FreeBSD configuration files
One of the outstanding things about UNIX is that all system configuration information is stored in text files, usually in the directory /etc or its subdirectories. Some people consider this method primitive by comparison with a flashy GUI configuration editor or a ‘‘registry,’’ but it has significant advantages. In particular, you see the exact system configuration. With a GUI editor, the real configuration is usually stored in a format that you can’t read, and even when you can, it’s undocumented. Also, you can see more of the configuration at a time: a GUI editor usually presents you with only small parts of the configuration, and it’s difficult to see the relationships (‘‘standing outside and looking in through a window’’).
In the Microsoft world, one of the most common methods of problem resolution is to reinstall the system. This is a declaration of bankruptcy: it’s very slow, you’re liable to cause other problems on the way, and you never find out what the problem was. If you have problems with your FreeBSD system configuration, don’t reinstall the system. Take a look at the configuration files, and there’s a good chance that you’ll find the problem there.
Many configuration files are the same across all versions of UNIX. This chapter touches on them briefly, but in many cases you can get additional information in books such as the UNIX System Administration Handbook, by Evi Nemeth, Garth Snyder, Scott Seebass, and Trent R. Hein. In all cases, you can get more information from section 5 of the man pages.
In the following section, we’ll first look at /etc/rc.conf, the main configuration file. We’ll look at the remaining configuration files on page 559.
configfiles.mm,v v4.16 (2003/04/02 04:41:37) 545
/etc/rc.conf is the main system configuration file. In older releases of FreeBSD, this file was called /etc/sysconfig.
/etc/rc.conf is a shell script that is intended to be the one file that defines the configuration of your system—that is to say, what the system needs to do when it starts up. It’s not quite that simple, but nearly all site-dependent information is stored here. We’ll walk through the version that was current at the time of writing. The files will change as time goes on, but most of the information will remain relevant.
/etc/rc.conf is completely your work. When you install the system, there is no such file: you create it, usually implicitly with the aid of sysinstall. The system supplies a script /etc/defaults/rc.conf that contains default values for everything you might put in /etc/rc.conf, and which the other configuration files read to get their definitions. When the system starts, it first reads /etc/defaults/rc.conf. Commands at the end of this file check for the existence of the file /etc/rc.conf and read it in if they find it, so that the definitions in /etc/rc.conf override the defaults in /etc/defaults/rc.conf. This makes it easier to upgrade: just change the file with the defaults, and leave the site-specific configuration alone. You may still need to change some things, but it’ll be a lot easier.
In this section we’ll walk through /etc/defaults/rc.conf. As we do, we’ll build up two different /etc/rc.conf files, one for a server and one for a laptop connected with an 802.11b wireless card. To avoid too much confusion, I show the text that goes into /etc/rc.conf in constant width bold font, whereas the text in /etc/defaults/rc.conf is in constant width font.
#!/bin/sh
#
# This is rc.conf - a file full of useful variables that you can set
# to change the default startup behavior of your system. You should
# not edit this file! Put any overrides into one of the ${rc_conf_files}
# instead and you will be able to update these defaults later without
# spamming your local configuration information.
#
# The ${rc_conf_files} files should only contain values which override
# values set in this file. This eases the upgrade path when defaults
# are changed and new features are added.
#
# All arguments must be in double or single quotes.
#
# $FreeBSD: src/etc/defaults/rc.conf,v 1.159 2002/09/05 20:14:40 gordon Exp $
The claim that all arguments must be in double or single quotes is incorrect. Both this file and /etc/rc.conf are Bourne shell scripts, and you only need quotes if the values you include contain spaces. It’s a good idea to stick to this convention, though, in case the representation changes.
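As an added illustration of the override mechanism described above and of the quoting rule (this is example code written for this edition, not part of the book or of FreeBSD’s own startup scripts): a constructed, abbreviated stand-in for /etc/defaults/rc.conf and a constructed site file are written to a temporary directory. The defaults file ends with the same read-the-override-files loop as the real one, and a helper reports each variable’s effective value. The file names, the handful of variables and the directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): a miniature of the defaults/override
# mechanism. A constructed stand-in for /etc/defaults/rc.conf sets defaults
# and then, like the real file, reads the files named in ${rc_conf_files},
# so the site-specific assignments win. Everything lives in a temp dir.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed defaults file. The loop at the end mirrors the one at the end
# of the real /etc/defaults/rc.conf; $WORK is substituted now, the rest is
# escaped so that the loop is evaluated when the file is sourced.
cat > "$WORK/defaults_rc.conf" <<EOF
rc_conf_files="$WORK/rc.conf $WORK/rc.conf.local"
hostname=""
sshd_enable="NO"
firewall_enable="NO"
local_startup="/usr/local/etc/rc.d /usr/X11R6/etc/rc.d"
for i in \${rc_conf_files}; do
    if [ -r \$i ]; then
        . \$i
    fi
done
EOF

# Constructed site file, in the spirit of the entries the chapter builds
# up for gw. Only overrides go here; everything else comes from the defaults.
cat > "$WORK/rc.conf" <<'EOF'
hostname="gw.example.org"
sshd_enable="YES"
EOF

# Effective value of one variable: source the defaults (which pull in
# rc.conf) in a subshell, so the caller's environment is untouched.
effective() {
    ( set +e; . "$WORK/defaults_rc.conf"; eval "printf '%s' \"\$$1\"" )
}

# Why the defaults file insists on quotes: without them, a value containing
# a space is parsed as a one-word assignment followed by a command to run,
# so the variable is never set in the sourcing shell.
unquoted_value() {
    printf '%s\n' 'local_startup=/usr/local/etc/rc.d /usr/X11R6/etc/rc.d' \
        > "$WORK/bad.conf"
    ( set +e; . "$WORK/bad.conf" 2>/dev/null; printf '%s' "${local_startup:-unset}" )
}

for v in hostname sshd_enable firewall_enable local_startup; do
    printf '%-16s %s\n' "$v" "$(effective "$v")"
done
printf 'unquoted local_startup -> %s\n' "$(unquoted_value)"
```

Because `effective` sources the files in a subshell, the demonstration cannot alter the calling shell’s variables; that is also why the unquoted assignment leaves local_startup unset rather than half-set.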
Note the version information on the previous line (1.159). Your /etc/defaults/rc.conf will almost certainly have a different revision. If you have a CVS repository on line (see Chapter 31), you can see what is changed with the following commands:
rc_ng="YES" # Set to NO to disable new-style rc scripts.
rc_info="YES" # Enables display of informational messages at boot
rcshutdown_timeout="30" # Seconds to wait before terminating rc.shutdown
FreeBSD Release 5 has a new method of system startup, called RCng (run commands, next generation). This method was originally introduced in NetBSD. Don’t change these values unless you know exactly what you are doing. If you make a mistake, you may find it impossible to start the system.
swapfile="NO" # Set to name of swapfile if aux swapfile desired.
Normally you set up entries for swap partitions in /etc/fstab. This entry refers only to swapping on files, not partitions. It requires the md driver, which we looked at on page 245.
apm_enable="NO" # Set to YES to enable APM BIOS functions (or NO)
apmd_enable="NO" # Run apmd to handle APM event from userland
apmd_flags="" # Flags to apmd (if enabled).
These parameters cover APM, Advanced Power Management.
devd_enable="NO" # Run devd, to trigger programs on device tree changes
pccard_enable="NO" # Set to YES if you want to configure PCCARD devices
pccard_mem="DEFAULT" # If pccard_enable=YES, this is card memory address.
pccard_beep="2" # pccard beep type.
pccard_ifconfig="NO" # Specialized pccard ethernet configuration (or NO).
pccardd_flags="-z" # Additional flags for pccardd.
pccard_conf="/etc/defaults/pccard.conf" # pccardd(8) config file
pccard_ether_delay="5" # Delay before trying to start dhclient in pccard_ether
These parameters control devd, the device daemon used primarily for hot-pluggable devices such as USB and PC Card, and pccardd, the daemon for the old PC Card code. See page 159 for more details of devd, and page 161 for a brief description of pccardd and the old PC Card code.
If you’re running PC Card devices, you would start devd. That’s what we put in the /etc/rc.conf for andante:
devd_enable="YES"
Next comes a list of directories that are searched for startup scripts:
local_startup="/usr/local/etc/rc.d /usr/X11R6/etc/rc.d" # startup script dirs
script_name_sep=" " # Change if startup scripts’ names contain spaces
If you come from a System V background, you would expect to find these scripts in directories such as /etc/rc2.d.
fsck_y_enable="NO" # Set to YES to fsck -y if the initial preen fails
background_fsck="YES" # