
+ email, while <keycap>r</keycap> replies to all other
+ recipients of the message. These commands can be suffixed
+ with the mail number of the message to reply to. After typing
+ the response, the end of the message should be marked by a
+ single <keycap>.</keycap> on its own line. An example can be
+ seen below:</para>
<screen>& <userinput>R 1</userinput>
To: root@localhost
@@ -1732,13 +1665,13 @@ Subject: Re: test
.</userinput>
EOT</screen>
- <para>In order to send new email, the <keycap>m</keycap>
- key should be used, followed by the recipient email address.
- Multiple recipients may also be specified by separating each
- address with the <keycap>,</keycap> delimiter. The subject
- of the message may then be entered, followed by the message
- contents. The end of the message should be specified by
- putting a single <keycap>.</keycap> on a new line.</para>
+ <para>In order to send a new email, press <keycap>m</keycap>,
+ followed by the recipient email address. Multiple recipients
+ may be specified by separating each address with the
+ <keycap>,</keycap> delimiter. The subject of the message may
+ then be entered, followed by the message contents. The end of
+ the message should be specified by putting a single
+ <keycap>.</keycap> on its own line.</para>
<screen>& <userinput>mail root@localhost</userinput>
Subject: <userinput>I mastered mail
@@ -1747,46 +1680,43 @@ Now I can send and receive email using mail ... :)
.</userinput>
EOT</screen>
- <para>While inside the <command>mail</command> utility, the
- <keycap>?</keycap> command may be used to display help at any
- time, the &man.mail.1; manual page should also be consulted
- for more help with <command>mail</command>.</para>
+ <para>While using <command>mail</command>, press
+ <keycap>?</keycap> to display help at any time. Refer to
+ &man.mail.1; for more help on how to use
+ <command>mail</command>.</para>
<note>
- <para>As previously mentioned, the &man.mail.1; command was
- not originally designed to handle attachments, and thus
- deals with them very poorly. Newer <acronym>MUA</acronym>s
- such as <application>mutt</application> handle attachments
- in a much more intelligent way. But should you still wish
- to use the <command>mail</command> command, the <filename
- role="package">converters/mpack</filename> port may be of
+ <para>&man.mail.1; was not designed to handle attachments and
+ thus deals with them poorly. Newer <acronym>MUA</acronym>s
+ handle attachments in a more intelligent way. Users who
+ prefer to use <command>mail</command> may find the <filename
+ role="package">converters/mpack</filename> port to be of
considerable use.</para>
</note>
</sect2>
<sect2 id="mutt-command">
- <title>mutt</title>
+ <title><application>mutt</application></title>
- <para><application>mutt</application> is a small yet very
- powerful Mail User Agent, with excellent features, just some
- of which include:</para>
+ <para><application>mutt</application> is a powerful
+ <acronym>MUA</acronym>, with many features, including:</para>
<itemizedlist>
<listitem>
- <para>The ability to thread messages;</para>
+ <para>The ability to thread messages.</para>
</listitem>
<listitem>
<para>PGP support for digital signing and encryption of
- email;</para>
+ email.</para>
</listitem>
<listitem>
- <para>MIME Support;</para>
+ <para>MIME support.</para>
</listitem>
<listitem>
- <para>Maildir Support;</para>
+ <para>Maildir support.</para>
</listitem>
<listitem>
@@ -1794,10 +1724,8 @@ EOT</screen>
</listitem>
</itemizedlist>
- <para>All of these features help to make
- <application>mutt</application> one of the most advanced mail
- user agents available. See <ulink
- url="http://www.mutt.org"></ulink> for more
+ <para>Refer to <ulink
+ url="http://www.mutt.org"></ulink> for more
information on <application>mutt</application>.</para>
<para><application>mutt</application>
@@ -1809,11 +1737,10 @@ EOT</screen>
<screen>&prompt.user; <userinput>mutt</userinput></screen>
<para><application>mutt</application> will automatically read
- the contents of the user mailbox in <filename
- class="directory">/var/mail</filename> and display the
- contents if applicable. If no mails are found in the user
- mailbox, then <application>mutt</application> will wait for
- commands from the user. The example below shows
+ and display the contents of the user mailbox in <filename
+ class="directory">/var/mail</filename>. If no mails are
+ found, <application>mutt</application> will wait for commands
+ from the user. The example below shows
<application>mutt</application> displaying a list of
messages:</para>
@@ -1823,8 +1750,8 @@ EOT</screen>
</imageobject>
</mediaobject>
- <para>In order to read an email, select it using the cursor
- keys and press the <keycap>Enter</keycap> key. An example of
+ <para>To read an email, select it using the cursor keys and
+ press <keycap>Enter</keycap>. An example of
<application>mutt</application> displaying email can be seen
below:</para>
@@ -1834,33 +1761,30 @@ EOT</screen>
</imageobject>
</mediaobject>
- <para>As with the &man.mail.1; command,
- <application>mutt</application> allows users to reply only to
- the sender of the message as well as to all recipients. To
- reply only to the sender of the email, use the
- <keycap>r</keycap> keyboard shortcut. To send a group reply,
- which will be sent to the original sender as well as all the
- message recipients, use the <keycap>g</keycap>
- shortcut.</para>
+ <para>Similar to &man.mail.1;, <application>mutt</application>
+ can be used to reply only to the sender of the message as well
+ as to all recipients. To reply only to the sender of the
+ email, press <keycap>r</keycap>. To send a group reply
+ to the original sender as well as all the message recipients,
+ press <keycap>g</keycap>.</para>
<note>
- <para><application>mutt</application> makes use of the
- &man.vi.1; command as an editor for creating and replying
- to emails. This may be customized by the user by creating
- or editing their own <filename>.muttrc</filename> file in
- their home directory and setting the
- <literal>editor</literal> variable or by setting the
- <envar>EDITOR</envar> environment variable. See
+ <para>By default, <application>mutt</application> uses the
+ &man.vi.1; editor for creating and replying to emails. Each
+ user can customize this by creating or editing the
+ <filename>.muttrc</filename> in their home directory and
+ setting the <literal>editor</literal> variable or by setting
+ the <envar>EDITOR</envar> environment variable. Refer to
<ulink url="http://www.mutt.org/"></ulink> for more
information about configuring
<application>mutt</application>.</para>
</note>
- <para>In order to compose a new mail message, press
+ <para>To compose a new mail message, press
<keycap>m</keycap>. After a valid subject has been given,
- <application>mutt</application> will start &man.vi.1; and the
- mail can be written. Once the contents of the mail are
- complete, save and quit from <command>vi</command> and
+ <application>mutt</application> will start &man.vi.1; so the
+ email can be written. Once the contents of the email are
+ complete, save and quit from <command>vi</command>.
<application>mutt</application> will resume, displaying a
summary screen of the mail that is to be delivered. In
order to send the mail, press <keycap>y</keycap>. An example
@@ -1872,30 +1796,29 @@ EOT</screen>
</imageobject>
</mediaobject>
- <para><application>mutt</application> also contains extensive
- help, which can be accessed from most of the menus by pressing
- the <keycap>?</keycap> key. The top line also displays the
- keyboard shortcuts where appropriate.</para>
+ <para><application>mutt</application> contains extensive help
+ which can be accessed from most of the menus by pressing
+ <keycap>?</keycap>. The top line also displays the keyboard
+ shortcuts where appropriate.</para>
</sect2>
<sect2 id="alpine-command">
- <title>alpine</title>
+ <title><application>alpine</application></title>
<para><application>alpine</application> is aimed at a beginner
user, but also includes some advanced features.</para>
<warning>
- <para>The <application>alpine</application> software has had
- several remote vulnerabilities discovered in the past, which
- allowed remote attackers to execute arbitrary code as users
- on the local system, by the action of sending a
- specially-prepared email. All such
- <emphasis>known</emphasis> problems have been fixed, but
- the <application>alpine</application> code is written in
- a very insecure style and the &os; Security Officer believes
- there are likely to be other undiscovered vulnerabilities.
- You install <application>alpine</application> at your own
+ <para><application>alpine</application> has had several remote
+ vulnerabilities discovered in the past, which allowed remote
+ attackers to execute arbitrary code as users on the local
+ system, by the action of sending a specially-prepared email.
+ While <emphasis>known</emphasis> problems have been fixed,
+ <application>alpine</application> code is written in an
+ insecure style and the &os; Security Officer believes there
+ are likely to be other undiscovered vulnerabilities. Users
+ install <application>alpine</application> at their own
risk.</para>
</warning>
@@ -1907,16 +1830,16 @@ EOT</screen>
<screen>&prompt.user; <userinput>alpine</userinput></screen>
- <para>The first time that <application>alpine</application>
- is run it displays a greeting page with a brief introduction,
+ <para>The first time <application>alpine</application>
+ runs, it displays a greeting page with a brief introduction,
as well as a request from the
<application>alpine</application> development team to send
an anonymous email message allowing them to judge how many
users are using their client. To send this anonymous message,
- press <keycap>Enter</keycap>, or alternatively press
+ press <keycap>Enter</keycap>. Alternatively, press
<keycap>E</keycap> to exit the greeting without sending an
- anonymous message. An example of the greeting page can be
- seen below:</para>
+ anonymous message. An example of the greeting page is
+ shown below:</para>
<mediaobject>
<imageobject>
@@ -1924,19 +1847,18 @@ EOT</screen>
</imageobject>
</mediaobject>
- <para>Users are then presented with the main menu, which can
- be easily navigated using the cursor keys. This main menu
- provides shortcuts for the composing new mails, browsing of
- mail directories, and even the administration of address book
- entries. Below the main menu, relevant keyboard shortcuts
- to perform functions specific to the task at hand are
- shown.</para>
+ <para>The main menu is then presented, which can be navigated
+ using the cursor keys. This main menu provides shortcuts for
+ the composing new mails, browsing mail directories, and
+ administering address book entries. Below the main menu,
+ relevant keyboard shortcuts to perform functions specific to
+ the task at hand are shown.</para>
<para>The default directory opened by
- <application>alpine</application> is the <filename
+ <application>alpine</application> is <filename
class="directory">inbox</filename>. To view the message
index, press <keycap>I</keycap>, or select the
- <guimenuitem>MESSAGE INDEX</guimenuitem> option as seen
+ <guimenuitem>MESSAGE INDEX</guimenuitem> option shown
below:</para>
<mediaobject>
@@ -1945,10 +1867,10 @@ EOT</screen>
</imageobject>
</mediaobject>
- <para>The message index shows messages in the current directory,
+ <para>The message index shows messages in the current directory
and can be navigated by using the cursor keys. Highlighted
- messages can be read by pressing the
- <keycap>Enter</keycap> key.</para>
+ messages can be read by pressing
+ <keycap>Enter</keycap>.</para>
<mediaobject>
<imageobject>
@@ -1957,11 +1879,11 @@ EOT</screen>
</mediaobject>
<para>In the screenshot below, a sample message is displayed by
- <application>alpine</application>. Keyboard shortcuts are
- displayed as a reference at the bottom of the screen. An
- example of one of these shortcuts is the <keycap>r</keycap>
- key, which tells the <acronym>MUA</acronym> to reply to the
- current message being displayed.</para>
+ <application>alpine</application>. Contextual keyboard
+ shortcuts are displayed at the bottom of the screen. An
+ example of one of a shortcut is <keycap>r</keycap>, which
+ tells the <acronym>MUA</acronym> to reply to the current
+ message being displayed.</para>
<mediaobject>
<imageobject>
@@ -1972,15 +1894,14 @@ EOT</screen>
<para>Replying to an email in <application>alpine</application>
is done using the <application>pico</application> editor,
which is installed by default with
- <application>alpine</application>. The
- <application>pico</application> utility makes it easy to
- navigate around the message and is slightly more forgiving
- on novice users than &man.vi.1; or &man.mail.1;. Once the
- reply is complete, the message can be sent by pressing
- <keycombo
+ <application>alpine</application>.
+ <application>pico</application> makes it easy to navigate the
+ message and is easier for novice users to use than &man.vi.1;
+ or &man.mail.1;. Once the reply is complete, the message can
+ be sent by pressing <keycombo
action="simul"><keycap>Ctrl</keycap><keycap>X</keycap>
- </keycombo>. The <application>alpine</application> application
- will ask for confirmation.</para>
+ </keycombo>. <application>alpine</application>
+ will ask for confirmation before sending the message.</para>
<mediaobject>
<imageobject>
@@ -1988,9 +1909,9 @@ EOT</screen>
</imageobject>
</mediaobject>
- <para>The <application>alpine</application> application can
- be customized using the <guimenuitem>SETUP</guimenuitem>
- option from the main menu. Consult <ulink
+ <para><application>alpine</application> can be customized using
+ the <guimenuitem>SETUP</guimenuitem> option from the main
+ menu. Consult <ulink
url="http://www.washington.edu/alpine/"></ulink>
for more information.</para>
@@ -2007,24 +1928,24 @@ EOT</screen>
</author>
</authorgroup>
</sect1info>
- <title>Using fetchmail</title>
+ <title>Using <application>fetchmail</application></title>
<indexterm>
<primary>fetchmail</primary>
</indexterm>
<para><application>fetchmail</application> is a full-featured
- <acronym>IMAP</acronym> and <acronym>POP</acronym> client which
+ <acronym>IMAP</acronym> and <acronym>POP</acronym> client. It
allows users to automatically download mail from remote
<acronym>IMAP</acronym> and <acronym>POP</acronym> servers and
- save it into local mailboxes; there it can be accessed more
+ save it into local mailboxes where it can be accessed more
easily. <application>fetchmail</application> can be installed
using the <filename role="package">mail/fetchmail</filename>
- port, and offers various features, some of which include:</para>
+ port, and offers various features, including:</para>
<itemizedlist>
<listitem>
- <para>Support of <acronym>POP3</acronym>,
+ <para>Support for the <acronym>POP3</acronym>,
<acronym>APOP</acronym>, <acronym>KPOP</acronym>,
<acronym>IMAP</acronym>, <acronym>ETRN</acronym> and
<acronym>ODMR</acronym> protocols.</para>
@@ -2042,20 +1963,18 @@ EOT</screen>
</listitem>
<listitem>
- <para>Can retrieve multiple mailboxes and forward them based
+ <para>Can retrieve multiple mailboxes and forward them, based
on configuration, to different local users.</para>
</listitem>
</itemizedlist>
- <para>While it is outside the scope of this document to explain
- all of <application>fetchmail</application>'s features, some
- basic features will be explained. The
- <application>fetchmail</application> utility requires a
- configuration file known as <filename>.fetchmailrc</filename>,
- in order to run correctly. This file includes server
- information as well as login credentials. Due to the sensitive
- nature of the contents of this file, it is advisable to make
- it readable only by the owner, with the following
+ <para>This section explains some of the basic features of
+ <application>fetchmail</application>. This utility requires a
+ <filename>.fetchmailrc</filename> configuration in the user's
+ home directory in order to run correctly. This file includes
+ server information as well as login credentials. Due to the
+ sensitive nature of the contents of this file, it is advisable
+ to make it readable only by the user, with the following
command:</para>
<screen>&prompt.user; <userinput>chmod 600 .fetchmailrc</userinput></screen>
@@ -2067,8 +1986,7 @@ EOT</screen>
role="fqdn">example.com</hostid> using a username of
<username>joesoap</username> and a password of
<literal>XXX</literal>. This example assumes that the user
- <username>joesoap</username> is also a user on the local
- system.</para>
+ <username>joesoap</username> exists on the local system.</para>
<programlisting>poll example.com protocol pop3 username "joesoap" password "XXX"</programlisting>
@@ -2082,13 +2000,13 @@ user "andrea", with password "XXXX";
poll example2.net proto imap:
user "john", with password "XXXXX", is "myth" here;</programlisting>
- <para>The <application>fetchmail</application> utility can be
- run in daemon mode by running it with the <option>-d</option>
- flag, followed by the interval (in seconds) that
- <application>fetchmail</application> should poll servers listed
- in the <filename>.fetchmailrc</filename> file. The following
- example would cause <application>fetchmail</application> to poll
- every 600 seconds:</para>
+ <para><application>fetchmail</application> can be run in daemon
+ mode by running it with <option>-d</option>, followed by the
+ interval (in seconds) that <application>fetchmail</application>
+ should poll servers listed in <filename>.fetchmailrc</filename>.
+ The following example configures
+ <application>fetchmail</application> to poll every 600
+ seconds:</para>
<screen>&prompt.user; <userinput>fetchmail -d 600</userinput></screen>
@@ -2107,47 +2025,46 @@ user "john", with password "XXXXX", is "myth" here;</programlisting>
</author>
</authorgroup>
</sect1info>
- <title>Using procmail</title>
+ <title>Using <application>procmail</application></title>
<indexterm>
<primary>procmail</primary>
</indexterm>
- <para>The <application>procmail</application> utility is an
- incredibly powerful application used to filter incoming mail.
- It allows users to define <quote>rules</quote> which can be
- matched to incoming mails to perform specific functions or to
- reroute mail to alternative mailboxes and/or email addresses.
+ <para><application>procmail</application> is a powerful
+ application used to filter incoming mail. It allows users to
+ define <quote>rules</quote> which can be matched to incoming
+ mails to perform specific functions or to reroute mail to
+ alternative mailboxes or email addresses.
<application>procmail</application> can be installed using the
<filename role="package">mail/procmail</filename> port. Once
installed, it can be directly integrated into most
- <acronym>MTA</acronym>s; consult your <acronym>MTA</acronym>
+ <acronym>MTA</acronym>s. Consult the <acronym>MTA</acronym>
documentation for more information. Alternatively,
<application>procmail</application> can be integrated by adding
the following line to a <filename>.forward</filename> in the
- home directory of the user utilizing
- <application>procmail</application> features:</para>
+ home directory of the user:</para>
<programlisting>"|exec /usr/local/bin/procmail || exit 75"</programlisting>
- <para>The following section will display some basic
+ <para>The following section displays some basic
<application>procmail</application> rules, as well as brief
- descriptions on what they do. These rules, and others must be
- inserted into a <filename>.procmailrc</filename> file, which
- must reside in the user's home directory.</para>
+ descriptions of what they do. Rules must be inserted into a
+ <filename>.procmailrc</filename>, which must reside in the
+ user's home directory.</para>
- <para>The majority of these rules can also be found in the
- &man.procmailex.5; manual page.</para>
+ <para>The majority of these rules can be found in
+ &man.procmailex.5;.</para>
- <para>Forward all mail from <email>user@example.com</email> to an
- external address of <email
+ <para>To forward all mail from <email>user@example.com</email> to
+ an external address of <email
role="nolink">goodmail@example2.com</email>:</para>
<programlisting>:0
* ^From.*user@example.com
! goodmail@example2.com</programlisting>
- <para>Forward all mails shorter than 1000 bytes to an external
+ <para>To forward all mails shorter than 1000 bytes to an external
address of <email
role="nolink">goodmail@example2.com</email>:</para>
@@ -2155,23 +2072,24 @@ user "john", with password "XXXXX", is "myth" here;</programlisting>
* < 1000
! goodmail@example2.com</programlisting>
- <para>Send all mail sent to <email>alternate@example.com</email>
- into a mailbox called <filename>alternate</filename>:</para>
+ <para>To send all mail sent to
+ <email>alternate@example.com</email> to a mailbox called
+ <filename>alternate</filename>:</para>
<programlisting>:0
* ^TOalternate@example.com
alternate</programlisting>
- <para>Send all mail with a subject of <quote>Spam</quote> to
- <filename>/dev/null</filename>:</para>
+ <para>To send all mail with a subject of <quote>Spam</quote> to
+ <devicename>/dev/null</devicename>:</para>
<programlisting>:0
^Subject:.*Spam
/dev/null</programlisting>
<para>A useful recipe that parses incoming <hostid
- role="domainname">&os;.org</hostid> mailing lists
- and places each list in its own mailbox:</para>
+ role="domainname">&os;.org</hostid> mailing lists and places
+ each list in its own mailbox:</para>
<programlisting>:0
* ^Sender:.owner-freebsd-\/[^@]+@FreeBSD.ORG
diff --git a/en_US.ISO8859-1/books/handbook/multimedia/chapter.xml b/en_US.ISO8859-1/books/handbook/multimedia/chapter.xml
index f14f0ea81c..529bd216e4 100644
--- a/en_US.ISO8859-1/books/handbook/multimedia/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/multimedia/chapter.xml
@@ -21,70 +21,62 @@
<sect1 id="multimedia-synopsis">
<title>Synopsis</title>
- <para>FreeBSD supports a wide variety of sound cards, allowing you
- to enjoy high fidelity output from your computer. This includes
+ <para>&os; supports a wide variety of sound cards, allowing users
+ to enjoy high fidelity output from a &os; system. This includes
the ability to record and playback audio in the MPEG Audio Layer
- 3 (MP3), WAV, and Ogg Vorbis formats as well as many other
- formats. The FreeBSD Ports Collection also contains
- applications allowing you to edit your recorded audio, add sound
- effects, and control attached MIDI devices.</para>
+ 3 (<acronym>MP3</acronym>), Waveform Audio File
+ (<acronym>WAV</acronym>), Ogg Vorbis, and other formats. The
+ &os; Ports Collection contains many applications for editing
+ recorded audio, adding sound effects, and controlling attached
+ MIDI devices.</para>
- <para>With some experimentation, &os; can support
- playback of video files and DVDs. The number of applications
- to encode, convert, and playback various video media is more
- limited than the number of sound applications. For example as
- of this writing, there are no good re-encoding applications
- in the FreeBSD Ports Collection that could be used to convert
- between formats, as there is with <filename
- role="package">audio/sox</filename>. However, the software
- landscape in this area is changing rapidly.</para>
+ <para>&os; also supports the playback of video files and DVDs.
+ The &os; Ports Collection contains applications to encode,
+ convert, and playback various video media.</para>
- <para>This chapter will describe the necessary steps to configure
- your sound card. The configuration and installation of X11
- (<xref linkend="x11"/>) has already taken care of the
- hardware issues for your video card, though there may be some
- tweaks to apply for better playback.</para>
+ <para>This chapter describes how to configure sound cards, video
+ playback, TV tuner cards, and scanners on &os;. It also
+ describes some of the applications which are available for
+ using these devices.</para>
- <para>After reading this chapter, you will know:</para>
+ <para>After reading this chapter, you will know how to:</para>
<itemizedlist>
<listitem>
- <para>How to configure your system so that your sound card
- is recognized.</para>
+ <para>Configure a sound card on os;.</para>
</listitem>
<listitem>
- <para>Methods to test whether your card is working.</para>
+ <para>Troubleshoot the sound setup.</para>
</listitem>
<listitem>
- <para>How to troubleshoot your sound setup.</para>
+ <para>Playback and encode MP3s and other audio.</para>
</listitem>
<listitem>
- <para>How to playback and encode MP3s and other audio.</para>
+ <para>Prepare a &os; system for video playback.</para>
</listitem>
<listitem>
- <para>How video is supported by the X server.</para>
- </listitem>
-
- <listitem>
- <para>Some video player/encoder ports which give good
- results.</para>
- </listitem>
-
- <listitem>
- <para>How to playback DVDs, <filename>.mpg</filename> and
+ <para>Playback DVDs, <filename>.mpg</filename>, and
<filename>.avi</filename> files.</para>
</listitem>
<listitem>
- <para>How to rip CD and DVD content into files.</para>
+ <para>Rip CD and DVD content into files.</para>
</listitem>
<listitem>
- <para>How to configure a TV card.</para>
+ <para>Configure a TV card.</para>
+ </listitem>
+
+ <listitem>
+ <para>Install and setup MythTV on &os;</para>
+ </listitem>
+
+ <listitem>
+ <para>Configure an image scanner.</para>
</listitem>
<listitem>
@@ -100,10 +92,9 @@
</itemizedlist>
<warning>
- <para>Trying to mount audio CDs with the &man.mount.8; command
- will result in an error, at least, and a <emphasis>kernel
- panic</emphasis>, at worst. These media have specialized
- encodings which differ from the usual ISO-filesystem.</para>
+ <para>Audio CDs have specialized encodings which differ from the
+ usual ISO-filesystem. This means that they should not be
+ mounted using &man.mount.8;.</para>
</warning>
</sect1>
@@ -134,101 +125,92 @@
<title>Configuring the System</title>
<indexterm><primary>PCI</primary></indexterm>
- <indexterm><primary>ISA</primary></indexterm>
<indexterm><primary>sound cards</primary></indexterm>
- <para>Before you begin, you should know the model of the card
- you have, the chip it uses, and whether it is a PCI or ISA
- card. FreeBSD supports a wide variety of both PCI and ISA
- cards. Check the supported audio devices list of the <ulink
- url="&rel.current.hardware;">Hardware Notes</ulink> to
- see if your card is supported. The Hardware Notes will
- also mention which driver supports your card.</para>
+ <para>Before beginning the configuration, determine the model of
+ the sound card and the chip it uses. &os; supports a wide
+ variety of sound cards. Check the supported audio devices
+ list of the <ulink url="&rel.current.hardware;">Hardware
+ Notes</ulink> to see if the card is supported and which &os;
+ driver it uses.</para>
<indexterm>
<primary>kernel</primary>
<secondary>configuration</secondary>
</indexterm>
- <para>To use your sound device, you will need to load the proper
- device driver. This may be accomplished in one of two ways.
- The easiest way is to simply load a kernel module for your
- sound card with &man.kldload.8; which can either be done from
- the command line:</para>
+ <para>In order to use the sound device, the proper device driver
+ must be loaded. This may be accomplished in one of two ways.
+ The easiest way is to load a kernel module for the sound card
+ with &man.kldload.8;. This example loads the driver for a
+ Creative &soundblaster; Live! sound card:</para>
<screen>&prompt.root; <userinput>kldload snd_emu10k1</userinput></screen>
- <para>or by adding the appropriate line to the file
- <filename>/boot/loader.conf</filename> like this:</para>
+ <para>To automate the loading of this driver at boot time, add the
+ driver to <filename>/boot/loader.conf</filename>. The line for
+ this driver is:</para>
<programlisting>snd_emu10k1_load="YES"</programlisting>
- <para>These examples are for a Creative &soundblaster; Live! sound
- card. Other available loadable sound modules are listed in
- <filename>/boot/defaults/loader.conf</filename>.
- If you are not sure which driver to use, you may try to load
- the <filename>snd_driver</filename> module:</para>
+ <para>Other available sound modules are listed in
+ <filename>/boot/defaults/loader.conf</filename>. When unsure
+ which driver to use, load the <filename>snd_driver</filename>
+ module:</para>
<screen>&prompt.root; <userinput>kldload snd_driver</userinput></screen>
- <para>This is a metadriver loading the most common device drivers
- at once. This speeds up the search for the correct driver. It
- is also possible to load all sound drivers via the
- <filename>/boot/loader.conf</filename> facility.</para>
+ <para>This is a metadriver which loads all of the most common
+ sound drivers and can be used to speed up the search for the
+ correct driver. It is also possible to load all sound drivers
+ by adding the metadriver to
+ <filename>/boot/loader.conf</filename>.</para>
- <para>If you wish to find out the driver selected for your
- soundcard after loading the <filename>snd_driver</filename>
- metadriver, you may check the <filename>/dev/sndstat</filename>
- file with the <command>cat /dev/sndstat</command>
- command.</para>
+ <para>To determine which driver was selected for the sound card
+ after loading the <filename>snd_driver</filename> metadriver,
+ type <command>cat /dev/sndstat</command>.</para>
- <para>A second method is to statically
- compile in support for your sound card in your kernel. The
- section below provides the information you need to add support
- for your hardware in this manner. For more information about
- recompiling your kernel, please see <xref
- linkend="kernelconfig"/>.</para>
+ <para>Users who prefer to statically compile in support for the
+ sound card in a custom kernel should refer to the instructions
+ in the next section. For more information about recompiling a
+ kernel, refer to <xref linkend="kernelconfig"/>.</para>
<sect3>
<title>Configuring a Custom Kernel with Sound Support</title>
- <para>The first thing to do is add the audio framework driver
- &man.sound.4; to the kernel; for that you will need to
- add the following line to the kernel configuration file:</para>
+ <para>When using a custom kernel to provide sound support, make
+ sure that the audio framework driver exists in the custom kernel
+ configuration file:</para>
<programlisting>device sound</programlisting>
- <para>Next, you have to add the support for your sound card.
- Therefore, you need to know which driver supports the card.
- Check the supported audio devices list of the <ulink
- url="&rel.current.hardware;">Hardware Notes</ulink>, to
- determine the correct driver for your sound card. For
- example, a Creative &soundblaster; Live! sound card is
- supported by the &man.snd.emu10k1.4; driver. To add the support
- for this card, use the following:</para>
+ <para>Next, add support for the sound card. Therefore, you need
+ to know which driver supports the card. To continue the example
+ of the Creative &soundblaster; Live! sound card from the
+ previous section, use the following line in the custom kernel
+ configuration file:</para>
<programlisting>device snd_emu10k1</programlisting>
<para>Be sure to read the manual page of the driver for the
syntax to use. The explicit syntax for the kernel
configuration of every supported sound driver can also be
- found in the <filename>/usr/src/sys/conf/NOTES</filename>
- file.</para>
+ found in <filename>/usr/src/sys/conf/NOTES</filename>.</para>
- <para>Non-PnP ISA sound cards may require you to provide the
- kernel with information on the card settings (IRQ, I/O port,
- etc), as is true of all non-PnP ISA cards. This is done via
- the <filename>/boot/device.hints</filename> file. During the
- boot process, the &man.loader.8; will read this file and pass
- the settings to the kernel. For example, an old Creative
+ <para>Non-PnP ISA sound cards may require the IRQ and I/O port
+ settings of the card to be added to
+ <filename>/boot/device.hints</filename>. During the boot
+ process, &man.loader.8; reads this file and passes the
+ settings to the kernel. For example, an old Creative
&soundblaster; 16 ISA non-PnP card will use the
&man.snd.sbc.4; driver in conjunction with
- <literal>snd_sb16</literal>. For this card the following
+ <literal>snd_sb16</literal>. For this card, the following
lines must be added to the kernel configuration file:</para>
<programlisting>device snd_sbc
device snd_sb16</programlisting>
- <para>and these to
+ <para>If the card uses the <literal>0x220</literal> I/O port and
+ IRQ <literal>5</literal>, these lines must also be added to
<filename>/boot/device.hints</filename>:</para>
<programlisting>hint.sbc.0.at="isa"
@@ -240,31 +222,32 @@ hint.sbc.0.flags="0x15"</programlisting>
<para>In this case, the card uses the <literal>0x220</literal>
I/O port and the IRQ <literal>5</literal>.</para>
- <para>The syntax used in the
- <filename>/boot/device.hints</filename> file is covered in the
- &man.sound.4; driver manual page and the manual page
- for the driver in question.</para>
+ <para>The syntax used in
+ <filename>/boot/device.hints</filename> is described in
+ &man.sound.4; and the manual page for the driver of the sound
+ card.</para>
<para>The settings shown above are the defaults. In some
- cases, you may need to change the IRQ or the other settings to
- match your card. See the &man.snd.sbc.4; manual page for more
- information about this card.</para>
+ cases, the IRQ or other settings may need to be changed to
+ match the card. Refer to &man.snd.sbc.4; for more information
+ about this card.</para>
</sect3>
</sect2>
<sect2 id="sound-testing">
<title>Testing the Sound Card</title>
- <para>After rebooting with the modified kernel, or after loading
- the required module, the sound card should appear in your system
- message buffer (&man.dmesg.8;) as something like:</para>
+ <para>After rebooting into the custom kernel, or after loading
+ the required module, the sound card should appear in the system
+ message buffer. Run &man.dmesg.8; and look for a message
+ like:</para>
<screen>pcm0: <Intel ICH3 (82801CA)> port 0xdc80-0xdcbf,0xd800-0xd8ff irq 5 at device 31.5 on pci0
pcm0: [GIANT-LOCKED]
pcm0: <Cirrus Logic CS4205 AC97 Codec></screen>
- <para>The status of the sound card may be checked via the
- <filename>/dev/sndstat</filename> file:</para>
+ <para>The status of the sound card may also be checked using this
+ command:</para>
<screen>&prompt.root; <userinput>cat /dev/sndstat</userinput>
FreeBSD Audio Driver (newpcm)
@@ -272,46 +255,43 @@ Installed devices:
pcm0: <Intel ICH3 (82801CA)> at io 0xd800, 0xdc80 irq 5 bufsz 16384
kld snd_ich (1p/2r/0v channels duplex default)</screen>
- <para>The output from your system may vary. If no
+ <para>The output may vary between systems. If no
<devicename>pcm</devicename> devices are listed, go back and
- review what was done earlier. Go through your kernel
- configuration file again and make sure the correct
+ review the kernel configuration file and make sure the correct
device driver was chosen. Common problems are listed in <xref
linkend="troubleshooting"/>.</para>
- <para>If all goes well, you should now have a functioning sound
- card. If your CD-ROM or DVD-ROM drive's audio-out pins are
- properly connected to your sound card, you can put a CD in the
+ <para>If all goes well, the sound card should now work in os;. If
+ the CD-ROM or DVD-ROM drive's audio-out pins are properly
+ connected to the sound card, one can insert an audio CD in the
drive and play it with &man.cdcontrol.1;:</para>
<screen>&prompt.user; <userinput>cdcontrol -f /dev/acd0 play 1</userinput></screen>
<para>Various applications, such as <filename
- role="package">audio/workman</filename> can provide a
- friendlier interface. You may want to install an application
- such as <filename role="package">audio/mpg123</filename> to
- listen to MP3 audio files.</para>
+ role="package">audio/workman</filename> provide a friendlier
+ interface. The <filename role="package">audio/mpg123</filename>
+ port can be installed to listen to MP3 audio files.</para>
- <para>Another quick way to test the card is sending data
- to <filename>/dev/dsp</filename>, like this:</para>
+ <para>Another quick way to test the card is to send data to
+ <filename>/dev/dsp</filename>:</para>
<screen>&prompt.user; <userinput>cat <replaceable>filename</replaceable> > /dev/dsp</userinput></screen>
<para>where
<filename><replaceable>filename</replaceable></filename> can
- be any file. This command line should produce some noise,
- confirming the sound card is actually working.</para>
+ be any file. This command should produce some noise, confirming
+ that the sound card is actually working.</para>
<note>
- <para>The device nodes <filename>/dev/dsp*</filename> will be
- created automatically when needed. If they are not used, they
+ <para>The <devicename>/dev/dsp*</devicename> device nodes will
+ be created automatically as needed. When not in use, they
do not exist and will not appear in the output of
&man.ls.1;.</para>
</note>
- <para>Sound card mixer levels can be changed via the &man.mixer.8;
- command. More details can be found in the &man.mixer.8; manual
- page.</para>
+ <para>Sound card mixer levels can be changed using &man.mixer.8;.
+ More details can be found in &man.mixer.8;.</para>
<sect3 id="troubleshooting">
<title>Common Problems</title>
@@ -356,9 +336,8 @@ kld snd_ich (1p/2r/0v channels duplex default)</screen>
<entry><errorname>xxx: can't open
/dev/dsp!</errorname></entry>
<entry><para>Check with <command>fstat | grep
- dsp</command>
- if another application is holding the device open.
- Noteworthy troublemakers are
+ dsp</command> if another application is holding the
+ device open. Noteworthy troublemakers are
<application>esound</application> and
<application>KDE</application>'s sound
support.</para></entry>
@@ -370,9 +349,9 @@ kld snd_ich (1p/2r/0v channels duplex default)</screen>
<para>Another issue is that modern graphics cards often come
with their own sound driver, for use with
<acronym>HDMI</acronym> and similar. This sound device will
- sometimes be enumerated before the actual soundcard and the
- soundcard will subsequently not be used as the default
- playback device. To check if this is the case, run
+ sometimes be enumerated before the sound card and the sound
+ card will subsequently not be used as the default playback
+ device. To check if this is the case, run
<application>dmesg</application> and look for
<literal>pcm</literal>. The output looks something like
this:</para>
@@ -397,16 +376,16 @@ pcm7: <HDA Realtek ALC889 PCM #3 Digital> at cad 2 nid 1 on hdac1
<para>Here the graphics card (<literal>NVidia</literal>) has
been enumerated before the sound card (<literal>Realtek
- ALC889</literal>). To use the sound card as default playback
- device, change <literal>hw.snd.default_unit</literal> to the
- unit that should be used for playback, enter the
- following:</para>
+ ALC889</literal>). To use the sound card as the default
+ playback device, change <varname>hw.snd.default_unit</varname>
+ to the unit that should be used for playback:</para>
<screen>&prompt.root; <userinput>sysctl hw.snd.default_unit=<replaceable>n</replaceable></userinput></screen>
<para>Here, <literal>n</literal> is the number of the sound
- device to use, in this example <literal>4</literal>. You can
- make this change permanent by adding the following line to
+ device to use. In this example, it should be
+ <literal>4</literal>. Make this change permanent by adding
+ the following line to
<filename>/etc/sysctl.conf</filename>:</para>
<programlisting>hw.snd.default_unit=<replaceable>4</replaceable></programlisting>
@@ -426,20 +405,13 @@ pcm7: <HDA Realtek ALC889 PCM #3 Digital> at cad 2 nid 1 on hdac1
<title>Utilizing Multiple Sound Sources</title>
<para>It is often desirable to have multiple sources of sound that
- are able to play simultaneously, such as when
- <application>esound</application> or
- <application>artsd</application> do not support sharing of the
- sound device with a certain application.</para>
+ are able to play simultaneously. &os; uses <emphasis>Virtual
+ Sound Channels</emphasis>, which can be enabled using
+ &man.sysctl.8;. Virtual channels allow one to multiplex the
+ sound card's playback by mixing sound in the kernel.</para>
- <para>FreeBSD lets you do this through <emphasis>Virtual Sound
- Channels</emphasis>, which can be enabled with the
- &man.sysctl.8; facility. Virtual channels allow you to
- multiplex your sound card's playback by mixing sound in the
- kernel.</para>
-
- <para>To set the number of virtual channels, there are three
- sysctl knobs which, if you are the <username>root</username>
- user, can be set like this:</para>
+ <para>To set the number of virtual channels, three
+ &man.sysctl.8; knobs are available:</para>
<screen>&prompt.root; <userinput>sysctl dev.pcm.0.play.vchans=4</userinput>
&prompt.root; <userinput>sysctl dev.pcm.0.rec.vchans=4</userinput>
@@ -450,26 +422,26 @@ pcm7: <HDA Realtek ALC889 PCM #3 Digital> at cad 2 nid 1 on hdac1
<varname>dev.pcm.0.play.vchans=4</varname> and
<varname>dev.pcm.0.rec.vchans=4</varname> are the number of
virtual channels <devicename>pcm0</devicename> has for playback
- and recording, and are configurable once a device has been
+ and recording, and are configurable after a device has been
attached. <literal>hw.snd.maxautovchans</literal> is the number
of virtual channels a new audio device is given when it is
attached using &man.kldload.8;. Since the
<devicename>pcm</devicename> module can be loaded independently
of the hardware drivers, <varname>hw.snd.maxautovchans</varname>
- can store how many virtual channels any devices which are
- attached later will be given. Refer to &man.pcm.4; manual page
- for more information.</para>
+ indicates how many virtual channels will be given to devices
+ when they are attached. Refer to &man.pcm.4; for more
+ information.</para>
<note>
- <para>You cannot change the number of virtual channels for a
- device while it is in use. First close any programs using
+ <para>The number of virtual channels for a device cannot be
+ changed while it is in use. First, close any programs using
the device, such as music players or sound daemons.</para>
</note>
<para>
The correct <devicename>pcm</devicename> device will
- automatically be allocated transparently to a program
- that requests <filename>/dev/dsp0</filename>.</para>
+ automatically be allocated transparently to a program that
+ requests <filename>/dev/dsp0</filename>.</para>
</sect2>
<sect2>
@@ -486,18 +458,20 @@ pcm7: <HDA Realtek ALC889 PCM #3 Digital> at cad 2 nid 1 on hdac1
<title>Setting Default Values for Mixer Channels</title>
<para>The default values for the different mixer channels are
- hardcoded in the sourcecode of the &man.pcm.4; driver. There
- are many different applications and daemons that allow
- you to set values for the mixer that are remembered between
- invocations, but this is not a clean solution. It is possible
- to set default mixer values at the driver level — this
- is accomplished by defining the appropriate values in
- <filename>/boot/device.hints</filename>, e.g.:</para>
+ hardcoded in the source code of the &man.pcm.4; driver. There
+ are many different applications and daemons that allow values to
+ be set for the mixer that are remembered between invocations,
+ but this is not a clean solution. It is possible to set default
+ mixer values at the driver level. This is accomplished by
+ defining the appropriate values in
+ <filename>/boot/device.hints</filename>, as seen in this
+ example:</para>
<programlisting>hint.pcm.0.vol="50"</programlisting>
<para>This will set the volume channel to a default value of
- 50 when the &man.pcm.4; module is loaded.</para>
+ <literal>50</literal> when the &man.pcm.4; module is
+ loaded.</para>
</sect2>
</sect1>
@@ -515,18 +489,18 @@ pcm7: <HDA Realtek ALC889 PCM #3 Digital> at cad 2 nid 1 on hdac1
<title>MP3 Audio</title>
- <para>MP3 (MPEG Layer 3 Audio) accomplishes near CD-quality sound,
- leaving no reason to let your FreeBSD workstation fall short of
- its offerings.</para>
+ <para>This section describes some <acronym>MP3</acronym>
+ players available for &os;, how to rip audio CD tracks, and
+ how to encode and decode <acronym>MP3</acronym>s.</para>
<sect2 id="mp3-players">
<title>MP3 Players</title>
- <para>By far, the most popular X11 MP3 player is
- <application>XMMS</application> (X Multimedia System).
+ <para>A popular graphical <acronym>MP3</acronym> player is
+ <application>XMMS</application>.
<application>Winamp</application>
skins can be used with <application>XMMS</application> since
- the GUI is almost identical to that of Nullsoft's
+ the interface is almost identical to that of Nullsoft's
<application>Winamp</application>.
<application>XMMS</application> also has native plug-in
support.</para>
@@ -541,14 +515,16 @@ pcm7: <HDA Realtek ALC889 PCM #3 Digital> at cad 2 nid 1 on hdac1
<application>XMMS</application> simple to use.</para>
<para>The <filename role="package">audio/mpg123</filename> port
- is an alternative, command-line MP3 player.</para>
+ provides an alternative, command-line <acronym>MP3</acronym>
+ player.</para>
<para><application>mpg123</application> can be run by specifying
- the sound device and the MP3 file on the command line.
- Assuming your audio device is
- <devicename>/dev/dsp1.0</devicename> and you want to play the
- MP3 file <replaceable>Foobar-GreatestHits.mp3</replaceable>
- you would enter the following:</para>
+ the sound device and the <acronym>MP3</acronym> file on the
+ command line. Assuming the audio device is
+ <devicename>/dev/dsp1.0</devicename> and the
+ <acronym>MP3</acronym> file is
+ <replaceable>Foobar-GreatestHits.mp3</replaceable>, enter the
+ following to play the file:</para>
<screen>&prompt.root; <userinput>mpg123 -a <devicename>/dev/dsp1.0</devicename> <replaceable>Foobar-GreatestHits.mp3</replaceable></userinput>
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
@@ -567,63 +543,64 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo</screen>
<sect2 id="rip-cd">
<title>Ripping CD Audio Tracks</title>
- <para>Before encoding a CD or CD track to MP3, the audio data on
- the CD must be ripped onto the hard drive. This is done by
- copying the raw CDDA (CD Digital Audio) data to WAV
- files.</para>
+ <para>Before encoding a CD or CD track to
+ <acronym>MP3</acronym>, the audio data on the CD must be
+ ripped to the hard drive. This is done by copying the raw CD
+ Digital Audio (<acronym>CDDA</acronym>) data to
+ <acronym>WAV</acronym> files.</para>
- <para>The <command>cdda2wav</command> tool, which is a part of
- the <filename role="package">sysutils/cdrtools</filename>
+ <para>The <command>cdda2wav</command> tool, which is installed
+ with the <filename role="package">sysutils/cdrtools</filename>
suite, is used for ripping audio information from CDs and the
information associated with them.</para>
<para>With the audio CD in the drive, the following command can
- be issued (as <username>root</username>) to rip an entire CD
- into individual (per track) WAV files:</para>
+ be issued as <username>root</username> to rip an entire CD
+ into individual (per track) <acronym>WAV</acronym>
+ files:</para>
<screen>&prompt.root; <userinput>cdda2wav -D <replaceable>0,1,0</replaceable> -B</userinput></screen>
- <para><application>cdda2wav</application> will support
- ATAPI (IDE) CDROM drives. To rip from an IDE drive, specify
- the device name in place of the SCSI unit numbers. For
- example, to rip track 7 from an IDE drive:</para>
-
- <screen>&prompt.root; <userinput>cdda2wav -D <replaceable>/dev/acd0</replaceable> -t 7</userinput></screen>
-
<para>The <option>-D <replaceable>0,1,0</replaceable></option>
indicates the SCSI device <devicename>0,1,0</devicename>,
which corresponds to the output of <command>cdrecord
-scanbus</command>.</para>
+ <para><application>cdda2wav</application> will support ATAPI
+ (IDE) CDROM drives. To rip from an IDE drive, specify the
+ device name in place of the SCSI unit numbers. For example,
+ to rip track 7 from an IDE drive:</para>
+
+ <screen>&prompt.root; <userinput>cdda2wav -D <replaceable>/dev/acd0</replaceable> -t 7</userinput></screen>
+
<para>To rip individual tracks, make use of the
- <option>-t</option> option as shown:</para>
+ <option>-t</option> as shown:</para>
<screen>&prompt.root; <userinput>cdda2wav -D <replaceable>0,1,0</replaceable> -t 7</userinput></screen>
<para>This example rips track seven of the audio CDROM. To rip
- a range of tracks, for example, track one to seven, specify a
+ a range of tracks, such as track one to seven, specify a
range:</para>
<screen>&prompt.root; <userinput>cdda2wav -D <replaceable>0,1,0</replaceable> -t 1+7</userinput></screen>
- <para>The utility &man.dd.1; can also be used to extract audio
- tracks on ATAPI drives, read <xref
- linkend="duplicating-audiocds"/> for more information on
- that possibility.</para>
+ <para>&man.dd.1; can also be used to extract audio tracks on
+ ATAPI drives, as described in <xref
+ linkend="duplicating-audiocds"/>.</para>
</sect2>
<sect2 id="mp3-encoding">
<title>Encoding MP3s</title>
- <para>Nowadays, the mp3 encoder of choice is
- <application>lame</application>.
- <application>Lame</application> can be found at
- <filename role="package">audio/lame</filename> in the ports
- tree.</para>
+ <para>
+ <application>Lame</application> is a popular
+ <acronym>MP3</acronym> encoder which can be installed from the
+ <filename role="package">audio/lame</filename> port. Due to
+ licensing restrictions, a package is not available.</para>
- <para>Using the ripped WAV files, the following command will
- convert
+ <para>The following command will convert the ripped
+ <acronym>WAV</acronym> files
<filename><replaceable>audio01.wav</replaceable></filename>
to
<filename><replaceable>audio01.mp3</replaceable></filename>:</para>
@@ -637,26 +614,27 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo</screen>
--tg "<replaceable>Genre</replaceable>" \
<replaceable>audio01.wav audio01.mp3</replaceable></userinput></screen>
- <para>128 kbits seems to be the standard MP3 bitrate in
- use. Many enjoy the higher quality 160, or 192. The higher
- the bitrate, the more disk space the resulting MP3 will
- consume--but the quality will be higher. The
- <option>-h</option> option turns on the <quote>higher quality
- but a little slower</quote> mode. The options beginning with
- <option>--t</option> indicate ID3 tags, which usually contain
- song information, to be embedded within the MP3 file.
- Additional encoding options can be found by consulting the
- <application>lame</application> man page.</para>
+ <para>128 kbits is a standard <acronym>MP3</acronym>
+ bitrate. The 160 and 192 bitrates provide higher quality.
+ The higher the bitrate, the larger the size of the resulting
+ <acronym>MP3</acronym>. <option>-h</option> turns on the
+ <quote>higher quality but a little slower</quote> mode. The
+ options beginning with <option>--t</option> indicate ID3 tags,
+ which usually contain song information, to be embedded within
+ the <acronym>MP3</acronym> file. Additional encoding options
+ can be found in the <application>lame</application> manual
+ page.</para>
</sect2>
<sect2 id="mp3-decoding">
<title>Decoding MP3s</title>
- <para>In order to burn an audio CD from MP3s, they must be
- converted to a non-compressed WAV format. Both
+ <para>In order to burn an audio CD from <acronym>MP3</acronym>s,
+ they must first be converted to a non-compressed
+ <acronym>WAV</acronym> format. Both
<application>XMMS</application> and
- <application>mpg123</application> support the output of MP3
- to an uncompressed file format.</para>
+ <application>mpg123</application> support the output of
+ <acronym>MP3</acronym> to an uncompressed file format.</para>
<para>Writing to Disk in <application>XMMS</application>:</para>
@@ -666,12 +644,12 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo</screen>
</step>
<step>
- <para>Right-click on the window to bring up the
+ <para>Right-click the window to bring up the
<application>XMMS</application> menu.</para>
</step>
<step>
- <para>Select <literal>Preference</literal> under
+ <para>Select <literal>Preferences</literal> under
<literal>Options</literal>.</para>
</step>
@@ -685,26 +663,28 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo</screen>
</step>
<step>
- <para>Enter (or choose browse) a directory to write the
+ <para>Enter or browse to a directory to write the
uncompressed files to.</para>
</step>
<step>
- <para>Load the MP3 file into <application>XMMS</application>
- as usual, with volume at 100% and EQ settings turned
- off.</para>
+ <para>Load the <acronym>MP3</acronym> file into
+ <application>XMMS</application> as usual, with volume at
+ 100% and EQ settings turned off.</para>
</step>
<step>
- <para>Press <literal>Play</literal> —
+ <para>Press <literal>Play</literal>. The
<application>XMMS</application> will appear as if it is
- playing the MP3, but no music will be heard. It is
- actually playing the MP3 to a file.</para>
+ playing the <acronym>MP3</acronym>, but no music will be
+ heard. It is actually playing the <acronym>MP3</acronym>
+ to a file.</para>
</step>
<step>
- <para>Be sure to set the default Output Plugin back to what
- it was before in order to listen to MP3s again.</para>
+ <para>When finished, be sure to set the default Output
+ Plugin back to what it was before in order to listen to
+ <acronym>MP3</acronym>s again.</para>
</step>
</procedure>
@@ -719,22 +699,24 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo</screen>
</step>
</procedure>
- <para><application>XMMS</application> writes a file in the WAV
- format, while <application>mpg123</application> converts the
- MP3 into raw PCM audio data. Both of these formats can be
- used with <application>cdrecord</application> to create audio
- CDs. You have to use raw PCM with &man.burncd.8;. If you
- use WAV files, you will notice a small tick sound at the
- beginning of each track, this sound is the header of the WAV
- file. You can simply remove the header of a WAV file with
- the utility <application>SoX</application> (it can be
+ <para><application>XMMS</application> writes a file in the
+ <acronym>WAV</acronym> format, while
+ <application>mpg123</application> converts the
+ <acronym>MP3</acronym> into raw PCM audio data. Both of these
+ formats can be used with <application>cdrecord</application>
+ to create audio CDs, whereas &man.burncd.8; requires a raw
+ Pulse-Code Modulation (<acronym>PCM</acronym>. When using
+ <acronym>WAV</acronym> files, there will be a small tick
+ sound at the beginning of each track. This sound is the
+ header of the <acronym>WAV</acronym> file. One can remove the
+ header with <application>SoX</application>, which can be
installed from the <filename
- role="package">audio/sox</filename> port or package):</para>
+ role="package">audio/sox</filename> port or package:</para>
<screen>&prompt.user; <userinput>sox -t wav -r 44100 -s -w -c 2 <replaceable>track.wav track.raw</replaceable></userinput></screen>
- <para>Read <xref linkend="creating-cds"/> for more information
- on using a CD burner in FreeBSD.</para>
+ <para>Refer to <xref linkend="creating-cds"/> for more
+ information on using a CD burner in &os;.</para>
</sect2>
</sect1>
@@ -752,43 +734,40 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo</screen>
<title>Video Playback</title>
- <para>Video playback is a very new and rapidly developing
- application area. Be patient. Not everything is going to work
- as smoothly as it did with sound.</para>
-
- <para>Before you begin, you should know the model of the video
- card you have and the chip it uses. While
+ <para>Before configuring video playback, determine the model
+ of the video card and the chip it uses. While
<application>&xorg;</application> supports a wide variety of
video cards, fewer give good playback performance. To obtain
- a list of extensions supported by the X server using your card
- use the command &man.xdpyinfo.1; while X11 is running.</para>
+ a list of extensions supported by the
+ <application>&xorg;</application> server using the card, run
+ &man.xdpyinfo.1; while <application>&xorg;</application> is
+ running.</para>
- <para>It is a good idea to have a short MPEG file which can be
- treated as a test file for evaluating various players and
- options. Since some DVD players will look for DVD media in
- <filename>/dev/dvd</filename> by default, or have this device
- name hardcoded in them, you might find it useful to make
+ <para>It is a good idea to have a short MPEG test file for
+ evaluating various players and options. Since some DVD
+ applications look for DVD media in <filename
+ class="directory">/dev/dvd</filename> by default, or have this
+ device name hardcoded in them, it might be useful to make
symbolic links to the proper devices:</para>
<screen>&prompt.root; <userinput>ln -sf /dev/acd0 /dev/dvd</userinput>
&prompt.root; <userinput>ln -sf /dev/acd0 /dev/rdvd</userinput></screen>
- <para>Note that due to the nature of &man.devfs.5;,
- manually created links like these will not persist if you reboot
- your system. In order to create the symbolic links
- automatically whenever you boot your system, add the following
- lines to <filename>/etc/devfs.conf</filename>:</para>
+ <para>Due to the nature of &man.devfs.5;, manually created links
+ will not persist after a system reboot. In order to create the
+ symbolic links automatically when the system boots, add the
+ following lines to <filename>/etc/devfs.conf</filename>:</para>
<programlisting>link acd0 dvd
link acd0 rdvd</programlisting>
- <para>Additionally, DVD decryption, which requires invoking
- special DVD-ROM functions, requires write permission on the DVD
- devices.</para>
+ <para>DVD decryption invokes special DVD-ROM functions and
+ requires write permission on the DVD devices.</para>
- <para>To enhance the shared memory X11 interface, it is
- recommended that the values of some &man.sysctl.8; variables
- should be increased:</para>
+ <para>To enhance the shared memory
+ <application>&xorg;</application> interface, it is
+ recommended to increase the values of these &man.sysctl.8;
+ variables:</para>
<programlisting>kern.ipc.shmmax=67108864
kern.ipc.shmall=32768</programlisting>
@@ -800,32 +779,33 @@ kern.ipc.shmall=32768</programlisting>
<indexterm><primary>SDL</primary></indexterm>
<indexterm><primary>DGA</primary></indexterm>
- <para>There are several possible ways to display video under X11.
- What will really work is largely hardware dependent. Each
- method described below will have varying quality across
- different hardware. Secondly, the rendering of video in X11
- is a topic receiving a lot of attention lately, and with each
- version of <application>&xorg;</application>, there may be
- significant improvement.</para>
+ <para>There are several possible ways to display video under
+ <application>&xorg;</application>. What works is largely
+ hardware dependent. Each method described below will have
+ varying quality across different hardware.</para>
- <para>A list of common video interfaces:</para>
+ <para>Common video interfaces include:</para>
<orderedlist>
<listitem>
- <para>X11: normal X11 output using shared memory.</para>
+ <para><application>&xorg;</application>: normal output using
+ shared memory.</para>
</listitem>
<listitem>
- <para>XVideo: an extension to the X11 interface which supports
- video in any X11 drawable.</para>
+ <para>XVideo: an extension to the
+ <application>&xorg;</application> interface which supports
+ video in any drawable object.</para>
</listitem>
<listitem>
- <para>SDL: the Simple Directmedia Layer.</para>
+ <para><acronym>SDL</acronym>: the Simple Directmedia
+ Layer.</para>
</listitem>
<listitem>
- <para>DGA: the Direct Graphics Access.</para>
+ <para><acronym>DGA</acronym>: the Direct Graphics
+ Access.</para>
</listitem>
<listitem>
@@ -837,9 +817,9 @@ kern.ipc.shmall=32768</programlisting>
<title>XVideo</title>
<para><application>&xorg;</application> has an extension called
- <emphasis>XVideo</emphasis> (aka Xvideo, aka Xv, aka xv) which
- allows video to be directly displayed in drawable objects
- through a special acceleration. This extension provides very
+ <emphasis>XVideo</emphasis>, also known as Xvideo, Xv, and xv.
+ It allows video to be directly displayed in drawable objects
+ through a special acceleration. This extension provides
good quality playback even on low-end machines.</para>
<para>To check whether the extension is running, use
@@ -847,7 +827,7 @@ kern.ipc.shmall=32768</programlisting>
<screen>&prompt.user; <userinput>xvinfo</userinput></screen>
- <para>XVideo is supported for your card if the result looks
+ <para>XVideo is supported for the card if the result looks
like:</para>
<screen>X-Video Extension version 2.2
@@ -919,9 +899,9 @@ kern.ipc.shmall=32768</programlisting>
depth: 1
red, green, blue masks: 0x0, 0x0, 0x0</screen>
- <para>Also note that the formats listed (YUV2, YUV12, etc) are
- not present with every implementation of XVideo and their
- absence may hinder some players.</para>
+ <para>The formats listed, such as YUV2 and YUV12, are not present
+ with every implementation of XVideo and their absence may hinder
+ some players.</para>
<para>If the result looks like:</para>
@@ -929,15 +909,11 @@ kern.ipc.shmall=32768</programlisting>
screen #0
no adaptors present</screen>
- <para>Then XVideo is probably not supported for your card.</para>
-
- <para>If XVideo is not supported for your card, this only means
- that it will be more difficult for your display to meet the
- computational demands of rendering video. Depending on your
- video card and processor, though, you might still be able to
- have a satisfying experience. You should probably read about
- ways of improving performance in the advanced reading <xref
- linkend="video-further-reading"/>.</para>
+ <para>XVideo is probably not supported for the card. This means
+ that it will be more difficult for the display to meet the
+ computational demands of rendering video. Depending on the
+ video card and processor, one might still be able to have a
+ satisfying experience.</para>
</sect3>
@@ -949,26 +925,28 @@ no adaptors present</screen>
allowing cross-platform applications to be developed which make
efficient use of sound and graphics. The SDL layer provides a
low-level abstraction to the hardware which can sometimes be
- more efficient than the X11 interface.</para>
+ more efficient than the <application>&xorg;</application>
+ interface.</para>
- <para>The SDL can be found at <filename
- role="package">devel/sdl12</filename>.</para>
+ <para><acronym>SDL</acronym> can be installed using the <filename
+ role="package">devel/sdl12</filename> package or port.</para>
</sect3>
<sect3 id="video-interface-DGA">
<title>Direct Graphics Access</title>
- <para>Direct Graphics Access is an X11 extension which allows
- a program to bypass the X server and directly alter the
- framebuffer. Because it relies on a low level memory mapping to
- effect this sharing, programs using it must be run as
+ <para><acronym>DGA</acronym> is an
+ <application>&xorg;</application> extension which allows a
+ program to bypass the <application>&xorg;</application> server
+ and directly alter the framebuffer. Because it relies on a low
+ level memory mapping, programs using it must be run as
<username>root</username>.</para>
- <para>The DGA extension can be tested and benchmarked by
- &man.dga.1;. When <command>dga</command> is running, it
- changes the colors of the display whenever a key is pressed. To
- quit, use <keycap>q</keycap>.</para>
+ <para>The <acronym>DGA</acronym> extension can be tested and
+ benchmarked using &man.dga.1;. When <command>dga</command> is
+ running, it changes the colors of the display whenever a key is
+ pressed. To quit, press <keycap>q</keycap>.</para>
</sect3>
</sect2>
@@ -979,17 +957,14 @@ no adaptors present</screen>
<indexterm><primary>video ports</primary></indexterm>
<indexterm><primary>video packages</primary></indexterm>
- <para>This section discusses the software available from the
- FreeBSD Ports Collection which can be used for video playback.
- Video playback is a very active area of software development,
- and the capabilities of various applications are bound to
- diverge somewhat from the descriptions given here.</para>
+ <para>This section introduces some of the software available from
+ the &os; Ports Collection which can be used for video
+ playback.</para>
- <para>Firstly, it is important to know that many of the video
- applications which run on FreeBSD were developed as Linux
- applications. Many of these applications are still
- beta-quality. Some of the problems that you may encounter with
- video packages on FreeBSD include:</para>
+ <para>Many of the video applications which run on &os; were
+ developed as &linux; applications. Many of these applications
+ are still beta-quality. Some of the problems commonly
+ encountered with video packages on &os; include:</para>
<orderedlist>
@@ -1010,8 +985,8 @@ no adaptors present</screen>
</listitem>
<listitem>
- <para>A seemingly trivial filter like rescaling of the image
- size results in very bad artifacts from a buggy rescaling
+ <para>A seemingly trivial filter, like rescaling of the image
+ size, results in bad artifacts from a buggy rescaling
routine.</para>
</listitem>
@@ -1028,14 +1003,13 @@ no adaptors present</screen>
</orderedlist>
- <para>Many of these applications may also exhibit
- <quote>Linux-isms</quote>. That is, there may be issues
- resulting from the way some standard libraries are
- implemented in the Linux distributions, or some features of
- the Linux kernel which have been assumed by the authors of the
- applications. These issues are not always noticed and worked
- around by the port maintainers, which can lead to problems like
- these:</para>
+ <para>Many applications may also exhibit
+ <quote>&linux;-isms</quote>. There may be issues resulting from
+ the way some standard libraries are implemented in the &linux;
+ distributions, or some features of the &linux; kernel which have
+ been assumed by the authors of the applications. These issues
+ are not always noticed and worked around by the port
+ maintainers, which can lead to problems like these:</para>
<orderedlist>
<listitem>
@@ -1049,29 +1023,19 @@ no adaptors present</screen>
</listitem>
<listitem>
- <para>Software not yet in the FreeBSD Ports Collection
- which is commonly used in conjunction with the
- application.</para>
+ <para>Relies on software which is not yet available in the
+ &os; Ports Collection.</para>
</listitem>
</orderedlist>
- <para>So far, these application developers have been cooperative
- with port maintainers to minimize the work-arounds needed for
- port-ing.</para>
-
<sect3 id="video-mplayer">
<title>MPlayer</title>
- <para><application>MPlayer</application> is a recently developed
- and rapidly developing video player. The goals of the
- <application>MPlayer</application> team are speed and
- flexibility on Linux and other Unices. The project was
- started when the team founder got fed up with bad playback
- performance on then available players. Some would say that
- the graphical interface has been sacrificed for a streamlined
- design. However, once you get used to the command line
- options and the key-stroke controls, it works very
- well.</para>
+ <para><application>MPlayer</application> is a command-line video
+ player with an optional graphical interface which aims to
+ provide speed and flexibility. This application, as well as
+ other graphical front-ends, is available from the &os; Ports
+ Collection.</para>
<sect4 id="video-mplayer-building">
<title>Building MPlayer</title>
@@ -1079,54 +1043,33 @@ no adaptors present</screen>
<indexterm><primary>MPlayer</primary>
<secondary>making</secondary></indexterm>
- <para><application>MPlayer</application> resides in <filename
- role="package">multimedia/mplayer</filename>.
- <application>MPlayer</application> performs a variety of
- hardware checks during the build process, resulting in a
- binary which will not be portable from one system to
- another. Therefore, it is important to build it from
- ports and not to use a binary package. Additionally, a
- number of options can be specified in the
- <command>make</command> command line, as described in the
- <filename>Makefile</filename> and at the start of the
- build:</para>
+ <para><application>MPlayer</application> is available as a
+ package or port in <filename
+ role="package">multimedia/mplayer</filename>. Several
+ compile options are available and a variety of hardware
+ checks occur during the build process. For these reasons,
+ some users prefer to build the port rather than install the
+ package. The available options will be displayed in a
+ menu after these commands are input:</para>
<screen>&prompt.root; <userinput>cd /usr/ports/multimedia/mplayer</userinput>
-&prompt.root; <userinput>make</userinput>
-N - O - T - E
+&prompt.root; <userinput>make</userinput></screen>
-Take a careful look into the Makefile in order
-to learn how to tune mplayer towards you personal preferences!
-For example,
-make WITH_GTK1
-builds MPlayer with GTK1-GUI support.
-If you want to use the GUI, you can either install
-/usr/ports/multimedia/mplayer-skins
-or download official skin collections from
-http://www.mplayerhq.hu/homepage/dload.html</screen>
+ <para>The menu options should be reviewed to determine the
+ type of support to compile into the port. If an option is
+ not selected, <application>MPlayer</application> will not be
+ able to display that type of video format. Use the arrow
+ keys and spacebar to select the required formats. When
+ finished, press <keycap>Enter</keycap> to continue the port
+ compile and installation.</para>
- <para>The default port options should be sufficient for most
- users. However, if you need the XviD codec, you have to
- specify the <makevar>WITH_XVID</makevar> option in the
- command line. The default DVD device can also be defined
- with the <makevar>WITH_DVD_DEVICE</makevar> option, by
- default <filename>/dev/acd0</filename> will be used.</para>
-
- <para>As of this writing, the
- <application>MPlayer</application> port will build its HTML
- documentation and two executables,
- <command>mplayer</command>, and <command>mencoder</command>,
- which is a tool for re-encoding video.</para>
-
- <para>The HTML documentation for
- <application>MPlayer</application> is very informative.
- If the reader finds the information on video hardware and
- interfaces in this chapter lacking, the
- <application>MPlayer</application> documentation is a very
- thorough supplement. You should definitely take the time
- to read the <application>MPlayer</application> documentation
- if you are looking for information about video support in
- &unix;.</para>
+ <para>By default, this package or port will build the
+ <command>mplayer</command> command line utility and the
+ <command>gmplayer</command> graphical utility. To encode
+ videos, install the <filename
+ role="package">multimedia/mencoder</filename> port. Due
+ to licensing restrictions, a package is not available for
+ <command>MEncoder</command>.</para>
</sect4>
@@ -1136,23 +1079,20 @@ http://www.mplayerhq.hu/homepage/dload.html</screen>
<indexterm><primary>MPlayer</primary>
<secondary>use</secondary></indexterm>
- <para>Any user of <application>MPlayer</application> must set
- up a <filename>.mplayer</filename> subdirectory of her
- home directory. To create this necessary subdirectory,
- you can type the following:</para>
+ <para>The first time <application>MPlayer</application> is
+ run, it will create <filename
+ class="directory">~/.mplayer</filename> in the user's
+ home directory. This subdirectory contains default versions
+ of the user-specific configuration files.</para>
- <screen>&prompt.user; <userinput>cd /usr/ports/multimedia/mplayer</userinput>
-&prompt.user; <userinput>make install-user</userinput></screen>
+ <para>This section describes only a few common uses. Refer
+ to the <command>mplayer</command> manual page for a complete
+ description of its numerous options.</para>
- <para>The command options for <command>mplayer</command> are
- listed in the manual page. For even more detail there is
- HTML documentation. In this section, we will describe only
- a few common uses.</para>
-
- <para>To play a file, such as
+ <para>To play the file
<filename><replaceable>testfile.avi</replaceable></filename>,
- through one of the various video interfaces set the
- <option>-vo</option> option:</para>
+ specify the video interfaces with
+ <option>-vo</option>:</para>
<screen>&prompt.user; <userinput>mplayer -vo xv <replaceable>testfile.avi</replaceable></userinput></screen>
@@ -1168,46 +1108,47 @@ http://www.mplayerhq.hu/homepage/dload.html</screen>
relative performance depends on many factors and will vary
significantly with hardware.</para>
- <para>To play from a DVD, replace the
+ <para>To play a DVD, replace the
<filename><replaceable>testfile.avi</replaceable></filename>
with <option>dvd://<replaceable>N</replaceable> -dvd-device
- <replaceable>DEVICE</replaceable></option> where
+ <replaceable>DEVICE</replaceable></option>, where
<replaceable>N</replaceable> is the title number to play
and <filename><replaceable>DEVICE</replaceable></filename>
is the device node for the DVD-ROM. For example, to play
- title 3 from <filename>/dev/dvd</filename>:</para>
+ title 3 from <devicename>/dev/dvd</devicename>:</para>
<screen>&prompt.root; <userinput>mplayer -vo xv dvd://3 -dvd-device /dev/dvd</userinput></screen>
<note>
<para>The default DVD device can be defined during the build
- of the <application>MPlayer</application> port via the
- <makevar>WITH_DVD_DEVICE</makevar> option. By default,
- this device is <filename>/dev/acd0</filename>. More
- details can be found in the port
- <filename>Makefile</filename>.</para>
+ of the <application>MPlayer</application> port by
+ including the
+ <makevar>WITH_DVD_DEVICE=/path/to/desired/device</makevar>
+ option. By default, the device is
+ <filename>/dev/acd0</filename>. More details can be found
+ in the port's
+ <filename>Makefile.options</filename>.</para>
</note>
- <para>To stop, pause, advance and so on, consult the
- keybindings, which are output by running <command>mplayer
- -h</command> or read the manual page.</para>
+ <para>To stop, pause, advance, and so on, consult the
+ keybindings, which are displayed by running <command>mplayer
+ -h</command>, or read the manual page.</para>
- <para>Additional important options for playback are:
- <option>-fs -zoom</option> which engages the fullscreen mode
- and <option>-framedrop</option> which helps
+ <para>Additional playback options include
+ <option>-fs -zoom</option>, which engages fullscreen mode,
+ and <option>-framedrop</option>, which helps
performance.</para>
- <para>In order for the mplayer command line to not become too
- large, the user can create a file
- <filename>.mplayer/config</filename> and set default options
- there:</para>
+ <para>Each user can add commonly used options to their
+ <filename>~/.mplayer/config</filename> like so:</para>
+
<programlisting>vo=xv
fs=yes
zoom=yes</programlisting>
- <para>Finally, <command>mplayer</command> can be used to rip a
- DVD title into a <filename>.vob</filename> file. To dump
- out the second title from a DVD, type this:</para>
+ <para><command>mplayer</command> can be used to rip a DVD
+ title to a <filename>.vob</filename>. To dump the second
+ title from a DVD:</para>
<screen>&prompt.root; <userinput>mplayer -dumpstream -dumpfile out.vob dvd://2 -dvd-device /dev/dvd</userinput></screen>
@@ -1215,87 +1156,86 @@ zoom=yes</programlisting>
MPEG and can be manipulated by the other packages described
in this section.</para>
+ <para>The <ulink url="http://www.mplayerhq.hu/DOCS/">MPlayer
+ documentation</ulink> is technically informative and
+ should be consulted by anyone wishing to obtain a high level
+ of expertise with &unix; video. The
+ <application>MPlayer</application> mailing list is hostile
+ to anyone who has not bothered to read the documentation, so
+ before making a bug report, read the documentation
+ first.</para>
+
</sect4>
<sect4 id="video-mencoder">
- <title>mencoder</title>
+ <title><application>MEncoder</application></title>
<indexterm>
<primary>mencoder</primary>
</indexterm>
- <para>Before using <command>mencoder</command> it is a good
- idea to familiarize yourself with the options from the HTML
- documentation. There is a manual page, but it is not very
- useful without the HTML documentation. There are
- innumerable ways to improve quality, lower bitrate, and
- change formats, and some of these tricks may make the
- difference between good or bad performance. Here are a
- couple of examples to get you going. First a simple
- copy:</para>
+ <para>Before using <command>mencoder</command>, it is a good
+ idea to become familiar with the options described in the
+ <ulink
+ url="http://www.mplayerhq.hu/DOCS/HTML/en/mencoder.html">HTML
+ documentation</ulink>. There are innumerable ways to
+ improve quality, lower bitrate, and change formats, and some
+ of these options may make the difference between good or bad
+ performance. Improper combinations of command line options
+ can yield output files that are unplayable even by
+ <command>mplayer</command>.</para>
+
+ <para>Here is an example of a simple copy:</para>
<screen>&prompt.user; <userinput>mencoder <replaceable>input.avi</replaceable> -oac copy -ovc copy -o <replaceable>output.avi</replaceable></userinput></screen>
- <para>Improper combinations of command line options can yield
- output files that are unplayable even by
- <command>mplayer</command>. Thus, if you just want to rip
- to a file, stick to the <option>-dumpfile</option> in
+ <para>To rip to a file, use <option>-dumpfile</option> with
<command>mplayer</command>.</para>
<para>To convert
<filename><replaceable>input.avi</replaceable></filename>
- to the MPEG4 codec with MPEG3 audio encoding (<filename
- role="package">audio/lame</filename> is required):</para>
+ to the MPEG4 codec with MPEG3 audio encoding, first install
+ the <filename role="package">audio/lame</filename> port.
+ Due to licensing restrictions, a package is not available.
+ Once installed, type:</para>
<screen>&prompt.user; <userinput>mencoder <replaceable>input.avi</replaceable> -oac mp3lame -lameopts br=192 \
-ovc lavc -lavcopts vcodec=mpeg4:vhq -o <replaceable>output.avi</replaceable></userinput></screen>
- <para>This has produced output playable by
- <command>mplayer</command> and
+ <para>This will produce output playable by applications such
+ as <command>mplayer</command> and
<command>xine</command>.</para>
<para><filename><replaceable>input.avi</replaceable></filename>
can be replaced with <option>dvd://1 -dvd-device
/dev/dvd</option> and run as <username>root</username>
- to re-encode a DVD title directly. Since you are likely
- to be dissatisfied with your results the first time around,
- it is recommended you dump the title to a file and work on
- the file.</para>
+ to re-encode a DVD title directly. Since it may take a few
+ tries to get the desired result, it is recommended to dump
+ the title to a file and to work on the file.</para>
</sect4>
</sect3>
<sect3 id="video-xine">
- <title>The xine Video Player</title>
+ <title>The <application>xine</application> Video Player</title>
- <para>The <application>xine</application> video player is a
- project of wide scope aiming not only at being an all in one
- video solution, but also in producing a reusable base library
- and a modular executable which can be extended with plugins.
- It comes both as a package and as a port, <filename
- role="package">multimedia/xine</filename>.</para>
+ <para><application>xine</application> is a video player with a
+ reusable base library and a modular executable which can be
+ extended with plugins. It can be installed using the
+ <filename role="package">multimedia/xine</filename> package or
+ port.</para>
- <para>The <application>xine</application> player
- is still very rough around the edges, but it is clearly off
- to a good start. In practice, <application>xine</application>
- requires either a fast CPU with a fast video card, or support
- for the XVideo extension. The GUI is usable, but a bit
- clumsy.</para>
-
- <para>As of this writing, there is no input module shipped with
- <application>xine</application> which will play CSS encoded
- DVDs. There are third party builds which do have modules for
- this built in them, but none of these are in the FreeBSD Ports
- Collection.</para>
-
- <para>Compared to <application>MPlayer</application>,
- <application>xine</application> does more for the user, but
- at the same time, takes some of the more fine-grained control
- away from the user. The <application>xine</application> video
+ <para>In practice, <application>xine</application> requires
+ either a fast CPU with a fast video card, or support for the
+ XVideo extension. The <application>xine</application> video
player performs best on XVideo interfaces.</para>
- <para>By default, <application>xine</application> player will
- start up in a graphical user interface. The menus can then
- be used to open a specific file:</para>
+ <para>By default, the <application>xine</application> player
+ starts a graphical user interface. The menus can then be used
+ to open a specific file.</para>
+
+ <para>Alternatively, <application>xine</application> may be
+ invoked to play a file immediately without the graphical
+ interface:</para>
<screen>&prompt.user; <userinput>xine</userinput></screen>
@@ -1304,33 +1244,37 @@ zoom=yes</programlisting>
<screen>&prompt.user; <userinput>xine -g -p <replaceable>mymovie.avi</replaceable></userinput></screen>
+ <para>The <ulink
+ url="http://dvd.sourceforge.net/xine-howto/en_GB/html/howto.html">
+ xine HOWTO</ulink> contains a chapter on performance
+ improvement which is general to all players.</para>
</sect3>
<sect3 id="video-ports-transcode">
- <title>The transcode Utilities</title>
+ <title>The <application>transcode</application>
+ Utilities</title>
- <para>The software <application>transcode</application> is not a
- player, but a suite of tools for re-encoding video and audio
- files. With <application>transcode</application>, one has the
- ability to merge video files, repair broken files, using
- command line tools with <filename>stdin/stdout</filename>
- stream interfaces.</para>
+ <para><application>transcode</application> provides a suite of
+ tools for re-encoding video and audio files.
+ <application>transcode</application> can be used to merge
+ video files or repair broken files using command line tools
+ with <filename>stdin/stdout</filename> stream
+ interfaces.</para>
- <para>A great number of options can be specified during the
- build from the <filename
- role="package">multimedia/transcode</filename> port, we
- recommend the following command line to build
- <application>transcode</application>:</para>
+ <para><application>transcode</application> can be installed
+ using the <filename
+ role="package">multimedia/transcode</filename> package or
+ port. Many users prefer to compile the port as it provides a
+ menu of compile options for specifying the support and codecs
+ to compile in. If an option is not selected,
+ <application>transcode</application> will not be able to
+ encode that format. Use the arrow keys and spacebar to select
+ the required formats. When finished, press
+ <keycap>Enter</keycap> to continue the port compile and
+ installation.</para>
- <screen>&prompt.root; <userinput>make WITH_OPTIMIZED_CFLAGS=yes WITH_LIBA52=yes WITH_LAME=yes WITH_OGG=yes \
-WITH_MJPEG=yes -DWITH_XVID=yes</userinput></screen>
-
- <para>The proposed settings should be sufficient for most
- users.</para>
-
- <para>To illustrate <command>transcode</command> capacities, one
- example to show how to convert a DivX file into a PAL MPEG-1
- file (PAL VCD):</para>
+ <para>This example demonstrates how to convert a DivX file into
+ a PAL MPEG-1 file (PAL VCD):</para>
<screen>&prompt.user; <userinput>transcode -i
<replaceable>input.avi</replaceable> -V --export_prof vcd-pal -o output_vcd</userinput>
@@ -1339,75 +1283,17 @@ WITH_MJPEG=yes -DWITH_XVID=yes</userinput></screen>
<para>The resulting MPEG file,
<filename><replaceable>output_vcd.mpg</replaceable></filename>,
is ready to be played with <application>MPlayer</application>.
- You could even burn the file on a CD-R media to create a Video
- CD, in this case you will need to install and use both <filename
+ The file can be burned on a CD-R media to create a Video CD. In
+ this, install and use the <filename
role="package">multimedia/vcdimager</filename> and <filename
role="package">sysutils/cdrdao</filename> programs.</para>
- <para>There is a manual page for <command>transcode</command>, but
- you should also consult the <ulink
+ <para>In addition to the manual page for
+ <command>transcode</command>, refer to the <ulink
url="http://www.transcoding.org/cgi-bin/transcode">transcode
wiki</ulink> for further information and examples.</para>
</sect3>
</sect2>
-
- <sect2 id="video-further-reading">
- <title>Further Reading</title>
-
- <para>The various video software packages for FreeBSD are
- developing rapidly. It is quite possible that in the near
- future many of the problems discussed here will have been
- resolved. In the mean time, those who want to get the very
- most out of FreeBSD's A/V capabilities will have to cobble
- together knowledge from several FAQs and tutorials and use a
- few different applications. This section exists to give the
- reader pointers to such additional information.</para>
-
- <para>The <ulink url="http://www.mplayerhq.hu/DOCS/">MPlayer
- documentation</ulink> is very technically informative.
- These documents should probably be consulted by anyone wishing
- to obtain a high level of expertise with &unix; video. The
- <application>MPlayer</application> mailing list is hostile to
- anyone who has not bothered to read the documentation, so if
- you plan on making bug reports to them, RTFM.</para>
-
- <para>The <ulink
- url="http://dvd.sourceforge.net/xine-howto/en_GB/html/howto.html">
- xine HOWTO</ulink> contains a chapter on performance improvement
- which is general to all players.</para>
-
- <para>Finally, there are some other promising applications which
- the reader may try:</para>
-
- <itemizedlist>
- <listitem>
- <para><ulink
- url="http://avifile.sourceforge.net/">Avifile</ulink>
- which is also a port <filename
- role='package'>multimedia/avifile</filename>.</para>
- </listitem>
-
- <listitem>
- <para><ulink
- url="http://www.dtek.chalmers.se/groups/dvd/">Ogle</ulink>
- which is also a port <filename
- role='package'>multimedia/ogle</filename>.</para>
- </listitem>
-
- <listitem>
- <para><ulink
- url="http://xtheater.sourceforge.net/">Xtheater</ulink></para>
- </listitem>
-
- <listitem>
- <para><filename
- role="package">multimedia/dvdauthor</filename>, an open
- source package for authoring DVD content.</para>
- </listitem>
-
- </itemizedlist>
-
- </sect2>
</sect1>
<sect1 id="tvcard">
@@ -1438,44 +1324,43 @@ WITH_MJPEG=yes -DWITH_XVID=yes</userinput></screen>
<sect2>
<title>Introduction</title>
- <para>TV cards allow you to watch broadcast or cable TV on your
- computer. Most of them accept composite video via an RCA or
- S-video input and some of these cards come with a FM radio
- tuner.</para>
+ <para>TV cards allow can be used to watch broadcast or cable TV on
+ a computer. Most cards accept composite video via an RCA or
+ S-video input and some cards include a FM radio tuner.</para>
<para>&os; provides support for PCI-based TV cards using a
Brooktree Bt848/849/878/879 or a Conexant CN-878/Fusion 878a
- Video Capture Chip with the &man.bktr.4; driver. You must
- also ensure the board comes with a supported tuner, consult
- the &man.bktr.4; manual page for a list of supported
- tuners.</para>
+ video capture chip with the &man.bktr.4; driver. Ensure the
+ board comes with a supported tuner. Consult &man.bktr.4; for a
+ list of supported tuners.</para>
</sect2>
<sect2>
- <title>Adding the Driver</title>
+ <title>Loading the Driver</title>
- <para>To use your card, you will need to load the &man.bktr.4;
- driver, this can be done by adding the following line to the
- <filename>/boot/loader.conf</filename> file like this:</para>
+ <para>In order to use the card, the &man.bktr.4; driver must be
+ loaded. To automate this at boot time, add the following line
+ to <filename>/boot/loader.conf</filename>:</para>
<programlisting>bktr_load="YES"</programlisting>
- <para>Alternatively, you may statically compile the support for
- the TV card in your kernel, in that case add the following
- lines to your kernel configuration:</para>
+ <para>Alternatively, one can statically compile support for
+ the TV card into a custom kernel. In that case, add the
+ following lines to the custom kernel configuration
+ file:</para>
<programlisting>device bktr
device iicbus
device iicbb
device smbus</programlisting>
- <para>These additional device drivers are necessary because
- of the card components being interconnected via an I2C bus.
- Then build and install a new kernel.</para>
+ <para>These additional devices are necessary as the card
+ components are interconnected via an I2C bus. Then, build and
+ install a new kernel.</para>
- <para>Once the support was added to your system, you have to
- reboot your machine. During the boot process, your TV card
- should show up, like this:</para>
+ <para>To test the driver, reboot the system. The TV card
+ should appear in the boot messages, as seen in this
+ example:</para>
<programlisting>bktr0: <BrookTree 848A> mem 0xd7000000-0xd7000fff irq 10 at device 10.0 on pci0
iicbb0: <I2C bit-banging driver> on bti2c0
@@ -1484,30 +1369,30 @@ iicbus1: <Philips I2C bus> on iicbb0 master-only
smbus0: <System Management Bus> on bti2c0
bktr0: Pinnacle/Miro TV, Philips SECAM tuner.</programlisting>
- <para>Of course these messages can differ according to your
- hardware. However you should check if the tuner is correctly
- detected; it is still possible to override some of the
- detected parameters with &man.sysctl.8; MIBs and kernel
- configuration file options. For example, if you want to force
- the tuner to a Philips SECAM tuner, you should add the
- following line to your kernel configuration file:</para>
+ <para>The messages will differ according to the hardware. Check
+ the messages to determine if the tuner is correctly detected.
+ It is still possible to override some of the detected
+ parameters with &man.sysctl.8; MIBs and kernel configuration
+ file options. For example, to force the tuner to a Philips
+ SECAM tuner, add the following line to a custom kernel
+ configuration file:</para>
<programlisting>options OVERRIDE_TUNER=6</programlisting>
- <para>or you can directly use &man.sysctl.8;:</para>
+ <para>or, use &man.sysctl.8;:</para>
<screen>&prompt.root; <userinput>sysctl hw.bt848.tuner=6</userinput></screen>
- <para>See the &man.bktr.4; manual page and the
- <filename>/usr/src/sys/conf/NOTES</filename> file for more
+ <para>Refer to &man.bktr.4; and
+ <filename>/usr/src/sys/conf/NOTES</filename> for more
details on the available options.</para>
</sect2>
<sect2>
<title>Useful Applications</title>
- <para>To use your TV card you need to install one of the
- following applications:</para>
+ <para>To use the TV card, install one of the following
+ applications:</para>
<itemizedlist>
<listitem>
@@ -1517,21 +1402,12 @@ bktr0: Pinnacle/Miro TV, Philips SECAM tuner.</programlisting>
</listitem>
<listitem>
<para><filename role="package">multimedia/xawtv</filename>
- is also a TV application, with the same features as
- <application>fxtv</application>.</para>
+ is another TV application with similar features.</para>
</listitem>
<listitem>
- <para><filename role="package">misc/alevt</filename> decodes
- and displays Videotext/Teletext.</para>
- </listitem>
- <listitem>
- <para><filename role="package">audio/xmradio</filename>, an
- application to use the FM radio tuner coming with some
- TV cards.</para>
- </listitem>
- <listitem>
- <para><filename role="package">audio/wmtune</filename>, a
- handy desktop application for radio tuners.</para>
+ <para><filename role="package">audio/xmradio</filename>
+ provides an application for using the FM radio tuner of a
+ TV card.</para>
</listitem>
</itemizedlist>
@@ -1542,62 +1418,28 @@ bktr0: Pinnacle/Miro TV, Philips SECAM tuner.</programlisting>
<sect2>
<title>Troubleshooting</title>
- <para>If you encounter any problem with your TV card, you should
- check at first if the video capture chip and the tuner are
- really supported by the &man.bktr.4; driver and if you used
- the right configuration options. For more support and various
- questions about your TV card you may want to contact and use
- the archives of the &a.multimedia.name; mailing list.</para>
+ <para>If any problems are encountered with the TV card,
+ check that the video capture chip and the tuner are
+ supported by &man.bktr.4; and that the right configuration
+ options were used. For more support and various questions
+ about TV cards, refer to the archives of the
+ &a.multimedia.name; mailing list.</para>
</sect2>
</sect1>
<sect1 id="mythtv">
<title>MythTV</title>
- <para>MythTV is an open source <acronym
- role="Personal Video Recorder">PVR</acronym> software
- project.</para>
+ <para>MythTV is a popular, open source <acronym
+ role="Personal Video Recorder">PVR</acronym>
+ application. This section demonstrates how to install and
+ setup MythTV on &os;. Refer to the <ulink
+ url="http://www.mythtv.org/wiki/">MythTV wiki</ulink> for
+ more information on how to use MythTV.</para>
- <para>It is well-known in the &linux; world as a complex
- application with many dependencies, and therefore difficult to
- install. The &os; ports system simplifies much of the process,
- but some components must be set up manually. This section is
- intended to help and guide in setting up MythTV.</para>
-
- <sect2>
- <title>Hardware</title>
-
- <para>MythTV is designed to utilise <acronym
- role="Video for Linux">V4L</acronym> to access video input
- devices such as encoders and tuners. At this time, MythTV
- works best with <acronym role="Universal Serial
- Bus">USB</acronym> DVB-S/C/T cards supported by <filename
- role="package">multimedia/webcamd</filename> because
- <application>webcamd</application> provides a <acronym
- role="Video for Linux">V4L</acronym> userland application.
- Any <acronym role="Digital Video Broadcasting">DVB</acronym>
- card supported by <application>webcamd</application> should
- work with MythTV, but a list of known working cards can be
- found <ulink
- url="http://wiki.freebsd.org/WebcamCompat">here</ulink>.
- There are also drivers available for Hauppauge cards in the
- following packages: <filename
- role="package">multimedia/pvr250</filename> and <filename
- role="package">multimedia/pvrxxx</filename>, but they
- provide a non-standard driver interface that does not work
- with versions of MythTV greater than 0.23.</para>
-
- <para><ulink url="http://wiki.freebsd.org/HTPC">HTPC</ulink>
- contains a list of all available <acronym
- role="Digital Video Broadcasting">DVB</acronym>
- drivers.</para>
- </sect2>
-
- <sect2>
- <title>Dependencies</title>
-
- <para>Being flexible and modular, MythTV allows the user to
- have the frontend and backend on different machines.</para>
+ <para>MythTV requires a frontend and a backend; however,
+ it allows the user to have the frontend and backend on
+ different machines.</para>
<para>For the frontend, <filename
role="package">multimedia/mythtv-frontend</filename> is
@@ -1605,29 +1447,56 @@ bktr0: Pinnacle/Miro TV, Philips SECAM tuner.</programlisting>
<filename role="package">x11/xorg</filename>. Ideally, the
frontend computer also has a video card that supports <acronym
role="X-Video Motion Compensation">XvMC</acronym> and,
- optionally, a <acronym
- role="Linux Infrared Remote
- Control">LIRC</acronym>-compatible
- remote.</para>
+ optionally, a <acronym role="Linux Infrared Remote
+ Control">LIRC</acronym>-compatible remote.</para>
<para>For the backend, <filename
role="package">multimedia/mythtv</filename> is required,
- as well as a &mysql; database, and optionally a tuner and
- storage for recordings. The &mysql; package should be
- automatically installed as a dependency when installing
+ along with the &mysql; database server. Optionally a tuner
+ and storage for any recorded data. The &mysql; package should
+ be automatically installed as a dependency when installing
<filename role="package">multimedia/mythtv</filename>.</para>
+
+ <sect2>
+ <title>Hardware</title>
+
+ <para>MythTV is designed to utilize <acronym
+ role="Video for Linux">V4L</acronym> to access video input
+ devices such as encoders and tuners. At this time, MythTV
+ works best with <acronym role="Universal Serial
+ Bus">USB</acronym> DVB-S/C/T cards supported by <filename
+ role="package">multimedia/webcamd</filename>, as it provides
+ a <acronym
+ role="Video for Linux">V4L</acronym> userland application.
+ Any <acronym role="Digital Video Broadcasting">DVB</acronym>
+ card supported by <application>webcamd</application> should
+ work with MythTV. A list of known working cards can be
+ found <ulink
+ url="http://wiki.freebsd.org/WebcamCompat">here</ulink>.
+ Drivers are also available for Hauppauge cards in the
+ following ports: <filename
+ role="package">multimedia/pvr250</filename> and <filename
+ role="package">multimedia/pvrxxx</filename>, but they
+ provide a non-standard driver interface that does not work
+ with versions of MythTV greater than 0.23. Due to licensing
+ restrictions, no packages are available and these two ports
+ must be compiled.</para>
+
+ <para>The <ulink url="http://wiki.freebsd.org/HTPC">HTPC
+ wiki page</ulink> contains a list of all available <acronym
+ role="Digital Video Broadcasting">DVB</acronym>
+ drivers.</para>
</sect2>
<sect2>
<title>Setting up MythTV</title>
- <para>To install MythTV, use the following steps. First,
- install MythTV from the &os; Ports collection:</para>
+ <para>To install the MythTV port:</para>
<screen>&prompt.root; <userinput>cd /usr/ports/multimedia/mythtv</userinput>
&prompt.root; <userinput>make install</userinput></screen>
- <para>Set up the MythTV database:</para>
+ <para>Once installed, set up the MythTV database:</para>
<screen>&prompt.root; <userinput>mysql -uroot -p < /usr/local/share/mythtv/database/mc.sql</userinput></screen>
@@ -1637,7 +1506,7 @@ bktr0: Pinnacle/Miro TV, Philips SECAM tuner.</programlisting>
<para>Start the backend:</para>
- <screen>&prompt.root; <userinput>echo 'mythbackend_enable="YES"' >> /etc/rc.conf</userinput>
+ <screen>&prompt.root; <userinput>echo 'mythbackend_enable="YES"' >> /etc/rc.conf</userinput>
&prompt.root; <userinput>service mythbackend start</userinput></screen>
</sect2>
</sect1>
@@ -1660,40 +1529,35 @@ bktr0: Pinnacle/Miro TV, Philips SECAM tuner.</programlisting>
<primary>image scanners</primary>
</indexterm>
- <sect2>
- <title>Introduction</title>
+ <para>In &os;, access to image scanners is provided by the
+ <application>SANE</application> (Scanner Access Now Easy)
+ <acronym role="Application Programming
+ Interface">API</acronym> available through the &os; Ports
+ Collection. <application>SANE</application> will also use
+ some &os; device drivers to provide access to the scanner
+ hardware.</para>
- <para>In &os;, access to image scanners is provided
- by the <application>SANE</application> (Scanner Access Now
- Easy) <acronym role="Application Programming
- Interface">API</acronym> available through the &os; Ports
- Collection. <application>SANE</application> will also use
- some &os; device drivers to access to the scanner
- hardware.</para>
-
- <para>&os; supports both SCSI and USB scanners. Be sure your
- scanner is supported by <application>SANE</application> prior
- to performing any configuration.
- <application>SANE</application> has a <ulink
- url="http://www.sane-project.org/sane-supported-devices.html">supported
- devices</ulink> list that can provide you with information
- about the support for a scanner and its status.</para>
- </sect2>
+ <para>&os; supports both SCSI and USB scanners. Be sure the
+ scanner is supported by <application>SANE</application> prior
+ to performing any configuration. Refer to the <ulink
+ url="http://www.sane-project.org/sane-supported-devices.html">
+ supported devices list</ulink> for more information about supported
+ scanners.</para>
<sect2>
<title>Kernel Configuration</title>
- <para>As mentioned above both SCSI and USB interfaces are
- supported. According to your scanner interface, different
- device drivers are required.</para>
+ <para>Both SCSI and USB interfaces are supported. Depending
+ upon the scanner interface, different device drivers are
+ required.</para>
<sect3 id="scanners-kernel-usb">
<title>USB Interface</title>
<para>The <filename>GENERIC</filename> kernel by default
includes the device drivers needed to support USB scanners.
- Should you decide to use a custom kernel, be sure that the
- following lines are present in your kernel configuration
+ Users with a custom kernel should ensure that the following
+ lines are present in the custom kernel configuration
file:</para>
<programlisting>device usb
@@ -1701,47 +1565,43 @@ device uhci
device ohci
device ehci</programlisting>
- <para>After rebooting with the correct kernel,
- plug in your USB scanner. A
- line showing the detection of your
- scanner should appear in the system message buffer
- (&man.dmesg.8;):</para>
+ <para>Plug in the USB scanner. Use &man.dmesg.8; to determine
+ whether the scanner appears in the system message
+ buffer:</para>
<screen>ugen0.2: <EPSON> at usbus0</screen>
- <para>These messages show that our scanner is using
- either <filename>/dev/ugen0.2</filename>
- as device node. For this example, a
+ <para>These messages indicate that the scanner is using
+ either <filename>/dev/ugen0.2</filename> or
+ <filename>/dev/uscanner0</filename>, depending on the &os;
+ version. For this example, a
&epson.perfection; 1650 USB scanner was used.</para>
</sect3>
<sect3>
<title>SCSI Interface</title>
- <para>If your scanner comes with a SCSI interface, it is
- important to know which SCSI controller board you will use.
- According to the SCSI chipset used, you will have to tune
- your kernel configuration file. The
- <filename>GENERIC</filename> kernel supports the most common
- SCSI controllers. Be sure to read the
- <filename>NOTES</filename> file
- and add the correct line to your kernel
- configuration file. In addition to the SCSI adapter driver,
- you need to have the following lines in your kernel
- configuration file:</para>
+ <para>If the scanner uses a SCSI interface, it is important to
+ know which SCSI controller board it will use. Depending
+ upon the SCSI chipset, a custom kernel configuration file
+ may be needed. The <filename>GENERIC</filename> kernel
+ supports the most common SCSI controllers. Refer to
+ <filename>/usr/src/sys/conf/NOTES</filename> to determine
+ the correct line to add to a custom kernel configuration
+ file. In addition to the SCSI adapter driver, the following
+ lines are needed in the kernel configuration file:</para>
<programlisting>device scbus
device pass</programlisting>
- <para>Once your kernel has been properly compiled and
- installed, you should be able to see the devices in the
- system message buffer, when booting:</para>
+ <para>Verify that the device is displayed in the system
+ message buffer:</para>
<screen>pass2 at aic0 bus 0 target 2 lun 0
pass2: <AGFA SNAPSCAN 600 1.10> Fixed Scanner SCSI-2 device
pass2: 3.300MB/s transfers</screen>
- <para>If your scanner was not powered-on at system boot, it
+ <para>If the scanner was not powered-on at system boot, it
is still possible to manually force the detection by
performing a SCSI bus scan with the &man.camcontrol.8;
command:</para>
@@ -1752,7 +1612,7 @@ Re-scan of bus 1 was successful
Re-scan of bus 2 was successful
Re-scan of bus 3 was successful</screen>
- <para>Then the scanner will appear in the SCSI devices
+ <para>The scanner should now appear in the SCSI devices
list:</para>
<screen>&prompt.root; <userinput>camcontrol devlist</userinput>
@@ -1761,97 +1621,81 @@ Re-scan of bus 3 was successful</screen>
<AGFA SNAPSCAN 600 1.10> at scbus1 target 2 lun 0 (pass3)
<PHILIPS CDD3610 CD-R/RW 1.00> at scbus2 target 0 lun 0 (pass2,cd0)</screen>
- <para>More details about SCSI devices are available in the
- &man.scsi.4; and &man.camcontrol.8; manual pages.</para>
+ <para>Refer to &man.scsi.4; and &man.camcontrol.8; for more
+ details about SCSI devices on &os;.</para>
</sect3>
</sect2>
<sect2>
<title>SANE Configuration</title>
- <para>The <application>SANE</application> system is
- split in two parts: the backends (<filename
- role="package">graphics/sane-backends</filename>) and the
+ <para>The <application>SANE</application> system is split in two
+ parts: the backends (<filename
+ role="package">graphics/sane-backends</filename>) and the
frontends (<filename
- role="package">graphics/sane-frontends</filename>). The
- backends part provides access to the scanner itself. The
+ role="package">graphics/sane-frontends</filename>). The
+ backends provide access to the scanner. The
<application>SANE</application>'s <ulink
- url="http://www.sane-project.org/sane-supported-devices.html">supported
- devices</ulink> list specifies which backend will support your
- image scanner. It is mandatory to determine the correct
- backend for your scanner if you want to be able to use your
- device. The frontends part provides the graphical scanning
- interface (<application>xscanimage</application>).</para>
+ url="http://www.sane-project.org/sane-supported-devices.html">supported
+ devices</ulink> list specifies which backend will support the
+ image scanner. The correct backend is needed in order to use
+ the scanner. The frontends provide the graphical scanning
+ interface, <application>xscanimage</application>.</para>
- <para>The first step is to install the <filename
+ <para>After installing the <filename
role="package">graphics/sane-backends</filename> port or
- package. Then, use the <command>sane-find-scanner</command>
- command to check the scanner detection by the
+ package, use <command>sane-find-scanner</command> to check the
+ scanner detection by the
<application>SANE</application> system:</para>
<screen>&prompt.root; <userinput>sane-find-scanner -q</userinput>
found SCSI scanner "AGFA SNAPSCAN 600 1.10" at /dev/pass3</screen>
- <para>The output will show the interface type of the scanner and
- the device node used to attach the scanner to the system. The
- vendor and the product model may not appear, it is not
- important.</para>
+ <para>The output should show the interface type of the scanner
+ and the device node used to attach the scanner to the system.
+ The vendor and the product model may or may not appear.</para>
<note>
- <para>Some USB scanners require you to load a firmware, this
- is explained in the backend manual page. You should also
- read &man.sane-find-scanner.1; and &man.sane.7; manual
- pages.</para>
+ <para>Some USB scanners require firmware to be loaded. Refer
+ to &man.sane-find-scanner.1; and &man.sane.7; for
+ details.</para>
</note>
- <para>Now we have to check if the scanner will be identified
- by a scanning frontend. By default, the
- <application>SANE</application> backends comes with a command
- line tool called &man.scanimage.1;. This command allows you
- to list the devices and to perform an image acquisition from
- the command line. The <option>-L</option> option is used to
- list the scanner devices:</para>
+ <para>Next, check if the scanner will be identified by a
+ scanning frontend. By default, the
+ <application>SANE</application> backends come with a command
+ line tool called &man.scanimage.1;. This command can be used
+ to list the devices and perform an image acquisition. Use
+ <option>-L</option> to list the scanner devices:</para>
<screen>&prompt.root; <userinput>scanimage -L</userinput>
device `snapscan:/dev/pass3' is a AGFA SNAPSCAN 600 flatbed scanner</screen>
- <para>Or, for example with the USB scanner used in the <xref
+ <para>Here is the output for the USB scanner used in <xref
linkend="scanners-kernel-usb"/>:</para>
<screen>&prompt.root; <userinput>scanimage -L</userinput>
device 'epson2:libusb:/dev/usb:/dev/ugen0.2' is a Epson GT-8200 flatbed scanner</screen>
- <para>This output comes from a &os; 8.X system, the
- <literal>'epson2:libusb:/dev/usb:/dev/ugen0.2'</literal> item
- gives us the backend name (<literal>epson2</literal>) and the
- device node (<literal>/dev/ugen0.2</literal>) used by our
+ <para>In this output,
+ <literal>'epson2:libusb:/dev/usb:/dev/ugen0.2'</literal> is
+ the backend name (<literal>epson2</literal>) and the device
+ node (<literal>/dev/ugen0.2</literal>) used by the
scanner.</para>
<note>
<para>No output or a message saying that no scanners were
identified indicates that &man.scanimage.1; is unable to
- identify the scanner. If this happens, you will need to
- edit the backend configuration file and define the scanner
- device used. The <filename
+ identify the scanner. If this happens, edit the backend
+ configuration file in <filename
class="directory">/usr/local/etc/sane.d/</filename>
- directory contains all backend configuration files. This
- identification problem does appear with certain USB
- scanners.</para>
+ and define the scanner device used.</para>
- <para>For example, with the USB scanner used in the <xref
- linkend="scanners-kernel-usb"/>, under &os; 8.X the
- scanner is perfectly detected and working but under prior
- versions of &os; (where &man.uscanner.4; driver is used)
- <command>sane-find-scanner</command> gives us the following
- information:</para>
+ <para>In the above example, the USB scanner is perfectly
+ detected and working.</para>
- <screen>&prompt.root; <userinput>sane-find-scanner -q</userinput>
-found USB scanner (UNKNOWN vendor and product) at device /dev/uscanner0</screen>
-
- <para>The scanner is correctly detected, it uses the USB
- interface and is attached to the
- <filename>/dev/uscanner0</filename> device node. We can
- now check if the scanner is correctly identified:</para>
+ <para>To determine if the scanner is correctly
+ identified:</para>
<screen>&prompt.root; <userinput>scanimage -L</userinput>
@@ -1860,108 +1704,94 @@ check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).</screen>
- <para>Since the scanner is not identified, we will need to edit
- the <filename>/usr/local/etc/sane.d/epson2.conf</filename>
- file. The scanner model used was the
- &epson.perfection; 1650, so we know the scanner will use
- the <literal>epson2</literal> backend. Be sure to read the
- help comments in the backends configuration files. Line
- changes are quite simple: comment out all lines that have the
- wrong interface for your scanner (in our case, we will comment
+ <para>Since the scanner is not identified, edit
+ <filename>/usr/local/etc/sane.d/epson2.conf</filename>. In
+ this example, the scanner model is
+ &epson.perfection; 1650 and it uses the
+ <literal>epson2</literal> backend. When editing, read the
+ help comments in the backend configuration file. Line
+ changes are simple: comment out all lines that have the
+ wrong interface for the scanner. In this example, comment
out all lines starting with the word <literal>scsi</literal>
- as our scanner uses the USB interface), then add at the end
- of the file a line specifying the interface and the device
- node used. In this case, we add the following line:</para>
+ as the scanner uses the USB interface. Then, at the end
+ of the file, add a line specifying the interface and the
+ device node used. In this case, add the following
+ line:</para>
<programlisting>usb /dev/uscanner0</programlisting>
- <para>Please be sure to read the comments provided in the
- backend configuration file as well as the backend manual page
- for more details and correct syntax to use. We can now verify
- if the scanner is identified:</para>
+ <para>Save the edits and verify that the scanner is
+ identified:</para>
<screen>&prompt.root; <userinput>scanimage -L</userinput>
device `epson:/dev/uscanner0' is a Epson GT-8200 flatbed scanner</screen>
- <para>Our USB scanner has been identified. It is not important
- if the brand and the model do not match the scanner. The
- key item to be concerned with is the
- <literal>`epson:/dev/uscanner0'</literal> field, which give
- us the right backend name and the right device node.</para>
+ <para>The <literal>`epson:/dev/uscanner0'</literal> field now
+ gives the right backend name and the device node.</para>
</note>
- <para>Once the <command>scanimage -L</command> command is able
- to see the scanner, the configuration is complete. The device
- is now ready to scan.</para>
+ <para>Once <command>scanimage -L</command> sees the scanner, the
+ configuration is complete and the device is now ready to
+ scan.</para>
- <para>While &man.scanimage.1; does allow us to perform an
- image acquisition from the command line, it is preferable to
- use a graphical user interface to perform image scanning.
- <application>SANE</application> offers a simple but efficient
- graphical interface: <application>xscanimage</application>
- (<filename
- role="package">graphics/sane-frontends</filename>).</para>
+ <para>While &man.scanimage.1; can be used to perform an image
+ acquisition from the command line, it is often preferable to
+ use a graphical interface to perform image scanning. The
+ <filename role="package">graphics/sane-frontends</filename>
+ package or port installs a simple but efficient graphical
+ interface, <application>xscanimage</application>.</para>
- <para><application>Xsane</application> (<filename
- role="package">graphics/xsane</filename>) is another popular
- graphical scanning frontend. This frontend offers advanced
- features such as various scanning mode (photocopy, fax, etc.),
- color correction, batch scans, etc. Both of these applications
- are usable as a <application>GIMP</application> plugin.</para>
+ <para><application>Xsane</application>, which is installed with
+ the <filename role="package">graphics/xsane</filename> package
+ or port, is another popular graphical scanning frontend. It
+ offers advanced features such as various scanning modes, color
+ correction, and batch scans. Both of these applications are
+ usable as a <application>GIMP</application> plugin.</para>
</sect2>
<sect2>
<title>Giving Other Users Access to the Scanner</title>
- <para>All previous operations have been done with
- <username>root</username> privileges. You may however, need
- other users to have access to the scanner. The user will need
+ <para>In order to have access to the scanner, a user needs
read and write permissions to the device node used by the
- scanner. As an example, our USB scanner uses the device node
- <filename>/dev/ugen0.2</filename> which is in fact just a
- symlink to the real device node called
- <filename>/dev/usb/0.2.0</filename> (a quick look at the
- contents of the <filename class="directory">/dev</filename>
- directory will confirm it). Both, the symlink and the
- device node, are owned respectively by the
- <groupname>wheel</groupname> and the
- <groupname>operator</groupname> groups. Adding the user
- <username><replaceable>joe</replaceable></username> to these
- groups will allow him to use the scanner but, for obvious
- security reasons, you should think twice before adding a user
- to any group, especially the <groupname>wheel</groupname> group.
- A better solution would be creating a specific group for using
- the USB devices and make the scanner device accessible to
- members of this group.</para>
+ scanner. In the previous example, the USB scanner uses the
+ device node <filename>/dev/ugen0.2</filename> which is really a
+ symlink to the real device node
+ <filename>/dev/usb/0.2.0</filename>. The symlink and the device
+ node are owned, respectively, by the
+ <groupname>wheel</groupname> and
+ <groupname>operator</groupname> groups. Adding the user to
+ these groups will allow access to the scanner. However, for
+ security reasons, always think twice before adding a user
+ to any group, especially <groupname>wheel</groupname>. A better
+ solution is to create a group to make the scanner device
+ accessible to members of this group.</para>
- <para>So we will use, for example, a group called
- <groupname><replaceable>usb</replaceable></groupname>. The
- first step is the creation of this group with the help of the
- &man.pw.8; command:</para>
+ <para>This example creates a group called
+ <groupname><replaceable>usb</replaceable></groupname> using
+ &man.pw.8;:</para>
<screen>&prompt.root; <userinput>pw groupadd usb</userinput></screen>
- <para>Then we have to make the <filename>/dev/ugen0.2</filename>
- symlink and the <filename>/dev/usb/0.2.0</filename> device
- node accessible to the <groupname>usb</groupname> group
- with the correct write permissions (<literal>0660</literal> or
- <literal>0664</literal>), because by default only the owner of
- these files (<username>root</username>) can write to them.
- All of this is done by adding the following
- lines to the <filename>/etc/devfs.rules</filename>
- file:</para>
+ <para>Then, make the <filename>/dev/ugen0.2</filename> symlink
+ and the <filename>/dev/usb/0.2.0</filename> device node
+ accessible to the <groupname>usb</groupname> group with write
+ permissions of (<literal>0660</literal> or
+ <literal>0664</literal>. All of this is done by adding the
+ following lines to
+ <filename>/etc/devfs.rules</filename>:</para>
<programlisting>[system=5]
add path ugen0.2 mode 0660 group usb
add path usb/0.2.0 mode 0666 group usb</programlisting>
- <para>Now, one will just have to add users to the
- <groupname><replaceable>usb</replaceable></groupname> group to
- allow the access to the scanner:</para>
+ <para>Finally, add the users to
+ <groupname><replaceable>usb</replaceable></groupname> in order
+ to allow access to the scanner:</para>
<screen>&prompt.root; <userinput>pw groupmod usb -m <replaceable>joe</replaceable></userinput></screen>
- <para>For more details read the &man.pw.8; manual page.</para>
+ <para>For more details refer to &man.pw.8;.</para>
</sect2>
</sect1>
</chapter>
diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
index e8c035e014..98d96ed097 100644
--- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
@@ -46,6 +46,16 @@
user accounts.</para>
</listitem>
+ <listitem>
+ <para>How to set &os; up to act as an <acronym>LDAP</acronym>
+ server or client</para>
+ </listitem>
+
+ <listitem>
+ <para>How to set &os; up to act as an <acronym>LDAP</acronym>
+ server or client</para>
+ </listitem>
+
<listitem>
<para>How to set up automatic network settings using
DHCP.</para>
@@ -126,9 +136,9 @@
<sect2 id="network-inetd-overview">
<title>Overview</title>
- <para>&man.inetd.8; is sometimes referred to as the
+ <para>The &man.inetd.8; daemon is sometimes referred to as the
<quote>Internet Super-Server</quote> because it manages
- connections for several services. When a connection is
+ connections for many services. When a connection is
received by <application>inetd</application>, it determines
which program the connection is destined for, spawns the
particular process and delegates the socket to it (the program
@@ -175,8 +185,7 @@
<screen>&prompt.root; <userinput>service inetd rcvar</userinput></screen>
- <para>
- can be run to display the current effective setting.</para>
+ <para>can be run to display the current effective setting.</para>
<para>Additionally, different command-line options can be passed
to <application>inetd</application> via the
@@ -202,9 +211,9 @@
<para>Although we mention rate-limiting options below, novice
users may be pleased to note that these parameters usually do
- not need to be modified. These options may be useful should
- you find that you are receiving an excessive amount of
- connections. A full list of options can be found in the
+ not need to be modified. These options may be useful if
+ an excessive amount of connections are being established.
+ A full list of options can be found in the
&man.inetd.8; manual.</para>
<variablelist>
@@ -509,7 +518,7 @@ server-program-arguments</programlisting>
place <option>max-connections-per-ip-per-minute</option>,
<option>max-child</option> or
<option>max-child-per-ip</option> limitations on certain
- daemons if you find that you have too many connections.</para>
+ daemons if there are too many connections.</para>
<para>By default, TCP wrapping is turned on. Consult the
&man.hosts.access.5; manual page for more information on
@@ -529,8 +538,7 @@ server-program-arguments</programlisting>
services of <application>inetd</application>.</para>
<para>The <application>auth</application> service provides
- identity
- network services, and is
+ identity network services, and is
configurable to a certain degree, whilst the others are simply
on or off.</para>
@@ -677,8 +685,8 @@ server-program-arguments</programlisting>
<para><acronym>NFS</acronym> configuration is a relatively
straightforward process. The processes that need to be
- running can all start at boot time with a few modifications to
- your <filename>/etc/rc.conf</filename> file.</para>
+ running can all start at boot time with a few modifications
+ to <filename>/etc/rc.conf</filename>.</para>
<para>On the <acronym>NFS</acronym> server, make sure that the
following options are configured in the
@@ -704,8 +712,8 @@ mountd_flags="-r"</programlisting>
system. Along with what machines have access to that file
system, access options may also be specified. There are many
such options that can be used in this file but only a few will
- be mentioned here. You can easily discover other options by
- reading over the &man.exports.5; manual page.</para>
+ be mentioned here. Other options are discussed in
+ the &man.exports.5; manual page.</para>
<para>Here are a few example <filename>/etc/exports</filename>
entries:</para>
@@ -717,11 +725,11 @@ mountd_flags="-r"</programlisting>
<para>The following examples give an idea of how to export
file systems, although the settings may be different depending
- on your environment and network configuration. For instance,
+ on the environment and network configuration. For instance,
to export the <filename>/cdrom</filename> directory to three
example machines that have the same domain name as the server
(hence the lack of a domain name for each) or have entries in
- your <filename>/etc/hosts</filename> file. The
+ the <filename>/etc/hosts</filename> file. The
<option>-ro</option> flag makes the exported file system
read-only. With this flag, the remote system will not be able
to write any changes to the exported file system.</para>
@@ -729,7 +737,7 @@ mountd_flags="-r"</programlisting>
<programlisting>/cdrom -ro host1 host2 host3</programlisting>
<para>The following line exports <filename>/home</filename> to
- three hosts by IP address. This is a useful setup if you have
+ three hosts by IP address. This is a useful setup on
a private network without a <acronym>DNS</acronym> server
configured. Optionally the <filename>/etc/hosts</filename>
file could be configured for internal hostnames; please review
@@ -755,8 +763,7 @@ mountd_flags="-r"</programlisting>
<para>In order for a client to access an exported file system,
the client must have permission to do so. Make sure the
- client is listed in your <filename>/etc/exports</filename>
- file.</para>
+ client is listed in <filename>/etc/exports</filename>.</para>
<para>In <filename>/etc/exports</filename>, each line represents
the export information for one file system to one host. A
@@ -778,8 +785,9 @@ mountd_flags="-r"</programlisting>
<para>The properties of one file system exported to a given host
must all occur on one line. Lines without a client specified
- are treated as a single host. This limits how you can export
- file systems, but for most people this is not an issue.</para>
+ are treated as a single host. This limits how file systems
+ may be exported; however, for most environments, this is not
+ an issue.</para>
<para>The following is an example of a valid export list, where
<filename>/usr</filename> and <filename>/exports</filename>
@@ -828,9 +836,8 @@ mountd_flags="-r"</programlisting>
<para>Now everything should be ready to actually mount a remote
file system. In these examples the server's name will be
<hostid>server</hostid> and the client's name will be
- <hostid>client</hostid>. If you only want to temporarily
- mount a remote file system or would rather test the
- configuration, just execute a command like this as
+ <hostid>client</hostid>. For testing or to temporarily
+ mount a remote file system execute a command like this as
<username>root</username> on the client:</para>
<indexterm>
@@ -841,11 +848,11 @@ mountd_flags="-r"</programlisting>
<para>This will mount the <filename>/home</filename> directory
on the server at <filename>/mnt</filename> on the client. If
- everything is set up correctly you should be able to enter
- <filename>/mnt</filename> on the client and see all the files
- that are on the server.</para>
+ everything is set up correctly, the server's files should be
+ visible and available in the <filename>/mnt</filename>
+ directory.</para>
- <para>If you want to automatically mount a remote file system
+ <para>To permanently mount a remote file system
each time the computer boots, add the file system to the
<filename>/etc/fstab</filename> file. Here is an
example:</para>
@@ -911,10 +918,9 @@ rpc_statd_enable="YES"</programlisting>
<listitem>
<para>Several machines could have a common
- <filename>/usr/ports/distfiles</filename> directory. That
- way, when you need to install a port on several machines,
- you can quickly access the source without downloading it
- on each machine.</para>
+ <filename>/usr/ports/distfiles</filename> directory. This
+ allows for quick access to the source files without
+ downloading them on each machine.</para>
</listitem>
</itemizedlist>
</sect2>
@@ -974,10 +980,10 @@ rpc_statd_enable="YES"</programlisting>
<title>Mounting an Export with
<application>amd</application></title>
- <para>You can view the available mounts of a remote host with
- the <command>showmount</command> command. For example, to
- view the mounts of a host named <hostid>foobar</hostid>, you
- can use:</para>
+ <para>The <command>showmount</command> command shows the
+ available mounts on a remote host. For example, to
+ view the mounts of a host named
+ <hostid>foobar</hostid>:</para>
<screen>&prompt.user; <userinput>showmount -e foobar</userinput>
Exports list on foobar:
@@ -1062,9 +1068,8 @@ Exports list on foobar:
<para>It should be noted that there is a different problem,
sometimes mistaken for this one, when the NFS servers and
clients are on different networks. If that is the case, make
- <emphasis>certain</emphasis> that your routers are routing the
- necessary <acronym>UDP</acronym> information, or you will not
- get anywhere, no matter what else you are doing.</para>
+ <emphasis>certain</emphasis> that the routers are routing the
+ necessary <acronym>UDP</acronym> information.</para>
<para>In the following examples, <hostid>fastws</hostid> is the
host (interface) name of a high-performance workstation, and
@@ -1076,7 +1081,7 @@ Exports list on foobar:
client for the exported file system. In all cases, note that
additional options, such as <option>hard</option> or
<option>soft</option> and <option>bg</option> may be desirable
- in your application.</para>
+ in the application.</para>
<para>Examples for the FreeBSD system (<hostid>freebox</hostid>)
as the client in <filename>/etc/fstab</filename> on
@@ -1211,12 +1216,12 @@ Exports list on foobar:
</sect2>
<sect2>
- <title>Terms/Processes You Should Know</title>
+ <title><acronym>NIS</acronym>Terms and Processes</title>
- <para>There are several terms and several important user
- processes that you will come across when attempting to
- implement NIS on FreeBSD, whether you are trying to create an
- NIS server or act as an NIS client:</para>
+ <para>There are several terms and important user
+ processes that will be explained while attempting to
+ implement NIS on FreeBSD, regardless if the system is a
+ NIS server or a NIS client:</para>
<indexterm>
<primary><application>rpcbind</application></primary>
@@ -1386,18 +1391,17 @@ Exports list on foobar:
<sect3>
<title>Planning</title>
- <para>Let us assume that you are the administrator of a small
- university lab. This lab, which consists of 15 FreeBSD
+ <para>Let us assume that an administrator of a small
+ university lab, which consists of 15 FreeBSD
machines, currently has no centralized point of
- administration; each machine has its own
+ administration. Each machine has its own
<filename>/etc/passwd</filename> and
<filename>/etc/master.passwd</filename>. These files are
kept in sync with each other only through manual
- intervention; currently, when you add a user to the lab, you
- must run <command>adduser</command> on all 15 machines.
- Clearly, this has to change, so you have decided to convert
- the lab to use NIS, using two of the machines as
- servers.</para>
+ intervention; currently, a user is added to the lab, the
+ process must be ran on all 15 machines.
+ The lab would clearly benefit from the addition of two
+ <acronym>NIS</acronym> servers.</para>
<para>Therefore, the configuration of the lab now looks
something like:</para>
@@ -1446,10 +1450,10 @@ Exports list on foobar:
</tgroup>
</informaltable>
- <para>If you are setting up a NIS scheme for the first time,
- it is a good idea to think through how you want to go about
- it. No matter what the size of your network, there are a
- few decisions that need to be made.</para>
+ <para>If this is the first time a <acronym>NIS</acronym> scheme
+ is being developed, it should be thoroughly planned ahead of
+ time. Regardless of network size, several decisions need to
+ be made as part of the planning process.</para>
<sect4>
<title>Choosing a NIS Domain Name</title>
@@ -1458,8 +1462,8 @@ Exports list on foobar:
<primary>NIS</primary>
<secondary>domainname</secondary>
</indexterm>
- <para>This might not be the <quote>domainname</quote> that
- you are used to. It is more accurately called the
+ <para>This might not be the normal <quote>domainname</quote>
+ for the network. It is more accurately called the
<quote>NIS domainname</quote>. When a client broadcasts
its requests for info, it includes the name of the NIS
domain that it is part of. This is how multiple servers
@@ -1471,19 +1475,19 @@ Exports list on foobar:
domainname for their NIS domainname. This is not
recommended as it can cause confusion when trying to debug
network problems. The NIS domainname should be unique
- within your network and it is helpful if it describes the
+ within the network and it is helpful if it describes the
group of machines it represents. For example, the Art
department at Acme Inc. might be in the
<quote>acme-art</quote> NIS domain. For this example,
- assume you have chosen the name
+ assume the chosen name will be
<literal>test-domain</literal>.</para>
<indexterm><primary>SunOS</primary></indexterm>
<para>However, some operating systems (notably &sunos;) use
their NIS domain name as their Internet domain name. If
- one or more machines on your network have this
- restriction, you <emphasis>must</emphasis> use the
- Internet domain name as your NIS domain name.</para>
+ one or more machines on the network have this
+ restriction, it <emphasis>must</emphasis> be used as the
+ Internet domain name for the NIS domain name.</para>
</sect4>
<sect4>
@@ -1496,16 +1500,15 @@ Exports list on foobar:
for its NIS domain, very often the machine becomes
unusable. The lack of user and group information causes
most systems to temporarily freeze up. With this in mind
- you should make sure to choose a machine that will not be
- prone to being rebooted regularly, or one that might be
+ be sure to choose a machine that will not be
+ prone to being rebooted frequently, or one that might be
used for development. The NIS server should ideally be a
stand alone machine whose sole purpose in life is to be an
- NIS server. If you have a network that is not very
+ NIS server. If the network is not very
heavily used, it is acceptable to put the NIS server on a
- machine running other services, just keep in mind that if
- the NIS server becomes unavailable, it will affect
- <emphasis>all</emphasis> of your NIS clients
- adversely.</para>
+ machine running other services, however; if
+ the NIS server becomes unavailable, it will adversely affect
+ <emphasis>all</emphasis> NIS clients.</para>
</sect4>
</sect3>
@@ -1540,11 +1543,10 @@ Exports list on foobar:
<secondary>server configuration</secondary>
</indexterm>
<para>Setting up a master NIS server can be relatively
- straight forward, depending on your needs. FreeBSD comes
- with support for NIS out-of-the-box. All you need is to
- add the following lines to
- <filename>/etc/rc.conf</filename>, and FreeBSD will do the
- rest for you.</para>
+ straight forward, depending on environmental needs. &os;
+ comes with support for NIS out-of-the-box. It only needs to
+ be enabled by adding the following lines to
+ <filename>/etc/rc.conf</filename>:</para>
<procedure>
<step>
@@ -1574,8 +1576,8 @@ Exports list on foobar:
</procedure>
<note>
- <para>Depending on your NIS setup, you may need to add
- further entries. See the <link
+ <para>Depending on the NIS setup, additional entries may
+ be required. See the <link
linkend="network-nis-server-is-client">section about
NIS servers that are also NIS clients</link>, below, for
details.</para>
@@ -1583,7 +1585,7 @@ Exports list on foobar:
<para>After setting up the above entries, run the command
<command>/etc/netstart</command> as superuser. It will
- set up everything for you, using the values you defined in
+ set up everything, using the values defined in
<filename>/etc/rc.conf</filename>. As a last step, before
initializing the NIS maps, start the
<application>ypserv</application> daemon manually:</para>
@@ -1602,44 +1604,44 @@ Exports list on foobar:
that are kept in the <filename>/var/yp</filename>
directory. They are generated from configuration files in
the <filename>/etc</filename> directory of the NIS master,
- with one exception: the
- <filename>/etc/master.passwd</filename> file. This is for
- a good reason, you do not want to propagate passwords to
- your <username>root</username> and other administrative
+ with one exception: <filename>/etc/master.passwd</filename>.
+ This is for
+ a good reason, never propagate passwords for
+ <username>root</username> and other administrative
accounts to all the servers in the NIS domain. Therefore,
- before we initialize the NIS maps, you should:</para>
+ before the the NIS maps are initialized, configure the primary
+ password files:</para>
<screen>&prompt.root; <userinput>cp /etc/master.passwd /var/yp/master.passwd</userinput>
&prompt.root; <userinput>cd /var/yp</userinput>
&prompt.root; <userinput>vi master.passwd</userinput></screen>
- <para>You should remove all entries regarding system
+ <para>It is advisable to remove all entries regarding system
accounts (<username>bin</username>,
<username>tty</username>, <username>kmem</username>,
<username>games</username>, etc), as well as any accounts
- that you do not want to be propagated to the NIS clients
+ that do not need to be propagated to the NIS clients
(for example <username>root</username> and any other UID 0
(superuser) accounts).</para>
- <note><para>Make sure the
+ <note><para>Ensure the
<filename>/var/yp/master.passwd</filename> is neither
- group nor world readable (mode 600)! Use the
- <command>chmod</command> command, if
+ group or world readable (mode 600)! Use the
+ <command>chmod</command> command, as
appropriate.</para></note>
<indexterm><primary>Tru64 UNIX</primary></indexterm>
- <para>When you have finished, it is time to initialize the
- NIS maps! FreeBSD includes a script named
- <command>ypinit</command> to do this for you (see its
+ <para>When this task has been completed, it is time to
+ initialize the NIS maps. FreeBSD includes a script named
+ <command>ypinit</command> to do this (see its
manual page for more information). Note that this script
is available on most &unix; Operating Systems, but not on
all. On Digital UNIX/Compaq Tru64 UNIX it is called
<command>ypsetup</command>. Because we are generating
maps for an NIS master, we are going to pass the
<option>-m</option> option to <command>ypinit</command>.
- To generate the NIS maps, assuming you already performed
- the steps above, run:</para>
+ To generate the NIS maps run:</para>
<screen>ellington&prompt.root; <userinput>ypinit -m test-domain</userinput>
Server Type: MASTER Domain: test-domain
@@ -1665,14 +1667,14 @@ Is this correct? [y/n: y] <userinput>y</userinput>
NIS Map update completed.
ellington has been setup as an YP master server without any errors.</screen>
- <para><command>ypinit</command> should have created
- <filename>/var/yp/Makefile</filename> from
+ <para>At this point, <command>ypinit</command> should have
+ created <filename>/var/yp/Makefile</filename> from
<filename>/var/yp/Makefile.dist</filename>.
- When created, this file assumes that you are operating
- in a single server NIS environment with only FreeBSD
+ When created, this file assumes that the operating
+ environment is a single server NIS system with only &os;
machines. Since <literal>test-domain</literal> has
- a slave server as well, you must edit
- <filename>/var/yp/Makefile</filename>:</para>
+ a slave server as well, edit
+ <filename>/var/yp/Makefile</filename> as well:</para>
<screen>ellington&prompt.root; <userinput>vi /var/yp/Makefile</userinput></screen>
@@ -1756,12 +1758,12 @@ ypxfr: Exiting: Map successfully transferred
coltrane has been setup as an YP slave server without any errors.
Don't forget to update map ypservers on ellington.</screen>
- <para>You should now have a directory called
+ <para>There should be a directory called
<filename>/var/yp/test-domain</filename>. Copies of the
- NIS master server's maps should be in this directory. You
- will need to make sure that these stay updated. The
+ NIS master server's maps should be in this directory. These
+ files must always be up to date. The
following <filename>/etc/crontab</filename> entries on
- your slave servers should do the job:</para>
+ the slave servers should do the job:</para>
<programlisting>20 * * * * root /usr/libexec/ypxfr passwd.byname
21 * * * * root /usr/libexec/ypxfr passwd.byuid</programlisting>
@@ -1769,7 +1771,7 @@ Don't forget to update map ypservers on ellington.</screen>
<para>These two lines force the slave to sync its maps with
the maps on the master server. These entries are not
mandatory because the master server automatically attempts
- to push any map changes to its slaves. However, due to
+ to push any map changes to its slaves; however, due to
the importance of correct password information on other
clients depending on the slave server, it is recommended
to specifically force the password map updates frequently.
@@ -1785,10 +1787,10 @@ Don't forget to update map ypservers on ellington.</screen>
<sect3>
<title>NIS Clients</title>
- <para> An NIS client establishes what is called a binding to a
+ <para>An NIS client establishes what is called a binding to a
particular NIS server using the
- <command>ypbind</command> daemon.
- <command>ypbind</command> checks the system's default
+ <command>ypbind</command> daemon. The
+ <command>ypbind</command> command checks the system's default
domain (as set by the <command>domainname</command>
command), and begins broadcasting RPC requests on the local
network. These requests specify the name of the domain for
@@ -1820,9 +1822,9 @@ Don't forget to update map ypservers on ellington.</screen>
<procedure>
<step>
- <para>Edit the file <filename>/etc/rc.conf</filename>
+ <para>Edit <filename>/etc/rc.conf</filename>
and add the following lines in order to set the NIS
- domainname and start <command>ypbind</command> upon
+ domainname and start <command>ypbind</command> during
network startup:</para>
<programlisting>nisdomainname="test-domain"
@@ -1831,7 +1833,7 @@ nis_client_enable="YES"</programlisting>
<step>
<para>To import all possible password entries from the
- NIS server, remove all user accounts from your
+ NIS server, remove all user accounts from the
<filename>/etc/master.passwd</filename> file and use
<command>vipw</command> to add the following line to
the end of the file:</para>
@@ -1841,7 +1843,7 @@ nis_client_enable="YES"</programlisting>
<note>
<para>This line will afford anyone with a valid
account in the NIS server's password maps an
- account. There are many ways to configure your NIS
+ account. There are many ways to configure the NIS
client by changing this line. See the
<link
linkend="network-netgroups">netgroups
@@ -1851,8 +1853,8 @@ nis_client_enable="YES"</programlisting>
</note>
<note>
- <para>You should keep at least one local account (i.e.
- not imported via NIS) in your
+ <para>Keep in mind that at least one local account (i.e.
+ not imported via NIS) must exist in
<filename>/etc/master.passwd</filename> and this
account should also be a member of the group
<groupname>wheel</groupname>. If there is something
@@ -1864,8 +1866,8 @@ nis_client_enable="YES"</programlisting>
<step>
<para>To import all possible group entries from the NIS
- server, add this line to your
- <filename>/etc/group</filename> file:</para>
+ server, add this line to
+ <filename>/etc/group</filename>:</para>
<programlisting>+:*::</programlisting>
</step>
@@ -1877,18 +1879,19 @@ nis_client_enable="YES"</programlisting>
<screen>&prompt.root; <userinput>/etc/netstart</userinput>
&prompt.root; <userinput>service ypbind start</userinput></screen>
- <para>After completing these steps, you should be able to
- run <command>ypcat passwd</command> and see the NIS
+ <para>After completing these steps, the command,
+ <command>ypcat passwd</command>, should show the
server's passwd map.</para>
- </sect4> </sect3>
+ </sect4>
+ </sect3>
</sect2>
<sect2>
<title>NIS Security</title>
- <para>In general, any remote user can issue an RPC to
- &man.ypserv.8; and retrieve the contents of your NIS maps,
- provided the remote user knows your domainname. To prevent
+ <para>In general, any remote user may issue an RPC to
+ &man.ypserv.8; and retrieve the contents of the NIS maps,
+ provided the remote user knows the domainname. To prevent
such unauthorized transactions, &man.ypserv.8; supports a
feature called <quote>securenets</quote> which can be used to
restrict access to a given set of hosts. At startup,
@@ -1934,7 +1937,7 @@ nis_client_enable="YES"</programlisting>
<para>While both of these access control mechanisms provide
some security, they, like the privileged port test, are
vulnerable to <quote>IP spoofing</quote> attacks. All
- NIS-related traffic should be blocked at your
+ NIS-related traffic should be blocked at the
firewall.</para>
<para>Servers using <filename>/var/yp/securenets</filename>
@@ -1951,15 +1954,15 @@ nis_client_enable="YES"</programlisting>
<para>Using <filename>/var/yp/securenets</filename> on a
server with such an archaic implementation of TCP/IP is a
really bad idea and will lead to loss of NIS functionality
- for large parts of your network.</para>
+ for large parts of the network.</para>
<indexterm><primary>TCP Wrappers</primary></indexterm>
- <para>The use of the <application>TCP Wrapper</application>
- package increases the latency of your NIS server. The
+ <para>The use of <application>TCP Wrapper</application>
+ increases the latency of the NIS server. The
additional delay may be long enough to cause timeouts in
client programs, especially in busy networks or with slow
- NIS servers. If one or more of your client systems
- suffers from these symptoms, you should convert the client
+ NIS servers. If one or more of the client systems
+ suffers from these symptoms, convert the client
systems in question into NIS slave servers and force them
to bind to themselves.</para>
</note>
@@ -1977,21 +1980,21 @@ nis_client_enable="YES"</programlisting>
<para>There is a way to bar specific users from logging on to a
machine, even if they are present in the NIS database. To do
- this, all you must do is add
+ this, add
<literal>-<replaceable>username</replaceable></literal> with
the correct number of colons like other entries to the
end of the <filename>/etc/master.passwd</filename> file on the
client machine, where <replaceable>username</replaceable> is
- the username of the user you wish to bar from logging in.
+ the username of the user to bar from logging in.
The line with the blocked user must be before the
<literal>+</literal> line for allowing NIS users.
This should preferably be done using <command>vipw</command>,
- since <command>vipw</command> will sanity check your changes
+ since <command>vipw</command> will sanity check the changes
to <filename>/etc/master.passwd</filename>, as well as
- automatically rebuild the password database when you finish
- editing. For example, if we wanted to bar user
+ automatically rebuild the password database after
+ editing. For example, to bar user
<username>bill</username> from logging on to
- <hostid>basie</hostid> we would:</para>
+ <hostid>basie</hostid>:</para>
<screen>basie&prompt.root; <userinput>vipw</userinput>
<userinput>[add -bill::::::::: to the end, exit]</userinput>
@@ -2037,10 +2040,10 @@ basie&prompt.root;</screen>
<indexterm><primary>netgroups</primary></indexterm>
<para>The method shown in the previous section works reasonably
- well if you need special rules for a very small number of
- users and/or machines. On larger networks, you
- <emphasis>will</emphasis> forget to bar some users from
- logging onto sensitive machines, or you may even have to
+ well for special rules in an environment with small numbers of
+ users and/or machines. On larger networks, administrators
+ <emphasis>will</emphasis> likely forget to bar some users from
+ logging onto sensitive machines, or may even have to
modify each machine separately, thus losing the main benefit
of NIS: <emphasis>centralized</emphasis>
administration.</para>
@@ -2054,15 +2057,15 @@ basie&prompt.root;</screen>
<para>Netgroups were developed to handle large, complex networks
with hundreds of users and machines. On one hand, this is a
- Good Thing if you are forced to deal with such a situation.
+ Good Thing in such a situation.
On the other hand, this complexity makes it almost impossible
to explain netgroups with really simple examples. The example
used in the remainder of this section demonstrates this
problem.</para>
- <para>Let us assume that your successful introduction of NIS in
- your laboratory caught your superiors' interest. Your next
- job is to extend your NIS domain to cover some of the other
+ <para>Let us assume that the successful introduction of NIS in
+ the laboratory caught a superiors' interest. The next
+ task is to extend the NIS domain to cover some of the other
machines on campus. The two tables contain the names of the
new users and new machines as well as brief descriptions of
them.</para>
@@ -2121,7 +2124,7 @@ basie&prompt.root;</screen>
<entry><hostid>war</hostid>,
<hostid>death</hostid>, <hostid>famine</hostid>,
<hostid>pollution</hostid></entry>
- <entry>Your most important servers. Only the IT
+ <entry>The most important servers deployed. Only the IT
employees are allowed to log onto these
machines.</entry>
</row>
@@ -2154,37 +2157,37 @@ basie&prompt.root;</screen>
</tgroup>
</informaltable>
- <para>If you tried to implement these restrictions by separately
- blocking each user, you would have to add one
+ <para>An attempt to implement these restrictions by separately
+ blocking each user, would require the addition of the
<literal>-<replaceable>user</replaceable></literal> line to
- each system's <filename>passwd</filename> for each user who is
- not allowed to login onto that system. If you forget just one
- entry, you could be in trouble. It may be feasible to do this
- correctly during the initial setup, however you
- <emphasis>will</emphasis> eventually forget to add the lines
- for new users during day-to-day operations. After all, Murphy
- was an optimist.</para>
+ each system's <filename>passwd</filename>. One line for each user
+ who is not allowed to login onto that system. Forgetting just one
+ entry could cause significant trouble. It may be feasible to
+ do this correctly during the initial setup; however, eventually
+ someone will forget to add these lines
+ for new users.</para>
<para>Handling this situation with netgroups offers several
- advantages. Each user need not be handled separately; you
- assign a user to one or more netgroups and allow or forbid
- logins for all members of the netgroup. If you add a new
- machine, you will only have to define login restrictions for
- netgroups. If a new user is added, you will only have to add
- the user to one or more netgroups. Those changes are
+ advantages. Each user need not be handled separately; they
+ would be assigned to one or more netgroups and logins would
+ be allowed or forbidden for all members of the netgroup.
+ While adding a new
+ machine, login restrictions must be defined for all
+ netgroups. If a new user is added, they must be added
+ to one or more netgroups. Those changes are
independent of each other: no more <quote>for each combination
- of user and machine do...</quote> If your NIS setup is planned
- carefully, you will only have to modify exactly one central
- configuration file to grant or deny access to machines.</para>
+ of user and machine do...</quote> If the NIS setup is planned
+ carefully, only one central configuration file
+ needs modification to grant or deny access to machines.</para>
<para>The first step is the initialization of the NIS map
- netgroup. FreeBSD's &man.ypinit.8; does not create this map
- by default, but its NIS implementation will support it once it
- has been created. To create an empty map, simply type</para>
+ netgroup. &os;'s &man.ypinit.8; does not create this map
+ by default, but its NIS implementation will support it
+ after creation. To create an empty map, simply type</para>
<screen>ellington&prompt.root; <userinput>vi /var/yp/netgroup</userinput></screen>
- <para>and start adding content. For our example, we need at
+ <para>and begin adding content. For our example, we need at
least four netgroups: IT employees, IT apprentices, normal
employees and interns.</para>
@@ -2202,10 +2205,10 @@ INTERNS (,able,test-domain) (,baker,test-domain)</programlisting>
<orderedlist>
<listitem>
<para>The name of the host(s) where the following items are
- valid. If you do not specify a hostname, the entry is
- valid on all hosts. If you do specify a hostname, you
- will enter a realm of darkness, horror and utter
- confusion.</para>
+ valid. If a hostname is not specified, the entry is
+ valid on all hosts. If a hostname is specified, it
+ will need to be micro-managed within this
+ configuration.</para>
</listitem>
<listitem>
@@ -2214,43 +2217,41 @@ INTERNS (,able,test-domain) (,baker,test-domain)</programlisting>
</listitem>
<listitem>
- <para>The NIS domain for the account. You can import
- accounts from other NIS domains into your netgroup if you
- are one of the unlucky fellows with more than one NIS
- domain.</para>
+ <para>The NIS domain for the account. Accounts may be
+ imported from other NIS domains into a netgroup.</para>
</listitem>
</orderedlist>
- <para>Each of these fields can contain wildcards. See
+ <para>Each of these fields may contain wildcards. See
&man.netgroup.5; for details.</para>
<note>
<indexterm><primary>netgroups</primary></indexterm>
<para>Netgroup names longer than 8 characters should not be
- used, especially if you have machines running other
- operating systems within your NIS domain. The names are
- case sensitive; using capital letters for your netgroup
+ used, especially with machines running other
+ operating systems within the NIS domain. The names are
+ case sensitive; using capital letters for netgroup
names is an easy way to distinguish between user, machine
and netgroup names.</para>
- <para>Some NIS clients (other than FreeBSD) cannot handle
+ <para>Some NIS clients (other than &os;) cannot handle
netgroups with a large number of entries. For example, some
older versions of &sunos; start to cause trouble if a
netgroup contains more than 15 <emphasis>entries</emphasis>.
- You can circumvent this limit by creating several
- sub-netgroups with 15 users or less and a real netgroup that
- consists of the sub-netgroups:</para>
+ This limit may be circumvented by creating several
+ sub-netgroups with 15 users or fewer and a real netgroup
+ consisting of the sub-netgroups:</para>
<programlisting>BIGGRP1 (,joe1,domain) (,joe2,domain) (,joe3,domain) [...]
BIGGRP2 (,joe16,domain) (,joe17,domain) [...]
BIGGRP3 (,joe31,domain) (,joe32,domain)
BIGGROUP BIGGRP1 BIGGRP2 BIGGRP3</programlisting>
- <para>You can repeat this process if you need more than 225
- users within a single netgroup.</para>
+ <para>Repeat this process if more than 225
+ users will exist within a single netgroup.</para>
</note>
- <para>Activating and distributing your new NIS map is
+ <para>Activating and distributing the new NIS map is
easy:</para>
<screen>ellington&prompt.root; <userinput>cd /var/yp</userinput>
@@ -2260,7 +2261,7 @@ ellington&prompt.root; <userinput>make</userinput></screen>
<filename>netgroup</filename>,
<filename>netgroup.byhost</filename> and
<filename>netgroup.byuser</filename>. Use &man.ypcat.1; to
- check if your new NIS maps are available:</para>
+ check if the new NIS maps are available:</para>
<screen>ellington&prompt.user; <userinput>ypcat -k netgroup</userinput>
ellington&prompt.user; <userinput>ypcat -k netgroup.byhost</userinput>
@@ -2268,13 +2269,13 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
<para>The output of the first command should resemble the
contents of <filename>/var/yp/netgroup</filename>. The second
- command will not produce output if you have not specified
- host-specific netgroups. The third command can be used to
+ command will not produce output without specified
+ host-specific netgroups. The third command may be used to
get the list of netgroups for a user.</para>
<para>The client setup is quite simple. To configure the server
- <hostid>war</hostid>, you only have to start
- &man.vipw.8; and replace the line</para>
+ <hostid>war</hostid>, use
+ &man.vipw.8; to replace the line</para>
<programlisting>+:::::::::</programlisting>
@@ -2295,8 +2296,8 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
<command>ls -l</command> will show the numerical ID instead of
the username and <command>find . -user joe -print</command>
will fail with <errorname>No such user</errorname>. To fix
- this, you will have to import all user entries
- <emphasis>without allowing them to login onto your
+ this, import all user entries
+ <emphasis>without allowing them to login into the
servers</emphasis>.</para>
<para>This can be achieved by adding another line to
@@ -2306,9 +2307,9 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
<para><literal>+:::::::::/sbin/nologin</literal>, meaning
<quote>Import all entries but replace the shell with
<filename>/sbin/nologin</filename> in the imported
- entries</quote>. You can replace any field in the
+ entries</quote>. It is possible to replace any field in the
<literal>passwd</literal> entry by placing a default value in
- your <filename>/etc/master.passwd</filename>.</para>
+ <filename>/etc/master.passwd</filename>.</para>
<!-- Been there, done that, got the scars to prove it - ue -->
<warning>
@@ -2320,9 +2321,9 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
shell.</para>
</warning>
- <para>After this change, you will only have to change one NIS
- map if a new employee joins the IT department. You could use
- a similar approach for the less important servers by replacing
+ <para>After this change, the NIS map will only need modification
+ when a new employee joins the IT department. A similar approach
+ for the less important servers may be used by replacing
the old <literal>+:::::::::</literal> in their local version
of <filename>/etc/master.passwd</filename> with something like
this:</para>
@@ -2342,16 +2343,16 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
change a few weeks later: The IT department starts hiring
interns. The IT interns are allowed to use the normal
workstations and the less important servers; and the IT
- apprentices are allowed to login onto the main servers. You
- add a new netgroup <literal>IT_INTERN</literal>, add the new
- IT interns to this netgroup and start to change the
- configuration on each and every machine... As the old saying
+ apprentices are allowed to login onto the main servers.
+ Add a new netgroup <literal>IT_INTERN</literal>, then add the
+ new IT interns to this netgroup and start to change the
+ configuration on each and every machine. As the old saying
goes: <quote>Errors in centralized planning lead to global
mess</quote>.</para>
<para>NIS' ability to create netgroups from other netgroups can
be used to prevent situations like these. One possibility is
- the creation of role-based netgroups. For example, you could
+ the creation of role-based netgroups. For example, one might
create a netgroup called <literal>BIGSRV</literal> to define
the login restrictions for the important servers, another
netgroup called <literal>SMALLSRV</literal> for the less
@@ -2359,7 +2360,7 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
<literal>USERBOX</literal> for the normal
workstations. Each of these netgroups contains the netgroups
that are allowed to login onto these machines. The new
- entries for your NIS map netgroup should look like
+ entries for the NIS map netgroup should look like
this:</para>
<programlisting>BIGSRV IT_EMP IT_APP
@@ -2367,10 +2368,11 @@ SMALLSRV IT_EMP IT_APP ITINTERN
USERBOX IT_EMP ITINTERN USERS</programlisting>
<para>This method of defining login restrictions works
- reasonably well if you can define groups of machines with
- identical restrictions. Unfortunately, this is the exception
- and not the rule. Most of the time, you will need the ability
- to define login restrictions on a per-machine basis.</para>
+ reasonably well when it is possible to define groups of machines
+ with identical restrictions. Unfortunately, this is the
+ exception and not the rule. Most of the time, the ability
+ to define login restrictions on a per-machine basis is
+ required.</para>
<para>Machine-specific netgroup definitions are the other
possibility to deal with the policy change outlined above. In
@@ -2386,8 +2388,8 @@ USERBOX IT_EMP ITINTERN USERS</programlisting>
<programlisting>+@<replaceable>BOXNAME</replaceable>:::::::::
+:::::::::/sbin/nologin</programlisting>
- <para>Once you have completed this task for all your machines,
- you will not have to modify the local versions of
+ <para>Once this task is completed on all the machines,
+ there is no longer a need to modify the local versions of
<filename>/etc/master.passwd</filename> ever again. All
further changes can be handled by modifying the NIS map. Here
is an example of a possible netgroup map for this
@@ -2429,50 +2431,52 @@ ONE SECURITY
TWO (,hotel,test-domain)
# [...more groups to follow]</programlisting>
- <para>If you are using some kind of database to manage your user
- accounts, you should be able to create the first part of the
- map with your database's report tools. This way, new users
+ <para>If some kind of database is used to manage the user
+ accounts, it may be possible to create the first part of the
+ map using the database's reporting tools. This way, new users
will automatically have access to the boxes.</para>
<para>One last word of caution: It may not always be advisable
- to use machine-based netgroups. If you are deploying a couple
+ to use machine-based netgroups. When deploying a couple
of dozen or even hundreds of identical machines for student
- labs, you should use role-based netgroups instead of
- machine-based netgroups to keep the size of the NIS map within
- reasonable limits.</para>
+ labs, role-based netgroups instead of
+ machine-based netgroups may be used to keep the size of the NIS
+ map within reasonable limits.</para>
</sect2>
<sect2>
<title>Important Things to Remember</title>
- <para>There are still a couple of things that you will need to
- do differently now that you are in an NIS environment.</para>
+ <para>There are still a couple of things administrators need to
+ do differently now that machines are in an NIS
+ environment.</para>
<itemizedlist>
<listitem>
- <para>Every time you wish to add a user to the lab, you
- must add it to the master NIS server
- <emphasis>only</emphasis>, and <emphasis>you must remember
- to rebuild the NIS maps</emphasis>. If you forget to do
- this, the new user will not be able to login anywhere
- except on the NIS master. For example, if we needed to
- add a new user <username>jsmith</username> to the lab, we
- would:</para>
+ <para>Every time a new user is added to the lab, they
+ must be added to the master NIS server
+ and the <acronym>NIS</acronym> maps will need rebuilt. If
+ this step is omitted, the new user will not be able to login
+ anywhere except on the NIS master. For example, if we
+ needed to add a new user <username>jsmith</username> to
+ the lab, we would:</para>
<screen>&prompt.root; <userinput>pw useradd jsmith</userinput>
&prompt.root; <userinput>cd /var/yp</userinput>
&prompt.root; <userinput>make test-domain</userinput></screen>
- <para>You could also run <command>adduser jsmith</command>
+ <para>The user may also be added using
+ <command>adduser jsmith</command>
instead of <command>pw useradd jsmith</command>.</para>
</listitem>
<listitem>
<para><emphasis>Keep the administration accounts out of the
- NIS maps</emphasis>. You do not want to be propagating
- administrative accounts and passwords to machines that
- will have users that should not have access to those
- accounts.</para>
+ NIS maps</emphasis>. This is undesirable as it will
+ create a security risk. These users and passwords should
+ not be propagated to all machines. Especially if these
+ machines will have users whom should not have access to
+ those accounts.</para>
</listitem>
<listitem>
<para><emphasis>Keep the NIS master and slave secure, and
@@ -2482,8 +2486,9 @@ TWO (,hotel,test-domain)
login to the lab.</para>
<para>This is the chief weakness of any centralized
- administration system. If you do not protect your NIS
- servers, you will have a lot of angry users!</para>
+ administration system. If the NIS servers are not
+ protected, there will be a lot of angry users and
+ unhappy management!</para>
</listitem>
</itemizedlist>
</sect2>
@@ -2491,19 +2496,19 @@ TWO (,hotel,test-domain)
<sect2>
<title>NIS v1 Compatibility</title>
- <para> FreeBSD's <application>ypserv</application> has some
- support for serving NIS v1 clients. FreeBSD's NIS
- implementation only uses the NIS v2 protocol, however other
+ <para>&os;'s <application>ypserv</application> has some
+ support for serving NIS v1 clients. &os;'s NIS
+ implementation only uses the NIS v2 protocol; however, other
implementations include support for the v1 protocol for
backwards compatibility with older systems. The
<application>ypbind</application> daemons supplied with these
- systems will try to establish a binding to an NIS v1 server
+ systems will attempt to establish a binding to an NIS v1 server
even though they may never actually need it (and they may
persist in broadcasting in search of one even after they
receive a response from a v2 server). Note that while support
for normal client calls is provided, this version of
<application>ypserv</application> does not handle v1 map
- transfer requests; consequently, it cannot be used as a master
+ transfer requests. Additionally, it cannot be used as a master
or slave in conjunction with older NIS servers that only
support the v1 protocol. Fortunately, there probably are not
any such servers still in use today.</para>
@@ -2512,7 +2517,7 @@ TWO (,hotel,test-domain)
<sect2 id="network-nis-server-is-client">
<title>NIS Servers That Are Also NIS Clients</title>
- <para> Care must be taken when running
+ <para>Care must be taken when running
<application>ypserv</application> in a multi-server domain
where the server machines are also NIS clients. It is
generally a good idea to force the servers to bind to
@@ -2525,11 +2530,11 @@ TWO (,hotel,test-domain)
present since the servers might bind to each other all over
again.</para>
- <para>You can force a host to bind to a particular server by
+ <para>A host may be forced to bind to a particular server by
running <command>ypbind</command> with the <option>-S</option>
- flag. If you do not want to do this manually each time you
- reboot your NIS server, you can add the following lines to
- your <filename>/etc/rc.conf</filename>:</para>
+ flag. Add the following lines to
+ <filename>/etc/rc.conf</filename> to enable this feature
+ during every system boot:</para>
<programlisting>nis_client_enable="YES" # run client stuff as well
nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</replaceable>"</programlisting>
@@ -2546,12 +2551,12 @@ nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</
</indexterm>
<para>One of the most common issues that people run into when
trying to implement NIS is password format compatibility. If
- your NIS server is using DES encrypted passwords, it will only
- support clients that are also using DES. For example, if you
- have &solaris; NIS clients in your network, then you will
- almost certainly need to use DES encrypted passwords.</para>
+ the NIS server is using DES encrypted passwords, it will only
+ support clients that are also using DES. For example, if any
+ &solaris; NIS clients exist on the network, there is a highly
+ likelihood DES must be used for encrypted passwords.</para>
- <para>To check which format your servers and clients are using,
+ <para>To check which format the servers and clients are using,
look at <filename>/etc/login.conf</filename>. If the host is
configured to use DES encrypted passwords, then the
<literal>default</literal> class will contain an entry like
@@ -2567,9 +2572,9 @@ nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</
<literal>blf</literal> and <literal>md5</literal> (for
Blowfish and MD5 encrypted passwords, respectively).</para>
- <para>If you have made changes to
- <filename>/etc/login.conf</filename>, you will also need to
- rebuild the login capability database, which is achieved by
+ <para>If any changes were made to
+ <filename>/etc/login.conf</filename>, the
+ login capability database must be rebuilt by
running the following command as
<username>root</username>:</para>
@@ -2582,26 +2587,380 @@ nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</
rebuilt.</para></note>
<para>Next, in order to ensure that passwords are encrypted with
- the format that you have chosen, you should also check that
+ the chosen format, check that
the <literal>crypt_default</literal> in
- <filename>/etc/auth.conf</filename> gives precedence to your
- chosen password format. To do this, place the format that you
- have chosen first in the list. For example, when using DES
+ <filename>/etc/auth.conf</filename> gives precedence to the
+ chosen password format. To do this, place the chosen format
+ first in the list. For example, when using DES
encrypted passwords, the entry would be:</para>
<programlisting>crypt_default = des blf md5</programlisting>
<para>Having followed the above steps on each of the &os; based
- NIS servers and clients, you can be sure that they all agree
- on which password format is used within your network. If you
+ NIS servers and clients, verify that they all agree
+ on which password format is used within the network. If users
have trouble authenticating on an NIS client, this is a pretty
good place to start looking for possible problems. Remember:
- if you want to deploy an NIS server for a heterogeneous
- network, you will probably have to use DES on all systems
+ to deploy an NIS server for a heterogeneous
+ network, they will probably have to use DES on all systems
because it is the lowest common standard.</para>
</sect2>
</sect1>
+ <sect1 id="network-ldap">
+ <sect1info>
+ <authorgroup>
+ <author>
+ <firstname>Tom</firstname>
+ <surname>Rhodes</surname>
+ <contrib>Written by </contrib>
+ </author>
+ </authorgroup>
+ </sect1info>
+ <title>&os; and <acronym>LDAP</acronym></title>
+
+ <indexterm><primary>LDAP</primary></indexterm>
+
+ <para><acronym>LDAP</acronym>, the Lightweight Directory Access
+ Protocol, is an application layer protocol used to access,
+ modify, and authenticate (bind) using a distributed directory
+ information service. Think of it as a phone or record book which
+ stores several levels of hierarchical, homogeneous information.
+ It is often used in networks where users often need access to
+ several levels of internal information utilizing a single
+ account. For example, email authentication, pulling employee
+ contact information, and internal website authentication might
+ all make use of a single user in the <acronym>LDAP</acronym>
+ server's record base.</para>
+
+ <para>This section will not provide a history or the implementation
+ details of the protocol. These sections were authored to get an
+ <acronym>LDAP</acronym> server and/or client configured both
+ quickly and securely; however, any information base requires
+ planning and this is no exception.</para>
+
+ <para>Planning should include what type of information will be
+ stored, what that information will be used for, whom should
+ have access to said information, and how to secure this
+ information from prying eyes.</para>
+
+ <sect2>
+ <title><acronym>LDAP</acronym> Terminology and Structure</title>
+
+ <para>Before continuing, several parts of <acronym>LDAP</acronym>
+ must be explained to prevent confusion. And confusion with
+ this configuration is relatively simple. To begin, all
+ directory entries consist of a group of
+ <emphasis>attributes</emphasis>. Each of these attribute sets
+ contain a name, a unique identifier known as a
+ <acronym>DN</acronym> or distinguished name normally built from
+ several other attributes such as the <acronym>RDN</acronym>.
+ The <acronym>RDN</acronym> or relative distinguished name, is
+ a more common name for the attribute. Like directories have
+ absolute and relative paths, consider a <acronym>DN</acronym>
+ as an absolute path and the <acronym>RDN</acronym> as the
+ relative path.</para>
+
+ <para>As an example, an entry might look like the
+ following:</para>
+
+ <screen>&prompt.user; ldapsearch -xb "uid=trhodes,ou=users,o=example.com"</screen>
+
+ <programlisting># extended LDIF
+#
+# LDAPv3
+# base <uid=trhodes,ou=users,o=example.com> with scope subtree
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# trhodes, users, example.com
+dn: uid=trhodes,ou=users,o=example.com
+mail: trhodes@example.com
+cn: Tom Rhodes
+uid: trhodes
+telephoneNumber: (xxx) xxx-xxxx
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 2
+# numEntries: 1</programlisting>
+
+ <para>In this example, it is very obvious what the various
+ attributes are; however, the <acronym>cn</acronym> attribute
+ should be noticed. This is the <acronym>RDN</acronym> discussed
+ previously. In addition, there is a unique user id provided
+ here. It is common practice to have specific uid or uuids for
+ entries to ease in any future migration.</para>
+ </sect2>
+
+ <sect2>
+ <title>Configuring an <acronym>LDAP</acronym> Server</title>
+
+ <indexterm><primary>LDAP Server</primary></indexterm>
+
+ <para>To configure &os; to act as an <acronym>LDAP</acronym>
+ server, the OpenLDAP port needs installed. This may be
+ accomplished using the <command>pkg_add</command> command
+ or by installing the
+ <filename role="port">net/openldap24-server</filename>
+ port. Building the port is recommended as the administrator
+ may select a great deal of options at this time and disable
+ some options. In most cases, the defaults will be fine;
+ however, this is the time to enable SQL support if
+ needed.</para>
+
+ <para>A few directories will be required from this point on,
+ at minimal, a data directory and a directory to store the
+ certificates in. Create them both with the following
+ commands:</para>
+
+ <screen>&prompt.root; <userinput>mkdir /var/db/openldap-data</userinput></screen>
+
+ <screen>&prompt.root; <userinput>mkdir /usr/local/etc/openldap/private</userinput></screen>
+
+ <para>Copy over the database configuration file:</para>
+
+ <screen>&prompt.root; <userinput>cp /usr/local/etc/openldap/DB_CONFIG.example /var/db/openldap-data/DB_CONFIG</userinput></screen>
+
+ <para>The next phase is to configure the <acronym>SSL</acronym>
+ certificates. While creating certificates is discussed in
+ the <link linkend="openssl">OpenSSL</link> section in this
+ book, a certificate authority is needed so a different method
+ will be used. It is recommended that this section be reviewed
+ prior to configuring to ensure correct information is entered
+ during the certificate creation process below.</para>
+
+ <para>The following commands must be executed in the
+ <filename class="directory">
+ /usr/local/etc/openldap/private</filename> directory. This
+ is important as the file permissions will need to be restrictive
+ and users should not have access to these files directly. To
+ create the certificates, issues the following commands.</para>
+
+ <screen>&prompt.root; <userinput>openssl req -days 365 -nodes -new -x509 -keyout ca.key -out ../ca.crt</userinput></screen>
+
+ <para>The entries for these may be completely generic
+ <emphasis>except</emphasis> for the
+ <emphasis>Common Name</emphasis> entry. This entry must have
+ something different than the system hostname. If the entry
+ is the hostname, it would be like the hostname is attempting
+ to verify hostname. In cases with a self signed certificate
+ like this example, just prefix the hostname with
+ <acronym>CA</acronym> for certificate authority.</para>
+
+ <para>The next task is to create a certificate signing request
+ and a private key. To do this, issue the following
+ commands:</para>
+
+ <screen>&prompt.root; <userinput>openssl req -days 365 -nodes -new -keyout server.key -out server.csr</userinput></screen>
+
+ <para>During the certificate generation process, be sure to
+ correctly set the common name attribute. After this has
+ been completed, the key will need signed:</para>
+
+ <screen>&prompt.root; <userinput>openssl x509 -req -days 365 -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial</userinput></screen>
+
+ <para>The final part of the certificate generation process
+ is to generate and sign the client certificates:</para>
+
+ <screen>&prompt.root; <userinput>openssl req -days 365 -nodes -new -keyout client.key -out client.csr</userinput></screen>
+
+ <screen>&prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen>
+
+ <para>Remember, again, to respect the common name attribute. This
+ is a common cause for confusion during the first attempt to
+ configure <acronym>LDAP</acronym>. In addition, ensure that
+ a total of eight (8) new files have been generated through
+ the proceeding commands. If so, the next step is to edit
+ <filename>/usr/local/etc/openldap/slapd.conf</filename> and add
+ the following options:</para>
+
+ <programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3
+TLSCertificateFile /usr/local/etc/openldap/server.crt
+TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
+TLSCACertificateFile /usr/local/etc/openldap/ca.crt</programlisting>
+
+ <para>In addition, edit
+ <filename>/usr/local/etc/openldap/ldap.conf</filename> and
+ add the following lines:</para>
+
+ <programlisting>TLS_CACERT /usr/local/etc/openldap/ca.crt
+TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting>
+
+ <para>While editing these this file, set the <option>BASE</option>
+ to the desired values, and uncomment all three of the
+ <option>URI</option>, <option>SIZELIMIT</option> and
+ <option>TIMELIMIT</option> options. In addition, set the
+ <option>URI</option> to contain <option>ldap://</option>
+ and <option>ldaps://</option>.</para>
+
+ <para>The resulting file should look similar to the following
+ shown here:</para>
+
+ <programlisting>BASE dc=example,dc=com
+URI ldap:// ldaps://
+
+SIZELIMIT 12
+TIMELIMIT 15
+#DEREF never
+
+TLS_CACERT /usr/local/etc/openldap/ca.crt
+TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting>
+
+ <para>A password for the server will need to be created as the
+ default is extremely poor as is normal in this industry. To
+ do this, issue the following command, sending the output to
+ <filename>slapd.conf</filename>:</para>
+
+ <screen>&prompt.root; <userinput>slappasswd -h "{SHA}" >> /usr/local/etc/openldap/slapd.conf</userinput></screen>
+
+ <para>There will be a prompt for entering the password and,
+ if the process does not fail, a password hash will be added
+ to the end of <filename>slapd.conf</filename>. The
+ <command>slappasswd</command> understands several hashing
+ formats, refer to the manual page for more information.</para>
+
+ <para>Edit <filename>/usr/local/etc/openldap/slapd.conf</filename>
+ and add the following lines:</para>
+
+ <programlisting>password-hash {sha}
+allow bind_v2</programlisting>
+
+ <para>In addition, the <option>suffix</option> in this file must
+ be updated to match the <option>BASE</option> from the previous
+ configuration. The <option>rootdn</option> option should
+ also be set. A good recommendation is something like
+ <option>cn=Manager</option>. Before saving this file, place
+ the <option>rootpw</option> option in front of the password
+ output from the <command>slappasswd</command> and delete the
+ old <option>rootpw</option> option above. The end result
+ should look similar to this:</para>
+
+ <programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3
+TLSCertificateFile /usr/local/etc/openldap/server.crt
+TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
+TLSCACertificateFile /usr/local/etc/openldap/ca.crt
+rootpw {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=</programlisting>
+
+ <para>Finally, enable the <application>OpenLDAP</application>
+ service in <filename>rc.conf</filename>. At this time,
+ setting up a <acronym>URI</acronym> and providing the group
+ and user to run as may be useful.
+ Edit <filename>/etc/rc.conf</filename> and add the following
+ lines:</para>
+
+ <programlisting>slapd_enable="YES"
+slapd_flags="-4 -h ldaps:///"</programlisting>
+
+ <para>At this point the server should be ready to be brought
+ up and tested. To perform this task, issue the following
+ command:</para>
+
+ <screen>&prompt.root; <userinput>service slapd start</userinput></screen>
+
+ <para>If everything was configured correctly, a search of the
+ directory should show a successful connection with a single
+ response as in this example:</para>
+
+ <screen>&prompt.root; <userinput>ldapsearch -Z</userinput></screen>
+
+ <programlisting># extended LDIF
+#
+# LDAPv3
+# base <dc=example,dc=com> (default) with scope subtree
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# search result
+search: 3
+result: 32 No such object
+
+# numResponses: 1</programlisting>
+
+ <para>Considering the service should now be responding, as it
+ is above, the directory may be populated using the
+ <command>ldapadd</command> command. In this example, there
+ is a file containing a list of users to be added to this
+ particular directory. First, create a file to be imported
+ with the following dataset:</para>
+
+ <programlisting>dn: dc=example,dc=com
+objectclass: dcObject
+objectclass: organization
+o: Example
+dc: Example
+
+dn: cn=Manager,dc=example,dc=com
+objectclass: organizationalRole
+cn: Manager</programlisting>
+
+ <note>
+ <para>To debug any of the following, stop the
+ <command>slapd</command> service using the
+ <command>service</command> command and start it using with
+ debugging options. To accomplish this, issue the following
+ command:</para>
+
+ <screen>&prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen>
+ </note>
+
+ <para>To import this datafile, issue the following command,
+ assuming the file is <filename>import.ldif</filename>:</para>
+
+ <screen>&prompt.root; <userinput>ldapadd -Z -D "cn=Manager,dc=example,dc=com" -W -f <replaceable>import.ldif</replaceable></userinput></screen>
+
+ <para>There will be a request for the password specified earlier,
+ and the output should look like this:</para>
+
+ <screen>Enter LDAP Password:
+adding new entry "dc=example,dc=com"
+
+adding new entry "cn=Manager,dc=example,dc=com"</screen>
+
+ <para>Verify the data was added by issuing a search on the
+ server using <command>ldapsearch</command>. In this case
+ the output should look like this:</para>
+
+ <screen>&prompt.user; <userinput>ldapsearch -Z</userinput></screen>
+
+ <screen># extended LDIF
+#
+# LDAPv3
+# base <dc=example,dc=com> (default) with scope subtree
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# example.com
+dn: dc=example,dc=com
+objectClass: dcObject
+objectClass: organization
+o: Example
+dc: Example
+
+# Manager, example.com
+dn: cn=Manager,dc=example,dc=com
+objectClass: organizationalRole
+cn: Manager
+
+# search result
+search: 3
+result: 0 Success
+
+# numResponses: 3
+# numEntries: 2</screen>
+
+ <para>It is of course advisable to read about the structure of
+ <acronym>LDAP</acronym> directories and the various manual
+ pages mentioned in this section. At this point, the server
+ should be configured and functioning properly.</para>
+ </sect2>
+ </sect1>
+
<sect1 id="network-dhcp">
<sect1info>
<authorgroup>
@@ -2693,7 +3052,7 @@ nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</
fill in the network configuration information
automatically.</para>
- <para>There are two things you must do to have your system use
+ <para>There are two things required to have the system use
DHCP upon startup:</para>
<indexterm>
<primary>DHCP</primary>
@@ -2702,30 +3061,33 @@ nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</
<itemizedlist>
<listitem>
<para>Make sure that the <devicename>bpf</devicename>
- device is compiled into your kernel. To do this, add
- <literal>device bpf</literal> to your kernel
+ device is compiled into the kernel. To do this, add
+ <literal>device bpf</literal> to the kernel
configuration file, and rebuild the kernel. For more
information about building kernels, see <xref
linkend="kernelconfig"/>.</para> <para>The
<devicename>bpf</devicename> device is already part of
the <filename>GENERIC</filename> kernel that is supplied
- with FreeBSD, so if you do not have a custom kernel, you
- should not need to create one in order to get DHCP
- working.</para>
+ with &os;, thus there is no need to build a custom kernel
+ for <acronym>DHCP</acronym>. In the case of a custom
+ kernel configuration file, this device must be present
+ for <acronym>DHCP</acronym> to function properly.</para>
+
<note>
<para>For those who are particularly security conscious,
- you should be warned that <devicename>bpf</devicename>
+ take note that <devicename>bpf</devicename>
is also the device that allows packet sniffers to work
correctly (although they still have to be run as
<username>root</username>).
<devicename>bpf</devicename> <emphasis>is</emphasis>
- required to use DHCP, but if you are very sensitive
- about security, you probably should not add
- <devicename>bpf</devicename> to your
+ required to use DHCP; however, the security sensitive
+ types should probably not add
+ <devicename>bpf</devicename> to the
kernel in the expectation that at some point in the
- future you will be using DHCP.</para>
+ future the system will be using DHCP.</para>
</note>
</listitem>
+
<listitem>
<para>By default, DHCP configuration on &os; runs in the
background, or <firstterm>asynchronously</firstterm>.
@@ -2761,9 +3123,10 @@ nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</
<xref linkend="config-network-setup"/>.</para>
</note>
- <para>If you are using a different location for
- <command>dhclient</command>, or if you wish to pass
- additional flags to <command>dhclient</command>, also
+ <para>When using a different file system location for
+ <command>dhclient</command>, or if
+ additional flags must be passed to
+ <command>dhclient</command>,
include (editing as necessary):</para>
<programlisting>dhclient_program="/sbin/dhclient"
@@ -2846,10 +3209,11 @@ dhclient_flags=""</programlisting>
(Internet Systems Consortium) implementation of the DHCP
server.</para>
- <para>The server is not provided as part of FreeBSD, and so
- you will need to install the <filename
- role="package">net/isc-dhcp42-server</filename> port to
- provide this service. See <xref linkend="ports"/> for
+ <para>The server is not provided as part of &os;, and so
+ the <filename
+ role="package">net/isc-dhcp42-server</filename> port must
+ be installed to provide this service.
+ See <xref linkend="ports"/> for
more information on using the Ports Collection.</para>
</sect3>
@@ -2860,33 +3224,35 @@ dhclient_flags=""</programlisting>
<primary>DHCP</primary>
<secondary>installation</secondary>
</indexterm>
- <para>In order to configure your FreeBSD system as a DHCP
- server, you will need to ensure that the &man.bpf.4;
- device is compiled into your kernel. To do this, add
- <literal>device bpf</literal> to your kernel
+ <para>In order to configure the &os; system as a DHCP
+ server, first ensure that the &man.bpf.4;
+ device is compiled into the kernel. To do this, add
+ <literal>device bpf</literal> to the kernel
configuration file, and rebuild the kernel. For more
information about building kernels, see <xref
linkend="kernelconfig"/>.</para>
<para>The <devicename>bpf</devicename> device is already
part of the <filename>GENERIC</filename> kernel that is
- supplied with FreeBSD, so you do not need to create a
- custom kernel in order to get DHCP working.</para>
+ supplied with &os;, so there is no need to create a
+ custom kernel in order to get <acronym>DHCP</acronym>
+ working.</para>
<note>
<para>Those who are particularly security conscious
should note that <devicename>bpf</devicename> is also
- the device that allows packet sniffers to work
+ the device that allows packet sniffers to function
correctly (although such programs still need
- privileged access). <devicename>bpf</devicename>
- <emphasis>is</emphasis> required to use DHCP, but if
- you are very sensitive about security, you probably
- should not include <devicename>bpf</devicename> in
- your kernel purely because you expect to use DHCP at
- some point in the future.</para>
+ privileged access). The <devicename>bpf</devicename>
+ device <emphasis>is</emphasis> required to use DHCP, but
+ if the sensitivity of the system's security is high, this
+ device should not be included in
+ the kernel purely because the use of
+ <acronym>DHCP</acronym> may, at
+ some point in the future, be desired.</para>
</note>
- <para>The next thing that you will need to do is edit the
+ <para>The next thing that is needed is to edit the
sample <filename>dhcpd.conf</filename> which was installed
by the <filename
role="package">net/isc-dhcp42-server</filename> port.
@@ -2993,9 +3359,9 @@ host mailhost {
</callout>
</calloutlist>
- <para>Once you have finished writing your
- <filename>dhcpd.conf</filename>,
- you should enable the DHCP server in
+ <para>Once the configuration of
+ <filename>dhcpd.conf</filename> has been completed,
+ enable the DHCP server in
<filename>/etc/rc.conf</filename>, i.e., by adding:</para>
<programlisting>dhcpd_enable="YES"
@@ -3003,23 +3369,21 @@ dhcpd_ifaces="dc0"</programlisting>
<para>Replace the <literal>dc0</literal> interface name with
the interface (or interfaces, separated by whitespace)
- that your DHCP server should listen on for DHCP client
+ that the DHCP server should listen on for DHCP client
requests.</para>
- <para>Then, you can proceed to start the server by issuing
+ <para>Proceed to start the server by issuing
the following command:</para>
<screen>&prompt.root; <userinput>service isc-dhcpd start</userinput></screen>
- <para>Should you need to make changes to the configuration
- of your server in the future, it is important to note that
- sending a <literal>SIGHUP</literal> signal to
- <application>dhcpd</application> does
- <emphasis>not</emphasis> result in the configuration being
- reloaded, as it does with most daemons. You will need to
- send a <literal>SIGTERM</literal> signal to stop the
- process, and then restart it using the command
- above.</para>
+ <para>Any future changes to the configuration
+ of the server will require the sending of a
+ <literal>SIGTERM</literal> signal to
+ <application>dhcpd</application> rather than a
+ <literal>SIGHUP</literal>. It is definitely more
+ simple to use &man.service.8; to completely restart
+ the service.</para>
</sect3>
<sect3>
@@ -3067,7 +3431,7 @@ dhcpd_ifaces="dc0"</programlisting>
<para><application>dhcrelay</application> is used in
advanced environments where one DHCP server forwards a
request from a client to another DHCP server on a
- separate network. If you require this functionality,
+ separate network. If this functionality is required,
then install the <filename
role="package">net/isc-dhcp42-relay</filename> port.
The &man.dhcrelay.8; manual page provided with the
@@ -3390,8 +3754,8 @@ dhcpd_ifaces="dc0"</programlisting>
<para>There are obviously many configuration options for
<filename>/etc/namedb/named.conf</filename> that are beyond
- the scope of this document. However, if you are interested in
- the startup options for <application>named</application> on
+ the scope of this document. There are other startup options
+ for <application>named</application> on
&os;, take a look at the
<literal>named_<replaceable>*</replaceable></literal> flags in
<filename>/etc/defaults/rc.conf</filename> and consult the
@@ -3487,7 +3851,7 @@ options {
<warning>
<para><hostid role="ipaddr">127.0.0.1</hostid> will
<emphasis>not</emphasis> work here. Change this
- <acronym>IP</acronym> address to a name server at your
+ <acronym>IP</acronym> address to a name server at the
uplink.</para>
</warning>
@@ -4527,9 +4891,9 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
world. The majority of web servers on the Internet are using
the <application>Apache HTTP Server</application>.
<application>Apache</application> software packages should be
- included on your FreeBSD installation media. If you did not
- install <application>Apache</application> when you first
- installed FreeBSD, then you can install it from the <filename
+ included on the &os; installation media. If
+ <application>Apache</application> was not installed while
+ installing &os;, then it can be installed from the <filename
role="package">www/apache22</filename> port.</para>
<para>Once <application>Apache</application> has been installed
@@ -4582,7 +4946,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<listitem>
<para>The address to which problems with the server should
- be emailed. This address appears on some
+ be emailed. This address also appears on some
server-generated pages, such as error documents.</para>
</listitem>
</varlistentry>
@@ -4591,10 +4955,11 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<term><literal>ServerName www.example.com</literal></term>
<listitem>
- <para><literal>ServerName</literal> allows you to set a
- host name which is sent back to clients for your server
- if it is different than the one that the host is
- configured with (i.e., use <hostid>www</hostid> instead
+ <para><literal>ServerName</literal> allows an administrator
+ to set a host name which is sent back to clients for the
+ server. This is useful if the host is different than the
+ one that it is configured with (i.e., use
+ <hostid>www</hostid> instead
of the host's real name).</para>
</listitem>
</varlistentry>
@@ -4604,8 +4969,8 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
"/usr/local/www/apache22/data"</literal></term>
<listitem>
- <para><literal>DocumentRoot</literal>: The directory out
- of which you will serve your documents. By default, all
+ <para><literal>DocumentRoot</literal>: The directory
+ where documents will be served from. By default, all
requests are taken from this directory, but symbolic
links and aliases may be used to point to other
locations.</para>
@@ -4613,11 +4978,13 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
</varlistentry>
</variablelist>
- <para>It is always a good idea to make backup copies of your
+ <para>It is always a good idea to make backup copies of the
<application>Apache</application> configuration file before
- making changes. Once you are satisfied with your initial
- configuration you are ready to start running
- <application>Apache</application>.</para>
+ making changes. When the configuration of
+ <application>Apache</application>, is complete, save the
+ file and verify the configuration using &man.apachectl.8;.
+ To do this, issue <command>apachectl configtest</command>
+ which should return <literal>Syntax OK</literal>.</para>
</sect2>
<sect2>
@@ -4645,8 +5012,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<programlisting>apache22_flags=""</programlisting>
<para>The <application>Apache</application> configuration can be
- tested for errors before starting the <command>httpd</command>
- daemon for the first time, or after making subsequent
+ tested for errors after making subsequent
configuration changes while <command>httpd</command> is
running. This can be done by the &man.rc.8; script directly,
or by the &man.service.8; utility by issuing one of the
@@ -4691,14 +5057,14 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<para>To setup <application>Apache</application> to use
Name-based Virtual Hosting add an entry like the following to
- your <filename>httpd.conf</filename>:</para>
+ <filename>httpd.conf</filename>:</para>
<programlisting>NameVirtualHost *</programlisting>
- <para>If your webserver was named <hostid
- role="fqdn">www.domain.tld</hostid> and you wanted to setup
+ <para>If the webserver was named <hostid
+ role="fqdn">www.domain.tld</hostid> and
a virtual domain for <hostid
- role="fqdn">www.someotherdomain.tld</hostid> then you would
+ role="fqdn">www.someotherdomain.tld</hostid> then
add the following entries to
<filename>httpd.conf</filename>:</para>
@@ -4712,8 +5078,8 @@ ServerName www.someotherdomain.tld
DocumentRoot /www/someotherdomain.tld
</VirtualHost></screen>
- <para>Replace the addresses with the addresses you want to use
- and the path to the documents with what you are using.</para>
+ <para>Replace the addresses with the addresses needed
+ and the path to the documents with what are being used.</para>
<para>For more information about setting up virtual hosts,
please consult the official <application>Apache</application>
@@ -4746,7 +5112,7 @@ DocumentRoot /www/someotherdomain.tld
Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols. This module provides
everything necessary to request a signed certificate from
- a trusted certificate signing authority so that you can run
+ a trusted certificate signing authority to run
a secure web server on &os;.</para>
<para>The <application>mod_ssl</application> module is built
@@ -4802,8 +5168,8 @@ DocumentRoot /www/someotherdomain.tld
<para>Django depends on <application>mod_python</application>,
<application>Apache</application>, and an SQL database
- engine of your choice. The FreeBSD Port will install all of
- these pre-requisites for you with the appropriate
+ engine. The &os; Port will install all of
+ these pre-requisites with the appropriate
flags.</para>
<example id="network-www-django-install">
@@ -4815,22 +5181,23 @@ DocumentRoot /www/someotherdomain.tld
<screen>&prompt.root; <userinput>cd /usr/ports/www/py-django; make all install clean -DWITH_MOD_PYTHON3 -DWITH_POSTGRESQL</userinput></screen>
</example>
- <para>Once Django and these pre-requisites are installed, you
- will need to create a Django project directory and then
- configure Apache to use the embedded Python interpreter to
- call your application for specific URLs on your site.</para>
+ <para>Once Django and these pre-requisites are installed,
+ the application will need a Django project directory along
+ with the Apache configuration to use the embedded Python
+ interpreter. This will be the interpreter to
+ call the application for specific URLs on the site.</para>
<example id="network-www-django-apache-config">
<title>Apache Configuration for Django/mod_python</title>
- <para>You will need to add a line to the apache
+ <para>A line must be added to the apache
<filename>httpd.conf</filename> file to configure Apache
- to pass requests for certain URLs to your web
+ to pass requests for certain URLs to the web
application:</para>
<screen><Location "/">
SetHandler python-program
- PythonPath "['/dir/to/your/django/packages/'] + sys.path"
+ PythonPath "['/dir/to/the/django/packages/'] + sys.path"
PythonHandler django.core.handlers.modpython
SetEnv DJANGO_SETTINGS_MODULE mysite.settings
PythonAutoReload On
@@ -5020,7 +5387,7 @@ DocumentRoot /www/someotherdomain.tld
<para>The most important configuration step is deciding which
accounts will be allowed access to the FTP server. A normal
- FreeBSD system has a number of system accounts used for
+ &os; system has a number of system accounts used for
various daemons, but unknown users should not be allowed to
log in with these accounts. The
<filename>/etc/ftpusers</filename> file is a list of users
@@ -5029,7 +5396,8 @@ DocumentRoot /www/someotherdomain.tld
specific users here that should not be allowed access to
FTP.</para>
- <para>You may want to restrict the access of some users without
+ <para>In some cases it may be desirable to restrict the access
+ of some users without
preventing them completely from using FTP. This can be
accomplished with the <filename>/etc/ftpchroot</filename>
file. This file lists users and groups subject to FTP access
@@ -5041,10 +5409,10 @@ DocumentRoot /www/someotherdomain.tld
<secondary>anonymous</secondary>
</indexterm>
- <para>If you would like to enable anonymous FTP access to your
- server, then you must create a user named
- <username>ftp</username> on your &os; system. Users will then
- be able to log on to your FTP server with a username of
+ <para>To enable anonymous FTP access to the
+ server, create a user named
+ <username>ftp</username> on the &os; system. Users will then
+ be able to log on to the FTP server with a username of
<username>ftp</username> or <username>anonymous</username> and
with any password (by convention an email address for the user
should be used as the password). The FTP server will call
@@ -5074,7 +5442,7 @@ DocumentRoot /www/someotherdomain.tld
the <application>inetd</application> configuration must be
reloaded after this configuration file is changed. Please
refer to <xref linkend="network-inetd-settings"/> for details
- on enabling <application>inetd</application> on your
+ on enabling <application>inetd</application> on the
system.</para>
<para>Alternatively, <application>ftpd</application> can also be
@@ -5091,7 +5459,7 @@ DocumentRoot /www/someotherdomain.tld
<screen>&prompt.root; <userinput>service ftpd start</userinput></screen>
- <para>You can now log on to your FTP server by typing:</para>
+ <para>You can now log on to the FTP server by typing:</para>
<screen>&prompt.user; <userinput>ftp localhost</userinput></screen>
@@ -5119,13 +5487,14 @@ DocumentRoot /www/someotherdomain.tld
</indexterm>
<para>Be aware of the potential problems involved with running
- an anonymous FTP server. In particular, you should think
- twice about allowing anonymous users to upload files. You may
- find that your FTP site becomes a forum for the trade of
- unlicensed commercial software or worse. If you do need to
- allow anonymous FTP uploads, then you should set up the
+ an anonymous FTP server. In particular, think
+ twice about allowing anonymous users to upload files. It may
+ turn out that the FTP site becomes a forum for the trade of
+ unlicensed commercial software or worse. If anonymous
+ FTP uploads are required, then verify the
permissions so that these files can not be read by other
- anonymous users until they have been reviewed.</para>
+ anonymous users until they have been reviewed by an
+ administrator.</para>
</sect2>
</sect1>
@@ -5160,13 +5529,13 @@ DocumentRoot /www/someotherdomain.tld
<para><application>Samba</application> is a popular open source
software package that provides file and print services for
µsoft.windows; clients. Such clients can connect to and
- use FreeBSD filespace as if it was a local disk drive, or
- FreeBSD printers as if they were local printers.</para>
+ use &os; filespace as if it was a local disk drive, or
+ &os; printers as if they were local printers.</para>
<para><application>Samba</application> software packages should
- be included on your FreeBSD installation media. If you did
- not install <application>Samba</application> when you first
- installed FreeBSD, then you can install it from the <filename
+ be included on the &os; installation media. If they were
+ not installed when first
+ installing &os;, then they may be installed from the <filename
role="package">net/samba34</filename> port or package.</para>
<!-- mention LDAP, Active Directory, WinBIND, ACL, Quotas, PAM, .. -->
@@ -5186,8 +5555,8 @@ DocumentRoot /www/someotherdomain.tld
<para>The <filename>smb.conf</filename> file contains runtime
configuration information for
<application>Samba</application>, such as definitions of the
- printers and <quote>file system shares</quote> that you would
- like to share with &windows; clients. The
+ printers and <quote>file system shares</quote> that will
+ be shared with &windows; clients. The
<application>Samba</application> package includes a web based
tool called <application>swat</application> which provides a
simple way of configuring the <filename>smb.conf</filename>
@@ -5212,16 +5581,18 @@ DocumentRoot /www/someotherdomain.tld
reloaded after this configuration file is changed.</para>
<para>Once <application>swat</application> has been enabled in
- <filename>inetd.conf</filename>, you can use a browser to
- connect to <ulink url="http://localhost:901"></ulink>. You
- will first have to log on with the system
- <username>root</username> account.</para>
+ <filename>inetd.conf</filename>, a web browser may be used to
+ connect to <ulink url="http://localhost:901"></ulink>. At
+ first login, the system
+ <username>root</username> account must be used.</para>
-<!-- XXX screenshots go here, loader is creating them -->
+<!-- XXX screenshots go here, loader is creating them
+ XXXTR: I'll believe it when I see it. -->
- <para>Once you have successfully logged on to the main
- <application>Samba</application> configuration page, you can
- browse the system documentation, or begin by clicking on the
+ <para>Once successfully logging on to the main
+ <application>Samba</application> configuration page, the
+ system documentation will be available, or configuration may
+ begin by clicking on the
<guimenu>Globals</guimenu> tab. The
<guimenu>Globals</guimenu> section corresponds to the
variables that are set in the <literal>[global]</literal>
@@ -5232,9 +5603,9 @@ DocumentRoot /www/someotherdomain.tld
<sect3>
<title>Global Settings</title>
- <para>Whether you are using <application>swat</application> or
- editing <filename>/usr/local/etc/smb.conf</filename>
- directly, the first directives you are likely to encounter
+ <para>Whether <application>swat</application> is being used or
+ <filename>/usr/local/etc/smb.conf</filename> is being edited
+ directly, the first directives encountered
when configuring <application>Samba</application>
are:</para>
@@ -5288,14 +5659,14 @@ DocumentRoot /www/someotherdomain.tld
<listitem>
<para>The two most common options here are
<literal>security = share</literal> and
- <literal>security = user</literal>. If your clients
+ <literal>security = user</literal>. If the clients
use usernames that are the same as their usernames on
- your &os; machine then you will want to use user level
- security. This is the default security policy and it
+ the &os; machine then user level security should be
+ used. This is the default security policy and it
requires clients to first log on before they can
access shared resources.</para>
- <para>In share level security, client do not need to log
+ <para>In share level security, clients do not need to log
onto the server with a valid username and password
before attempting to connect to a shared resource.
This was the default security model for older versions
@@ -5312,8 +5683,8 @@ DocumentRoot /www/someotherdomain.tld
<indexterm><primary>SQL database</primary></indexterm>
<para><application>Samba</application> has several
- different backend authentication models. You can
- authenticate clients with LDAP, NIS+, a SQL database,
+ different backend authentication models. Clients may
+ be authenticated with LDAP, NIS+, an SQL database,
or a modified password file. The default
authentication method is <literal>smbpasswd</literal>,
and that is all that will be covered here.</para>
@@ -5325,8 +5696,8 @@ DocumentRoot /www/someotherdomain.tld
backend is used, the
<filename>/usr/local/etc/samba/smbpasswd</filename> file
must be created to allow <application>Samba</application> to
- authenticate clients. If you would like to give
- your &unix; user accounts access from &windows; clients, use
+ authenticate clients. To provide
+ the &unix; user accounts access from &windows; clients, use
the following command:</para>
<screen>&prompt.root; <userinput>smbpasswd -a username</userinput></screen>
@@ -5344,9 +5715,10 @@ DocumentRoot /www/someotherdomain.tld
url="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/">Official
Samba HOWTO</ulink>
for additional information about configuration
- options. With the basics outlined here, you should have
- everything you need to start running
- <application>Samba</application>.</para>
+ options. With the basics outlined here, the minimal required
+ start running <application>Samba</application> will
+ be explained. Other documentation should be consulted in
+ addition to the information here.</para>
</sect3>
</sect2>
@@ -5386,16 +5758,17 @@ Starting smbd.</screen>
more information about using rc scripts.</para>
<para><application>Samba</application> actually consists of
- three separate daemons. You should see that both the
+ three separate daemons. Notice that both the
<application>nmbd</application> and
<application>smbd</application> daemons are started by the
- <filename>samba</filename> script. If you enabled winbind
- name resolution services in <filename>smb.conf</filename>,
- then you will also see that the
- <application>winbindd</application> daemon is started.</para>
+ <filename>samba</filename> script. If winbind,
+ name resolution services were enabled in
+ <filename>smb.conf</filename>,
+ the <application>winbindd</application> daemon will be
+ started as well.</para>
- <para>You can stop <application>Samba</application> at any time
- by typing :</para>
+ <para><application>Samba</application> may be stopped at any time
+ by typing:</para>
<screen>&prompt.root; <userinput>service samba stop</userinput></screen>
@@ -5426,7 +5799,7 @@ Starting smbd.</screen>
<title>Overview</title>
<para>Over time, a computer's clock is prone to drift. The
- Network Time Protocol (NTP) is one way to ensure your clock
+ Network Time Protocol (NTP) is one way to ensure the clock
stays accurate.</para>
<para>Many Internet services rely on, or greatly benefit from,
@@ -5443,11 +5816,11 @@ Starting smbd.</screen>
<primary>NTP</primary>
<secondary>ntpd</secondary>
</indexterm>
- <para>FreeBSD ships with the &man.ntpd.8; <acronym
+ <para>&os; ships with the &man.ntpd.8; <acronym
role="Network Time Protocol">NTP</acronym> server which can
be used to query other <acronym
role="Network Time Protocol">NTP</acronym> servers to set
- the clock on your machine or provide time
+ the clock on the machine or provide time
services to others.</para>
</sect2>
@@ -5459,27 +5832,27 @@ Starting smbd.</screen>
<secondary>choosing servers</secondary>
</indexterm>
- <para>In order to synchronize your clock, you will need to find
- one or more <acronym role="Network Time
- Protocol">NTP</acronym> servers to use. Your network
+ <para>In order to synchronize the clock, one or more
+ <acronym role="Network Time Protocol">NTP</acronym> servers
+ must be defined. The network
administrator or ISP may have set up an NTP server for this
purpose—check their documentation to see if this is the
case. There is an <ulink
url="http://support.ntp.org/bin/view/Servers/WebHome">online
- list of publicly accessible NTP servers</ulink> which you can
- use to find an NTP server near to you. Make sure you are
- aware of the policy for any servers you choose, and ask for
- permission if required.</para>
+ list of publicly accessible NTP servers</ulink> which may be
+ referenced to find an NTP server nearest to the system.
+ Take care to review the policy for any chosen servers, and ask
+ for permission if required.</para>
<para>Choosing several unconnected NTP servers is a good idea in
- case one of the servers you are using becomes unreachable or
+ case one of the servers being used becomes unreachable or
its clock is unreliable. &man.ntpd.8; uses the responses it
receives from other servers intelligently—it will favor
unreliable servers less than reliable ones.</para>
</sect2>
<sect2>
- <title>Configuring Your Machine</title>
+ <title>Configuring The Machine</title>
<indexterm>
<primary>NTP</primary>
@@ -5491,8 +5864,8 @@ Starting smbd.</screen>
<indexterm><primary>ntpdate</primary></indexterm>
- <para>If you only wish to synchronize your clock when the
- machine boots up, you can use &man.ntpdate.8;. This may be
+ <para>To synchronize the clock only when the
+ machine boots up, use &man.ntpdate.8;. This may be
appropriate for some desktop machines which are frequently
rebooted and only require infrequent synchronization, but
most machines should run &man.ntpd.8;.</para>
@@ -5505,8 +5878,8 @@ Starting smbd.</screen>
<para>To enable &man.ntpdate.8; at boot time, add
<literal>ntpdate_enable="YES"</literal> to
- <filename>/etc/rc.conf</filename>. You will also need to
- specify all servers you wish to synchronize with and any
+ <filename>/etc/rc.conf</filename>. Also
+ specify all synchronization servers and any
flags to be passed to &man.ntpdate.8; in
<varname>ntpdate_flags</varname>.</para>
</sect3>
@@ -5552,7 +5925,7 @@ driftfile /var/db/ntp.drift</programlisting>
<para>The <literal>driftfile</literal> option specifies which
file is used to store information about previous responses
- from the NTP servers you are using. This file contains
+ from the NTP servers being used. This file contains
internal information for NTP. It should not be modified by
any other process.</para>
</sect3>
@@ -5560,27 +5933,27 @@ driftfile /var/db/ntp.drift</programlisting>
<sect3>
<title>Controlling Access to Your Server</title>
- <para>By default, your NTP server will be accessible to all
+ <para>By default, the NTP server will be accessible to all
hosts on the Internet. The <literal>restrict</literal>
- option in <filename>/etc/ntp.conf</filename> allows you to
- control which machines can access your server.</para>
+ option in <filename>/etc/ntp.conf</filename>
+ controls which machines can access the server.</para>
- <para>If you want to deny all machines from accessing your NTP
+ <para>To deny all machines from accessing the NTP
server, add the following line to
<filename>/etc/ntp.conf</filename>:</para>
<programlisting>restrict default ignore</programlisting>
<note>
- <para>This will also prevent access from your server to
- any servers listed in your local configuration. If you
- need to synchronise your NTP server with an external NTP
- server you should allow the specific server. See the
+ <para>This will also prevent access from the server to
+ any servers listed in the local configuration. If there is
+ a need to synchronise the NTP server with an external NTP
+ server, allow only that specific server. See the
&man.ntp.conf.5; manual for more information.</para>
</note>
- <para>If you only want to allow machines within your own
- network to synchronize their clocks with your server, but
+ <para>To allow machines within the
+ network to synchronize their clocks with the server, but
ensure they are not allowed to configure the server or used
as peers to synchronize against, add</para>
@@ -5588,14 +5961,14 @@ driftfile /var/db/ntp.drift</programlisting>
<para>instead, where <hostid
role="ipaddr">192.168.1.0</hostid> is an IP address on
- your network and <hostid
- role="netmask">255.255.255.0</hostid> is your network's
+ the network and <hostid
+ role="netmask">255.255.255.0</hostid> is the network's
netmask.</para>
- <para><filename>/etc/ntp.conf</filename> can contain multiple
- <literal>restrict</literal> options. For more details, see
- the <literal>Access Control Support</literal> subsection of
- &man.ntp.conf.5;.</para>
+ <para>The <filename>/etc/ntp.conf</filename> file can contain
+ multiple <literal>restrict</literal> options. For more
+ details, see the <literal>Access Control Support</literal>
+ subsection of &man.ntp.conf.5;.</para>
</sect3>
</sect2>
@@ -5604,12 +5977,12 @@ driftfile /var/db/ntp.drift</programlisting>
<para>To ensure the NTP server is started at boot time, add the
line <literal>ntpd_enable="YES"</literal> to
- <filename>/etc/rc.conf</filename>. If you wish to pass
+ <filename>/etc/rc.conf</filename>. To pass
additional flags to &man.ntpd.8;, edit the
<varname>ntpd_flags</varname> parameter in
<filename>/etc/rc.conf</filename>.</para>
- <para>To start the server without rebooting your machine, run
+ <para>To start the server without rebooting the machine, run
<command>ntpd</command> being sure to specify any additional
parameters from <varname>ntpd_flags</varname> in
<filename>/etc/rc.conf</filename>. For example:</para>
@@ -5623,10 +5996,10 @@ driftfile /var/db/ntp.drift</programlisting>
<para>The &man.ntpd.8; program does not need a permanent
connection to the Internet to function properly. However, if
- you have a temporary connection that is configured to dial out
+ there is a temporary connection that is configured to dial out
on demand, it is a good idea to prevent NTP traffic from
- triggering a dial out or keeping the connection alive. If you
- are using user PPP, you can use <literal>filter</literal>
+ triggering a dial out or keeping the connection alive. PPP
+ users can use the <literal>filter</literal>
directives in <filename>/etc/ppp/ppp.conf</filename>. For
example:</para>
@@ -5646,7 +6019,7 @@ driftfile /var/db/ntp.drift</programlisting>
<note>
<para>Some Internet access providers block low-numbered ports,
preventing NTP from functioning since replies never
- reach your machine.</para>
+ reach the machine.</para>
</note>
</sect2>
@@ -5682,7 +6055,7 @@ driftfile /var/db/ntp.drift</programlisting>
<para>Centralized logging to a specific logging host can reduce
some of the administrative burden of log file administration.
- Log file aggregation, merging and rotation can be configured in
+ Log file aggregation, merging and rotation may be configured in
one location, using the native tools of &os;, such as
&man.syslogd.8; and &man.newsyslog.8;. In the following example
configuration, host <hostid>A</hostid>, named <hostid
@@ -5716,15 +6089,15 @@ driftfile /var/db/ntp.drift</programlisting>
</listitem>
<listitem>
- <para>syslogd has been configured to accept remote messages
- from client machines;</para>
+ <para><command>syslogd</command> has been configured to
+ accept remote messages from client machines;</para>
</listitem>
<listitem>
- <para>The syslogd server and all client machines must have
- valid entries for both forward and reverse
- <acronym>DNS</acronym>, or be properly configured in
- <filename>/etc/hosts</filename>.</para>
+ <para>The <command>syslogd</command> server and all client
+ machines must have valid entries for both forward and
+ reverse <acronym>DNS</acronym>, or be properly configured
+ in <filename>/etc/hosts</filename>.</para>
</listitem>
</itemizedlist>
@@ -5770,13 +6143,14 @@ syslogd_flags="-a logclient.example.com -v -v"</programlisting>
does not matter, but &man.touch.1; works great for situations
such as this:</para>
- <screen>&prompt.root; <userinput>touch <filename>/var/log/logclient.log</filename></userinput></screen>
+ <screen>&prompt.root; <userinput><command>touch</command>
+ <filename>/var/log/logclient.log</filename></userinput></screen>
<para>At this point, the <command>syslogd</command> daemon
should be restarted and verified:</para>
- <screen>&prompt.root; <userinput>service syslogd restart</userinput>
-&prompt.root; <userinput>pgrep syslog</userinput></screen>
+ <screen>&prompt.root; <userinput>service <command>syslogd</command> restart</userinput>
+&prompt.root; <userinput><command>pgrep</command> syslog</userinput></screen>
<para>If a <acronym>PID</acronym> is returned, the server has
been restarted successfully, and client configuration may
@@ -5851,13 +6225,14 @@ syslogd_flags="-s -v -v"</programlisting>
<para>Once added, <command>syslogd</command> must be restarted
for the changes to take effect:</para>
- <screen>&prompt.root; <userinput>service syslogd restart</userinput></screen>
+ <screen>&prompt.root; <userinput>service <command>syslogd</command> restart</userinput></screen>
<para>To test that log messages are being sent across the
network, use &man.logger.1; on the client to send a message to
<command>syslogd</command>:</para>
- <screen>&prompt.root; <userinput>logger "<replaceable>Test message from logclient</replaceable>"</userinput></screen>
+ <screen>&prompt.root; <userinput><command>logger</command>
+ "<replaceable>Test message from logclient</replaceable>"</userinput></screen>
<para>This message should now exist both in
<filename>/var/log/messages</filename> on the client, and
@@ -5888,7 +6263,7 @@ syslogd_flags="-s -v -v"</programlisting>
<programlisting>syslogd_flags="-d -a logclien.example.com -v -v"</programlisting>
- <screen>&prompt.root; <userinput>service syslogd restart</userinput></screen>
+ <screen>&prompt.root; <userinput>service <command>syslogd</command> restart</userinput></screen>
<para>Debugging data similar to the following will flash on the
screen immediately after the restart:</para>
@@ -5913,7 +6288,7 @@ rejected in rule 0 due to name mismatch.</screen>
<literal>logclien</literal>. After the proper alterations
are made, a restart is issued with expected results:</para>
- <screen>&prompt.root; <userinput>service syslogd restart</userinput>
+ <screen>&prompt.root; <userinput>service <command>syslogd</command> restart</userinput>
logmsg: pri 56, flags 4, from logserv.example.com, msg syslogd: restart
syslogd: restarted
logmsg: pri 6, flags 4, from logserv.example.com, msg syslogd: kernel boot file is /boot/kernel/kernel
diff --git a/en_US.ISO8859-1/books/handbook/ports/chapter.xml b/en_US.ISO8859-1/books/handbook/ports/chapter.xml
index f00a54b828..39d26ffa0a 100644
--- a/en_US.ISO8859-1/books/handbook/ports/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/ports/chapter.xml
@@ -347,22 +347,19 @@ Info: Lists information about open files (similar to fstat(1))</screen>
<title>Using Binary Packages</title>
- <para>There are several different tools used to manage packages on
- &os;:</para>
+ <para>At the present time, &os; is transitioning toward a new
+ method of package management. Users of the latest releases
+ may wish to investigate the benefits of using
+ <link linkend="pkgng-intro">PKGng</link> to manage third
+ party software on &os;. For those not yet migrated to the
+ <application>pkgng</application> tool, the tools discussed
+ here may be used for managing the package database. For
+ simplicity, the <command>sysinstall</command> utility is
+ also available post-install for package management.</para>
- <itemizedlist>
- <listitem>
- <para>The <command>sysinstall</command> utility can be invoked
- on a running system to install, delete, and list available
- and installed packages. For more information, see
- <xref linkend="packages"/>.</para>
- </listitem>
-
- <listitem>
- <para>The package management command line tools, which are
- the subject of the rest of this section.</para>
- </listitem>
- </itemizedlist>
+ <para>All package installation files are stored in the
+ package database directory,
+ <filename class="directory">/var/db/pkg</filename>.</para>
<sect2>
<title>Installing a Package</title>
@@ -579,14 +576,6 @@ docbook =
<para>in this case, all packages whose names start with
<literal>xchat</literal> will be deleted.</para>
</sect2>
-
- <sect2>
- <title>Miscellaneous</title>
-
- <para>All package information, including the file list and
- descriptions of each installed package is stored within the
- <filename>/var/db/pkg</filename> directory.</para>
- </sect2>
</sect1>
<sect1 id="pkgng-intro">
@@ -1800,32 +1789,40 @@ ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/ fetch</userinput></screen>
</sect1>
<sect1 id="ports-nextsteps">
- <title>Post-installation Activities</title>
+ <title>Working With Installed Ports</title>
- <para>After installing a new application you will normally want to
- read any documentation it may have included, edit any
- required configuration files, and ensure that the
- application's service starts at boot time.</para>
+ <para>Most third party applications will need some level of
+ configuration after they were installed. This may be a simple
+ configuration file alteration, or perhaps the application will
+ just generate a configuration file. Most applications will
+ have documentation installed into
+ <filename class="directory">/usr/local/share/doc</filename> and
+ manual pages. This documentation should be consulted before
+ continuing. Some applications run services which must be added
+ to the <filename>/etc/rc.conf</filename> file before
+ starting.</para>
- <para>The exact steps you need to take to configure each
- application will obviously be different. However, if you have
- just installed a new application and are wondering
- <quote>What now?</quote> these tips might help:</para>
+ <para>The following list contains useful information for
+ post-install port management. In several cases, finding
+ the location of binaries if they were installed outside
+ of the <envar>PATH</envar>. Users of &man.csh.1; should run
+ <command>rehash</command> to rebuild the known binary
+ list in the shells <envar>PATH</envar>.</para>
<itemizedlist>
<listitem>
- <para>Use &man.pkg.info.1; to find out which files were
- installed, and where. For example, if you have just
- installed FooPackage version 1.0.0, then this command</para>
+ <para>The &man.pkg.info.1; command will print all installed
+ files and their location. For example, if the FooPackage
+ version 1.0.0 was just installed, then the following
+ command will show all the files installed with the
+ package.</para>
- <screen>&prompt.root; <userinput>pkg_info -L foopackage-1.0.0 | less</userinput></screen>
+ <screen>&prompt.root; <userinput>pkg_info -L <replaceable>foopackage-1.0.0</replaceable> | less</userinput></screen>
- <para>will show all the files installed by the package. Pay
- special attention to files located in
- <filename>man/</filename>, which will be manual pages,
- <filename>etc/</filename>, which will be configuration
- files, and <filename>doc/</filename>, which will be more
- comprehensive documentation.</para>
+ <para>Configuration files are always installed in
+ <filename class="directory">/usr/local/etc</filename>
+ and should definitely be consulted before attempting
+ to use the new application.</para>
<para>To determine which version of the application was
installed:</para>
@@ -1839,17 +1836,18 @@ ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/ fetch</userinput></screen>
</listitem>
<listitem>
- <para>Once you have identified where the application's manual
- pages have been installed, review them using &man.man.1;.
- Review the sample configuration files and any additional
- documentation that may have been provided.</para>
+ <para>These commands will also show the names of any manual
+ pages installed with the application. This additional
+ documentation will now be available to the &man.man.1;
+ command.</para>
</listitem>
<listitem>
- <para>If the application has a web site, check it for
- additional documentation, frequently asked questions, and so
- forth. If you are not sure of the web site address it may
- be listed in the output from</para>
+ <para>If the application has a web site, consult it for
+ additional documentation or a frequently asked questions
+ page. If the website is unknown, the following command
+ will be useful to print out this information if it's
+ available.</para>
<screen>&prompt.root; <userinput>pkg_info <replaceable>foopackage-1.0.0</replaceable></userinput></screen>
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.xml b/en_US.ISO8859-1/books/handbook/security/chapter.xml
index 0beccf251e..df1fa9b1d0 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.xml
@@ -24,31 +24,27 @@
<sect1 id="security-synopsis">
<title>Synopsis</title>
- <para>This chapter will provide a basic introduction to system
+ <para>This chapter provides a basic introduction to system
security concepts, some general good rules of thumb, and some
- advanced topics under &os;. A lot of the topics covered here
- can be applied to system and Internet security in general as
- well. The Internet is no longer a <quote>friendly</quote> place
- in which everyone wants to be your kind neighbor. Securing your
- system is imperative to protect your data, intellectual
+ advanced topics under &os;. Many of the topics covered here
+ can be applied to system and Internet security in general.
+ Securing a system is imperative to protect data, intellectual
property, time, and much more from the hands of hackers and the
like.</para>
- <para>&os; provides an array of utilities and mechanisms to ensure
- the integrity and security of your system and network.</para>
+ <para>&os; provides an array of utilities and mechanisms to
+ protect the integrity and security of the system and
+ network.</para>
<para>After reading this chapter, you will know:</para>
<itemizedlist>
<listitem>
- <para>Basic system security concepts, in respect to
- &os;.</para>
+ <para>Basic &os; system security concepts.</para>
</listitem>
<listitem>
- <para>About the various crypt mechanisms available in &os;,
- such as <acronym>DES</acronym> and
- <acronym>MD5</acronym>.</para>
+ <para>The various crypt mechanisms available in &os;.</para>
</listitem>
<listitem>
@@ -57,45 +53,46 @@
<listitem>
<para>How to configure <acronym>TCP</acronym> Wrappers for use
- with <application>inetd</application>.</para>
+ with &man.inetd.8;.</para>
</listitem>
<listitem>
- <para>How to set up <application>Kerberos5</application> on
+ <para>How to set up <application>Kerberos</application> on
&os;.</para>
</listitem>
<listitem>
<para>How to configure IPsec and create a
- <acronym>VPN</acronym> between &os;/&windows;
- machines.</para>
+ <acronym>VPN</acronym>.</para>
</listitem>
<listitem>
<para>How to configure and use
- <application>OpenSSH</application>, &os;'s
- <acronym>SSH</acronym> implementation.</para>
+ <application>OpenSSH</application> on &os;.</para>
</listitem>
<listitem>
- <para>What file system <acronym>ACL</acronym>s are and how to
- use them.</para>
+ <para>How to use filesystem <acronym>ACL</acronym>s.</para>
</listitem>
<listitem>
- <para>How to use the <application>Portaudit</application>
- utility to audit third party software packages installed
- from the Ports Collection.</para>
+ <para>How to use <application>portaudit</application> to
+ audit third party software packages installed from the
+ Ports Collection.</para>
</listitem>
<listitem>
- <para>How to utilize the &os; security advisories
- publications.</para>
+ <para>How to utilize &os; security advisories.</para>
</listitem>
<listitem>
- <para>Have an idea of what Process Accounting is and how to
- enable it on &os;.</para>
+ <para>What Process Accounting is and how to enable it on
+ &os;.</para>
+ </listitem>
+
+ <listitem>
+ <para>Understand the resource limits database and
+ how to utilize it to control user resources.</para>
</listitem>
</itemizedlist>
@@ -107,36 +104,26 @@
</listitem>
</itemizedlist>
- <para>Additional security topics are covered throughout this book.
- For example, Mandatory Access Control is discussed in <xref
- linkend="mac"/> and Internet Firewalls are discussed in <xref
- linkend="firewalls"/>.</para>
+ <para>Additional security topics are covered elsewhere in this
+ Handbook. For example, Mandatory Access Control is discussed in
+ <xref linkend="mac"/> and Internet firewalls are discussed in
+ <xref linkend="firewalls"/>.</para>
</sect1>
<sect1 id="security-intro">
<title>Introduction</title>
<para>Security is a function that begins and ends with the system
- administrator. While all BSD &unix; multi-user systems have
- some inherent security, the job of building and maintaining
- additional security mechanisms to keep those users
- <quote>honest</quote> is probably one of the single largest
- undertakings of the sysadmin. Machines are only as secure as
- you make them, and security concerns are ever competing with the
- human necessity for convenience. &unix; systems, in general,
- are capable of running a huge number of simultaneous processes
- and many of these processes operate as servers — meaning
- that external entities can connect and talk to them. As
- yesterday's mini-computers and mainframes become today's
- desktops, and as computers become networked and inter-networked,
- security becomes an even bigger issue.</para>
+ administrator. While &os; provides some inherent security, the
+ job of configuring and maintaining additional security
+ mechanisms is probably one of the single largest undertakings of
+ the sysadmin.</para>
<para>System security also pertains to dealing with various forms
of attack, including attacks that attempt to crash, or otherwise
make a system unusable, but do not attempt to compromise the
- <username>root</username> account (<quote>break root</quote>).
- Security concerns can be split up into several
- categories:</para>
+ <username>root</username> account. Security concerns can be
+ split up into several categories:</para>
<orderedlist>
<listitem>
@@ -148,7 +135,7 @@
</listitem>
<listitem>
- <para>Root compromise through accessible servers.</para>
+ <para>Root compromise through accessible services.</para>
</listitem>
<listitem>
@@ -171,50 +158,36 @@
</indexterm>
<indexterm><primary>Denial of Service (DoS)</primary></indexterm>
- <para>A denial of service attack is an action that deprives the
- machine of needed resources. Typically, DoS attacks are
- brute-force mechanisms that attempt to crash or otherwise make a
- machine unusable by overwhelming its servers or network stack.
- Some DoS attacks try to take advantage of bugs in the networking
- stack to crash a machine with a single packet. The latter can
- only be fixed by applying a bug fix to the kernel. Attacks on
- servers can often be fixed by properly specifying options to
+ <para>A Denial of Service <acronym>DoS</acronym> attack is an
+ action that deprives the machine of needed resources.
+ Typically, <acronym>DoS</acronym> attacks are brute-force
+ mechanisms that attempt to crash or otherwise make a machine
+ unusable by overwhelming its services or network stack. Attacks
+ on servers can often be fixed by properly specifying options to
limit the load the servers incur on the system under adverse
conditions. Brute-force network attacks are harder to deal
- with. A spoofed-packet attack, for example, is nearly
- impossible to stop, short of cutting your system off from the
- Internet. It may not be able to take your machine down, but it
- can saturate your Internet connection.</para>
+ with. This type of attack may not be able to take the machine
+ down, but it can saturate the Internet connection.</para>
<indexterm>
<primary>security</primary>
<secondary>account compromises</secondary>
</indexterm>
- <para>A user account compromise is even more common than a DoS
- attack. Many sysadmins still run standard
- <application>telnetd</application>,
- <application>rlogind</application>,
- <application>rshd</application>, and
- <application>ftpd</application> servers on their machines.
- These servers, by default, do not operate over encrypted
- connections. The result is that if you have any moderate-sized
- user base, one or more of your users logging into your system
- from a remote location (which is the most common and convenient
- way to login to a system) will have his or her password sniffed.
- The attentive system admin will analyze his remote access logs
- looking for suspicious source addresses even for successful
- logins.</para>
+ <para>A user account compromise is more common than a
+ <acronym>DoS</acronym> attack. Many sysadmins still run
+ unencrypted services, meaning that users logging into the
+ system from a remote location are vulnerable to having their
+ password sniffed. The attentive sysadmin analyzes the remote
+ access logs looking for suspicious source addresses and
+ suspicious logins.</para>
- <para>One must always assume that once an attacker has access to a
- user account, the attacker can break <username>root</username>.
- However, the reality is that in a well secured and maintained
- system, access to a user account does not necessarily give the
- attacker access to <username>root</username>. The distinction
- is important because without access to <username>root</username>
- the attacker cannot generally hide his tracks and may, at best,
- be able to do nothing more than mess with the user's files, or
- crash the machine. User account compromises are very common
+ <para>In a well secured and maintained system, access to a user
+ account does not necessarily give the attacker access to
+ <username>root</username>. Without <username>root</username>
+ access, the attacker cannot generally hide his tracks and may,
+ at best, be able to do nothing more than mess with the user's
+ files or crash the machine. User account compromises are common
because users tend not to take the precautions that sysadmins
take.</para>
@@ -223,27 +196,14 @@
<secondary>backdoors</secondary>
</indexterm>
- <para>System administrators must keep in mind that there are
- potentially many ways to break <username>root</username> on a
- machine. The attacker may know the <username>root</username>
- password, the attacker may find a bug in a root-run server and
- be able to break <username>root</username> over a network
- connection to that server, or the attacker may know of a bug in
- a suid-root program that allows the attacker to break
- <username>root</username> once he has broken into a user's
- account. If an attacker has found a way to break
- <username>root</username> on a machine, the attacker may not
- have a need to install a backdoor. Many of the
- <username>root</username> holes found and closed to date involve
- a considerable amount of work by the attacker to cleanup after
- himself, so most attackers install backdoors. A backdoor
- provides the attacker with a way to easily regain
- <username>root</username> access to the system, but it also
- gives the smart system administrator a convenient way to detect
- the intrusion. Making it impossible for an attacker to install
- a backdoor may actually be detrimental to your security, because
- it will not close off the hole the attacker found to break in
- the first place.</para>
+ <para>There are potentially many ways to break
+ <username>root</username>: the attacker may know the
+ <username>root</username> password, the attacker may exploit a
+ bug in a service which runs as <username>root</username>, or the
+ attacker may know of a bug in a SUID-root program. An attacker
+ may utilize a program known as a backdoor to search for
+ vulnerable systems, take advantage of unpatched exploits to
+ access a system, and hide traces of illegal activity.</para>
<para>Security remedies should always be implemented with a
multi-layered <quote>onion peel</quote> approach and can be
@@ -251,26 +211,26 @@
<orderedlist>
<listitem>
- <para>Securing <username>root</username> and staff
+ <para>Secure <username>root</username> and staff
accounts.</para>
</listitem>
<listitem>
- <para>Securing <username>root</username>–run servers
- and suid/sgid binaries.</para>
+ <para>Secure <username>root</username>–run servers
+ and SUID/SGID binaries.</para>
</listitem>
<listitem>
- <para>Securing user accounts.</para>
+ <para>Secure user accounts.</para>
</listitem>
<listitem>
- <para>Securing the password file.</para>
+ <para>Secure the password file.</para>
</listitem>
<listitem>
- <para>Securing the kernel core, raw devices, and
- file systems.</para>
+ <para>Secure the kernel core, raw devices, and
+ filesystems.</para>
</listitem>
<listitem>
@@ -283,8 +243,7 @@
</listitem>
</orderedlist>
- <para>The next section of this chapter will cover the above bullet
- items in greater depth.</para>
+ <para>The next section covers these items in greater depth.</para>
</sect1>
<sect1 id="securing-freebsd">
@@ -295,254 +254,137 @@
<secondary>securing &os;</secondary>
</indexterm>
- <note>
- <title>Command Versus Protocol</title>
-
- <para>Throughout this document, we will use
- <application>bold</application> text to refer to an
- application, and a <command>monospaced</command> font to refer
- to specific commands. Protocols will use a normal font. This
- typographical distinction is useful for instances such as ssh,
- since it is a protocol as well as command.</para>
- </note>
-
- <para>The sections that follow will cover the methods of securing
- your &os; system that were mentioned in the <link
- linkend="security-intro">last section</link> of this
- chapter.</para>
+ <para>This section describes methods for securing a &os; system
+ against the attacks that were mentioned in the <link
+ linkend="security-intro">previous section</link>.</para>
<sect2 id="securing-root-and-staff">
- <title>Securing the <username>root</username> Account and
- Staff Accounts</title>
+ <title>Securing the <username>root</username> Account</title>
<indexterm>
- <primary><command>su</command></primary>
+ <primary>&man.su.1;</primary>
</indexterm>
- <para>First off, do not bother securing staff accounts if you
- have not secured the <username>root</username> account. Most
+ <para>Most
systems have a password assigned to the
- <username>root</username> account. The first thing you do is
- assume that the password is <emphasis>always</emphasis>
- compromised. This does not mean that you should remove the
- password. The password is almost always necessary for console
- access to the machine. What it does mean is that you should
- not make it possible to use the password outside of the
- console or possibly even with the &man.su.1; command. For
- example, make sure that your ptys are specified as being
- insecure in the <filename>/etc/ttys</filename> file so that
- direct <username>root</username> logins via
- <command>telnet</command> or <command>rlogin</command> are
- disallowed. If using other login services such as
- <application>sshd</application>, make sure that direct
- <username>root</username> logins are disabled there as well.
- You can do this by editing your
- <filename>/etc/ssh/sshd_config</filename> file, and making
- sure that <literal>PermitRootLogin</literal> is set to
- <literal>no</literal>. Consider every access method —
- services such as FTP often fall through the cracks. Direct
- <username>root</username> logins should only be allowed via
- the system console.</para>
+ <username>root</username> account. Assume that this password
+ is <emphasis>always</emphasis> at risk of being compromised.
+ This does not mean that the password should be disabled as the
+ password is almost always necessary for console access to the
+ machine. However, it should not be possible to use this
+ password outside of the console or possibly even with
+ &man.su.1;. For example, setting the entries in
+ <filename>/etc/ttys</filename> to <literal>insecure</literal>
+ prevents <username>root</username> logins to the specified
+ terminals. In &os;, <username>root</username> logins using
+ &man.ssh.1; are disabled by default as
+ <literal>PermitRootLogin</literal> is set to
+ <literal>no</literal> in
+ <filename>/etc/ssh/sshd_config</filename>. Consider every
+ access method as services such as FTP often fall through the
+ cracks. Direct <username>root</username> logins should only
+ be allowed via the system console.</para>
<indexterm>
<primary><groupname>wheel</groupname></primary>
</indexterm>
- <para>Of course, as a sysadmin you have to be able to get to
- <username>root</username>, so we open up a few holes. But we
- make sure these holes require additional password verification
- to operate. One way to make <username>root</username>
- accessible is to add appropriate staff accounts to the
- <groupname>wheel</groupname> group (in
- <filename>/etc/group</filename>). The staff members placed in
- the <groupname>wheel</groupname> group are allowed to
- <command>su</command> to <username>root</username>. You
- should never give staff members native
- <groupname>wheel</groupname> access by putting them in the
- <groupname>wheel</groupname> group in their password entry.
- Staff accounts should be placed in a
- <groupname>staff</groupname> group, and then added to the
- <groupname>wheel</groupname> group via the
- <filename>/etc/group</filename> file. Only those staff
- members who actually need to have <username>root</username>
- access should be placed in the <groupname>wheel</groupname>
- group. It is also possible, when using an authentication
- method such as Kerberos, to use Kerberos'
- <filename>.k5login</filename> file in the
- <username>root</username> account to allow a &man.ksu.1; to
- <username>root</username> without having to place anyone at
- all in the <groupname>wheel</groupname> group. This may be
- the better solution since the <groupname>wheel</groupname>
- mechanism still allows an intruder to break
- <username>root</username> if the intruder has gotten hold of
- your password file and can break into a staff account. While
- having the <groupname>wheel</groupname> mechanism is better
- than having nothing at all, it is not necessarily the safest
- option.</para>
+ <para>Since a sysadmin needs access to
+ <username>root</username>, additional password verification
+ should be configured. One method is to add appropriate user
+ accounts to <groupname>wheel</groupname> in
+ <filename>/etc/group</filename>. Members of
+ <groupname>wheel</groupname> are allowed to &man.su.1; to
+ <username>root</username>. Only those users who actually need
+ to have <username>root</username> access should be placed in
+ <groupname>wheel</groupname>. When using Kerberos for
+ authentication, create a <filename>.k5login</filename> in
+ the home directory of <username>root</username> to allow
+ &man.ksu.1; to be used without having to place anyone in
+ <groupname>wheel</groupname>.</para>
- <para>To lock an account completely, the &man.pw.8; command
- should be used:</para>
+ <para>To lock an account completely, use &man.pw.8;:</para>
<screen>&prompt.root; <userinput>pw lock <replaceable>staff</replaceable></userinput></screen>
- <para>This will prevent the user from logging in using any
- mechanism, including &man.ssh.1;.</para>
+ <para>This will prevent the specified user from logging in using
+ any mechanism, including &man.ssh.1;.</para>
<para>Another method of blocking access to accounts would be to
replace the encrypted password with a single
<quote><literal>*</literal></quote> character. This character
- would never match the encrypted password and thus block user
- access. For example, the following staff account:</para>
+ would never match the encrypted password and thus blocks user
+ access. For example, the entry for the following
+ account:</para>
<programlisting>foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh</programlisting>
- <para>Should be changed to this:</para>
+ <para>could be changed to this using &man.vipw.8;:</para>
<programlisting>foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh</programlisting>
- <para>This will prevent the <username>foobar</username> user
- from logging in using conventional methods. This method for
- access restriction is flawed on sites using
+ <para>This prevents <username>foobar</username> from logging in
+ using conventional methods. This method for access
+ restriction is flawed on sites using
<application>Kerberos</application> or in situations where the
user has set up keys with &man.ssh.1;.</para>
- <para>These security mechanisms also assume that you are logging
+ <para>These security mechanisms assume that users are logging
in from a more restrictive server to a less restrictive
- server. For example, if your main box is running all sorts of
- servers, your workstation should not be running any. In order
- for your workstation to be reasonably secure you should run as
- few servers as possible, up to and including no servers at
- all, and you should run a password-protected screen blanker.
- Of course, given physical access to a workstation an attacker
- can break any sort of security you put on it. This is
- definitely a problem that you should consider, but you should
- also consider the fact that the vast majority of break-ins
- occur remotely, over a network, from people who do not have
- physical access to your workstation or servers.</para>
+ server. For example, if the server is running network
+ services, the workstation should not be running any. In
+ order for a workstation to be reasonably secure, run zero or
+ as few services as possible and run a password-protected
+ screensaver. Of course, given physical access to any system,
+ an attacker can break any sort of security. Fortunately,
+ many break-ins occur remotely, over a network, from people who
+ do not have physical access to the system.</para>
- <para>Using something like Kerberos also gives you the ability
- to disable or change the password for a staff account in one
- place, and have it immediately affect all the machines on
- which the staff member may have an account. If a staff
- member's account gets compromised, the ability to instantly
- change his password on all machines should not be underrated.
- With discrete passwords, changing a password on N machines can
- be a mess. You can also impose re-passwording restrictions
- with Kerberos: not only can a Kerberos ticket be made to
- timeout after a while, but the Kerberos system can require
- that the user choose a new password after a certain period of
- time (say, once a month).</para>
+ <para>Using Kerberos provides the ability to disable or change
+ the password for a user in one place, and have it immediately
+ affect all the machines on which the user has an account. If
+ an account is compromised, the ability to instantly change the
+ associated password on all machines should not be underrated.
+ Additional restrictions can be imposed with Kerberos: a
+ Kerberos ticket can be configured to timeout and the Kerberos
+ system can require that the user choose a new password after a
+ configurable period of time.</para>
</sect2>
<sect2>
<title>Securing Root-run Servers and SUID/SGID Binaries</title>
- <indexterm>
- <primary><command>ntalk</command></primary>
- </indexterm>
- <indexterm>
- <primary><command>comsat</command></primary>
- </indexterm>
- <indexterm>
- <primary><command>finger</command></primary>
- </indexterm>
<indexterm>
<primary>sandboxes</primary>
</indexterm>
<indexterm>
- <primary><application>sshd</application></primary>
- </indexterm>
- <indexterm>
- <primary><application>telnetd</application></primary>
- </indexterm>
- <indexterm>
- <primary><application>rshd</application></primary>
- </indexterm>
- <indexterm>
- <primary><application>rlogind</application></primary>
+ <primary>&man.sshd.8;</primary>
</indexterm>
- <para>The prudent sysadmin only runs the servers he needs to, no
- more, no less. Be aware that third party servers are often
- the most bug-prone. For example, running an old version of
- <application>imapd</application> or
- <application>popper</application> is like giving a universal
- <username>root</username> ticket out to the entire world.
- Never run a server that you have not checked out carefully.
- Many servers do not need to be run as
- <username>root</username>. For example, the
- <application>ntalk</application>,
- <application>comsat</application>, and
- <application>finger</application> daemons can be run in
- special user <firstterm>sandboxes</firstterm>. A sandbox is
- not perfect, unless you go through a large amount of trouble,
- but the onion approach to security still stands: If someone is
- able to break in through a server running in a sandbox, they
- still have to break out of the sandbox. The more layers the
- attacker must break through, the lower the likelihood of his
- success. Root holes have historically been found in virtually
- every server ever run as <username>root</username>, including
- basic system servers. If you are running a machine through
- which people only login via <application>sshd</application>
- and never login via <application>telnetd</application> or
- <application>rshd</application> or
- <application>rlogind</application>, then turn off those
- services!</para>
+ <para>The prudent sysadmin only enables required services and is
+ aware that third party servers are often the most bug-prone.
+ Never run a server that has not been checked out carefully.
+ Think twice before running any service as
+ <username>root</username> as many daemons can be run as a
+ separate service account or can be started in a
+ <firstterm>sandbox</firstterm>. Do not activate insecure
+ services such as &man.telnetd.8; or &man.rlogind.8;.</para>
- <para>&os; now defaults to running
- <application>ntalkd</application>,
- <application>comsat</application>, and
- <application>finger</application> in a sandbox. Another
- program which may be a candidate for running in a sandbox is
- &man.named.8;. <filename>/etc/defaults/rc.conf</filename>
- includes the arguments necessary to run
- <application>named</application> in a sandbox in a
- commented-out form. Depending on whether you are installing a
- new system or upgrading an existing system, the special user
- accounts used by these sandboxes may not be installed. The
- prudent sysadmin would research and implement sandboxes for
- servers whenever possible.</para>
-
- <indexterm>
- <primary><application>sendmail</application></primary>
- </indexterm>
-
- <para>There are a number of other servers that typically do not
- run in sandboxes: <application>sendmail</application>,
- <application>popper</application>,
- <application>imapd</application>,
- <application>ftpd</application>, and others. There are
- alternatives to some of these, but installing them may require
- more work than you are willing to perform (the convenience
- factor strikes again). You may have to run these servers as
- <username>root</username> and rely on other mechanisms to
- detect break-ins that might occur through them.</para>
-
- <para>The other big potential <username>root</username> holes in
- a system are the suid-root and sgid binaries installed on the
- system. Most of these binaries, such as
- <application>rlogin</application>, reside in <filename
- class="directory">/bin</filename>, <filename
- class="directory">/sbin</filename>, <filename
+ <para>Another potential security hole is SUID-root and SGID
+ binaries. Most of these binaries, such as &man.rlogin.1;,
+ reside in <filename class="directory">/bin</filename>,
+ <filename class="directory">/sbin</filename>, <filename
class="directory">/usr/bin</filename>, or <filename
class="directory">/usr/sbin</filename>. While nothing is
- 100% safe, the system-default suid and sgid binaries can be
- considered reasonably safe. Still, <username>root</username>
- holes are occasionally found in these binaries. A
- <username>root</username> hole was found in
- <literal>Xlib</literal> in 1998 that made
- <application>xterm</application> (which is typically suid)
- vulnerable. It is better to be safe than sorry and the
- prudent sysadmin will restrict suid binaries, that only staff
- should run, to a special group that only staff can access, and
- get rid of (<command>chmod 000</command>) any suid binaries
- that nobody uses. A server with no display generally does not
- need an <application>xterm</application> binary. Sgid
- binaries can be almost as dangerous. If an intruder can break
- an sgid-kmem binary, the intruder might be able to read
+ 100% safe, the system-default SUID and SGID binaries can be
+ considered reasonably safe. It is recommended to restrict
+ SUID binaries to a special group that only staff can access,
+ and to delete any unused SUID binaries. SGID binaries can be
+ almost as dangerous. If an intruder can break an SGID-kmem
+ binary, the intruder might be able to read
<filename>/dev/kmem</filename> and thus read the encrypted
- password file, potentially compromising any passworded
- account. Alternatively an intruder who breaks group
+ password file, potentially compromising user accounts.
+ Alternatively, an intruder who breaks group
<literal>kmem</literal> can monitor keystrokes sent through
ptys, including ptys used by users who login through secure
methods. An intruder that breaks the
@@ -558,226 +400,198 @@
<title>Securing User Accounts</title>
<para>User accounts are usually the most difficult to secure.
- While you can impose draconian access restrictions on your
- staff and <quote>star</quote> out their passwords, you may not
- be able to do so with any general user accounts you might
- have. If you do have sufficient control, then you may win out
- and be able to secure the user accounts properly. If not, you
- simply have to be more vigilant in your monitoring of those
- accounts. Use of ssh and Kerberos for user accounts is more
- problematic, due to the extra administration and technical
- support required, but still a very good solution compared to a
- encrypted password file.</para>
+ Be vigilant in the monitoring of user accounts. Use of
+ &man.ssh.1; and Kerberos for user accounts requires extra
+ administration and technical support, but provides a good
+ solution compared to an encrypted password file.</para>
</sect2>
<sect2>
<title>Securing the Password File</title>
<para>The only sure fire way is to star out as many passwords as
- you can and use ssh or Kerberos for access to those accounts.
- Even though the encrypted password file
+ possible and use &man.ssh.1; or Kerberos for access to those
+ accounts. Even though the encrypted password file
(<filename>/etc/spwd.db</filename>) can only be read by
<username>root</username>, it may be possible for an intruder
to obtain read access to that file even if the attacker cannot
obtain root-write access.</para>
- <para>Your security scripts should always check for and report
- changes to the password file (see the <link
+ <para>Security scripts should be used to check for and report
+ changes to the password file as described in the <link
linkend="security-integrity">Checking file integrity</link>
- section below).</para>
+ section.</para>
</sect2>
<sect2>
<title>Securing the Kernel Core, Raw Devices, and
- File Systems</title>
+ Filesystems</title>
- <para>If an attacker breaks <username>root</username> he can do
- just about anything, but there are certain conveniences. For
- example, most modern kernels have a packet sniffing device
- driver built in. Under &os; it is called the
- <devicename>bpf</devicename> device. An intruder will
- commonly attempt to run a packet sniffer on a compromised
- machine. You do not need to give the intruder the capability
- and most systems do not have the need for the
- <devicename>bpf</devicename> device compiled in.</para>
+ <para>Most modern kernels have a packet sniffing device driver
+ built in. Under &os; it is called
+ <devicename>bpf</devicename>. This device is needed for DHCP,
+ but can be removed in the custom kernel configuration file of
+ systems that do not provide or use DHCP.</para>
<indexterm>
- <primary><command>sysctl</command></primary>
+ <primary>&man.sysctl.8;</primary>
</indexterm>
- <para>But even if you turn off the <devicename>bpf</devicename>
- device, you still have <filename>/dev/mem</filename> and
- <filename>/dev/kmem</filename> to worry about. For that
- matter, the intruder can still write to raw disk devices.
- Also, there is another kernel feature called the module
- loader, &man.kldload.8;. An enterprising intruder can use a
- KLD module to install his own <devicename>bpf</devicename>
- device, or other sniffing device, on a running kernel. To
- avoid these problems you have to run the kernel at a higher
- secure level, at least securelevel 1.</para>
+ <para>Even if <devicename>bpf</devicename> is disabled,
+ <filename>/dev/mem</filename> and
+ <filename>/dev/kmem</filename> are still problematic. An
+ intruder can still write to raw disk devices. An enterprising
+ intruder can use &man.kldload.8; to install his own
+ <devicename>bpf</devicename>, or another sniffing device, on a
+ running kernel. To avoid these problems, run the kernel at a
+ higher security level, at least security level 1.</para>
- <para>The secure level of the kernel can be set in a variety of
- ways. The simplest way of raising the secure level of a
- running kernel is through a <command>sysctl</command> on the
- <varname>kern.securelevel</varname> kernel variable:</para>
+ <para>The security level of the kernel can be set in a variety
+ of ways. The simplest way of raising the security level of a
+ running kernel is to set
+ <varname>kern.securelevel</varname>:</para>
<screen>&prompt.root; <userinput>sysctl kern.securelevel=<replaceable>1</replaceable></userinput></screen>
- <para>By default, the &os; kernel boots with a secure level of
- -1. The secure level will remain at -1 unless it is altered,
- either by the administrator or by &man.init.8; because of a
- setting in the start up scripts. The secure level may be
- raised during system startup by setting the
- <varname>kern_securelevel_enable</varname> variable to
- <literal>YES</literal> in the
- <filename>/etc/rc.conf</filename> file, and the value of the
- <varname>kern_securelevel</varname> variable to the desired
- secure level.</para>
+ <para>By default, the &os; kernel boots with a security level of
+ -1. This is called <quote>insecure mode</quote> because
+ immutable file flags may be turned off and all devices may be
+ read from or written to. The security level will remain at -1
+ unless it is altered, either by the administrator or by
+ &man.init.8;, because of a setting in the startup scripts.
+ The security level may be raised during system startup by
+ setting
+ <varname>kern_securelevel_enable</varname> to
+ <literal>YES</literal> in <filename>/etc/rc.conf</filename>,
+ and the value of <varname>kern_securelevel</varname> to the
+ desired security level.</para>
- <para>The default secure level of a &os; system right after the
- startup scripts are done is -1. This is called
- <quote>insecure mode</quote> because immutable file flags may
- be turned off, all devices may be read from or written to, and
- so on.</para>
-
- <para>Once the secure level is set to 1 or a higher value, the
+ <para>Once the security level is set to 1 or a higher value, the
append-only and immutable files are honored, they cannot be
- turned off, and access to raw devices will be denied. Higher
+ turned off, and access to raw devices is denied. Higher
levels restrict even more operations. For a full description
- of the effect of various secure levels, please read the
- &man.security.7; manual page.</para>
+ of the effect of various security levels, refer to
+ &man.security.7; and &man.init.8;.</para>
<note>
- <para>Bumping the secure level to 1 or higher may cause a few
- problems to X11 (access to <filename>/dev/io</filename> will
- be blocked), or to the installation of &os; built from
- source (the <maketarget>installworld</maketarget> part of
- the process needs to temporarily reset the append-only and
- immutable flags of some files), and in a few other cases.
- Sometimes, as in the case of X11, it may be possible to work
- around this by starting &man.xdm.1; pretty early in the boot
- process, when the securelevel is still low enough.
- Workarounds like this may not be possible for all secure
+ <para>Bumping the security level to 1 or higher may cause a
+ few problems to <application>&xorg;</application>, as access
+ to <filename>/dev/io</filename> will be blocked, or to the
+ installation of &os; built from source as
+ <maketarget>installworld</maketarget> needs to temporarily
+ reset the append-only and immutable flags of some files.
+ In the case of <application>&xorg;</application>, it may be
+ possible to work around this by starting &man.xdm.1; early
+ in the boot process, when the security level is still low
+ enough. Workarounds may not be possible for all secure
levels or for all the potential restrictions they enforce.
A bit of forward planning is a good idea. Understanding the
- restrictions imposed by each secure level is important as
+ restrictions imposed by each security level is important as
they severely diminish the ease of system use. It will also
make choosing a default setting much simpler and prevent any
surprises.</para>
</note>
- <para>If the kernel's secure level is raised to 1 or a higher
+ <para>If the kernel's security level is raised to 1 or a higher
value, it may be useful to set the <literal>schg</literal>
- flag on critical startup binaries, directories, and script
- files (i.e., everything that gets run up to the point where
- the securelevel is set). This might be overdoing it, and
- upgrading the system is much more difficult when it operates
- at a high secure level. A less strict compromise is to run
- the system at a higher secure level but skip setting the
- <literal>schg</literal> flag for every system file and
- directory under the sun. Another possibility is to simply
+ flag on critical startup binaries, directories, script files,
+ and everything that gets run up to the point where the
+ security level is set. A less strict compromise is to run
+ the system at a higher security level but skip setting the
+ <literal>schg</literal> flag. Another possibility is to
mount <filename class="directory">/</filename> and <filename
class="directory">/usr</filename> read-only. It should be
noted that being too draconian about what is permitted may
- prevent the all-important detection of an intrusion.</para>
+ prevent detection of an intrusion.</para>
</sect2>
<sect2 id="security-integrity">
- <title>Checking File Integrity: Binaries, Configuration Files,
- Etc.</title>
+ <title>Checking File Integrity</title>
- <para>When it comes right down to it, you can only protect your
- core system configuration and control files so much before the
- convenience factor rears its ugly head. For example, using
- <command>chflags</command> to set the <literal>schg</literal>
- bit on most of the files in <filename
+ <para>One can only protect the core system configuration and
+ control files so much before the convenience factor rears its
+ ugly head. For example, using &man.chflags.1; to set the
+ <literal>schg</literal> bit on most of the files in <filename
class="directory">/</filename> and <filename
class="directory">/usr</filename> is probably
counterproductive, because while it may protect the files, it
- also closes a detection window. The last layer of your
- security onion is perhaps the most important —
- detection. The rest of your security is pretty much useless
- (or, worse, presents you with a false sense of security) if
- you cannot detect potential intrusions. Half the job of the
- onion is to slow down the attacker, rather than stop him, in
- order to be able to catch him in the act.</para>
+ also closes an intrusion detection window. Security measures
+ are useless or, worse, present a false sense of security, if
+ potential intrusions cannot be detected. Half the job of
+ security is to slow down, not stop, an attacker, in order to
+ catch him in the act.</para>
<para>The best way to detect an intrusion is to look for
modified, missing, or unexpected files. The best way to look
- for modified files is from another (often centralized)
- limited-access system. Writing your security scripts on the
- extra-secure limited-access system makes them mostly invisible
- to potential attackers, and this is important. In order to
- take maximum advantage you generally have to give the
- limited-access box significant access to the other machines in
- the business, usually either by doing a read-only NFS export
- of the other machines to the limited-access box, or by setting
- up ssh key-pairs to allow the limited-access box to ssh to the
- other machines. Except for its network traffic, NFS is the
- least visible method — allowing you to monitor the file
- systems on each client box virtually undetected. If your
- limited-access server is connected to the client boxes through
- a switch, the NFS method is often the better choice. If your
- limited-access server is connected to the client boxes through
- a hub, or through several layers of routing, the NFS method
- may be too insecure (network-wise) and using ssh may be the
- better choice even with the audit-trail tracks that ssh
- lays.</para>
+ for modified files is from another, often centralized,
+ limited-access system. Writing security scripts on the
+ extra-security limited-access system makes them mostly
+ invisible to potential attackers. In order to take maximum
+ advantage, the limited-access box needs significant access to
+ the other machines, usually either through a read-only
+ <acronym>NFS</acronym> export or by setting up
+ &man.ssh.1; key-pairs. Except for its network traffic,
+ <acronym>NFS</acronym> is the least visible method, allowing
+ the administrator to monitor the filesystems on each client
+ box virtually undetected. If a limited-access server is
+ connected to the client boxes through a switch, the
+ <acronym>NFS</acronym> method is often the better choice. If
+ a limited-access server is connected to the client boxes
+ through several layers of routing, the <acronym>NFS</acronym>
+ method may be too insecure and &man.ssh.1; may be the better
+ choice.</para>
- <para>Once you have given a limited-access box at least read
- access to the client systems it is supposed to monitor, you
- must write scripts to do the actual monitoring. Given an NFS
- mount, you can write scripts out of simple system utilities
- such as &man.find.1; and &man.md5.1;. It is best to
- physically md5 the client-box files at least once a day, and
+ <para>Once a limited-access box has been given at least read
+ access to the client systems it is supposed to monitor, create
+ the monitoring scripts. Given an <acronym>NFS</acronym>
+ mount, write scripts out of simple system utilities such as
+ &man.find.1; and &man.md5.1;. It is best to physically
+ &man.md5.1; the client system's files at least once a day, and
to test control files such as those found in <filename
class="directory">/etc</filename> and <filename
class="directory">/usr/local/etc</filename> even more often.
When mismatches are found, relative to the base md5
information the limited-access machine knows is valid, it
- should scream at a sysadmin to go check it out. A good
- security script will also check for inappropriate suid
- binaries and for new or deleted files on system partitions
- such as <filename class="directory">/</filename> and <filename
+ should alert the sysadmin. A good security script will also
+ check for inappropriate SUID binaries and for new or deleted
+ files on system partitions such as <filename
+ class="directory">/</filename> and <filename
class="directory">/usr</filename>.</para>
- <para>When using ssh rather than NFS, writing the security
- script is much more difficult. You essentially have to
- <command>scp</command> the scripts to the client box in order
- to run them, making them visible, and for safety you also need
- to <command>scp</command> the binaries (such as find) that
- those scripts use. The <application>ssh</application> client
- on the client box may already be compromised. All in all,
- using ssh may be necessary when running over insecure links,
- but it is also a lot harder to deal with.</para>
+ <para>When using &man.ssh.1; rather than <acronym>NFS</acronym>,
+ writing the security script is more difficult. For example,
+ &man.scp.1; is needed to send the scripts to the client box in
+ order to run them. The &man.ssh.1; client on the client box
+ may already be compromised. Using &man.ssh.1; may be
+ necessary when running over insecure links, but it is harder
+ to deal with.</para>
- <para>A good security script will also check for changes to user
- and staff members access configuration files:
- <filename>.rhosts</filename>, <filename>.shosts</filename>,
- <filename>.ssh/authorized_keys</filename> and so forth, files
- that might fall outside the purview of the
+ <para>A good security script will also check for changes to
+ hidden configuration files, such as
+ <filename>.rhosts</filename> and
+ <filename>.ssh/authorized_keys</filename>, as these files
+ might fall outside the purview of the
<literal>MD5</literal> check.</para>
- <para>If you have a huge amount of user disk space, it may take
- too long to run through every file on those partitions. In
- this case, setting mount flags to disallow suid binaries is a
- good idea. The <literal>nosuid</literal> option (see
- &man.mount.8;) is what you want to look into. You should
- probably scan them anyway, at least once a week, since the
- object of this layer is to detect a break-in attempt, whether
- or not the attempt succeeds.</para>
+ <para>For a large amount of user disk space, it may take too
+ long to run through every file on those partitions. In this
+ case, consider setting mount flags to disallow SUID binaries
+ by using <literal>nosuid</literal> with &man.mount.8;. Scan
+ these partitions at least once a week, since the objective is
+ to detect a break-in attempt, whether or not the attempt
+ succeeds.</para>
<para>Process accounting (see &man.accton.8;) is a relatively
- low-overhead feature of the operating system which might help
- as a post-break-in evaluation mechanism. It is especially
- useful in tracking down how an intruder has actually broken
- into a system, assuming the file is still intact after the
- break-in has occurred.</para>
+ low-overhead feature of &os; which might help as a
+ post-break-in evaluation mechanism. It is especially useful
+ in tracking down how an intruder broke into a system, assuming
+ the file is still intact after the break-in has
+ occurred.</para>
<para>Finally, security scripts should process the log files,
and the logs themselves should be generated in as secure a
- manner as possible — remote syslog can be very useful.
- An intruder will try to cover his tracks, and log files are
+ manner as possible and sent to a remote syslog server. An
+ intruder will try to cover his tracks, and log files are
critical to the sysadmin trying to track down the time and
method of the initial break-in. One way to keep a permanent
record of the log files is to run the system console to a
@@ -789,14 +603,14 @@
<title>Paranoia</title>
<para>A little paranoia never hurts. As a rule, a sysadmin can
- add any number of security features, as long as they do not
- affect convenience, and can add security features that
+ add any number of security features which do not affect
+ convenience and can add security features that
<emphasis>do</emphasis> affect convenience with some added
- thought. Even more importantly, a security administrator
- should mix it up a bit — if you use recommendations such
- as those given by this document verbatim, you give away your
- methodologies to the prospective attacker who also has access
- to this document.</para>
+ thought. More importantly, a security administrator should
+ mix it up a bit. If recommendations, such as those mentioned
+ in this section, are applied verbatim, those methodologies are
+ given to the prospective attacker who also has access to this
+ document.</para>
</sect2>
<sect2>
@@ -806,11 +620,11 @@
<primary>Denial of Service (DoS)</primary>
</indexterm>
- <para>This section covers Denial of Service attacks. A DoS
- attack is typically a packet attack. While there is not much
- you can do about modern spoofed packet attacks that saturate
- your network, you can generally limit the damage by ensuring
- that the attacks cannot take down your servers by:</para>
+ <para>A <acronym>DoS</acronym> attack is typically a packet
+ attack. While there is not much one can do about spoofed
+ packet attacks that saturate a network, one can generally
+ limit the damage by ensuring that the attack cannot take down
+ servers by:</para>
<orderedlist>
<listitem>
@@ -818,146 +632,116 @@
</listitem>
<listitem>
- <para>Limiting springboard attacks (ICMP response attacks,
- ping broadcast, etc.).</para>
+ <para>Limiting springboard attacks such as ICMP response
+ attacks and ping broadcasts.</para>
</listitem>
<listitem>
- <para>Overloading the Kernel Route Cache.</para>
+ <para>Overloading the kernel route cache.</para>
</listitem>
</orderedlist>
- <para>A common DoS attack scenario is attacking a forking server
- and making it spawn so many child processes that the host
- system eventually runs out of memory, file descriptors, etc.
- and then grinds to a halt. <application>inetd</application>
- (see &man.inetd.8;) has several options to limit this sort of
- attack. It should be noted that while it is possible to
- prevent a machine from going down, it is not generally
- possible to prevent a service from being disrupted by the
- attack. Read the <application>inetd</application> manual page
- carefully and pay specific attention to the
+ <para>A common <acronym>DoS</acronym> attack scenario is to
+ force a forking server to spawn so many child processes that
+ the host system eventually runs out of memory and file
+ descriptors, and then grinds to a halt. There are several
+ options to &man.inetd.8; to limit this sort of attack. It
+ should be noted that while it is possible to prevent a machine
+ from going down, it is not generally possible to prevent a
+ service from being disrupted by the attack. Read
+ &man.inetd.8; carefully and pay specific attention to
<option>-c</option>, <option>-C</option>, and
- <option>-R</option> options. Note that spoofed-IP attacks
- will circumvent the <option>-C</option> option to
- <application>inetd</application>, so typically a combination
- of options must be used. Some standalone servers have
- self-fork-limitation parameters.</para>
+ <option>-R</option>. Spoofed IP attacks will circumvent
+ <option>-C</option> to &man.inetd.8;, so typically a
+ combination of options must be used. Some standalone servers
+ have self-fork-limitation parameters.</para>
- <para><application>Sendmail</application> has its
- <option>-OMaxDaemonChildren</option> option, which tends to
- work much better than trying to use
+ <para><application>Sendmail</application> provides
+ <option>-OMaxDaemonChildren</option>, which tends to work
+ better than trying to use
<application>Sendmail</application>'s load limiting options
- due to the load lag. You should specify a
- <literal>MaxDaemonChildren</literal> parameter, when you start
- <application>sendmail</application>; high enough to handle
- your expected load, but not so high that the computer cannot
- handle that number of <application>Sendmail</application>
- instances without falling on its face. It is also prudent to
- run <application>Sendmail</application> in queued mode
- (<option>-ODeliveryMode=queued</option>) and to run the daemon
- (<command>sendmail -bd</command>) separate from the queue-runs
- (<command>sendmail -q15m</command>). If you still want
- real-time delivery you can run the queue at a much lower
- interval, such as <option>-q1m</option>, but be sure to
- specify a reasonable <literal>MaxDaemonChildren</literal>
- option for <emphasis>that</emphasis>
- <application>Sendmail</application> to prevent cascade
- failures.</para>
+ due to the load lag. Specify a
+ <literal>MaxDaemonChildren</literal> when starting
+ <application>Sendmail</application> which is high enough to
+ handle the expected load, but not so high that the computer
+ cannot handle that number of
+ <application>Sendmail</application> instances. It is prudent
+ to run <application>Sendmail</application> in queued mode
+ using <option>-ODeliveryMode=queued</option> and to run the
+ daemon (<command>sendmail -bd</command>) separate from the
+ queue-runs (<command>sendmail -q15m</command>). For
+ real-time delivery, run the queue at a much lower interval,
+ such as <option>-q1m</option>, but be sure to specify a
+ reasonable <literal>MaxDaemonChildren</literal> to prevent
+ cascade failures.</para>
- <para><application>Syslogd</application> can be attacked
- directly and it is strongly recommended that you use the
- <option>-s</option> option whenever possible, and the
- <option>-a</option> option otherwise.</para>
+ <para>&man.syslogd.8; can be attacked directly and it is
+ strongly recommended to use
+ <option>-s</option> whenever possible, and
+ <option>-a</option> otherwise.</para>
- <para>You should also be fairly careful with connect-back
- services such as <application>TCP Wrapper</application>'s
- reverse-identd, which can be attacked directly. You generally
- do not want to use the reverse-ident feature of
- <application>TCP Wrapper</application> for this reason.</para>
+ <para>Be careful with connect-back services such as
+ reverse-identd, which can be attacked directly. The
+ reverse-ident feature of
+ <application>TCP Wrappers</application> is not recommended for
+ this reason.</para>
- <para>It is a very good idea to protect internal services from
- external access by firewalling them off at your border
- routers. The idea here is to prevent saturation attacks from
- outside your LAN, not so much to protect internal services
- from network-based <username>root</username> compromise.
- Always configure an exclusive firewall, i.e., <quote>firewall
- everything <emphasis>except</emphasis> ports A, B, C, D, and
- M-Z</quote>. This way you can firewall off all of your low
- ports except for certain specific services such as
- <application>named</application> (if you are primary for a
- zone), <application>ntalkd</application>,
- <application>sendmail</application>, and other
- Internet-accessible services. If you try to configure the
- firewall the other way — as an inclusive or permissive
- firewall, there is a good chance that you will forget to
- <quote>close</quote> a couple of services, or that you will
- add a new internal service and forget to update the firewall.
- You can still open up the high-numbered port range on the
- firewall, to allow permissive-like operation, without
- compromising your low ports. Also take note that &os; allows
- you to control the range of port numbers used for dynamic
- binding, via the various
- <varname>net.inet.ip.portrange</varname>
- <command>sysctl</command>'s (<command>sysctl -a | fgrep
- portrange</command>), which can also ease the complexity of
- your firewall's configuration. For example, you might use a
- normal first/last range of 4000 to 5000, and a hiport range of
- 49152 to 65535, then block off everything under 4000 in your
- firewall (except for certain specific Internet-accessible
- ports, of course).</para>
+ <para>It is recommended to protect internal services from
+ external access by firewalling them at the border routers.
+ This is to prevent saturation attacks from outside the LAN,
+ not so much to protect internal services from network-based
+ <username>root</username> compromise. Always configure an
+ exclusive firewall which denies everything by default except
+ for traffic which is explicitly allowed. The range of port
+ numbers used for dynamic binding in &os; is controlled by
+ several <varname>net.inet.ip.portrange</varname>
+ &man.sysctl.8; variables.</para>
- <para>Another common DoS attack is called a springboard attack
- — to attack a server in a manner that causes the server
- to generate responses which overloads the server, the local
- network, or some other machine. The most common attack of
- this nature is the <emphasis>ICMP ping broadcast
- attack</emphasis>. The attacker spoofs ping packets sent to
- your LAN's broadcast address with the source IP address set to
- the actual machine they wish to attack. If your border
- routers are not configured to stomp on ping packets to
- broadcast addresses, your LAN winds up generating sufficient
- responses to the spoofed source address to saturate the
- victim, especially when the attacker uses the same trick on
- several dozen broadcast addresses over several dozen different
- networks at once. Broadcast attacks of over a hundred and
- twenty megabits have been measured. A second common
- springboard attack is against the ICMP error reporting system.
- By constructing packets that generate ICMP error responses, an
- attacker can saturate a server's incoming network and cause
- the server to saturate its outgoing network with ICMP
- responses. This type of attack can also crash the server by
- running it out of memory, especially if the server cannot
- drain the ICMP responses it generates fast enough. Use the
- <application>sysctl</application> variable
+ <para>Another common <acronym>DoS</acronym> attack, called a
+ springboard attack, causes the server to generate responses
+ which overloads the server, the local network, or some other
+ machine. The most common attack of this nature is the
+ <emphasis>ICMP ping broadcast attack</emphasis>. The attacker
+ spoofs ping packets sent to the LAN's broadcast address with
+ the source IP address set to the machine to attack. If the
+ border routers are not configured to drop ping packets sent to
+ broadcast addresses, the LAN generates sufficient responses to
+ the spoofed source address to saturate the victim, especially
+ when the attack is against several dozen broadcast addresses
+ over several dozen different networks at once. A second
+ common springboard attack constructs packets that generate
+ ICMP error responses which can saturate a server's incoming
+ network and cause the server to saturate its outgoing network
+ with ICMP responses. This type of attack can crash the
+ server by running it out of memory, especially if the server
+ cannot drain the ICMP responses it generates fast enough. Use
+ the &man.sysctl.8; variable
<literal>net.inet.icmp.icmplim</literal> to limit these
attacks. The last major class of springboard attacks is
- related to certain internal <application>inetd</application>
- services such as the udp echo service. An attacker simply
- spoofs a UDP packet with the source address being server A's
- echo port, and the destination address being server B's echo
- port, where server A and B are both on your LAN. The two
- servers then bounce this one packet back and forth between
- each other. The attacker can overload both servers and their
- LANs simply by injecting a few packets in this manner.
- Similar problems exist with the internal
- <application>chargen</application> port. A competent sysadmin
- will turn off all of these inetd-internal test
- services.</para>
+ related to certain internal &man.inetd.8; services such as the
+ UDP echo service. An attacker spoofs a UDP packet with a
+ source address of server A's echo port and a destination
+ address of server B's echo port, where server A and B on the
+ same LAN. The two servers bounce this one packet back and
+ forth between each other. The attacker can overload both
+ servers and the LAN by injecting a few packets in this manner.
+ Similar problems exist with the
+ <application>chargen</application> port. These inetd-internal
+ test services should remain disabled.</para>
- <para>Spoofed packet attacks may also be used to overload the
- kernel route cache. Refer to the
+ <para>Spoofed packet attacks may be used to overload the kernel
+ route cache. Refer to the
<varname>net.inet.ip.rtexpire</varname>,
<varname>rtminexpire</varname>, and
- <varname>rtmaxcache</varname> <command>sysctl</command>
- parameters. A spoofed packet attack that uses a random source
- IP will cause the kernel to generate a temporary cached route
- in the route table, viewable with <command>netstat -rna |
- fgrep W3</command>. These routes typically timeout in 1600
+ <varname>rtmaxcache</varname> &man.sysctl.8; parameters. A
+ spoofed packet attack that uses a random source IP will cause
+ the kernel to generate a temporary cached route in the route
+ table, viewable with <command>netstat -rna | fgrep
+ W3</command>. These routes typically timeout in 1600
seconds or so. If the kernel detects that the cached route
- table has gotten too big it will dynamically reduce the
+ table has gotten too big, it will dynamically reduce the
<varname>rtexpire</varname> but will never decrease it to less
- than <varname>rtminexpire</varname>. There are two
+ than <varname>rtminexpire</varname>. This creates two
problems:</para>
<orderedlist>
@@ -973,55 +757,50 @@
</listitem>
</orderedlist>
- <para>If your servers are connected to the Internet via a T3 or
+ <para>If the servers are connected to the Internet via a T3 or
better, it may be prudent to manually override both
<varname>rtexpire</varname> and <varname>rtminexpire</varname>
via &man.sysctl.8;. Never set either parameter to zero
- (unless you want to crash the machine). Setting both
- parameters to 2 seconds should be sufficient to protect the
- route table from attack.</para>
+ as this could crash the machine. Setting both parameters to 2
+ seconds should be sufficient to protect the route table from
+ attack.</para>
</sect2>
<sect2>
- <title>Access Issues with Kerberos and SSH</title>
+ <title>Access Issues with Kerberos and &man.ssh.1;</title>
- <indexterm><primary><command>ssh</command></primary></indexterm>
+ <indexterm><primary>&man.ssh.1;</primary></indexterm>
- <para>There are a few issues with both Kerberos and
- ssh that need to be addressed if
- you intend to use them. Kerberos 5 is an excellent
- authentication protocol, but there are bugs in the kerberized
- <application>telnet</application> and
- <application>rlogin</application> applications that make them
- unsuitable for dealing with binary streams. Also, by default
- Kerberos does not encrypt a session unless you use the
- <option>-x</option> option. <application>ssh</application>
- encrypts everything by default.</para>
+ <para>There are a few issues with both Kerberos and &man.ssh.1;
+ that need to be addressed if they are used. Kerberos is an
+ excellent authentication protocol, but there are bugs in the
+ kerberized versions of &man.telnet.1; and &man.rlogin.1; that
+ make them unsuitable for dealing with binary streams. By
+ default, Kerberos does not encrypt a session unless
+ <option>-x</option> is used whereas &man.ssh.1; encrypts
+ everything.</para>
- <para>Ssh works quite well in every respect except that it
- forwards encryption keys by default. What this means is that
- if you have a secure workstation holding keys that give you
- access to the rest of the system, and you ssh to an insecure
- machine, your keys are usable. The actual keys themselves are
- not exposed, but ssh installs a forwarding port for the
- duration of your login, and if an attacker has broken
- <username>root</username> on the insecure machine he can
- utilize that port to use your keys to gain access to any other
- machine that your keys unlock.</para>
+ <para>While &man.ssh.1; works well, it forwards encryption keys
+ by default. This introduces a security risk to a user who
+ uses &man.ssh.1; to access an insecure machine from a secure
+ workstation. The keys themselves are not exposed, but
+ &man.ssh.1; installs a forwarding port for the duration of the
+ login. If an attacker has broken <username>root</username> on
+ the insecure machine, he can utilize that port to gain access
+ to any other machine that those keys unlock.</para>
- <para>We recommend that you use ssh in combination with Kerberos
- whenever possible for staff logins.
- <application>Ssh</application> can be compiled with Kerberos
- support. This reduces your reliance on potentially exposed
- ssh keys while at the same time protecting passwords via
- Kerberos. Ssh keys should only be used for automated tasks
- from secure machines (something that Kerberos is unsuited to
- do). We also recommend that you either turn off
- key-forwarding in the ssh configuration, or that you make use
- of the <literal>from=IP/DOMAIN</literal> option that ssh
- allows in its <filename>authorized_keys</filename> file to
- make the key only usable to entities logging in from specific
- machines.</para>
+ <para>It is recommended that &man.ssh.1; is used in combination
+ with Kerberos whenever possible for staff logins and
+ &man.ssh.1; can be compiled with Kerberos support. This
+ reduces reliance on potentially exposed <acronym>SSH</acronym>
+ keys while protecting passwords via Kerberos. Keys should
+ only be used for automated tasks from secure machines as this
+ is something that Kerberos is unsuited to. It is recommended
+ to either turn off key-forwarding in the
+ <acronym>SSH</acronym> configuration, or to make use
+ of <literal>from=IP/DOMAIN</literal> in
+ <filename>authorized_keys</filename> to make the key only
+ usable to entities logging in from specific machines.</para>
</sect2>
</sect1>
@@ -1052,56 +831,43 @@
<indexterm><primary>SHA512</primary></indexterm>
<para>Every user on a &unix; system has a password associated with
- their account. It seems obvious that these passwords need to be
- known only to the user and the actual operating system. In
- order to keep these passwords secret, they are encrypted with
- what is known as a <quote>one-way hash</quote>, that is, they
- can only be easily encrypted but not decrypted. In other words,
- what we told you a moment ago was obvious is not even true: the
- operating system itself does not <emphasis>really</emphasis>
- know the password. It only knows the
+ their account. In order to keep these passwords secret, they
+ are encrypted with a <quote>one-way hash</quote>, as they can
+ be easily encrypted but not decrypted. The operating system
+ itself does not know the password. It only knows the
<emphasis>encrypted</emphasis> form of the password. The only
way to get the <quote>plain-text</quote> password is by a brute
force search of the space of possible passwords.</para>
- <para>Unfortunately the only secure way to encrypt passwords when
- &unix; came into being was based on DES, the Data Encryption
- Standard. This was not such a problem for users resident in the
- US, but since the source code for DES could not be exported
- outside the US, &os; had to find a way to both comply with US
- law and retain compatibility with all the other &unix; variants
- that still used DES.</para>
-
- <para>The solution was to divide up the encryption libraries so
- that US users could install the DES libraries and use DES but
- international users still had an encryption method that could be
- exported abroad. This is how &os; came to use MD5 as its
- default encryption method. MD5 is believed to be more secure
- than DES, so installing DES is offered primarily for
- compatibility reasons.</para>
+ <para>Originally, the only secure way to encrypt passwords in
+ &unix; was based on the Data Encryption Standard
+ (<acronym>DES</acronym>). Since the source code for
+ <acronym>DES</acronym> could not be exported outside the US,
+ &os; had to find a way to both comply with US law and retain
+ compatibility with other &unix; variants that used
+ <acronym>DES</acronym>. The solution was MD5 which is believed
+ to be more secure than <acronym>DES</acronym>.</para>
<sect2>
- <title>Recognizing Your Crypt Mechanism</title>
+ <title>Recognizing the Crypt Mechanism</title>
- <para>Currently the library supports DES, MD5, Blowfish, SHA256,
- and SHA512 hash functions. By default &os; 9.1 and later
- uses SHA512 to encrypt passwords. Older versions use MD5 by
- default.</para>
-
- <para>It is pretty easy to identify which encryption method &os;
- is set up to use. Examining the encrypted passwords in the
- <filename>/etc/master.passwd</filename> file is one way.
- Passwords encrypted with the MD5 hash are longer than those
- encrypted with the DES hash and also begin with the characters
+ <para>Currently the library supports <acronym>DES</acronym>,
+ MD5, Blowfish, SHA256, and SHA512 hash functions. To identify
+ which encryption method &os; is set up to use, examine the
+ encrypted passwords in
+ <filename>/etc/master.passwd</filename>. Passwords encrypted
+ with the MD5 hash are longer than those encrypted with the
+ <acronym>DES</acronym> hash and begin with the characters
<literal>$1$</literal>. Passwords starting with
<literal>$2a$</literal> are encrypted with the
- Blowfish hash function. DES password strings do not have any
- particular identifying characteristics, but they are shorter
- than MD5 passwords, and are coded in a 64-character alphabet
- which does not include the <literal>$</literal>
- character, so a relatively short string which does not begin
- with a dollar sign is very likely a DES password. Both SHA256
- and SHA512 begin with the characters
+ Blowfish hash function. <acronym>DES</acronym> password
+ strings do not have any particular identifying
+ characteristics, but they are shorter than MD5 passwords, and
+ are coded in a 64-character alphabet which does not include
+ the <literal>$</literal> character, so a relatively
+ short string which does not begin with a dollar sign is very
+ likely a <acronym>DES</acronym> password. Both SHA256 and
+ SHA512 begin with the characters
<literal>$6$</literal>.</para>
<para>The password format used for new passwords is controlled
@@ -1109,8 +875,8 @@
<filename>/etc/login.conf</filename>, which takes values of
<literal>des</literal>, <literal>md5</literal>,
<literal>blf</literal>, <literal>sha256</literal> or
- <literal>sha512</literal>. See the &man.login.conf.5; manual
- page for more information about login capabilities.</para>
+ <literal>sha512</literal>. Refer to &man.login.conf.5; for
+ more information about login capabilities.</para>
</sect2>
</sect1>
@@ -1123,83 +889,76 @@
<secondary>one-time passwords</secondary>
</indexterm>
- <para>By default, &os; includes support for OPIE (One-time
- Passwords In Everything), which uses the MD5 hash by
+ <para>By default, &os; includes support for One-time Passwords In
+ Everything (<acronym>OPIE</acronym>), which uses the MD5 hash by
default.</para>
- <para>There are three different sorts of passwords which we will
- discuss below. The first is your usual &unix; style or Kerberos
- password; we will call this a <quote>&unix; password</quote>.
- The second sort is the one-time password which is generated by
- the OPIE &man.opiekey.1; program and accepted by the
- &man.opiepasswd.1; program and the login prompt; we will call
- this a <quote>one-time password</quote>. The final sort of
- password is the secret password which you give to the
- <command>opiekey</command> program (and sometimes the
- <command>opiepasswd</command> programs) which it uses to
- generate one-time passwords; we will call it a <quote>secret
- password</quote> or just unqualified
- <quote>password</quote>.</para>
+ <para>There are three different types of passwords. The first is
+ the usual &unix; style or Kerberos password. The second is the
+ one-time password which is generated by &man.opiekey.1; and
+ accepted by &man.opiepasswd.1; and the login prompt. The final
+ type of password is the <quote>secret password</quote> used by
+ &man.opiekey.1;, and sometimes &man.opiepasswd.1;, to generate
+ one-time passwords.</para>
- <para>The secret password does not have anything to do with your
- &unix; password; they can be the same but this is not
- recommended. OPIE secret passwords are not limited to 8
+ <para>The secret password has nothing to do with the &unix;
+ password. They can be the same, but this is not recommended.
+ <acronym>OPIE</acronym> secret passwords are not limited to 8
characters like old &unix; passwords<footnote><para>Under &os;
the standard login password may be up to 128 characters in
- length.</para></footnote>, they can be as long as you like.
- Passwords of six or seven word long phrases are fairly common.
- For the most part, the OPIE system operates completely
- independently of the &unix; password system.</para>
+ length.</para></footnote>. Passwords of six or seven word
+ long phrases are fairly common. For the most part, the
+ <acronym>OPIE</acronym> system operates completely independently
+ of the &unix; password system.</para>
<para>Besides the password, there are two other pieces of data
- that are important to OPIE. One is what is known as the
+ that are important to <acronym>OPIE</acronym>. One is the
<quote>seed</quote> or <quote>key</quote>, consisting of two
- letters and five digits. The other is what is called the
- <quote>iteration count</quote>, a number between 1 and 100.
- OPIE creates the one-time password by concatenating the seed and
- the secret password, then applying the MD5 hash as many times as
- specified by the iteration count and turning the result into six
- short English words. These six English words are your one-time
- password. The authentication system (primarily PAM) keeps track
- of the last one-time password used, and the user is
- authenticated if the hash of the user-provided password is equal
- to the previous password. Because a one-way hash is used it is
- impossible to generate future one-time passwords if a
- successfully used password is captured; the iteration count is
- decremented after each successful login to keep the user and the
- login program in sync. When the iteration count gets down to 1,
- OPIE must be reinitialized.</para>
+ letters and five digits. The other is the <quote>iteration
+ count</quote>, a number between 1 and 100.
+ <acronym>OPIE</acronym> creates the one-time password by
+ concatenating the seed and the secret password, applying the MD5
+ hash as many times as specified by the iteration count, and
+ turning the result into six short English words. These six
+ English words are the one-time password. The authentication
+ system (primarily PAM) keeps track of the last one-time password
+ used, and the user is authenticated if the hash of the
+ user-provided password is equal to the previous password.
+ Because a one-way hash is used, it is impossible to generate
+ future one-time passwords if a successfully used password is
+ captured. The iteration count is decremented after each
+ successful login to keep the user and the login program in sync.
+ When the iteration count gets down to 1,
+ <acronym>OPIE</acronym> must be reinitialized.</para>
- <para>There are a few programs involved in each system which we
- will discuss below. The <command>opiekey</command> program
- accepts an iteration count, a seed, and a secret password, and
- generates a one-time password or a consecutive list of one-time
- passwords. The <command>opiepasswd</command> program is used to
- initialize OPIE, and to change passwords, iteration counts, or
- seeds; it takes either a secret passphrase, or an iteration
- count, seed, and a one-time password. The
- <command>opieinfo</command> program will examine the relevant
- credentials files (<filename>/etc/opiekeys</filename>) and print
- out the invoking user's current iteration count and seed.</para>
+ <para>There are a few programs involved in this process.
+ &man.opiekey.1; accepts an iteration count, a seed, and a secret
+ password, and generates a one-time password or a consecutive
+ list of one-time passwords. In addition to initializing
+ <acronym>OPIE</acronym>, &man.opiepasswd.1; is used to change
+ passwords, iteration counts, or seeds. It takes either a secret
+ passphrase, or an iteration count, seed, and a one-time
+ password. The relevant credential files in
+ <filename>/etc/opiekeys</filename> are examined by
+ &man.opieinfo.1; which prints out the invoking user's current
+ iteration count and seed.</para>
- <para>There are four different sorts of operations we will cover.
- The first is using <command>opiepasswd</command> over a secure
- connection to set up one-time-passwords for the first time, or
- to change your password or seed. The second operation is using
- <command>opiepasswd</command> over an insecure connection, in
- conjunction with <command>opiekey</command> over a secure
- connection, to do the same. The third is using
- <command>opiekey</command> to log in over an insecure
- connection. The fourth is using <command>opiekey</command> to
- generate a number of keys which can be written down or printed
- out to carry with you when going to some location without secure
- connections to anywhere.</para>
+ <para>There are four different sorts of operations. The first is
+ to use &man.opiepasswd.1; over a secure connection to set up
+ one-time-passwords for the first time, or to change the password
+ or seed. The second operation is to use &man.opiepasswd.1; over
+ an insecure connection, in conjunction with &man.opiekey.1; over
+ a secure connection, to do the same. The third is to use
+ &man.opiekey.1; to log in over an insecure connection. The
+ fourth is to use &man.opiekey.1; to generate a number of keys
+ which can be written down or printed out to carry to insecure
+ locations in order to make a connection to anywhere.</para>
<sect2>
<title>Secure Connection Initialization</title>
- <para>To initialize OPIE for the first time, execute the
- <command>opiepasswd</command> command:</para>
+ <para>To initialize <acronym>OPIE</acronym> for the first time,
+ execute &man.opiepasswd.1;:</para>
<screen>&prompt.user; <userinput>opiepasswd -c</userinput>
[grimreaper] ~ $ opiepasswd -f -c
@@ -1215,32 +974,29 @@ ID unfurl OTP key is 499 to4268
MOS MALL GOAT ARM AVID COED</screen>
<para>At the <prompt>Enter new secret pass phrase:</prompt> or
- <prompt>Enter secret password:</prompt> prompts, you should
- enter a password or phrase. Remember, this is not the
- password that you will use to login with, this is used to
- generate your one-time login keys. The <quote>ID</quote> line
- gives the parameters of your particular instance: your login
- name, the iteration count, and seed. When logging in the
- system will remember these parameters and present them back to
- you so you do not have to remember them. The last line gives
- the particular one-time password which corresponds to those
- parameters and your secret password; if you were to re-login
- immediately, this one-time password is the one you would
- use.</para>
+ <prompt>Enter secret password:</prompt> prompt, enter a
+ password or phrase. This is not the login password as this
+ password is used to generate the one-time login keys. The
+ <quote>ID</quote> line gives the parameters of the instance:
+ the login name, iteration count, and seed. When logging in,
+ the system will remember these parameters and display them,
+ meaning that they do not have to be memorized. The last line
+ gives the particular one-time password which corresponds to
+ those parameters and the secret password. At the next login,
+ this one-time password is the one to use.</para>
</sect2>
<sect2>
<title>Insecure Connection Initialization</title>
- <para>To initialize or change your secret password over an
- insecure connection, you will need to already have a secure
- connection to some place where you can run
- <command>opiekey</command>; this might be in the form of a
- shell prompt on a machine you trust. You will also need to
- make up an iteration count (100 is probably a good value), and
- you may make up your own seed or use a randomly-generated one.
- Over on the insecure connection (to the machine you are
- initializing), use <command>opiepasswd</command>:</para>
+ <para>To initialize or change the secret password over an
+ insecure connection, a secure connection is needed to some
+ place where &man.opiekey.1; can be run. This might be a shell
+ prompt on a trusted machine. An iteration count is needed,
+ where 100 is probably a good value, and the seed can either be
+ specified or the randomly-generated one used. On the insecure
+ connection, the machine being initialized, use
+ &man.opiepasswd.1;:</para>
<screen>&prompt.user; <userinput>opiepasswd</userinput>
@@ -1256,26 +1012,26 @@ New secret pass phrase:
ID mark OTP key is 499 gr4269
LINE PAP MILK NELL BUOY TROY</screen>
- <para>To accept the default seed press <keycap>Return</keycap>.
- Then before entering an access password, move over to your
- secure connection and give it the same parameters:</para>
+ <para>To accept the default seed, press <keycap>Return</keycap>.
+ Before entering an access password, move over to the secure
+ connection and give it the same parameters:</para>
<screen>&prompt.user; <userinput>opiekey 498 to4268</userinput>
Using the MD5 algorithm to compute response.
-Reminder: Don't use opiekey from telnet or dial-in sessions.
+Reminder: Do not use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
GAME GAG WELT OUT DOWN CHAT</screen>
- <para>Now switch back over to the insecure connection, and copy
- the one-time password generated over to the relevant
+ <para>Switch back over to the insecure connection, and copy
+ the generated one-time password over to the relevant
program.</para>
</sect2>
<sect2>
<title>Generating a Single One-time Password</title>
- <para>Once you have initialized OPIE and login, you will be
- presented with a prompt like this:</para>
+ <para>After initializing <acronym>OPIE</acronym> and logging in,
+ a prompt like this will be displayed:</para>
<screen>&prompt.user; <userinput>telnet example.com</userinput>
Trying 10.0.0.1...
@@ -1288,49 +1044,47 @@ login: <userinput><username></userinput>
otp-md5 498 gr4269 ext
Password: </screen>
- <para>As a side note, the OPIE prompts have a useful feature
- (not shown here): if you press <keycap>Return</keycap> at the
- password prompt, the prompter will turn echo on, so you can
- see what you are typing. This can be extremely useful if you
- are attempting to type in a password by hand, such as from a
- printout.</para>
+ <para>The <acronym>OPIE</acronym> prompts provides a useful
+ feature. If <keycap>Return</keycap> is pressed at the
+ password prompt, the prompt will turn echo on and display
+ what is typed. This can be useful when attempting to type in
+ a password by hand from a printout.</para>
<indexterm><primary>MS-DOS</primary></indexterm>
<indexterm><primary>Windows</primary></indexterm>
<indexterm><primary>MacOS</primary></indexterm>
- <para>At this point you need to generate your one-time password
- to answer this login prompt. This must be done on a trusted
- system that you can run <command>opiekey</command> on. (There
- are versions of these for DOS, &windows; and &macos; as well.)
- They need the iteration count and the seed as command line
- options. You can cut-and-paste these right from the login
- prompt on the machine that you are logging in to.</para>
+ <para>At this point, generate the one-time password to answer
+ this login prompt. This must be done on a trusted system
+ where it is safe to run &man.opiekey.1;. There are versions
+ of this command for &windows;, &macos; and &os;. This command
+ needs the iteration count and the seed as command line
+ options. Use cut-and-paste from the login prompt on the
+ machine being logged in to.</para>
<para>On the trusted system:</para>
<screen>&prompt.user; <userinput>opiekey 498 to4268</userinput>
Using the MD5 algorithm to compute response.
-Reminder: Don't use opiekey from telnet or dial-in sessions.
+Reminder: Do not use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
GAME GAG WELT OUT DOWN CHAT</screen>
- <para>Now that you have your one-time password you can continue
- logging in.</para>
+ <para>Once the one-time password is generated, continue to log
+ in.</para>
</sect2>
<sect2>
<title>Generating Multiple One-time Passwords</title>
- <para>Sometimes you have to go places where you do not have
- access to a trusted machine or secure connection. In this
- case, it is possible to use the <command>opiekey</command>
- command to generate a number of one-time passwords beforehand
- to be printed out and taken with you. For example:</para>
+ <para>Sometimes there is no access to a trusted machine or
+ secure connection. In this case, it is possible to use
+ &man.opiekey.1; to generate a number of one-time passwords
+ beforehand. For example:</para>
<screen>&prompt.user; <userinput>opiekey -n 5 30 zz99999</userinput>
Using the MD5 algorithm to compute response.
-Reminder: Don't use opiekey from telnet or dial-in sessions.
+Reminder: Do not use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: <userinput><secret password></userinput>
26: JOAN BORE FOSS DES NAY QUIT
27: LATE BIAS SLAY FOLK MUCH TRIG
@@ -1339,28 +1093,26 @@ Enter secret pass phrase: <userinput><secret password></userinput>
30: GREW JIVE SAN GIRD BOIL PHI</screen>
<para>The <option>-n 5</option> requests five keys in sequence,
- the <option>30</option> specifies what the last iteration
+ and <option>30</option> specifies what the last iteration
number should be. Note that these are printed out in
- <emphasis>reverse</emphasis> order of eventual use. If you
- are really paranoid, you might want to write the results down
- by hand; otherwise you can cut-and-paste into
- <command>lpr</command>. Note that each line shows both the
- iteration count and the one-time password; you may still find
- it handy to scratch off passwords as you use them.</para>
+ <emphasis>reverse</emphasis> order of use. The really
+ paranoid might want to write the results down by hand;
+ otherwise, print the list. Each line shows both the iteration
+ count and the one-time password. Scratch off the passwords as
+ they are used.</para>
</sect2>
<sect2>
<title>Restricting Use of &unix; Passwords</title>
- <para>OPIE can restrict the use of &unix; passwords based on the
- IP address of a login session. The relevant file is
- <filename>/etc/opieaccess</filename>, which is present by
- default. Please check &man.opieaccess.5; for more information
- on this file and which security considerations you should be
- aware of when using it.</para>
+ <para><acronym>OPIE</acronym> can restrict the use of &unix;
+ passwords based on the IP address of a login session. The
+ relevant file is <filename>/etc/opieaccess</filename>, which
+ is present by default. Refer to &man.opieaccess.5; for more
+ information on this file and which security considerations to
+ be aware of when using it.</para>
- <para>Here is a sample <filename>opieaccess</filename>
- file:</para>
+ <para>Here is a sample <filename>opieaccess</filename>:</para>
<programlisting>permit 192.168.0.0 255.255.0.0</programlisting>
@@ -1369,7 +1121,8 @@ Enter secret pass phrase: <userinput><secret password></userinput>
to use &unix; passwords at any time.</para>
<para>If no rules in <filename>opieaccess</filename> are
- matched, the default is to deny non-OPIE logins.</para>
+ matched, the default is to deny non-<acronym>OPIE</acronym>
+ logins.</para>
</sect2>
</sect1>
@@ -1388,59 +1141,29 @@ Enter secret pass phrase: <userinput><secret password></userinput>
<indexterm><primary>TCP Wrappers</primary></indexterm>
- <para>Anyone familiar with &man.inetd.8; has probably heard of
- <acronym>TCP</acronym> Wrappers at some point. But few
- individuals seem to fully comprehend its usefulness in a network
- environment. It seems that everyone wants to install a firewall
- to handle network connections. While a firewall has a wide
- variety of uses, there are some things that a firewall will not
- handle, such as sending text back to the connection originator.
- The <acronym>TCP</acronym> Wrappers software does this and much
- more. In the next few sections many of the
- <acronym>TCP</acronym> Wrappers features will be discussed, and,
- when applicable, example configuration lines will be
- provided.</para>
+ <para><acronym>TCP</acronym> Wrappers extends the abilities of
+ <xref linkend="network-inetd"/> to provide support for every
+ server daemon under its control. It can be configured
+ to provide logging support, return messages to connections, and
+ permit a daemon to only accept internal connections. While some
+ of these features can be provided by implementing a firewall,
+ <acronym>TCP</acronym> Wrappers adds an extra layer of
+ protection and goes beyond the amount of control a firewall can
+ provide.</para>
- <para>The <acronym>TCP</acronym> Wrappers software extends the
- abilities of <application>inetd</application> to provide support
- for every server daemon under its control. Using this method it
- is possible to provide logging support, return messages to
- connections, permit a daemon to only accept internal
- connections, etc. While some of these features can be provided
- by implementing a firewall, this will add not only an extra
- layer of protection but go beyond the amount of control a
- firewall can provide.</para>
-
- <para>The added functionality of <acronym>TCP</acronym> Wrappers
- should not be considered a replacement for a good firewall.
- <acronym>TCP</acronym> Wrappers can be used in conjunction
- with a firewall or other security enhancements though and
- it can serve nicely as an extra layer of protection
- for the system.</para>
-
- <para>Since this is an extension to the configuration of
- <application>inetd</application>, the reader is expected have
- read the <link linkend="network-inetd">inetd
- configuration</link> section.</para>
-
- <note>
- <para>While programs run by &man.inetd.8; are not exactly
- <quote>daemons</quote>, they have traditionally been called
- daemons. This is the term we will use in this section
- too.</para>
- </note>
+ <para><acronym>TCP</acronym> Wrappers should not be considered a
+ replacement for a properly configured firewall.
+ <acronym>TCP</acronym> Wrappers should be used in conjunction
+ with a firewall and other security enhancements.</para>
<sect2>
<title>Initial Configuration</title>
- <para>The only requirement of using <acronym>TCP</acronym>
- Wrappers in &os; is to ensure the
- <application>inetd</application> server is started from
- <filename>rc.conf</filename> with the <option>-Ww</option>
- option; this is the default setting. Of course, proper
- configuration of <filename>/etc/hosts.allow</filename> is also
- expected, but &man.syslogd.8; will throw messages in the
- system logs in these cases.</para>
+ <para>To enable <acronym>TCP</acronym> Wrappers in &os;, ensure
+ the &man.inetd.8; server is started from
+ <filename>/etc/rc.conf</filename> with
+ <option>-Ww</option>. Then, properly configure
+ <filename>/etc/hosts.allow</filename>.</para>
<note>
<para>Unlike other implementations of <acronym>TCP</acronym>
@@ -1453,37 +1176,30 @@ Enter secret pass phrase: <userinput><secret password></userinput>
are set to either be permitted or blocked depending on the
options in <filename>/etc/hosts.allow</filename>. The default
configuration in &os; is to allow a connection to every daemon
- started with <application>inetd</application>. Changing this
- will be discussed only after the basic configuration is
- covered.</para>
+ started with &man.inetd.8;.</para>
<para>Basic configuration usually takes the form of
- <literal>daemon : address : action</literal>. Where
- <literal>daemon</literal> is the daemon name which
- <command>inetd</command> started. The
- <literal>address</literal> can be a valid hostname, an
- <acronym>IP</acronym> address or an IPv6 address enclosed in
- brackets ([ ]). The <literal>action</literal> field can
- be either <literal>allow</literal> or <literal>deny</literal>
- to grant or deny access appropriately. Keep in mind that
- configuration works off a first rule match semantic, meaning
- that the configuration file is scanned in ascending order for
- a matching rule. When a match is found the rule is applied
- and the search process will halt.</para>
+ <literal>daemon : address : action</literal>, where
+ <literal>daemon</literal> is the daemon which &man.inetd.8;
+ started, <literal>address</literal> is a valid hostname,
+ <acronym>IP</acronym> address, or an IPv6 address enclosed in
+ brackets ([ ]), and <literal>action</literal> is
+ either <literal>allow</literal> or <literal>deny</literal>.
+ <acronym>TCP</acronym> Wrappers uses a first rule match
+ semantic, meaning that the configuration file is scanned in
+ ascending order for a matching rule. When a match is found,
+ the rule is applied and the search process stops.</para>
- <para>Several other options exist but they will be explained
- in a later section. A simple configuration line may easily be
- constructed from that information alone. For example, to
- allow <acronym>POP</acronym>3 connections via the
- <filename role="package">mail/qpopper</filename> daemon,
- the following lines should be appended to
+ <para>For example, to allow <acronym>POP</acronym>3 connections
+ via the <filename role="package">mail/qpopper</filename>
+ daemon, the following lines should be appended to
<filename>hosts.allow</filename>:</para>
<programlisting># This line is required for POP3 connections:
qpopper : ALL : allow</programlisting>
- <para>After adding this line, <application>inetd</application>
- will need to be restarted by using &man.service.8;:</para>
+ <para>After adding this line, &man.inetd.8; needs to be
+ restarted:</para>
<screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
</sect2>
@@ -1491,45 +1207,41 @@ qpopper : ALL : allow</programlisting>
<sect2>
<title>Advanced Configuration</title>
- <para><acronym>TCP</acronym> Wrappers has advanced options too;
- they will allow for more control over the way connections are
- handled. In some cases it may be a good idea to return a
- comment to certain hosts or daemon connections. In other
- cases, perhaps a log file should be recorded or an email sent
- to the administrator. Other situations may require the use of
- a service for local connections only. This is all possible
+ <para><acronym>TCP</acronym> Wrappers provides advanced options
+ to allow more control over the way connections are handled.
+ In some cases, it may be appropriate to return a comment to
+ certain hosts or daemon connections. In other cases, a log
+ entry should be recorded or an email sent to the
+ administrator. Other situations may require the use of a
+ service for local connections only. This is all possible
through the use of configuration options known as
<literal>wildcards</literal>, expansion characters and
- external command execution. The next two sections are written
- to cover these situations.</para>
+ external command execution.</para>
<sect3>
<title>External Commands</title>
<para>Suppose that a situation occurs where a connection
should be denied yet a reason should be sent to the
- individual who attempted to establish that connection. How
- could it be done? That action can be made possible by using
- the <option>twist</option> option. When a connection
- attempt is made, <option>twist</option> will be called to
- execute a shell command or script. An example already
- exists in the <filename>hosts.allow</filename> file:</para>
+ individual who attempted to establish that connection. That
+ action is possible with <option>twist</option>. When a
+ connection attempt is made, <option>twist</option> executes
+ a shell command or script. An example exists in
+ <filename>hosts.allow</filename>:</para>
<programlisting># The rest of the daemons are protected.
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."</programlisting>
- <para>This example shows that the message,
- <quote>You are not allowed to use <literal>daemon</literal>
- from <literal>hostname</literal>.</quote> will be returned
- for any daemon not previously configured in the access file.
- This is extremely useful for sending a reply back to the
- connection initiator right after the established connection
- is dropped. Note that any message returned
- <emphasis>must</emphasis> be wrapped in quote
- <literal>"</literal> characters; there are no exceptions to
- this rule.</para>
+ <para>In this example, the message <quote>You are not allowed
+ to use <literal>daemon</literal> from
+ <literal>hostname</literal>.</quote> will be returned for
+ any daemon not previously configured in the access file.
+ This is useful for sending a reply back to the connection
+ initiator right after the established connection is dropped.
+ Any message returned <emphasis>must</emphasis> be wrapped in
+ quote (<literal>"</literal>) characters.</para>
<warning>
<para>It may be possible to launch a denial of service
@@ -1538,14 +1250,14 @@ ALL : ALL \
requests.</para>
</warning>
- <para>Another possibility is to use the <option>spawn</option>
- option in these cases. Like <option>twist</option>, the
- <option>spawn</option> option implicitly denies the
- connection and may be used to run external shell commands or
- scripts. Unlike <option>twist</option>,
- <option>spawn</option> will not send a reply back to the
- individual who established the connection. For an example,
- consider the following configuration line:</para>
+ <para>Another possibility is to use <option>spawn</option>.
+ Like <option>twist</option>, <option>spawn</option>
+ implicitly denies the connection and may be used to run
+ external shell commands or scripts. Unlike
+ <option>twist</option>, <option>spawn</option> will not send
+ a reply back to the individual who established the
+ connection. For example, consider the following
+ configuration line:</para>
<programlisting># We do not allow connections from example.com:
ALL : .example.com \
@@ -1553,44 +1265,36 @@ ALL : .example.com \
/var/log/connections.log) \
: deny</programlisting>
- <para>This will deny all connection attempts from the <hostid
- role="fqdn">*.example.com</hostid> domain; simultaneously
- logging the hostname, <acronym>IP</acronym> address and the
- daemon which they attempted to access in the
- <filename>/var/log/connections.log</filename> file.</para>
+ <para>This will deny all connection attempts from <hostid
+ role="fqdn">*.example.com</hostid> and log the hostname,
+ <acronym>IP</acronym> address, and the daemon to which
+ access was attempted to
+ <filename>/var/log/connections.log</filename>.</para>
- <para>Aside from the already explained substitution characters
- above, e.g., <literal>%a</literal>, a few others exist. See
- the &man.hosts.access.5; manual page for the complete
- list.</para>
+ <para>This example uses the substitution characters
+ <literal>%a</literal> and <literal>%h</literal>. Refer to
+ &man.hosts.access.5; for the complete list.</para>
</sect3>
<sect3>
<title>Wildcard Options</title>
- <para>Thus far the <literal>ALL</literal> option has been used
- continuously throughout the examples. Other options exist
- which could extend the functionality a bit further. For
- instance, <literal>ALL</literal> may be used to match every
- instance of either a daemon, domain or an
- <acronym>IP</acronym> address. Another wildcard available
- is <literal>PARANOID</literal> which may be used to match
+ <para>The <literal>ALL</literal> option may be used to match
+ every instance of a daemon, domain, or an
+ <acronym>IP</acronym> address. Another wildcard is
+ <literal>PARANOID</literal> which may be used to match
any host which provides an <acronym>IP</acronym> address
- that may be forged. In other words,
+ that may be forged. For example,
<literal>PARANOID</literal> may be used to define an action
to be taken whenever a connection is made from an
<acronym>IP</acronym> address that differs from its
- hostname. The following example may shed some more light on
- this discussion:</para>
+ hostname. In this example, all connection requests to
+ &man.sendmail.8; which have an <acronym>IP</acronym> address
+ that varies from its hostname will be denied:</para>
<programlisting># Block possibly spoofed requests to sendmail:
sendmail : PARANOID : deny</programlisting>
- <para>In that example all connection requests to
- <command>sendmail</command> which have an
- <acronym>IP</acronym> address that varies from its hostname
- will be denied.</para>
-
<caution>
<para>Using the <literal>PARANOID</literal> wildcard may
severely cripple servers if the client or server has a
@@ -1599,13 +1303,11 @@ sendmail : PARANOID : deny</programlisting>
</caution>
<para>To learn more about wildcards and their associated
- functionality, see the &man.hosts.access.5; manual
- page.</para>
+ functionality, refer to &man.hosts.access.5;.</para>
<para>Before any of the specific configuration lines above
will work, the first configuration line should be commented
- out in <filename>hosts.allow</filename>. This was noted at
- the beginning of this section.</para>
+ out in <filename>hosts.allow</filename>.</para>
</sect3>
</sect2>
</sect1>
@@ -1632,52 +1334,47 @@ sendmail : PARANOID : deny</programlisting>
<para><application>Kerberos</application> is a network add-on
system/protocol that allows users to authenticate themselves
- through the services of a secure server. Services such as
- remote login, remote copy, secure inter-system file copying and
- other high-risk tasks are made considerably safer and more
- controllable.</para>
-
- <para><application>Kerberos</application> can be described as an
+ through the services of a secure server.
+ <application>Kerberos</application> can be described as an
identity-verifying proxy system. It can also be described as a
- trusted third-party authentication system.
- <application>Kerberos</application> provides only one function
- — the secure authentication of users on the network. It
- does not provide authorization functions (what users are allowed
- to do) or auditing functions (what those users did). After a
- client and server have used <application>Kerberos</application>
- to prove their identity, they can also encrypt all of their
- communications to assure privacy and data integrity as they go
- about their business.</para>
+ trusted third-party authentication system. After a user
+ authenticates with <application>Kerberos</application>, their
+ communications can be encrypted to assure privacy and data
+ integrity.</para>
- <para>Therefore it is highly recommended that
- <application>Kerberos</application> be used with other security
- methods which provide authorization and audit services.</para>
+ <para>The only function of <application>Kerberos</application> is
+ to provide the secure authentication of users on the network.
+ It does not provide authorization functions (what users are
+ allowed to do) or auditing functions (what those users did). It
+ is recommended that <application>Kerberos</application> be used
+ with other security methods which provide authorization and
+ audit services.</para>
- <para>The following instructions can be used as a guide on how to
- set up <application>Kerberos</application> as distributed for
- &os;. However, you should refer to the relevant manual pages
- for a complete description.</para>
+ <para>This section provides a guide on how to set up
+ <application>Kerberos</application> as distributed for &os;.
+ Refer to the relevant manual pages for more complete
+ descriptions.</para>
<para>For purposes of demonstrating a
<application>Kerberos</application> installation, the various
- name spaces will be handled as follows:</para>
+ name spaces will be as follows:</para>
<itemizedlist>
<listitem>
<para>The <acronym>DNS</acronym> domain (<quote>zone</quote>)
- will be example.org.</para>
+ will be <hostid role="fqdn">example.org</hostid>.</para>
</listitem>
<listitem>
<para>The <application>Kerberos</application> realm will be
- EXAMPLE.ORG.</para>
+ <literal>EXAMPLE.ORG</literal>.</para>
</listitem>
</itemizedlist>
<note>
- <para>Please use real domain names when setting up
- <application>Kerberos</application> even if you intend to run
- it internally. This avoids <acronym>DNS</acronym> problems
+ <para>Use real domain names when setting up
+ <application>Kerberos</application> even if it will run
+ internally. This avoids <acronym>DNS</acronym> problems
and assures inter-operation with other
<application>Kerberos</application> realms.</para>
</note>
@@ -1699,9 +1396,9 @@ sendmail : PARANOID : deny</programlisting>
<para><application>Kerberos</application> is both the name of a
network authentication protocol and an adjective to describe
- programs that implement the program
- (<application>Kerberos</application> telnet, for example).
- The current version of the protocol is version 5, described in
+ programs that implement it, such as
+ <application>Kerberos</application> telnet. The current
+ version of the protocol is version 5, described in
<acronym>RFC</acronym> 1510.</para>
<para>Several free implementations of this protocol are
@@ -1711,24 +1408,22 @@ sendmail : PARANOID : deny</programlisting>
<application>Kerberos</application> was originally developed,
continues to develop their <application>Kerberos</application>
package. It is commonly used in the <acronym>US</acronym> as
- a cryptography product, as such it has historically been
- affected by <acronym>US</acronym> export regulations. The
+ a cryptography product, and has historically been affected by
+ <acronym>US</acronym> export regulations. The
<acronym>MIT</acronym> <application>Kerberos</application> is
- available as a port (<filename
- role="package">security/krb5</filename>). Heimdal
- <application>Kerberos</application> is another version 5
- implementation, and was explicitly developed outside of the
- <acronym>US</acronym> to avoid export regulations (and is thus
- often included in non-commercial &unix; variants). The
+ available as the <filename
+ role="package">security/krb5</filename> package or port.
+ Heimdal <application>Kerberos</application> is another version
+ 5 implementation, and was explicitly developed outside of the
+ <acronym>US</acronym> to avoid export regulations. The
Heimdal <application>Kerberos</application> distribution is
- available as a port (<filename
- role="package">security/heimdal</filename>), and a minimal
- installation of it is included in the base &os;
+ available as a the <filename
+ role="package">security/heimdal</filename> package or port,
+ and a minimal installation is included in the base &os;
install.</para>
- <para>In order to reach the widest audience, these instructions
- assume the use of the Heimdal distribution included in
- &os;.</para>
+ <para>These instructions assume the use of the Heimdal
+ distribution included in &os;.</para>
</sect2>
<sect2>
@@ -1741,30 +1436,28 @@ sendmail : PARANOID : deny</programlisting>
<para>The Key Distribution Center (<acronym>KDC</acronym>) is
the centralized authentication service that
- <application>Kerberos</application> provides — it is the
+ <application>Kerberos</application> provides. It is the
computer that issues <application>Kerberos</application>
tickets. The <acronym>KDC</acronym> is considered
<quote>trusted</quote> by all other computers in the
<application>Kerberos</application> realm, and thus has
heightened security concerns.</para>
- <para>Note that while running the
- <application>Kerberos</application> server requires very few
- computing resources, a dedicated machine acting only as a
- <acronym>KDC</acronym> is recommended for security
- reasons.</para>
+ <para>While running the <application>Kerberos</application>
+ server requires very few computing resources, a dedicated
+ machine acting only as a <acronym>KDC</acronym> is recommended
+ for security reasons.</para>
<para>To begin setting up a <acronym>KDC</acronym>, ensure that
- your <filename>/etc/rc.conf</filename> file contains the
- correct settings to act as a <acronym>KDC</acronym> (you may
- need to adjust paths to reflect your own system):</para>
+ <filename>/etc/rc.conf</filename> contains the correct
+ settings to act as a <acronym>KDC</acronym>. As required,
+ adjust paths to reflect the system:</para>
<programlisting>kerberos5_server_enable="YES"
kadmind5_server_enable="YES"</programlisting>
- <para>Next we will set up your
- <application>Kerberos</application> config file,
- <filename>/etc/krb5.conf</filename>:</para>
+ <para>Next, edit <filename>/etc/krb5.conf</filename> as
+ follows:</para>
<programlisting>[libdefaults]
default_realm = EXAMPLE.ORG
@@ -1776,24 +1469,22 @@ kadmind5_server_enable="YES"</programlisting>
[domain_realm]
.example.org = EXAMPLE.ORG</programlisting>
- <para>Note that this <filename>/etc/krb5.conf</filename> file
- implies that your <acronym>KDC</acronym> will have the
- fully-qualified hostname of <hostid
- role="fqdn">kerberos.example.org</hostid>. You will need to
- add a CNAME (alias) entry to your zone file to accomplish this
- if your <acronym>KDC</acronym> has a different
- hostname.</para>
+ <para>This <filename>/etc/krb5.conf</filename> implies that the
+ <acronym>KDC</acronym> will use the fully-qualified hostname
+ <hostid role="fqdn">kerberos.example.org</hostid>. Add a
+ CNAME (alias) entry to the zone file to accomplish this
+ if the <acronym>KDC</acronym> has a different hostname.</para>
<note>
<para>For large networks with a properly configured
- <acronym>BIND</acronym> <acronym>DNS</acronym> server, the
- above example could be trimmed to:</para>
+ <acronym>DNS</acronym> server, the above example could be
+ trimmed to:</para>
<programlisting>[libdefaults]
default_realm = EXAMPLE.ORG</programlisting>
<para>With the following lines being appended to the
- <hostid role="fqdn">example.org</hostid> zonefile:</para>
+ <hostid role="fqdn">example.org</hostid> zone file:</para>
<programlisting>_kerberos._udp IN SRV 01 00 88 kerberos.example.org.
_kerberos._tcp IN SRV 01 00 88 kerberos.example.org.
@@ -1804,7 +1495,7 @@ _kerberos IN TXT EXAMPLE.ORG</programlisting>
<note>
<para>For clients to be able to find the
- <application>Kerberos</application> services, you
+ <application>Kerberos</application> services, it
<emphasis>must</emphasis> have either a fully configured
<filename>/etc/krb5.conf</filename> or a minimally
configured <filename>/etc/krb5.conf</filename>
@@ -1812,34 +1503,27 @@ _kerberos IN TXT EXAMPLE.ORG</programlisting>
server.</para>
</note>
- <para>Next we will create the
- <application>Kerberos</application> database. This database
- contains the keys of all principals encrypted with a master
- password. You are not required to remember this password, it
- will be stored in a file
- (<filename>/var/heimdal/m-key</filename>). To create the
- master key, run <command>kstash</command> and enter a
- password.</para>
+ <para>Next, create the <application>Kerberos</application>
+ database which contains the keys of all principals encrypted
+ with a master password. It is not required to remember this
+ password as it will be stored in
+ <filename>/var/heimdal/m-key</filename>. To create the
+ master key, run &man.kstash.8; and enter a password.</para>
- <para>Once the master key has been created, you can initialize
- the database using the <command>kadmin</command> program with
- the <literal>-l</literal> option (standing for
- <quote>local</quote>). This option instructs
- <command>kadmin</command> to modify the database files
- directly rather than going through the
- <command>kadmind</command> network service. This handles the
- chicken-and-egg problem of trying to connect to the database
- before it is created. Once you have the
- <command>kadmin</command> prompt, use the
- <command>init</command> command to create your realms initial
- database.</para>
+ <para>Once the master key has been created, initialize the
+ database using <command>kadmin -l</command>. This option
+ instructs &man.kadmin.8; to modify the local database files
+ directly rather than going through the &man.kadmind.8; network
+ service. This handles the chicken-and-egg problem of trying
+ to connect to the database before it is created. At the
+ &man.kadmin.8; prompt, use <command>init</command> to create
+ the realm's initial database.</para>
- <para>Lastly, while still in <command>kadmin</command>, create
- your first principal using the <command>add</command> command.
- Stick to the defaults options for the principal for now, you
- can always change them later with the
- <command>modify</command> command. Note that you can use the
- <literal>?</literal> command at any prompt to see the
+ <para>Lastly, while still in &man.kadmin.8;, create the first
+ principal using <command>add</command>. Stick to the default
+ options for the principal for now, as these can be changed
+ later with <command>modify</command>. Type
+ <literal>?</literal> at the &man.kadmin.8; prompt to see the
available options.</para>
<para>A sample database creation session is shown below:</para>
@@ -1858,13 +1542,13 @@ Attributes []:
Password: <userinput>xxxxxxxx</userinput>
Verifying password - Password: <userinput>xxxxxxxx</userinput></screen>
- <para>Now it is time to start up the <acronym>KDC</acronym>
- services. Run <command>service kerberos start</command> and
+ <para>Next, start the <acronym>KDC</acronym> services. Run
+ <command>service kerberos start</command> and
<command>service kadmind start</command> to bring up the
- services. Note that you will not have any kerberized daemons
- running at this point but you should be able to confirm that
- the <acronym>KDC</acronym> is functioning by obtaining and
- listing a ticket for the principal (user) that you just
+ services. While there will not be any kerberized daemons
+ running at this point, it is possible to confirm that the
+ <acronym>KDC</acronym> is functioning by obtaining and
+ listing a ticket for the principal (user) that was just
created from the command-line of the <acronym>KDC</acronym>
itself:</para>
@@ -1878,8 +1562,7 @@ Credentials cache: FILE:<filename>/tmp/krb5cc_500</filename>
Issued Expires Principal
Aug 27 15:37:58 Aug 28 01:37:58 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG</screen>
- <para>The ticket can then be revoked when you have
- finished:</para>
+ <para>The ticket can then be revoked when finished:</para>
<screen>&prompt.user; <userinput>kdestroy</userinput></screen>
</sect2>
@@ -1893,55 +1576,46 @@ Aug 27 15:37:58 Aug 28 01:37:58 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG</screen>
<secondary>enabling services</secondary>
</indexterm>
- <para>First, we need a copy of the
- <application>Kerberos</application> configuration file,
- <filename>/etc/krb5.conf</filename>. To do so, simply copy
- it over to the client computer from the
- <acronym>KDC</acronym> in a secure fashion (using network
- utilities, such as &man.scp.1;, or physically via a floppy
- disk).</para>
+ <para>First, copy
+ <filename>/etc/krb5.conf</filename> from the
+ <acronym>KDC</acronym> to the client computer in a secure
+ fashion, such as &man.scp.1;, or physically via a removable
+ media.</para>
- <para>Next you need a <filename>/etc/krb5.keytab</filename>
- file. This is the major difference between a server
- providing <application>Kerberos</application> enabled
- daemons and a workstation — the server must have a
- <filename>keytab</filename> file. This file contains the
+ <para>Next, create <filename>/etc/krb5.keytab</filename>.
+ This is the major difference between a server providing
+ <application>Kerberos</application> enabled daemons and a
+ workstation: the server must have a
+ <filename>keytab</filename>. This file contains the
server's host key, which allows it and the
<acronym>KDC</acronym> to verify each others identity. It
must be transmitted to the server in a secure fashion, as
the security of the server can be broken if the key is made
- public. This explicitly means that transferring it via a
- clear text channel, such as <acronym>FTP</acronym>, is a
- very bad idea.</para>
+ public.</para>
- <para>Typically, you transfer the <filename>keytab</filename>
- to the server using the <command>kadmin</command> program.
- This is handy because you also need to create the host
- principal (the <acronym>KDC</acronym> end of the
- <filename>krb5.keytab</filename>) using
- <command>kadmin</command>.</para>
+ <para>Typically, the <filename>keytab</filename> is transferred
+ to the server using &man.kadmin.8;. This is handy because the
+ host principal, the <acronym>KDC</acronym> end of the
+ <filename>krb5.keytab</filename>, is also created using
+ &man.kadmin.8;.</para>
- <para>Note that you must have already obtained a ticket and
- that this ticket must be allowed to use the
- <command>kadmin</command> interface in the
+ <para>A ticket must already be obtained and this ticket must be
+ allowed to use the &man.kadmin.8; interface in the
<filename>kadmind.acl</filename>. See the section titled
- <quote>Remote administration</quote> in the Heimdal info
- pages (<command>info heimdal</command>) for details on
- designing access control lists. If you do not want to
- enable remote <command>kadmin</command> access, you can
- simply securely connect to the <acronym>KDC</acronym> (via
- local console, &man.ssh.1; or
- <application>Kerberos</application> &man.telnet.1;) and
- perform administration locally using
+ <quote>Remote administration</quote> in<command>info
+ heimdal</command> for details on designing access control
+ lists. Instead of enabling remote &man.kadmin.8; access, the
+ administrator can securely connect to the
+ <acronym>KDC</acronym> via the local console or &man.ssh.1;,
+ and perform administration locally using
<command>kadmin -l</command>.</para>
- <para>After installing the <filename>/etc/krb5.conf</filename>
- file, you can use <command>kadmin</command> from the
- <application>Kerberos</application> server. The
- <command>add --random-key</command> command will let you add
- the server's host principal, and the <command>ext</command>
- command will allow you to extract the server's host
- principal to its own keytab. For example:</para>
+ <para>After installing <filename>/etc/krb5.conf</filename>,
+ use <command>add --random-key</command> from the
+ <application>Kerberos</application> server. This adds
+ the server's host principal. Then, use <command>ext</command>
+ to extract the server's host principal to its own keytab. For
+ example:</para>
<screen>&prompt.root; <userinput>kadmin</userinput>
kadmin><userinput> add --random-key host/myserver.example.org</userinput>
@@ -1951,47 +1625,42 @@ Attributes []:
kadmin><userinput> ext host/myserver.example.org</userinput>
kadmin><userinput> exit</userinput></screen>
- <para>Note that the <command>ext</command> command (short for
- <quote>extract</quote>) stores the extracted key in
- <filename>/etc/krb5.keytab</filename> by default.</para>
+ <para>Note that <command>ext</command> stores the extracted key
+ in <filename>/etc/krb5.keytab</filename> by default.</para>
- <para>If you do not have <command>kadmind</command> running on
- the <acronym>KDC</acronym> (possibly for security reasons)
- and thus do not have access to <command>kadmin</command>
- remotely, you can add the host principal
+ <para>If &man.kadmind.8; is not running on the
+ <acronym>KDC</acronym> and there is no access to
+ &man.kadmin.8; remotely, add the host principal
(<username>host/myserver.EXAMPLE.ORG</username>) directly on
the <acronym>KDC</acronym> and then extract it to a
- temporary file (to avoid over-writing the
+ temporary file to avoid overwriting the
<filename>/etc/krb5.keytab</filename> on the
- <acronym>KDC</acronym>) using something like this:</para>
+ <acronym>KDC</acronym>, using something like this:</para>
<screen>&prompt.root; <userinput>kadmin</userinput>
kadmin><userinput> ext --keytab=/tmp/example.keytab host/myserver.example.org</userinput>
kadmin><userinput> exit</userinput></screen>
- <para>You can then securely copy the keytab to the server
- computer (using <command>scp</command> or a floppy, for
- example). Be sure to specify a non-default keytab name to
- avoid over-writing the keytab on the
+ <para>The keytab can then be securely copied to the server
+ using &man.scp.1; or a removable media. Be sure to specify a
+ non-default keytab name to avoid overwriting the keytab on the
<acronym>KDC</acronym>.</para>
- <para>At this point your server can communicate with the
- <acronym>KDC</acronym> (due to its
- <filename>krb5.conf</filename> file) and it can prove its
- own identity (due to the <filename>krb5.keytab</filename>
- file). It is now ready for you to enable some
- <application>Kerberos</application> services. For this
- example we will enable the <command>telnet</command> service
- by putting a line like this into your
- <filename>/etc/inetd.conf</filename> and then restarting the
- &man.inetd.8; service with <command>service inetd
+ <para>At this point, the server can communicate with the
+ <acronym>KDC</acronym> using
+ <filename>krb5.conf</filename> and it can prove its
+ own identity with <filename>krb5.keytab</filename>. It is now
+ ready for the <application>Kerberos</application> services to
+ be enabled. For this example, the &man.telnetd.8; service
+ is enabled in <filename>/etc/inetd.conf</filename> and
+ &man.inetd.8; has been restarted with <command>service inetd
restart</command>:</para>
<programlisting>telnet stream tcp nowait root /usr/libexec/telnetd telnetd -a user</programlisting>
- <para>The critical bit is that the <command>-a</command> (for
- authentication) type is set to user. Consult the
- &man.telnetd.8; manual page for more details.</para>
+ <para>The critical change is that the <option>-a</option>
+ authentication type is set to user. Refer to &man.telnetd.8;
+ for more details.</para>
</sect2>
<sect2>
@@ -2003,44 +1672,35 @@ kadmin><userinput> exit</userinput></screen>
<secondary>configure clients</secondary>
</indexterm>
- <para>Setting up a client computer is almost trivially easy.
- As far as <application>Kerberos</application> configuration
- goes, you only need the <application>Kerberos</application>
- configuration file, located at
- <filename>/etc/krb5.conf</filename>. Simply securely copy
- it over to the client computer from the
+ <para>Setting up a client computer is easy as only
+ <filename>/etc/krb5.conf</filename> is needed. Securely copy
+ this file over to the client computer from the
<acronym>KDC</acronym>.</para>
- <para>Test your client computer by attempting to use
- <command>kinit</command>, <command>klist</command>, and
- <command>kdestroy</command> from the client to obtain, show,
- and then delete a ticket for the principal you created
- above. You should also be able to use
- <application>Kerberos</application> applications to connect
- to <application>Kerberos</application> enabled servers,
- though if that does not work and obtaining a ticket does the
- problem is likely with the server and not with the client or
- the <acronym>KDC</acronym>.</para>
+ <para>Test the client by attempting to use &man.kinit.1;,
+ &man.klist.1;, and &man.kdestroy.1; from the client to obtain,
+ show, and then delete a ticket for the principal created
+ above. <application>Kerberos</application> applications
+ should also be able to connect to
+ <application>Kerberos</application> enabled servers. If that
+ does not work but obtaining a ticket does, the problem is
+ likely with the server and not with the client or the
+ <acronym>KDC</acronym>.</para>
- <para>When testing an application like
- <command>telnet</command>, try using a packet sniffer (such
- as &man.tcpdump.1;) to confirm that your password is not
- sent in the clear. Try using <command>telnet</command> with
- the <literal>-x</literal> option, which encrypts the entire
- data stream (similar to <command>ssh</command>).</para>
+ <para>When testing a Kerberized application, try using a packet
+ sniffer such as &man.tcpdump.1; to confirm that the password
+ is not sent in the clear.</para>
<para>Various non-core <application>Kerberos</application>
- client applications are also installed by default. This is
- where the <quote>minimal</quote> nature of the base Heimdal
- installation is felt: <command>telnet</command> is the only
+ client applications are available. The <quote>minimal</quote>
+ installation in &os; installs &man.telnetd.8; as the only
<application>Kerberos</application> enabled service.</para>
- <para>The Heimdal port adds some of the missing client
- applications: <application>Kerberos</application> enabled
- versions of <command>ftp</command>, <command>rsh</command>,
- <command>rcp</command>, <command>rlogin</command>, and a few
- other less common programs. The <acronym>MIT</acronym> port
- also contains a full suite of
+ <para>The Heimdal port installs
+ <application>Kerberos</application> enabled versions of
+ &man.ftpd.8;, &man.rshd.8;, &man.rcp.1;, &man.rlogind.8;, and
+ a few other less common programs. The <acronym>MIT</acronym>
+ port also contains a full suite of
<application>Kerberos</application> client
applications.</para>
</sect2>
@@ -2058,40 +1718,29 @@ kadmin><userinput> exit</userinput></screen>
</indexterm>
<para>Users within a realm typically have their
- <application>Kerberos</application> principal (such as
- <username>tillman@EXAMPLE.ORG</username>) mapped to a local
- user account (such as a local account named
- <username>tillman</username>). Client applications such as
- <command>telnet</command> usually do not require a user name
- or a principal.</para>
-
- <para>Occasionally, however, you want to grant access to a
- local user account to someone who does not have a matching
- <application>Kerberos</application> principal. For example,
- <username>tillman@EXAMPLE.ORG</username> may need access to
- the local user account <username>webdevelopers</username>.
- Other principals may also need access to that local
- account.</para>
+ <application>Kerberos</application> principal mapped to a
+ local user account. Occasionally, one needs to grant access
+ to a local user account to someone who does not have a
+ matching <application>Kerberos</application> principal. For
+ example, <username>tillman@EXAMPLE.ORG</username> may need
+ access to the local user account
+ <username>webdevelopers</username>. Other principals may also
+ need access to that local account.</para>
<para>The <filename>.k5login</filename> and
- <filename>.k5users</filename> files, placed in a users home
- directory, can be used similar to a powerful combination of
- <filename>.hosts</filename> and
- <filename>.rhosts</filename>, solving this problem. For
- example, if a <filename>.k5login</filename> with the
- following contents:</para>
+ <filename>.k5users</filename> files, placed in a user's home
+ directory, can be used to solve this problem. For example, if
+ <filename>.k5login</filename> with the following contents is
+ placed in the home directory of
+ <username>webdevelopers</username>, both principals listed
+ will have access to that account without requiring a shared
+ password.:</para>
<screen>tillman@example.org
jdoe@example.org</screen>
- <para>Were to be placed into the home directory of the local
- user <username>webdevelopers</username> then both principals
- listed would have access to that account without requiring a
- shared password.</para>
-
- <para>Reading the manual pages for these commands is
- recommended. Note that the <command>ksu</command> manual
- page covers <filename>.k5users</filename>.</para>
+ <para>Refer to &man.ksu.1; for more information about
+ <filename>.k5users</filename>.</para>
</sect2>
<sect2>
@@ -2107,135 +1756,123 @@ jdoe@example.org</screen>
<listitem>
<para>When using either the Heimdal or
<acronym>MIT</acronym>
- <application>Kerberos</application> ports ensure that
- your <envar>PATH</envar> environment variable lists the
+ <application>Kerberos</application> ports, ensure that
+ the <envar>PATH</envar> lists the
<application>Kerberos</application> versions of the
client applications before the system versions.</para>
</listitem>
<listitem>
- <para>Do all the computers in your realm have synchronized
- time settings? If not, authentication may fail.
+ <para>If all the computers in the realm do not have
+ synchronized time settings, authentication may fail.
<xref linkend="network-ntp"/> describes how to synchronize
clocks using <acronym>NTP</acronym>.</para>
</listitem>
<listitem>
- <para><acronym>MIT</acronym> and Heimdal inter-operate
- nicely. Except for <command>kadmin</command>, the
- protocol for which is not standardized.</para>
+ <para><acronym>MIT</acronym> and Heimdal interoperate
+ except for &man.kadmin.8;, which is not
+ standardized.</para>
</listitem>
<listitem>
- <para>If you change your hostname, you also need to change
- your <username>host/</username> principal and update
- your keytab. This also applies to special keytab
+ <para>If the hostname is changed, the
+ <username>host/</username> principal must be changed and
+ the keytab updated. This also applies to special keytab
entries like the <username>www/</username> principal
- used for Apache's
- <filename
+ used for Apache's <filename
role="package">www/mod_auth_kerb</filename>.</para>
</listitem>
<listitem>
- <para>All hosts in your realm must be resolvable (both
- forwards and reverse) in <acronym>DNS</acronym> (or
- <filename>/etc/hosts</filename> as a minimum). CNAMEs
+ <para>All hosts in the realm must be both forward and
+ reverse resolvable in <acronym>DNS</acronym> or, at a
+ minimum, in <filename>/etc/hosts</filename>. CNAMEs
will work, but the A and PTR records must be correct and
- in place. The error message is not very intuitive:
- <errorname>Kerberos5 refuses authentication because Read
- req failed: Key table entry not
+ in place. The error message for unresolvable hosts is not
+ intuitive: <errorname>Kerberos5 refuses authentication
+ because Read req failed: Key table entry not
found</errorname>.</para>
</listitem>
<listitem>
- <para>Some operating systems that may being acting as
- clients to your <acronym>KDC</acronym> do not set the
- permissions for <command>ksu</command> to be setuid
- <username>root</username>. This means that
- <command>ksu</command> does not work, which is a good
- security idea but annoying. This is not a
+ <para>Some operating systems that act as clients to the
+ <acronym>KDC</acronym> do not set the permissions for
+ &man.ksu.1; to be setuid <username>root</username>. This
+ means that &man.ksu.1; does not work. This is not a
<acronym>KDC</acronym> error.</para>
</listitem>
<listitem>
<para>With <acronym>MIT</acronym>
- <application>Kerberos</application>, if you want to
- allow a principal to have a ticket life longer than the
- default ten hours, you must use
- <command>modify_principal</command> in
- <command>kadmin</command> to change the maxlife of both
- the principal in question and the
+ <application>Kerberos</application>, in order to allow a
+ principal to have a ticket life longer than the default
+ ten hours, use <command>modify_principal</command> at the
+ &man.kadmin.8; prompt to change the maxlife of both the
+ principal in question and the
<username>krbtgt</username> principal. Then the
- principal can use the <literal>-l</literal> option with
- <command>kinit</command> to request a ticket with a
- longer lifetime.</para>
+ principal can use <command>kinit -l</command> to request a
+ ticket with a longer lifetime.</para>
</listitem>
<listitem>
<note>
- <para>If you run a packet sniffer on your
- <acronym>KDC</acronym> to add in troubleshooting and
- then run <command>kinit</command> from a workstation,
- you will notice that your <acronym>TGT</acronym> is
- sent immediately upon running <command>kinit</command>
- — even before you type your password! The
- explanation is that the
+ <para>When running a packet sniffer on the
+ <acronym>KDC</acronym> to aid in troubleshooting while
+ running &man.kinit.1; from a workstation, the Ticket
+ Granting Ticket (<acronym>TGT</acronym>) is sent
+ immediately upon running &man.kinit.1;, even before the
+ password is typed. This is because the
<application>Kerberos</application> server freely
- transmits a <acronym>TGT</acronym> (Ticket Granting
- Ticket) to any unauthorized request; however, every
- <acronym>TGT</acronym> is encrypted in a key derived
- from the user's password. Therefore, when a user
- types their password it is not being sent to the
- <acronym>KDC</acronym>, it is being used to decrypt
- the <acronym>TGT</acronym> that
- <command>kinit</command> already obtained. If the
- decryption process results in a valid ticket with a
- valid time stamp, the user has valid
+ transmits a <acronym>TGT</acronym> to any unauthorized
+ request. However, every <acronym>TGT</acronym> is
+ encrypted in a key derived from the user's password.
+ When a user types their password, it is not sent to the
+ <acronym>KDC</acronym>, it is instead used to decrypt
+ the <acronym>TGT</acronym> that &man.kinit.1; already
+ obtained. If the decryption process results in a valid
+ ticket with a valid time stamp, the user has valid
<application>Kerberos</application> credentials.
These credentials include a session key for
establishing secure communications with the
<application>Kerberos</application> server in the
- future, as well as the actual ticket-granting ticket,
- which is actually encrypted with the
+ future, as well as the actual <acronym>TGT</acronym>,
+ which is encrypted with the
<application>Kerberos</application> server's own key.
- This second layer of encryption is unknown to the
- user, but it is what allows the
+ This second layer of encryption allows the
<application>Kerberos</application> server to verify
- the authenticity of each
- <acronym>TGT</acronym>.</para>
+ the authenticity of each <acronym>TGT</acronym>.</para>
</note>
</listitem>
<listitem>
- <para>If you want to use long ticket lifetimes (a week,
- for example) and you are using
- <application>OpenSSH</application> to connect to the
- machine where your ticket is stored, make sure that
+ <para>To use long ticket lifetimes, such as a week, when
+ using <application>OpenSSH</application> to connect to the
+ machine where the ticket is stored, make sure that
<application>Kerberos</application>
<option>TicketCleanup</option> is set to
- <literal>no</literal> in your
- <filename>sshd_config</filename> or else your tickets
- will be deleted when you log out.</para>
+ <literal>no</literal> in
+ <filename>sshd_config</filename> or else tickets will be
+ deleted at log out.</para>
</listitem>
<listitem>
- <para>Remember that host principals can have a longer
- ticket lifetime as well. If your user principal has a
- lifetime of a week but the host you are connecting to
- has a lifetime of nine hours, you will have an expired
- host principal in your cache and the ticket cache will
- not work as expected.</para>
+ <para>Host principals can have a longer ticket lifetime. If
+ the user principal has a lifetime of a week but the host
+ being connected to has a lifetime of nine hours, the user
+ cache will have an expired host principal and the ticket
+ cache will not work as expected.</para>
</listitem>
<listitem>
- <para>When setting up a <filename>krb5.dict</filename>
- file to prevent specific bad passwords from being used
- (the manual page for <command>kadmind</command> covers
- this briefly), remember that it only applies to
- principals that have a password policy assigned to them.
- The <filename>krb5.dict</filename> files format is
- simple: one string per line. Creating a symbolic link
- to <filename>/usr/share/dict/words</filename> might be
+ <para>When setting up <filename>krb5.dict</filename> to
+ prevent specific bad passwords from being used as
+ described in &man.kadmind.8;, remember that it only
+ applies to principals that have a password policy assigned
+ to them. The format used in
+ <filename>krb5.dict</filename> is one string per line.
+ Creating a symbolic link to
+ <filename>/usr/share/dict/words</filename> might be
useful.</para>
</listitem>
</itemizedlist>
@@ -2245,46 +1882,41 @@ jdoe@example.org</screen>
<title>Differences with the <acronym>MIT</acronym>
Port</title>
- <para>The major difference between the <acronym>MIT</acronym>
- and Heimdal installs relates to the
- <command>kadmin</command> program which has a different (but
- equivalent) set of commands and uses a different protocol.
- This has a large implications if your <acronym>KDC</acronym>
- is <acronym>MIT</acronym> as you will not be able to use the
- Heimdal <command>kadmin</command> program to administer your
- <acronym>KDC</acronym> remotely (or vice versa, for that
- matter).</para>
+ <para>The major difference between <acronym>MIT</acronym> and
+ Heimdal relates to &man.kadmin.8; which has a different, but
+ equivalent, set of commands and uses a different protocol.
+ If the <acronym>KDC</acronym> is <acronym>MIT</acronym>, the
+ Heimdal version of &man.kadmin.8; cannot be used to administer
+ the <acronym>KDC</acronym> remotely, and vice versa.</para>
- <para>The client applications may also take slightly different
+ <para>The client applications may also use slightly different
command line options to accomplish the same tasks.
Following the instructions on the <acronym>MIT</acronym>
- <application>Kerberos</application> web site
- (<ulink url="http://web.mit.edu/Kerberos/www/"></ulink>) is
+ <application>Kerberos</application> <ulink
+ url="http://web.mit.edu/Kerberos/www/">web site</ulink> is
recommended. Be careful of path issues: the
- <acronym>MIT</acronym> port installs into
- <filename class="directory">/usr/local/</filename> by default,
- and the <quote>normal</quote> system applications may be run
- instead of <acronym>MIT</acronym> if your
- <envar>PATH</envar> environment variable lists the system
- directories first.</para>
+ <acronym>MIT</acronym> port installs into <filename
+ class="directory">/usr/local/</filename> by default, and the
+ <quote>normal</quote> system applications run instead of
+ <acronym>MIT</acronym> versions if <envar>PATH</envar> lists
+ the system directories first.</para>
<note>
- <para>With the <acronym>MIT</acronym>
- <filename role="package">security/krb5</filename> port that
- is provided by &os;, be sure to read the
+ <para>With the &os; <acronym>MIT</acronym> <filename
+ role="package">security/krb5</filename> port, be sure to
+ read
<filename>/usr/local/share/doc/krb5/README.FreeBSD</filename>
- file installed by the port if you want to understand why
- logins via <command>telnetd</command> and
- <command>klogind</command> behave somewhat oddly. Most
- importantly, correcting the <quote>incorrect permissions on
- cache file</quote> behavior requires that the
+ installed by the port to understand why logins via
+ &man.telnetd.8; and <command>klogind</command> behave
+ somewhat oddly. Correcting the <quote>incorrect permissions
+ on cache file</quote> behavior requires that the
<command>login.krb5</command> binary be used for
authentication so that it can properly change ownership for
the forwarded credentials.</para>
</note>
- <para>The <filename>rc.conf</filename> must also be modified
- to contain the following configuration:</para>
+ <para>The following edits should also be made to
+ <filename>rc.conf</filename>:</para>
<programlisting>kerberos5_server="/usr/local/sbin/krb5kdc"
kadmind5_server="/usr/local/sbin/kadmind"
@@ -2292,7 +1924,7 @@ kerberos5_server_enable="YES"
kadmind5_server_enable="YES"</programlisting>
<para>This is done because the applications for
- <acronym>MIT</acronym> kerberos installs binaries in the
+ <acronym>MIT</acronym> Kerberos installs binaries in the
<filename class="directory">/usr/local</filename>
hierarchy.</para>
</sect2>
@@ -2308,17 +1940,16 @@ kadmind5_server_enable="YES"</programlisting>
<sect3>
<title><application>Kerberos</application> is an
- all-or-nothing approach</title>
+ All or Nothing Approach</title>
<para>Every service enabled on the network must be modified
- to work with <application>Kerberos</application> (or be
- otherwise secured against network attacks) or else the
- users credentials could be stolen and re-used. An example
+ to work with <application>Kerberos</application>, or be
+ otherwise secured against network attacks, or else the
+ user's credentials could be stolen and re-used. An example
of this would be <application>Kerberos</application>
- enabling all remote shells (via <command>rsh</command> and
- <command>telnet</command>, for example) but not converting
- the <acronym>POP3</acronym> mail server which sends
- passwords in plain text.</para>
+ enabling all remote shells but not converting the
+ <acronym>POP3</acronym> mail server which sends passwords in
+ plain text.</para>
</sect3>
<sect3>
@@ -2326,73 +1957,65 @@ kadmind5_server_enable="YES"</programlisting>
Single-User Workstations</title>
<para>In a multi-user environment,
- <application>Kerberos</application> is less secure.
- This is because it stores the tickets in the
- <filename class="directory">/tmp</filename> directory, which
- is readable by all users. If a user is sharing a computer
- with several other people simultaneously (i.e.
- multi-user), it is possible that the user's tickets can be
- stolen (copied) by another user.</para>
+ <application>Kerberos</application> is less secure. This is
+ because it stores the tickets in <filename
+ class="directory">/tmp</filename>, which is readable by
+ all users. If a user is sharing a computer with other
+ users, it is possible that the user's tickets can be stolen
+ or copied by another user.</para>
<para>This can be overcome with the <literal>-c</literal>
- filename command-line option or (preferably) the
- <envar>KRB5CCNAME</envar> environment variable, but this
- is rarely done. In principal, storing the ticket in the
- users home directory and using simple file permissions can
- mitigate this problem.</para>
+ command-line option or, preferably, the
+ <envar>KRB5CCNAME</envar> environment variable. Storing
+ the ticket in the user's home directory and using file
+ permissions are commonly used to mitigate this
+ problem.</para>
</sect3>
<sect3>
<title>The KDC is a Single Point of Failure</title>
- <para>By design, the <acronym>KDC</acronym> must be as
- secure as the master password database is contained on it.
- The <acronym>KDC</acronym> should have absolutely no other
- services running on it and should be physically secured.
- The danger is high because
+ <para>By design, the <acronym>KDC</acronym> must be as secure
+ as its master password database. The <acronym>KDC</acronym>
+ should have absolutely no other services running on it and
+ should be physically secure. The danger is high because
<application>Kerberos</application> stores all passwords
- encrypted with the same key (the <quote>master</quote>
- key), which in turn is stored as a file on the
- <acronym>KDC</acronym>.</para>
+ encrypted with the same <quote>master</quote> key which is
+ stored as a file on the <acronym>KDC</acronym>.</para>
- <para>As a side note, a compromised master key is not quite
- as bad as one might normally fear. The master key is only
- used to encrypt the <application>Kerberos</application>
- database and as a seed for the random number generator.
- As long as access to your <acronym>KDC</acronym> is
- secure, an attacker cannot do much with the master
- key.</para>
+ <para>A compromised master key is not quite as bad as one
+ might fear. The master key is only used to encrypt the
+ <application>Kerberos</application> database and as a seed
+ for the random number generator. As long as access to the
+ <acronym>KDC</acronym> is secure, an attacker cannot do much
+ with the master key.</para>
<para>Additionally, if the <acronym>KDC</acronym> is
- unavailable (perhaps due to a denial of service attack or
- network problems) the network services are unusable as
- authentication can not be performed, a recipe for a
- denial-of-service attack. This can alleviated with
- multiple <acronym>KDC</acronym>s (a single master and one
- or more slaves) and with careful implementation of
- secondary or fall-back authentication
- (<acronym>PAM</acronym> is excellent for this).</para>
+ unavailable, network services are unusable as authentication
+ cannot be performed. This can be alleviated with a single
+ master <acronym>KDC</acronym> and one or more slaves, and
+ with careful implementation of secondary or fall-back
+ authentication using <acronym>PAM</acronym>.</para>
</sect3>
<sect3>
<title><application>Kerberos</application>
Shortcomings</title>
- <para><application>Kerberos</application> allows users,
- hosts and services to authenticate between themselves. It
- does not have a mechanism to authenticate the
+ <para><application>Kerberos</application> allows users, hosts
+ and services to authenticate between themselves. It does
+ not have a mechanism to authenticate the
<acronym>KDC</acronym> to the users, hosts or services.
- This means that a trojanned <command>kinit</command> (for
- example) could record all user names and passwords.
- Something like
- <filename role="package">security/tripwire</filename> or
- other file system integrity checking tools can alleviate
+ This means that a trojanned &man.kinit.1; could record all
+ user names and passwords. Filesystem integrity checking
+ tools like <filename
+ role="package">security/tripwire</filename> can alleviate
this.</para>
</sect3>
</sect2>
<sect2>
- <title>Resources and further information</title>
+ <title>Resources and Further Information</title>
<indexterm>
<primary>Kerberos5</primary>
@@ -2455,31 +2078,29 @@ kadmind5_server_enable="YES"</programlisting>
<secondary>OpenSSL</secondary>
</indexterm>
- <para>One feature that many users overlook is the
- <application>OpenSSL</application> toolkit included in &os;.
- <application>OpenSSL</application> provides an encryption
- transport layer on top of the normal communications layer;
- thus allowing it to be intertwined with many network
- applications and services.</para>
+ <para>The
+ <application>OpenSSL</application> toolkit is included in &os;.
+ It provides an encryption transport layer on top of the normal
+ communications layer, allowing it to be intertwined with many
+ network applications and services.</para>
- <para>Some uses of <application>OpenSSL</application> may
- include encrypted authentication of mail clients, web based
- transactions such as credit card payments and more. Many
- ports such as
+ <para>Some uses of <application>OpenSSL</application> may include
+ encrypted authentication of mail clients and web based
+ transactions such as credit card payments. Many ports such as
<filename role="package">www/apache22</filename>, and
- <filename role="package">mail/claws-mail</filename> will offer
+ <filename role="package">mail/claws-mail</filename> offer
compilation support for building with
<application>OpenSSL</application>.</para>
<note>
- <para>In most cases the Ports Collection will attempt to build
+ <para>In most cases, the Ports Collection will attempt to build
the <filename role="package">security/openssl</filename>
- port unless the <makevar>WITH_OPENSSL_BASE</makevar> make
- variable is explicitly set to <quote>yes</quote>.</para>
+ port unless <makevar>WITH_OPENSSL_BASE</makevar> is explicitly
+ set to <quote>yes</quote>.</para>
</note>
<para>The version of <application>OpenSSL</application> included
- in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3),
+ in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and
Transport Layer Security v1 (TLSv1) network security protocols
and can be used as a general cryptographic library.</para>
@@ -2489,7 +2110,7 @@ kadmind5_server_enable="YES"</programlisting>
due to United States patents. To use it, the license should
be reviewed and, if the restrictions are acceptable, the
<makevar>MAKE_IDEA</makevar> variable must be set in
- <filename>make.conf</filename>.</para>
+ <filename>/etc/make.conf</filename>.</para>
</note>
<para>One of the most common uses of
@@ -2497,15 +2118,14 @@ kadmind5_server_enable="YES"</programlisting>
for use with software applications. These certificates ensure
that the credentials of the company or individual are valid
and not fraudulent. If the certificate in question has not
- been verified by one of the several <quote>Certificate
- Authorities</quote>, or <acronym>CA</acronym>s, a warning is
- usually produced. A Certificate Authority is a company, such
- as <ulink url="http://www.verisign.com">VeriSign</ulink>,
- which will sign certificates in order to validate credentials
- of individuals or companies. This process has a cost
- associated with it and is definitely not a requirement for
- using certificates; however, it can put some of the more
- paranoid users at ease.</para>
+ been verified by a <quote>Certificate Authority</quote>
+ (<acronym>CA</acronym>), a warning is produced. A
+ <acronym>CA</acronym> is a company, such as <ulink
+ url="http://www.verisign.com">VeriSign</ulink>, signs
+ certificates in order to validate the credentials of individuals
+ or companies. This process has a cost associated with it and is
+ not a requirement for using certificates; however, it can put
+ users at ease.</para>
<sect2>
<title>Generating Certificates</title>
@@ -2544,25 +2164,25 @@ to be sent with your certificate request
A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput>
An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen>
- <para>Notice the response directly after the
- <quote>Common Name</quote> prompt shows a domain name. This
- prompt requires a server name to be entered for verification
- purposes; placing anything but a domain name would yield a
- useless certificate. Other options, for instance expire
- time, alternate encryption algorithms, etc. are available.
- A complete list may be obtained by viewing the
- &man.openssl.1; manual page.</para>
+ <para>Notice the response directly after the <quote>Common
+ Name</quote> prompt shows a domain name. This prompt
+ requires a server name to be entered for verification
+ purposes and placing anything but a domain name yields a
+ useless certificate. Other options, such as the expire
+ time and alternate encryption algorithms, are available. A
+ complete list of options is described in
+ &man.openssl.1;.</para>
- <para>Two files should now exist in the directory in which the
- aforementioned command was issued. The certificate request,
- <filename>req.pem</filename>, may be sent to a certificate
- authority who will validate the credentials that you
- entered, sign the request and return the certificate to you.
- The second file created will be named
+ <para>Two files should now exist in the directory in which this
+ command was issued. The certificate request,
+ <filename>req.pem</filename>, may be sent to a
+ <acronym>CA</acronym> who will validate the entered
+ credentials, sign the request, and return the signed
+ certificate. The second file is named
<filename>cert.pem</filename> and is the private key for the
- certificate and should be protected at all costs; if this
+ certificate and should be protected at all costs. If this
falls in the hands of others it can be used to impersonate
- you (or your server).</para>
+ the user or the server.</para>
<para>In cases where a signature from a <acronym>CA</acronym>
is not required, a self signed certificate can be created.
@@ -2582,32 +2202,29 @@ An optional company name []:<userinput><replaceable>Another Name</replaceable></
certificate authority signature file,
<filename>myca.key</filename> and the certificate itself,
<filename>new.crt</filename>. These should be placed in a
- directory, preferably under
- <filename class="directory">/etc</filename>, which is readable
- only by <username>root</username>. Permissions of 0700 should
- be fine for this and they can be set with the
- <command>chmod</command> utility.</para>
+ directory, preferably under <filename
+ class="directory">/etc</filename>, which is readable only by
+ <username>root</username>. Permissions of 0700 are
+ appropriate and can be set using &man.chmod.1;.</para>
</sect2>
<sect2>
- <title>Using Certificates, an Example</title>
+ <title>Using Certificates</title>
- <para>So what can these files do? A good use would be to
- encrypt connections to the
+ <para>One use for a certificate is to encrypt connections to the
<application>Sendmail</application> <acronym>MTA</acronym>.
- This would dissolve the use of clear text authentication for
- users who send mail via the local
- <acronym>MTA</acronym>.</para>
+ This prevents the use of clear text authentication for users
+ who send mail via the local <acronym>MTA</acronym>.</para>
<note>
- <para>This is not the best use in the world as some
- <acronym>MUA</acronym>s will present the user with an
- error if they have not installed the certificate locally.
- Refer to the documentation included with the software for
- more information on certificate installation.</para>
+ <para>Some <acronym>MUA</acronym>s will display error if the
+ user has not installed the certificate locally. Refer to
+ the documentation included with the software for more
+ information on certificate installation.</para>
</note>
- <para>The following lines should be placed inside the local
+ <para>To configure <application>Sendmail</application>, the
+ following lines should be placed in the local
<filename>.mc</filename> file:</para>
<programlisting>dnl SSL Options
@@ -2617,24 +2234,24 @@ define(`confSERVER_CERT',`/etc/certs/new.crt')dnl
define(`confSERVER_KEY',`/etc/certs/myca.key')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl</programlisting>
- <para>Where <filename class="directory">/etc/certs/</filename>
- is the directory to be used for storing the certificate and
- key files locally. The last few requirements are a rebuild
- of the local <filename>.cf</filename> file. This is easily
- achieved by typing <command>make
- <maketarget>install</maketarget></command> within the
- <filename class="directory">/etc/mail</filename> directory.
+ <para>In this example, <filename
+ class="directory">/etc/certs/</filename>
+ stores the certificate and key files locally. After saving
+ the edits, rebuild the local <filename>.cf</filename> file by
+ typing
+ <command>make <maketarget>install</maketarget></command>
+ within <filename class="directory">/etc/mail</filename>.
Follow that up with <command>make
<maketarget>restart</maketarget></command> which should
start the <application>Sendmail</application> daemon.</para>
- <para>If all went well there will be no error messages in the
- <filename>/var/log/maillog</filename> file and
+ <para>If all went well, there will be no error messages in
+ <filename>/var/log/maillog</filename> and
<application>Sendmail</application> will show up in the
process list.</para>
- <para>For a simple test, simply connect to the mail server
- using the &man.telnet.1; utility:</para>
+ <para>For a simple test, connect to the mail server using
+ &man.telnet.1;:</para>
<screen>&prompt.root; <userinput>telnet <replaceable>example.com</replaceable> 25</userinput>
Trying 192.0.34.166...
@@ -2658,7 +2275,7 @@ Escape character is '^]'.
Connection closed by foreign host.</screen>
<para>If the <quote>STARTTLS</quote> line appears in the
- output then everything is working correctly.</para>
+ output, everything is working correctly.</para>
</sect2>
</sect1>
@@ -2676,15 +2293,12 @@ Connection closed by foreign host.</screen>
</authorgroup>
</sect1info>
- <title>VPN over IPsec</title>
+ <title><acronym>VPN</acronym> over IPsec</title>
<indexterm>
<primary>IPsec</primary>
</indexterm>
- <para>Creating a VPN between two networks, separated by the
- Internet, using FreeBSD gateways.</para>
-
<sect2>
<sect2info>
<authorgroup>
@@ -2701,18 +2315,16 @@ Connection closed by foreign host.</screen>
<title>Understanding IPsec</title>
- <para>This section will guide you through the process of
- setting up IPsec. In order to set up IPsec, it is necessary
- that you are familiar with the concepts of building a custom
+ <para>This section demonstrates the process of setting up IPsec.
+ It assumes familiarity with the concepts of building a custom
kernel (see <xref linkend="kernelconfig"/>).</para>
<para><emphasis>IPsec</emphasis> is a protocol which sits on
- top of the Internet Protocol (IP) layer. It allows two or
- more hosts to communicate in a secure manner (hence the
- name). The FreeBSD IPsec <quote>network stack</quote> is
- based on the <ulink url="http://www.kame.net/">KAME</ulink>
- implementation, which has support for both protocol
- families, IPv4 and IPv6.</para>
+ top of the Internet Protocol (<acronym>IP</acronym>) layer.
+ It allows two or more hosts to communicate in a secure manner.
+ The &os; IPsec <quote>network stack</quote> is based on the
+ <ulink url="http://www.kame.net/">KAME</ulink> implementation,
+ which has support for both IPv4 and IPv6.</para>
<indexterm>
<primary>IPsec</primary>
@@ -2729,16 +2341,17 @@ Connection closed by foreign host.</screen>
<itemizedlist>
<listitem>
<para><emphasis>Encapsulated Security Payload
- ESP)</emphasis>, protects the IP packet data from
- third party interference, by encrypting the contents
- using symmetric cryptography algorithms (like Blowfish,
- 3DES).</para>
+ <acronym>ESP</acronym>)</emphasis>: this protocol
+ protects the IP packet data from third party interference
+ by encrypting the contents using symmetric cryptography
+ algorithms such as Blowfish and 3DES.</para>
</listitem>
<listitem>
- <para><emphasis>Authentication Header (AH)</emphasis>,
+ <para><emphasis>Authentication Header
+ (<acronym>AH</acronym>)</emphasis>: this protocol
protects the IP packet header from third party
- interference and spoofing, by computing a cryptographic
+ interference and spoofing by computing a cryptographic
checksum and hashing the IP packet header fields with a
secure hashing function. This is then followed by an
additional header that contains the hash, to allow the
@@ -2760,26 +2373,23 @@ Connection closed by foreign host.</screen>
</indexterm>
<para>IPsec can either be used to directly encrypt the traffic
- between two hosts (known as <emphasis>Transport
- Mode</emphasis>); or to build <quote>virtual
- tunnels</quote> between two subnets, which could be used for
- secure communication between two corporate networks (known
- as <emphasis>Tunnel Mode</emphasis>). The latter is more
+ between two hosts using <emphasis>Transport Mode</emphasis> or
+ to build <quote>virtual tunnels</quote> using
+ <emphasis>Tunnel Mode</emphasis>. The latter mode is more
commonly known as a <emphasis>Virtual Private Network
- (VPN)</emphasis>. The &man.ipsec.4; manual page should be
- consulted for detailed information on the IPsec subsystem in
- FreeBSD.</para>
+ (<acronym>VPN</acronym>)</emphasis>. Consult &man.ipsec.4;
+ for detailed information on the IPsec subsystem in
+ &os;.</para>
- <para>To add IPsec support to your kernel, add the following
- options to your kernel configuration file:</para>
+ <para>To add IPsec support to the kernel, add the following
+ options to the custom kernel configuration file:</para>
<indexterm>
<primary>kernel options</primary>
<secondary>IPSEC</secondary>
</indexterm>
- <screen>
-options IPSEC #IP security
+ <screen>options IPSEC #IP security
device crypto</screen>
<indexterm>
@@ -2790,45 +2400,34 @@ device crypto</screen>
<para>If IPsec debugging support is desired, the following
kernel option should also be added:</para>
- <screen>
-options IPSEC_DEBUG #debug for IP security</screen>
+ <screen>options IPSEC_DEBUG #debug for IP security</screen>
</sect2>
<sect2>
- <title>The Problem</title>
-
- <para>There is no standard for what constitutes a VPN. VPNs
- can be implemented using a number of different technologies,
- each of which have their own strengths and weaknesses. This
- section presents a scenario, and the strategies used for
- implementing a VPN for this scenario.</para>
- </sect2>
-
- <sect2>
- <title>The Scenario: Two networks, one home based and one
- corporate based. Both are connected to the Internet, and
- expected, via this <acronym>VPN</acronym> to behave as
- one.</title>
+ <title><acronym>VPN</acronym> Between a Home and Corporate
+ Network</title>
<indexterm>
<primary>VPN</primary>
<secondary>creating</secondary>
</indexterm>
- <para>The premise is as follows:</para>
+ <para>There is no standard for what constitutes a
+ <acronym>VPN</acronym>. <acronym>VPN</acronym>s can be
+ implemented using a number of different technologies, each
+ of which has their own strengths and weaknesses. This
+ section presents the strategies used for implementing a
+ <acronym>VPN</acronym> for the following scenario:</para>
<itemizedlist>
<listitem>
- <para>You have at least two sites</para>
+ <para>There are at least two sites where each site is using
+ IP internally.</para>
</listitem>
<listitem>
- <para>Both sites are using IP internally</para>
- </listitem>
-
- <listitem>
- <para>Both sites are connected to the Internet, through a
- gateway that is running FreeBSD.</para>
+ <para>Both sites are connected to the Internet through a
+ gateway that is running &os;.</para>
</listitem>
<listitem>
@@ -2838,15 +2437,15 @@ options IPSEC_DEBUG #debug for IP security</screen>
<listitem>
<para>The internal addresses of the two networks can be
- public or private IP addresses, it does not matter.
- They just may not collide; e.g.: may not both use
+ either public or private IP addresses. However, the
+ address space must not collide. For example, both
+ networks cannot use
<hostid role="ipaddr">192.168.1.x</hostid>.</para>
</listitem>
</itemizedlist>
- </sect2>
- <sect2>
- <sect2info>
+ <sect3>
+ <sect3info>
<authorgroup>
<author>
<firstname>Tom</firstname>
@@ -2857,23 +2456,24 @@ options IPSEC_DEBUG #debug for IP security</screen>
<contrib>Written by </contrib>
</author>
</authorgroup>
- </sect2info>
+ </sect3info>
<title>Configuring IPsec on &os;</title>
- <para>To begin, the
+ <para>To begin,
<filename role="package">security/ipsec-tools</filename>
- must be installed from the Ports Collection. This third
- party software package provides a number of applications
- which will help support the configuration.</para>
+ must be installed from the Ports Collection. This software
+ provides a number of applications which support the
+ configuration.</para>
<para>The next requirement is to create two &man.gif.4;
pseudo-devices which will be used to tunnel packets and
allow both networks to communicate properly. As
<username>root</username>, run the following commands,
- replacing the <replaceable>internal</replaceable> and
- <replaceable>external</replaceable> items with the real
- internal and external gateways:</para>
+ replacing <replaceable>internal</replaceable> and
+ <replaceable>external</replaceable> with the real IP
+ addresses of the internal and external interfaces of the two
+ gateways:</para>
<screen>&prompt.root; <userinput>ifconfig gif0 create</userinput></screen>
@@ -2881,18 +2481,18 @@ options IPSEC_DEBUG #debug for IP security</screen>
<screen>&prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>external1 external2</replaceable></userinput></screen>
- <para>For example, the corporate <acronym>LAN</acronym>'s
- public <acronym>IP</acronym> is
- <hostid role="ipaddr">172.16.5.4</hostid> having a private
- <acronym>IP</acronym> of
- <hostid role="ipaddr">10.246.38.1</hostid>. The home
- <acronym>LAN</acronym>'s public <acronym>IP</acronym> is
- <hostid role="ipaddr">192.168.1.12</hostid> with an internal
- private <acronym>IP</acronym> of
- <hostid role="ipaddr">10.0.0.5</hostid>.</para>
+ <para>In this example, the corporate <acronym>LAN</acronym>'s
+ external <acronym>IP</acronym> address is <hostid
+ role="ipaddr">172.16.5.4</hostid> and its internal
+ <acronym>IP</acronym> address is <hostid
+ role="ipaddr">10.246.38.1</hostid>. The home
+ <acronym>LAN</acronym>'s external <acronym>IP</acronym>
+ address is <hostid role="ipaddr">192.168.1.12</hostid> and its
+ internal private <acronym>IP</acronym> address is <hostid
+ role="ipaddr">10.0.0.5</hostid>.</para>
- <para>This may seem confusing, so review the following example
- output from the &man.ifconfig.8; command:</para>
+ <para>If this is confusing, review the following example output
+ from &man.ifconfig.8;:</para>
<programlisting>Gateway 1:
@@ -2908,9 +2508,8 @@ tunnel inet 192.168.1.12 --> 172.16.5.4
inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00
inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4</programlisting>
- <para>Once complete, both private <acronym>IP</acronym>s
- should be reachable using the &man.ping.8; command like
- the following output suggests:</para>
+ <para>Once complete, both internal <acronym>IP</acronym>
+ addresses should be reachable using &man.ping.8;:</para>
<programlisting>priv-net# ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5): 56 data bytes
@@ -2950,8 +2549,7 @@ round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms</programlisting>
<para>At this point, internal machines should be reachable
from each gateway as well as from machines behind the
- gateways. This is easily determined from the following
- example:</para>
+ gateways. Again, use &man.ping.8; to confirm:</para>
<programlisting>corp-net# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8): 56 data bytes
@@ -2975,13 +2573,13 @@ PING 10.246.38.1 (10.246.38.107): 56 data bytes
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms</programlisting>
- <para>Setting up the tunnels is the easy part. Configuring
- a secure link is a much more in depth process. The
- following configuration uses pre-shared
- (<acronym>PSK</acronym>) <acronym>RSA</acronym> keys. Aside
- from the <acronym>IP</acronym> addresses, both
- <filename>/usr/local/etc/racoon/racoon.conf</filename> files
- will be identical and look similar to</para>
+ <para>Setting up the tunnels is the easy part. Configuring a
+ secure link is a more in depth process. The following
+ configuration uses pre-shared (<acronym>PSK</acronym>)
+ <acronym>RSA</acronym> keys. Other than the
+ <acronym>IP</acronym> addresses, the
+ <filename>/usr/local/etc/racoon/racoon.conf</filename> on
+ both gateways will be identical and look similar to:</para>
<programlisting>path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
@@ -3041,21 +2639,17 @@ sainfo (address 10.246.38.0/24 any address 10.0.0.0/24 any) # address $network/
compression_algorithm deflate;
}</programlisting>
- <para>Explaining every available option, along with those
- listed in these examples is beyond the scope of this
- document. There is plenty of relevant information in the
- <application>racoon</application> configuration manual
- page.</para>
+ <para>For descriptions of each available option, refer to the
+ manual page for <filename>racoon.conf</filename>.</para>
- <para>The <acronym>SPD</acronym> policies need to be
- configured so &os; and <application>racoon</application> is
- able to encrypt and decrypt network traffic between
- hosts.</para>
+ <para>The Security Policy Database (<acronym>SPD</acronym>)
+ needs to be configured so that &os; and
+ <application>racoon</application> are able to encrypt and
+ decrypt network traffic between the hosts.</para>
- <para>This task may be undertaken with a simple shell script
- similar to the following which is on the corporate gateway.
- This file will be used during system initialization and
- should be saved as
+ <para>This can be achieved with a shell script, similar to the
+ following, on the corporate gateway. This file will be used
+ during system initialization and should be saved as
<filename>/usr/local/etc/racoon/setkey.conf</filename>.</para>
<programlisting>flush;
@@ -3088,12 +2682,12 @@ Foreground mode.
another console and use &man.tcpdump.1; to view network
traffic using the following command. Replace
<literal>em0</literal> with the network interface card as
- required.</para>
+ required:</para>
<screen>&prompt.root; <userinput>tcpdump -i em0 host <replaceable>172.16.5.4 and dst 192.168.1.12</replaceable></userinput></screen>
<para>Data similar to the following should appear on the
- console. If not, there is an issue, and debugging the
+ console. If not, there is an issue and debugging the
returned data will be required.</para>
<programlisting>01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)
@@ -3102,11 +2696,10 @@ Foreground mode.
<para>At this point, both networks should be available and
seem to be part of the same network. Most likely both
- networks are protected by a firewall, as they should be. To
- allow traffic to flow between them, rules need to be added
- to pass packets back and forth. For the &man.ipfw.8;
- firewall, add the following lines to the firewall
- configuration file:</para>
+ networks are protected by a firewall. To allow traffic to
+ flow between them, rules need to be added to pass packets.
+ For the &man.ipfw.8; firewall, add the following lines to the
+ firewall configuration file:</para>
<programlisting>ipfw add 00201 allow log esp from any to any
ipfw add 00202 allow log ah from any to any
@@ -3140,7 +2733,8 @@ pass out quick on gif0 from any to any</programlisting>
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"</programlisting>
- </sect2>
+ </sect3>
+ </sect2>
</sect1>
<sect1 id="openssh">
@@ -3165,65 +2759,62 @@ racoon_enable="yes"</programlisting>
<para><application>OpenSSH</application> is a set of network
connectivity tools used to access remote machines securely.
- It can be used as a direct replacement for
- <command>rlogin</command>, <command>rsh</command>,
- <command>rcp</command>, and <command>telnet</command>.
Additionally, TCP/IP connections can be tunneled/forwarded
- securely through SSH. <application>OpenSSH</application>
- encrypts all traffic to effectively eliminate eavesdropping,
- connection hijacking, and other network-level attacks.</para>
+ securely through <acronym>SSH</acronym> connections.
+ <application>OpenSSH</application> encrypts all traffic to
+ effectively eliminate eavesdropping, connection hijacking, and
+ other network-level attacks.</para>
<para><application>OpenSSH</application> is maintained by the
- OpenBSD project, and is based upon SSH v1.2.12 with all the
- recent bug fixes and updates. It is compatible with both SSH
- protocols 1 and 2.</para>
+ OpenBSD project and is installed by default in &os;. It is
+ compatible with both <acronym>SSH</acronym> version 1 and 2
+ protocols.</para>
<sect2>
- <title>Advantages of Using OpenSSH</title>
+ <title>Advantages of Using
+ <application>OpenSSH</application></title>
- <para>Normally, when using &man.telnet.1; or &man.rlogin.1;,
- data is sent over the network in a clear, un-encrypted form.
- Network sniffers anywhere in between the client and server
- can steal your user/password information or data transferred
- in your session. <application>OpenSSH</application> offers
- a variety of authentication and encryption methods to
- prevent this from happening.</para>
+ <para>When data is sent over the network in an unencrypted form,
+ network sniffers anywhere in between the client and server
+ can steal user/password information or data transferred
+ during the session. <application>OpenSSH</application> offers
+ a variety of authentication and encryption methods to prevent
+ this from happening.</para>
</sect2>
<sect2>
- <title>Enabling <application>sshd</application></title>
+ <title>Enabling The SSH Server</title>
<indexterm>
<primary>OpenSSH</primary>
<secondary>enabling</secondary>
</indexterm>
- <para>The <application>sshd</application> is an option
- presented during a <literal>Standard</literal> install of
- &os;. To see if <application>sshd</application> is enabled,
- check the <filename>rc.conf</filename> file for:</para>
+ <para>To see if &man.sshd.8; is enabled, check
+ <filename>/etc/rc.conf</filename> for this line:</para>
<programlisting>sshd_enable="YES"</programlisting>
- <para>This will load &man.sshd.8;, the daemon program for
- <application>OpenSSH</application>, the next time your
- system initializes. Alternatively, it is possible to use
- &man.service.8; to
- start <application>OpenSSH</application>:</para>
+ <para>This will start &man.sshd.8;, the daemon program for
+ <application>OpenSSH</application>, the next time the system
+ initializes. Alternatively, it is possible to use
+ &man.service.8; to start <application>OpenSSH</application>
+ now:</para>
<screen>&prompt.root; <userinput>service sshd start</userinput></screen>
</sect2>
<sect2>
- <title>SSH Client</title>
+ <title>The SSH Client</title>
<indexterm>
<primary>OpenSSH</primary>
<secondary>client</secondary>
</indexterm>
- <para>The &man.ssh.1; utility works similarly to
- &man.rlogin.1;.</para>
+ <para>To use &man.ssh.1; to connect to a system running
+ &man.sshd.8;, specify the username and host to log
+ into:</para>
<screen>&prompt.root; <userinput>ssh <replaceable>user@example.com</replaceable></userinput>
Host key not found from the list of known hosts.
@@ -3231,27 +2822,22 @@ Are you sure you want to continue connecting (yes/no)? <userinput>yes</userinput
Host 'example.com' added to the list of known hosts.
user@example.com's password: <userinput>*******</userinput></screen>
- <para>The login will continue just as it would have if a
- session was created using <command>rlogin</command> or
- <command>telnet</command>. SSH utilizes a key fingerprint
- system for verifying the authenticity of the server when the
- client connects. The user is prompted to enter
- <literal>yes</literal> only when connecting for the first
- time. Future attempts to login are all verified against the
- saved fingerprint key. The SSH client will alert you if the
- saved fingerprint differs from the received fingerprint on
- future login attempts. The fingerprints are saved in
- <filename>~/.ssh/known_hosts</filename>, or
- <filename>~/.ssh/known_hosts2</filename> for SSH v2
- fingerprints.</para>
+ <para><acronym>SSH</acronym> utilizes a key fingerprint system
+ to verify the authenticity of the server when the client
+ connects. The user is prompted to type
+ <literal>yes</literal> when connecting for the first time.
+ Future attempts to login are verified against the saved
+ fingerprint key and the &man.ssh.1; client will display an
+ alert if the saved fingerprint differs from the received
+ fingerprint on future login attempts. The fingerprints are
+ saved in <filename>~/.ssh/known_hosts</filename>.</para>
- <para>By default, recent versions of the
- <application>OpenSSH</application> servers only accept SSH
- v2 connections. The client will use version 2 if possible
- and will fall back to version 1. The client can also be
- forced to use one or the other by passing it the
- <option>-1</option> or <option>-2</option> for version 1 or
- version 2, respectively. The version 1 compatibility is
+ <para>By default, recent versions of &man.sshd.8; only accept
+ <acronym>SSH</acronym> v2 connections. The client will use
+ version 2 if possible and will fall back to version 1. The
+ client can also be forced to use one or the other by passing
+ it the <option>-1</option> or <option>-2</option> for version
+ 1 or version 2, respectively. The version 1 compatibility is
maintained in the client for backwards compatibility with
older versions.</para>
</sect2>
@@ -3264,12 +2850,11 @@ user@example.com's password: <userinput>*******</userinput></screen>
<secondary>secure copy</secondary>
</indexterm>
<indexterm>
- <primary><command>scp</command></primary>
+ <primary>&man.scp.1;</primary>
</indexterm>
- <para>The &man.scp.1; command works similarly to &man.rcp.1;;
- it copies a file to or from a remote machine, except in a
- secure fashion.</para>
+ <para>Use &man.scp.1; to copy a file to or from a remote machine
+ in a secure fashion.</para>
<screen>&prompt.root; <userinput> scp <replaceable>user@example.com:/COPYRIGHT COPYRIGHT</replaceable></userinput>
user@example.com's password: <userinput>*******</userinput>
@@ -3282,10 +2867,11 @@ COPYRIGHT 100% |*****************************| 4735
here.</para>
<para>The arguments passed to &man.scp.1; are similar to
- &man.cp.1;, with the file or files in the first argument,
- and the destination in the second. Since the file is
- fetched over the network, through SSH, one or more of the
- file arguments takes on the form
+ &man.cp.1;, with the file or files to copy in the first
+ argument, and the destination in the second. Since the file
+ is fetched over the network, through an
+ <acronym>SSH</acronym>, connection, one or more of the file
+ arguments takes the form
<option>user@host:<path_to_remote_file></option>.</para>
</sect2>
@@ -3299,25 +2885,20 @@ COPYRIGHT 100% |*****************************| 4735
<para>The system-wide configuration files for both the
<application>OpenSSH</application> daemon and client reside
- within the <filename class="directory">/etc/ssh</filename>
- directory.</para>
+ in <filename class="directory">/etc/ssh</filename>.</para>
<para><filename>ssh_config</filename> configures the client
settings, while <filename>sshd_config</filename> configures
- the daemon.</para>
-
- <para>Additionally, the <option>sshd_program</option>
- (<filename>/usr/sbin/sshd</filename> by default), and
- <option>sshd_flags</option> <filename>rc.conf</filename>
- options can provide more levels of configuration.</para>
+ the daemon. Each file has its own manual page which describes
+ the available configuration options.</para>
</sect2>
<sect2 id="security-ssh-keygen">
- <title><application>ssh-keygen</application></title>
+ <title>&man.ssh-keygen.1;</title>
- <para>Instead of using passwords, &man.ssh-keygen.1; can
- be used to generate DSA or RSA keys to authenticate a
- user:</para>
+ <para>Instead of using passwords, &man.ssh-keygen.1; can be used
+ to generate <acronym>DSA</acronym> or <acronym>RSA</acronym>
+ keys to authenticate a user:</para>
<screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
Generating public/private dsa key pair.
@@ -3335,7 +2916,7 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen>
in <filename>~/.ssh/id_dsa</filename> or
<filename>~/.ssh/id_rsa</filename>, whereas the public key
is stored in <filename>~/.ssh/id_dsa.pub</filename> or
- <filename>~/.ssh/id_rsa.pub</filename>, respectively for
+ <filename>~/.ssh/id_rsa.pub</filename>, respectively for the
<acronym>DSA</acronym> and <acronym>RSA</acronym> key types.
The public key must be placed in the
<filename>~/.ssh/authorized_keys</filename> file of the
@@ -3343,45 +2924,60 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen>
<acronym>DSA</acronym> keys in order for the setup to
work.</para>
- <para>This will allow connection to the remote machine based
- upon SSH keys instead of passwords.</para>
-
- <para>If a passphrase is used in &man.ssh-keygen.1;, the user
- will be prompted for a password each time in order to use
- the private key. &man.ssh-agent.1; can alleviate the strain
- of repeatedly entering long passphrases, and is explored in
- the <xref linkend="security-ssh-agent"/> section
- below.</para>
+ <para>This setup allows connections to the remote machine based
+ upon <acronym>SSH</acronym> keys instead of passwords.</para>
<warning>
- <para>The various options and files can be different
- according to the <application>OpenSSH</application>
- version you have on your system; to avoid problems you
- should consult the &man.ssh-keygen.1; manual page.</para>
+ <para>Many users believe that keys are secure by design and
+ will use a key without a passphrase. This is
+ <emphasis>dangerous</emphasis> behavior and the method
+ an administrator may use to verify keys have a passphrase
+ is to view the key manually. If the private key file
+ contains the word <literal>ENCRYPTED</literal> the key
+ owner is using a passphrase. While it may still be a weak
+ passphrase, at least if the system is compromised, access
+ to other sites will still require some level of password
+ guessing. In addition, to better secure end users, the
+ <literal>from</literal> may be placed in the public key
+ file. For example, adding
+ <literal>from="192.168.10.5</literal> in the front of
+ <literal>ssh-rsa</literal> or <literal>rsa-dsa</literal>
+ prefix will only allow that specific user to login from
+ that host <acronym>IP</acronym>.</para>
+ </warning>
+
+ <para>If a passphrase is used in &man.ssh-keygen.1;, the user
+ will be prompted for the passphrase each time in order to use
+ the private key. &man.ssh-agent.1; can alleviate the strain
+ of repeatedly entering long passphrases, and is explored in
+ <xref linkend="security-ssh-agent"/>.</para>
+
+ <warning>
+ <para>The various options and files can be different according
+ to the <application>OpenSSH</application> version. To avoid
+ problems, consult &man.ssh-keygen.1;.</para>
</warning>
</sect2>
<sect2 id="security-ssh-agent">
- <title><application>ssh-agent</application> and <application>ssh-add</application></title>
+ <title>Using SSH Agent To Cache Keys</title>
- <para>The &man.ssh-agent.1; and &man.ssh-add.1; utilities
- provide methods for <application>SSH</application> keys to
- be loaded into memory for use, without needing to type the
- passphrase each time.</para>
+ <para>To load <acronym>SSH</acronym> keys into memory for use,
+ without needing to type the passphrase each time, use
+ &man.ssh-agent.1; and &man.ssh-add.1;.</para>
- <para>The &man.ssh-agent.1; utility will handle the
- authentication using the private key(s) that are loaded into
- it. &man.ssh-agent.1; should be used to launch another
- application. At the most basic level, it could spawn a
- shell or at a more advanced level, a window manager.</para>
+ <para>Authentication is handled by &man.ssh-agent.1;, using the
+ private key(s) that are loaded into it. Then,
+ &man.ssh-agent.1; should be used to launch another
+ application. At the most basic level, it could spawn a shell
+ or a window manager.</para>
- <para>To use &man.ssh-agent.1; in a shell, first it will need
- to be spawned with a shell as an argument. Secondly, the
- identity needs to be added by running &man.ssh-add.1; and
- providing it the passphrase for the private key. Once these
- steps have been completed the user will be able to
- &man.ssh.1; to any host that has the corresponding public
- key installed. For example:</para>
+ <para>To use &man.ssh-agent.1; in a shell, start it with a shell
+ as an argument. Next, add the identity by running
+ &man.ssh-add.1; and providing it the passphrase for the
+ private key. Once these steps have been completed, the user
+ will be able to &man.ssh.1; to any host that has the
+ corresponding public key installed. For example:</para>
<screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
&prompt.user; ssh-add
@@ -3389,24 +2985,26 @@ Enter passphrase for /home/user/.ssh/id_dsa:
Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
&prompt.user;</screen>
- <para>To use &man.ssh-agent.1; in X11, a call to
- &man.ssh-agent.1; will need to be placed in
- <filename>~/.xinitrc</filename>. This will provide the
- &man.ssh-agent.1; services to all programs launched in X11.
- An example <filename>~/.xinitrc</filename> file might look
- like this:</para>
+ <para>To use &man.ssh-agent.1; in
+ <application>&xorg;</application>, a call to &man.ssh-agent.1;
+ needs to be placed in <filename>~/.xinitrc</filename>. This
+ provides the &man.ssh-agent.1; services to all programs
+ launched in <application>&xorg;</application>. An example
+ <filename>~/.xinitrc</filename> file might look like
+ this:</para>
<programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
- <para>This would launch &man.ssh-agent.1;, which would in turn
- launch <application>XFCE</application>, every time X11
- starts. Then once that is done and X11 has been restarted so
- that the changes can take effect, simply run &man.ssh-add.1;
- to load all of your SSH keys.</para>
+ <para>This launches &man.ssh-agent.1;, which in turn launches
+ <application>XFCE</application>, every time
+ <application>&xorg;</application> starts. Once
+ <application>&xorg;</application> has been restarted so that
+ the changes can take effect, run &man.ssh-add.1; to load all
+ of the <acronym>SSH</acronym> keys.</para>
</sect2>
<sect2 id="security-ssh-tunneling">
- <title>SSH Tunneling</title>
+ <title><acronym>SSH</acronym> Tunneling</title>
<indexterm>
<primary>OpenSSH</primary>
@@ -3418,22 +3016,20 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
encrypted session.</para>
<para>The following command tells &man.ssh.1; to create a
- tunnel for <application>telnet</application>:</para>
+ tunnel for &man.telnet.1;:</para>
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
&prompt.user;</screen>
- <para>The <command>ssh</command> command is used with the
- following options:</para>
+ <para>This example uses the following options:</para>
<variablelist>
<varlistentry>
<term><option>-2</option></term>
<listitem>
- <para>Forces <command>ssh</command> to use version 2 of
- the protocol. (Do not use if you are working with
- older SSH servers)</para>
+ <para>Forces &man.ssh.1; to use version 2 to connect to
+ the server.</para>
</listitem>
</varlistentry>
@@ -3442,8 +3038,7 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
<listitem>
<para>Indicates no command, or tunnel only. If omitted,
- <command>ssh</command> would initiate a normal
- session.</para>
+ &man.ssh.1; initiates a normal session.</para>
</listitem>
</varlistentry>
@@ -3451,8 +3046,7 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
<term><option>-f</option></term>
<listitem>
- <para>Forces <command>ssh</command> to run in the
- background.</para>
+ <para>Forces &man.ssh.1; to run in the background.</para>
</listitem>
</varlistentry>
@@ -3462,7 +3056,7 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
<listitem>
<para>Indicates a local tunnel in
<replaceable>localport:remotehost:remoteport</replaceable>
- fashion.</para>
+ format.</para>
</listitem>
</varlistentry>
@@ -3470,30 +3064,32 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
<term><option>user@foo.example.com</option></term>
<listitem>
- <para>The remote SSH server.</para>
+ <para>The login name to use on the specified remote
+ <acronym>SSH</acronym> server.</para>
</listitem>
</varlistentry>
</variablelist>
- <para>An SSH tunnel works by creating a listen socket on
- <hostid>localhost</hostid> on the specified port. It then
- forwards any connection received on the local host/port via
- the SSH connection to the specified remote host and
- port.</para>
+ <para>An <acronym>SSH</acronym> tunnel works by creating a
+ listen socket on <hostid>localhost</hostid> on the specified
+ port. It then forwards any connections received on the local
+ host/port via the <acronym>SSH</acronym> connection to the
+ specified remote host and port.</para>
<para>In the example, port <replaceable>5023</replaceable> on
- <hostid>localhost</hostid> is being forwarded to port
+ <hostid>localhost</hostid> is forwarded to port
<replaceable>23</replaceable> on <hostid>localhost</hostid>
of the remote machine. Since <replaceable>23</replaceable>
- is <application>telnet</application>, this would create a
- secure <application>telnet</application> session through an
- SSH tunnel.</para>
+ is used by &man.telnet.1;, this creates an encrypted
+ &man.telnet.1; session through an
+ <acronym>SSH</acronym> tunnel.</para>
<para>This can be used to wrap any number of insecure TCP
- protocols such as SMTP, POP3, FTP, etc.</para>
+ protocols such as SMTP, POP3, and FTP.</para>
<example>
- <title>Using SSH to Create a Secure Tunnel for SMTP</title>
+ <title>Using &man.ssh.1; to Create a Secure Tunnel
+ for SMTP</title>
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.example.com</replaceable></userinput>
user@mailserver.example.com's password: <userinput>*****</userinput>
@@ -3503,66 +3099,60 @@ Connected to localhost.
Escape character is '^]'.
220 mailserver.example.com ESMTP</screen>
- <para>This can be used in conjunction with an
- &man.ssh-keygen.1; and additional user accounts to create
- a more seamless/hassle-free SSH tunneling environment.
- Keys can be used in place of typing a password, and the
- tunnels can be run as a separate user.</para>
+ <para>This can be used in conjunction with &man.ssh-keygen.1;
+ and additional user accounts to create a more seamless
+ <acronym>SSH</acronym> tunneling environment. Keys can be
+ used in place of typing a password, and the tunnels can be
+ run as a separate user.</para>
</example>
<sect3>
- <title>Practical SSH Tunneling Examples</title>
+ <title>Practical <acronym>SSH</acronym> Tunneling
+ Examples</title>
<sect4>
<title>Secure Access of a POP3 Server</title>
- <para>At work, there is an SSH server that accepts
- connections from the outside. On the same office
- network resides a mail server running a POP3 server.
- The network, or network path between your home and
- office may or may not be completely trustable. Because
- of this, you need to check your e-mail in a secure
- manner. The solution is to create an SSH connection to
- your office's SSH server, and tunnel through to the mail
- server.</para>
+ <para>In this example, there is an <acronym>SSH</acronym>
+ server that accepts connections from the outside. On the
+ same network resides a mail server running a POP3 server.
+ To check email in a secure manner, create an
+ <acronym>SSH</acronym> connection to the
+ <acronym>SSH</acronym> server, and tunnel through to the
+ mail server.</para>
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>2110:mail.example.com:110 user@ssh-server.example.com</replaceable></userinput>
user@ssh-server.example.com's password: <userinput>******</userinput></screen>
- <para>When the tunnel is up and running, you can point
- your mail client to send POP3 requests to
-
- <hostid>localhost</hostid> port 2110. A connection here
- will be forwarded securely across the tunnel to
+ <para>Once the tunnel is up and running, point the email
+ client to send POP3 requests to <hostid>localhost</hostid>
+ on port 2110. This connection will be forwarded securely
+ across the tunnel to
<hostid>mail.example.com</hostid>.</para>
</sect4>
<sect4>
<title>Bypassing a Draconian Firewall</title>
- <para>Some network administrators impose extremely
- draconian firewall rules, filtering not only incoming
- connections, but outgoing connections. You may be only
- given access to contact remote machines on ports 22 and
- 80 for SSH and web surfing.</para>
+ <para>Some network administrators impose firewall rules
+ which filter both incoming and outgoing connections. For
+ example, it might limit access from remote machines to
+ ports 22 and 80 to only allow &man.ssh.1; and web surfing.
+ This prevents access to any other service which uses a
+ port other than 22 or 80.</para>
- <para>You may wish to access another (perhaps non-work
- related) service, such as an Ogg Vorbis server to stream
- music. If this Ogg Vorbis server is streaming on some
- other port than 22 or 80, you will not be able to access
- it.</para>
-
- <para>The solution is to create an SSH connection to a
- machine outside of your network's firewall, and use it
- to tunnel to the Ogg Vorbis server.</para>
+ <para>The solution is to create an <acronym>SSH</acronym>
+ connection to a machine outside of the network's firewall
+ and use it to tunnel to the desired service.</para>
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>8888:music.example.com:8000 user@unfirewalled-system.example.org</replaceable></userinput>
user@unfirewalled-system.example.org's password: <userinput>*******</userinput></screen>
- <para>Your streaming client can now be pointed to
- <hostid>localhost</hostid> port 8888, which will be
- forwarded over to <hostid>music.example.com</hostid>
- port 8000, successfully evading the firewall.</para>
+ <para>In this example, a streaming Ogg Vorbis client can now
+ be pointed to <hostid>localhost</hostid> port 8888, which
+ will be forwarded over to
+ <hostid>music.example.com</hostid> on port 8000,
+ successfully bypassing the firewall.</para>
</sect4>
</sect3>
</sect2>
@@ -3571,17 +3161,15 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
<title>The <varname>AllowUsers</varname> Option</title>
<para>It is often a good idea to limit which users can log in
- and from where. The <literal>AllowUsers</literal> option is
- a good way to accomplish this. For example, to only allow
- the <username>root</username> user to log in from
- <hostid role="ipaddr">192.168.1.32</hostid>, something like
- this would be appropriate in the
- <filename>/etc/ssh/sshd_config</filename> file:</para>
+ and from where using <literal>AllowUsers</literal>. For
+ example, to only allow <username>root</username> to log in
+ from <hostid role="ipaddr">192.168.1.32</hostid>, add this
+ line to <filename>/etc/ssh/sshd_config</filename>:</para>
<programlisting>AllowUsers root@192.168.1.32</programlisting>
- <para>To allow the user <username>admin</username> to log in
- from anywhere, just list the username by itself:</para>
+ <para>To allow <username>admin</username> to log in from
+ anywhere, list that username by itself:</para>
<programlisting>AllowUsers admin</programlisting>
@@ -3591,14 +3179,13 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
<programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
<note>
- <para>It is important that you list each user that needs to
- log in to this machine; otherwise they will be locked
- out.</para>
+ <para>It is important to list each user that needs to log into
+ this machine; otherwise, they will be locked out.</para>
</note>
<para>After making changes to
- <filename>/etc/ssh/sshd_config</filename> you must tell
- &man.sshd.8; to reload its config files, by running:</para>
+ <filename>/etc/ssh/sshd_config</filename>, tell &man.sshd.8;
+ to reload its configuration file by running:</para>
<screen>&prompt.root; <userinput>service sshd reload</userinput></screen>
</sect2>
@@ -3606,14 +3193,15 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
<sect2>
<title>Further Reading</title>
- <para><ulink
- url="http://www.openssh.com/">OpenSSH</ulink></para>
+ <para>The <ulink url="http://www.openssh.com/">OpenSSH</ulink>
+ website.</para>
- <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
- &man.ssh-agent.1; &man.ssh-add.1; &man.ssh.config.5;</para>
+ <para>&man.ssh.1;, &man.scp.1;, &man.ssh-keygen.1;,
+ &man.ssh-agent.1;, &man.ssh-add.1;, and &man.ssh.config.5; for
+ client options.</para>
- <para>&man.sshd.8; &man.sftp-server.8;
- &man.sshd.config.5;</para>
+ <para>&man.sshd.8;, &man.sftp-server.8;, and &man.sshd.config.5;
+ for server options.</para>
</sect2>
</sect1>
@@ -3628,35 +3216,33 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
</authorgroup>
</sect1info>
- <title>File System Access Control Lists
+ <title>Filesystem Access Control Lists
(<acronym>ACL</acronym>s)</title>
<indexterm>
<primary>ACL</primary>
</indexterm>
- <para>In conjunction with file system enhancements like
- snapshots, FreeBSD offers the security of File System Access
- Control Lists (<acronym>ACL</acronym>s).</para>
+ <para>Filesystem Access Control Lists (<acronym>ACL</acronym>s)
+ extend the standard &unix; permission model in a &posix;.1e
+ compatible way. This permits an administrator to make use of
+ and take advantage of a more sophisticated security
+ model.</para>
- <para>Access Control Lists extend the standard &unix; permission
- model in a highly compatible (&posix;.1e) way. This feature
- permits an administrator to make use of and take advantage of
- a more sophisticated security model.</para>
-
- <para>To enable <acronym>ACL</acronym> support for
- <acronym>UFS</acronym> file systems, the following:</para>
+ <para>The &os; <filename>GENERIC</filename> kernel provides
+ <acronym>ACL</acronym> support for <acronym>UFS</acronym> file
+ systems. Users who prefer to compile a custom kernel must
+ include the following option in their custom kernel
+ configuration file:</para>
<programlisting>options UFS_ACL</programlisting>
- <para>must be compiled into the kernel. If this option has not
- been compiled in, a warning message will be displayed when
- attempting to mount a file system supporting
- <acronym>ACL</acronym>s. This option is included in the
- <filename>GENERIC</filename> kernel. <acronym>ACL</acronym>s
- rely on extended attributes being enabled on the file system.
- Extended attributes are natively supported in the next
- generation &unix; file system, <acronym>UFS2</acronym>.</para>
+ <para>If this option is not compiled in, a warning message will be
+ displayed when attempting to mount a filesystem supporting
+ <acronym>ACL</acronym>s. <acronym>ACL</acronym>s rely on
+ extended attributes being enabled on the filesystem. Extended
+ attributes are natively supported in
+ <acronym>UFS2</acronym>.</para>
<note>
<para>A higher level of administrative overhead is required to
@@ -3664,9 +3250,7 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
than on <acronym>UFS2</acronym>. The performance of
extended attributes on <acronym>UFS2</acronym> is also
substantially higher. As a result, <acronym>UFS2</acronym>
- is generally recommended in preference to
- <acronym>UFS1</acronym> for use with access control
- lists.</para>
+ is recommended for use with <acronym>ACL</acronym>s.</para>
</note>
<para><acronym>ACL</acronym>s are enabled by the mount-time
@@ -3674,50 +3258,46 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
to <filename>/etc/fstab</filename>. The mount-time flag can
also be automatically set in a persistent manner using
&man.tunefs.8; to modify a superblock <acronym>ACL</acronym>s
- flag in the file system header. In general, it is preferred
+ flag in the filesystem header. In general, it is preferred
to use the superblock flag for several reasons:</para>
<itemizedlist>
<listitem>
<para>The mount-time <acronym>ACL</acronym>s flag cannot be
- changed by a remount (&man.mount.8; <option>-u</option>),
- only by means of a complete &man.umount.8; and fresh
- &man.mount.8;. This means that <acronym>ACL</acronym>s
- cannot be enabled on the root file system after boot. It
- also means that you cannot change the disposition of a
- file system once it is in use.</para>
+ changed by a remount using <option>mount -u</option>. It
+ requires a complete &man.umount.8; and fresh &man.mount.8;.
+ This means that <acronym>ACL</acronym>s cannot be enabled on
+ the root filesystem after boot. It also means that the
+ disposition of a filesystem cannot be changed once it is in
+ use.</para>
</listitem>
<listitem>
- <para>Setting the superblock flag will cause the file system
- to always be mounted with <acronym>ACL</acronym>s enabled
+ <para>Setting the superblock flag will cause the filesystem
+ to always be mounted with <acronym>ACL</acronym>s enabled,
even if there is not an <filename>fstab</filename> entry
or if the devices re-order. This prevents accidental
- mounting of the file system without
- <acronym>ACL</acronym>s enabled, which can result in
- <acronym>ACL</acronym>s being improperly enforced, and
- hence security problems.</para>
+ mounting of the filesystem without <acronym>ACL</acronym>s
+ enabled, which can result in the security problem of
+ <acronym>ACL</acronym>s being improperly enforced.</para>
</listitem>
</itemizedlist>
<note>
- <para>We may change the <acronym>ACL</acronym>s behavior to
- allow the flag to be enabled without a complete fresh
- &man.mount.8;, but we consider it desirable to discourage
- accidental mounting without <acronym>ACL</acronym>s enabled,
- because you can shoot your feet quite nastily if you enable
- <acronym>ACL</acronym>s, then disable them, then re-enable
- them without flushing the extended attributes. In general,
- once you have enabled <acronym>ACL</acronym>s on a file
- system, they should not be disabled, as the resulting file
+ <para>It is desirable to discourage accidental mounting without
+ <acronym>ACL</acronym>s enabled, because nasty things can
+ happen if <acronym>ACL</acronym>s are enabled, then disabled,
+ then re-enabled without flushing the extended attributes. In
+ general, once <acronym>ACL</acronym>s are enabled on a
+ filesystem, they should not be disabled, as the resulting file
protections may not be compatible with those intended by the
users of the system, and re-enabling <acronym>ACL</acronym>s
may re-attach the previous <acronym>ACL</acronym>s to files
that have since had their permissions changed, resulting in
- other unpredictable behavior.</para>
+ unpredictable behavior.</para>
</note>
- <para>File systems with <acronym>ACL</acronym>s enabled will
+ <para>Filesystems with <acronym>ACL</acronym>s enabled will
show a <literal>+</literal> (plus) sign in their permission
settings when viewed. For example:</para>
@@ -3727,22 +3307,21 @@ drwxrwx---+ 2 robert robert 512 Dec 22 10:20 directory2
drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3
drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
- <para>Here we see that the
+ <para>In this example,
<filename class="directory">directory1</filename>,
<filename class="directory">directory2</filename>, and
- <filename class="directory">directory3</filename> directories
- are all taking advantage of <acronym>ACL</acronym>s. The
- <filename class="directory">public_html</filename> directory
+ <filename class="directory">directory3</filename>
+ are all taking advantage of <acronym>ACL</acronym>s, whereas
+ <filename class="directory">public_html</filename>
is not.</para>
<sect2>
<title>Making Use of <acronym>ACL</acronym>s</title>
- <para>The file system <acronym>ACL</acronym>s can be viewed by
- the &man.getfacl.1; utility. For instance, to view the
- <acronym>ACL</acronym> settings on the
- <filename>test</filename> file, one would use the
- command:</para>
+ <para>Filesystem <acronym>ACL</acronym>s can be viewed using
+ &man.getfacl.1;. For instance, to view the
+ <acronym>ACL</acronym> settings on
+ <filename>test</filename>:</para>
<screen>&prompt.user; <userinput>getfacl <filename>test</filename></userinput>
#file:test
@@ -3753,27 +3332,25 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
other::r--</screen>
<para>To change the <acronym>ACL</acronym> settings on this
- file, invoke the &man.setfacl.1; utility. Observe:</para>
+ file, use &man.setfacl.1;:</para>
<screen>&prompt.user; <userinput>setfacl -k <filename>test</filename></userinput></screen>
- <para>The <option>-k</option> flag will remove all of the
- currently defined <acronym>ACL</acronym>s from a file or
- file system. The more preferable method would be to use
+ <para>To remove all of the currently defined
+ <acronym>ACL</acronym>s from a file or filesystem, one can use
+ <option>-k</option>. However, the preferred method is to use
<option>-b</option> as it leaves the basic fields required
for <acronym>ACL</acronym>s to work.</para>
<screen>&prompt.user; <userinput>setfacl -m u:trhodes:rwx,group:web:r--,o::--- <filename>test</filename></userinput></screen>
- <para>In the aforementioned command, the <option>-m</option>
- option was used to modify the default <acronym>ACL</acronym>
- entries. Since there were no pre-defined entries, as they
- were removed by the previous command, this will restore the
- default options and assign the options listed. Take care to
- notice that if you add a user or group which does not exist
- on the system, an <errorname>Invalid argument</errorname>
- error will be printed to
- <devicename>stdout</devicename>.</para>
+ <para>In this example, <option>-m</option> is used to modify the
+ default <acronym>ACL</acronym> entries. Since there were no
+ pre-defined entries, as they were removed by the previous
+ command, it restores the default options and assign the
+ options listed. If a user or group is added which does not
+ exist on the system, an <errorname>Invalid
+ argument</errorname> error will be displayed.</para>
</sect2>
</sect1>
@@ -3791,7 +3368,7 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
<title>Monitoring Third Party Security Issues</title>
<indexterm>
- <primary>Portaudit</primary>
+ <primary>portaudit</primary>
</indexterm>
<para>In recent years, the security world has made many
@@ -3800,33 +3377,32 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
are installed and configured for virtually any operating
system available today.</para>
- <para>Vulnerability assessment is a key factor in security, and
- while &os; releases advisories for the base system, doing so
+ <para>Vulnerability assessment is a key factor in security.
+ While &os; releases advisories for the base system, doing so
for every third party utility is beyond the &os; Project's
capability. There is a way to mitigate third party
vulnerabilities and warn administrators of known security
issues. A &os; add on utility known as
- <application>Portaudit</application> exists solely for this
+ <application>portaudit</application> exists solely for this
purpose.</para>
<para>The
<filename role="package">ports-mgmt/portaudit</filename>
- port polls a database, updated and maintained by the &os;
- Security Team and ports developers, for known security
+ port polls a database, which is updated and maintained by the
+ &os; Security Team and ports developers, for known security
issues.</para>
- <para>To begin using <application>Portaudit</application>, one
- must install it from the Ports Collection:</para>
+ <para>To install <application>portaudit</application> from the
+ Ports Collection:</para>
<screen>&prompt.root; <userinput>cd /usr/ports/ports-mgmt/portaudit && make install clean</userinput></screen>
- <para>During the install process, the configuration files for
+ <para>During the installation, the configuration files for
&man.periodic.8; will be updated, permitting
- <application>Portaudit</application> output in the daily
- security runs. Ensure the daily security run emails, which
+ <application>portaudit</application> output in the daily
+ security runs. Ensure that the daily security run emails, which
are sent to <username>root</username>'s email account, are
- being read. No more configuration will be required
- here.</para>
+ being read. No other configuration is required.</para>
<para>After installation, an administrator can update the
database and view known vulnerabilities in installed packages
@@ -3835,20 +3411,19 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
<screen>&prompt.root; <userinput>portaudit -Fda</userinput></screen>
<note>
- <para>The database will automatically be updated during the
- &man.periodic.8; run; thus, the previous command is
- completely optional. It is only required for the following
- examples.</para>
+ <para>The database is automatically updated during the
+ &man.periodic.8; run. The above command is optional and can
+ be used to manually update the database now.</para>
</note>
<para>To audit the third party utilities installed as part of
- the Ports Collection at anytime, an administrator need only
- run the following command:</para>
+ the Ports Collection at anytime, an administrator can run the
+ following command:</para>
<screen>&prompt.root; <userinput>portaudit -a</userinput></screen>
- <para><application>Portaudit</application> will produce
- something like this for vulnerable packages:</para>
+ <para><application>portaudit</application> will display messages
+ for any installed vulnerable packages:</para>
<programlisting>Affected package: cups-base-1.1.22.0_1
Type of problem: cups-base -- HPGL buffer overflow vulnerability.
@@ -3858,15 +3433,15 @@ Reference: <http://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-00
You are advised to update or deinstall the affected package(s) immediately.</programlisting>
- <para>By pointing a web browser to the <acronym>URL</acronym>
- shown, an administrator may obtain more information about the
- vulnerability in question. This will include versions
- affected, by &os; Port version, along with other web sites
- which may contain security advisories.</para>
+ <para>By pointing a web browser to the displayed
+ <acronym>URL</acronym>, an administrator may obtain more
+ information about the vulnerability. This will include the
+ versions affected, by &os; port version, along with other web
+ sites which may contain security advisories.</para>
- <para>In short, <application>Portaudit</application> is a
- powerful utility and extremely useful when coupled with the
- <application>Portupgrade</application> port.</para>
+ <para><application>portaudit</application> is a powerful utility
+ and is extremely useful when coupled with the
+ <application>portmaster</application> port.</para>
</sect1>
<sect1 id="security-advisories">
@@ -3883,23 +3458,22 @@ You are advised to update or deinstall the affected package(s) immediately.</pro
<title>&os; Security Advisories</title>
<indexterm>
- <primary>FreeBSD Security Advisories</primary>
+ <primary>&os; Security Advisories</primary>
</indexterm>
<para>Like many production quality operating systems, &os;
publishes <quote>Security Advisories</quote>. These
advisories are usually mailed to the security lists and noted
in the Errata only after the appropriate releases have been
- patched. This section will work to explain what an advisory
- is, how to understand it, and what measures to take in order
- to patch a system.</para>
+ patched. This section explains what an advisory is, how to
+ understand it, and what measures to take in order to patch a
+ system.</para>
<sect2>
<title>What Does an Advisory Look Like?</title>
- <para>The &os; security advisories look similar to the one
- below, taken from the &a.security-notifications.name;
- mailing list.</para>
+ <para>&os; security advisories use the format seen in this
+ example:</para>
<programlisting>=============================================================================
FreeBSD-SA-XX:XX.UTIL Security Advisory
@@ -3951,10 +3525,10 @@ VII. References <co id="co-ref"/></programlisting>
<calloutlist>
<callout arearefs="co-topic">
- <para>The <literal>Topic</literal> field indicates exactly
- what the problem is. It is basically an introduction to
- the current security advisory and notes the utility with
- the vulnerability.</para>
+ <para>The <literal>Topic</literal> field specifies the
+ problem. It provides an introduction to the security
+ advisory and notes the utility affected by the
+ vulnerability.</para>
</callout>
<callout arearefs="co-category">
@@ -3966,28 +3540,26 @@ VII. References <co id="co-ref"/></programlisting>
component of the &os; operating system. The
<literal>contrib</literal> category means that the
vulnerability affects software contributed to the &os;
- Project, such as <application>sendmail</application>.
- Finally the <literal>ports</literal> category indicates
- that the vulnerability affects add on software available
- as part of the Ports Collection.</para>
+ Project, such as <application>Sendmail</application>.
+ The <literal>ports</literal> category indicates that the
+ vulnerability affects add on software available through
+ the Ports Collection.</para>
</callout>
<callout arearefs="co-module">
<para>The <literal>Module</literal> field refers to the
- component location, for instance <literal>sys</literal>.
- In this example, we see that the module,
- <literal>sys</literal>, is affected; therefore, this
+ component location. In this example, the
+ <literal>sys</literal> module is affected; therefore, this
vulnerability affects a component used within the
kernel.</para>
</callout>
<callout arearefs="co-announce">
<para>The <literal>Announced</literal> field reflects the
- date said security advisory was published, or announced
+ date the security advisory was published, or announced
to the world. This means that the security team has
- verified that the problem does exist and that a patch
- has been committed to the &os; source code
- repository.</para>
+ verified that the problem exists and that a patch has
+ been committed to the &os; source code repository.</para>
</callout>
<callout arearefs="co-credit">
@@ -4000,13 +3572,13 @@ VII. References <co id="co-ref"/></programlisting>
<para>The <literal>Affects</literal> field explains which
releases of &os; are affected by this vulnerability.
For the kernel, a quick look over the output from
- <command>ident</command> on the affected files will help
- in determining the revision. For ports, the version
- number is listed after the port name in
- <filename class="directory">/var/db/pkg</filename>. If
- the system does not sync with the &os;
- Subversion repository and rebuilt daily,
- chances are that it is affected.</para>
+ &man.ident.1; on the affected files will help in
+ determining the revision. For ports, the version number
+ is listed after the port name in <filename
+ class="directory">/var/db/pkg</filename>. If the
+ system does not sync with the &os; Subversion repository
+ and is not rebuilt daily, chances are that it is
+ affected.</para>
</callout>
<callout arearefs="co-corrected">
@@ -4017,24 +3589,24 @@ VII. References <co id="co-ref"/></programlisting>
<callout arearefs="co-cve">
<para>Reserved for the identification information used to
- look up vulnerabilities in the Common Vulnerabilities
- Database system.</para>
+ look up vulnerabilities in the <ulink
+ url="http://cve.mitre.org">Common Vulnerabilities
+ and Exposures</ulink> database.</para>
</callout>
<callout arearefs="co-backround">
<para>The <literal>Background</literal> field gives
- information on exactly what the affected utility is.
- Most of the time this is why the utility exists in &os;,
- what it is used for, and a bit of information on how the
- utility came to be.</para>
+ information about the affected utility. Most of the time
+ this is why the utility exists in &os;, what it is used
+ for, and a bit of information on how the utility came to
+ be.</para>
</callout>
<callout arearefs="co-descript">
<para>The <literal>Problem Description</literal> field
explains the security hole in depth. This can include
information on flawed code, or even how the utility
- could be maliciously used to open a security
- hole.</para>
+ could be maliciously used to open a security hole.</para>
</callout>
<callout arearefs="co-impact">
@@ -4047,28 +3619,26 @@ VII. References <co id="co-ref"/></programlisting>
<callout arearefs="co-workaround">
<para>The <literal>Workaround</literal> field offers a
- feasible workaround to system administrators who may be
- incapable of upgrading the system. This may be due to
- time constraints, network availability, or a slew of
- other reasons. Regardless, security should not be taken
- lightly, and an affected system should either be patched
- or the security hole workaround should be
- implemented.</para>
+ workaround to system administrators who cannot
+ upgrade the system due to time constraints, network
+ availability, or other reasons. Security should not be
+ taken lightly, and an affected system should either be
+ patched or the workaround implemented.</para>
</callout>
<callout arearefs="co-solution">
<para>The <literal>Solution</literal> field offers
- instructions on patching the affected system. This is a
+ instructions for patching the affected system. This is a
step by step tested and verified method for getting a
system patched and working securely.</para>
</callout>
<callout arearefs="co-details">
<para>The <literal>Correction Details</literal> field
- displays the Subversion branch or release
- name with the periods changed to underscore characters.
- It also shows the revision number of the affected files
- within each branch.</para>
+ displays the Subversion branch or release name with the
+ periods changed to underscore characters. It also shows
+ the revision number of the affected files within each
+ branch.</para>
</callout>
<callout arearefs="co-ref">
@@ -4099,22 +3669,22 @@ VII. References <co id="co-ref"/></programlisting>
</indexterm>
<para>Process accounting is a security method in which an
- administrator may keep track of system resources used,
+ administrator may keep track of system resources used and
their allocation among users, provide for system monitoring,
and minimally track a user's commands.</para>
- <para>This indeed has its own positive and negative points. One
+ <para>This indeed has both positive and negative points. One
of the positives is that an intrusion may be narrowed down to
the point of entry. A negative is the amount of logs
generated by process accounting, and the disk space they may
- require. This section will walk an administrator through the
+ require. This section walks an administrator through the
basics of process accounting.</para>
<sect2>
<title>Enabling and Utilizing Process Accounting</title>
- <para>Before making use of process accounting, it must be
- enabled. To do this, execute the following commands:</para>
+ <para>Before using process accounting, it must be enabled using
+ the following commands:</para>
<screen>&prompt.root; <userinput>touch <filename>/var/account/acct</filename></userinput>
@@ -4122,31 +3692,142 @@ VII. References <co id="co-ref"/></programlisting>
&prompt.root; <userinput>echo 'accounting_enable="YES"' >> <filename>/etc/rc.conf</filename></userinput></screen>
- <para>Once enabled, accounting will begin to track
- <acronym>CPU</acronym> stats, commands, etc. All accounting
- logs are in a non-human readable format and may be viewed
- using the &man.sa.8; utility. If issued without any
- options, <command>sa</command> will print information
- relating to the number of per user calls, the total elapsed
- time in minutes, total <acronym>CPU</acronym> and user time
- in minutes, average number of I/O operations, etc.</para>
+ <para>Once enabled, accounting will begin to track information
+ such as <acronym>CPU</acronym> statistics and executed
+ commands. All accounting logs are in a non-human readable
+ format which can be viewed using &man.sa.8;. If issued
+ without any options, &man.sa.8; prints information relating to
+ the number of per-user calls, the total elapsed time in
+ minutes, total <acronym>CPU</acronym> and user time in
+ minutes, and the average number of I/O operations.</para>
- <para>To view information about commands being issued, one
- would use the &man.lastcomm.1; utility. The
- <command>lastcomm</command> command may be used to print out
- commands issued by users on specific &man.ttys.5;, for
- example:</para>
+ <para>To view information about commands being issued, use
+ &man.lastcomm.1;. This command displays the commands issued
+ by users on specific &man.ttys.5;. For example, this command
+ prints out all known usage of &man.ls.1; by
+ <username>trhodes</username> on the <literal>ttyp1</literal>
+ terminal:</para>
<screen>&prompt.root; <userinput>lastcomm ls
<username>trhodes</username> ttyp1</userinput></screen>
- <para>Would print out all known usage of the
- <command>ls</command> by <username>trhodes</username> on the
- <literal>ttyp1</literal> terminal.</para>
-
<para>Many other useful options exist and are explained in the
- &man.lastcomm.1;, &man.acct.5; and &man.sa.8; manual
- pages.</para>
+ &man.lastcomm.1;, &man.acct.5;, and &man.sa.8;.</para>
</sect2>
</sect1>
+
+ <sect1 id="security-resourcelimits">
+ <sect1info>
+ <authorgroup>
+ <author>
+ <firstname>Tom</firstname>
+ <surname>Rhodes</surname>
+ <contrib>Contributed by </contrib>
+ </author>
+ </authorgroup>
+ </sect1info>
+
+ <title>Resource Limits</title>
+
+ <indexterm>
+ <primary>Resource limits</primary>
+ </indexterm>
+
+ <para>For years, &os; has used a resource limits
+ database controlled through a flat file,
+ <filename>/etc/login.conf</filename>. While it has
+ been discussed previously and is still supported, it
+ is not the most optimal method of controlling resources.
+ The flat file requires users to be divided into various
+ group labels known as classes, which require changes not
+ only to this flat file but also the password database.
+ Potentially a single, more constrained user would require
+ an additional label added, the resource database needs to be
+ built using <command>cap_mkdb</command>, edits made to
+ the <filename>/etc/master.passwd</filename> file. In
+ addition, the password database must be rebuilt using
+ <command>pwd_mkdb</command>. This multi-step process could be
+ very time consuming depending on how many users must be
+ singled out.</para>
+
+ <para>A new command in &os;, &man.rctl.8;, allows for a more
+ fine grained method of controlling resources limits for
+ users. This command will support much more than users,
+ it will also set resource constraints on processes, jails,
+ and the original login class. These advanced features
+ provide administrators and users with methods to control
+ resources through the command line and set rules on
+ system initialization using a configuration
+ file.</para>
+
+ <para>To enable this feature, add these lines to
+ <filename>GENERIC</filename>, or the custom kernel
+ configuration file, and rebuild.:</para>
+
+ <programlisting>options RACCT
+options RCTL</programlisting>
+
+ <para>The entire system will need rebuilt. See <xref
+ linkend="kernelconfig"/>, which will provide instructions for
+ the process. Once this is complete, the <command>rctl</command>
+ may be used to set rules for the system.</para>
+
+ <para>Rule syntax is simple, controlled through the use of
+ a <emphasis>subject</emphasis>, a <emphasis>subject-id</emphasis>,
+ <emphasis>resource</emphasis>, and <emphasis>action</emphasis>.
+ Take the following example rule:</para>
+
+ <programlisting>user:trhodes:<literal>maxproc</literal>:<literal>deny</literal>=10/user</programlisting>
+
+ <para>This rule shows a basic premise of a rule, here the
+ subject is <literal>user</literal> and the subject-id
+ is <literal>trhodes</literal>. The maxproc is, of course,
+ max number of processes, which is considered the action.
+ The action here is set to <literal>deny</literal>, which blocks
+ any new processes from being created. In the previous example,
+ the user, <literal>trhodes</literal> will be constrained
+ to <literal>10</literal> (ten) processes and no greater.
+ Other actions are available and could be log to the console,
+ pass a notification to &man.devd.8;, or
+ send a sigterm to the process.</para>
+
+ <para>Some care must be taken while adding rules. The one above
+ will unfortunately block my user from doing the most simple tasks
+ after I have logged in and executed a <command>screen</command>
+ session. When a resource limit has been hit, an error will
+ be printed, as in this example:</para>
+
+ <screen>&prompt.user; <userinput>man test</userinput>
+ /usr/bin/man: Cannot fork: Resource temporarily unavailable
+eval: Cannot fork: Resource temporarily unavailable</screen>
+
+ <para>For another example, &man.rctl.8; can be used to prevent
+ a jail from exceeding a memory limit. This rule could be
+ written as:</para>
+
+ <screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
+
+ <para>Rules may also persist across reboots if they have been
+ added to <filename>/etc/rctl.conf</filename> file. The
+ format is a rule, without the preceding command. For example,
+ the previous rule could be added like the following:</para>
+
+ <programlisting># Block jail from using more than 2G memory:
+jail:httpd:memoryuse:deny=2G/jail</programlisting>
+
+ <para>To remove a rule, just ask <command>rctl</command> to
+ remove it from the list:</para>
+
+ <screen>&prompt.root; <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput></screen>
+
+ <para>The manual page shows a method for removing all rules;
+ however, if removing all rules for a single user is required,
+ this command may be issued:</para>
+
+ <screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>
+
+ <para>Many other resources exist which can be used to excert
+ additional control over various <literal>subjects</literal>.
+ See &man.rctl.8; to learn about them.</para>
+ </sect1>
</chapter>
diff --git a/en_US.ISO8859-1/books/handbook/users/chapter.xml b/en_US.ISO8859-1/books/handbook/users/chapter.xml
index c6be01a81e..4ac3616b48 100644
--- a/en_US.ISO8859-1/books/handbook/users/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/users/chapter.xml
@@ -1034,4 +1034,49 @@ uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen>
<filename>/etc/group</filename>, refer to &man.pw.8; and
&man.group.5;.</para>
</sect1>
+
+ <sect1 id="users-becomesuper">
+ <title>Becoming Superuser</title>
+
+ <para>There are several ways to do things as the superuser. The
+ worst way is to log in as <username>root</username> directly.
+ Usually very little activity requires <username>root</username>
+ so logging off and logging in as <username>root</username>,
+ performing tasks, then logging off and on again as a normal user
+ is a waste of time.</para>
+
+ <para>A better way is to use &man.su.1; without providing a login
+ but using <literal>-</literal> to inherit the root environment.
+ Not providing a login will imply super user. For this to work
+ the login that must be in the <groupname>wheel</groupname> group.
+ An example of a typical software installation would involve the
+ administrator unpacking the software as a normal user and then
+ elevating their privileges for the build and installation of
+ the software.</para>
+
+ <example>
+ <title>Install a Program As The Superuser</title>
+
+ <screen>&prompt.user; <userinput>configure</userinput>
+&prompt.user; <userinput>make</userinput>
+&prompt.user; <userinput>su -</userinput>
+Password:
+&prompt.root; <userinput>make install</userinput>
+&prompt.root; <userinput>exit</userinput>
+&prompt.user;</screen>
+ </example>
+
+ <para>Note in this example the transition to
+ <username>root</username> is less painful than logging off
+ and back on twice.</para>
+
+ <para>Using &man.su.1; works well for single systems or small
+ networks with just one system administrator. For more complex
+ environments (or even for these simple environments)
+ <command>sudo</command> should be used. It is provided as a port,
+ <filename role="package">security/sudo</filename>. It allows for
+ things like activity logging, granting users the ability to only
+ run certain commands as the superuser, and several other
+ options.</para>
+ </sect1>
</chapter>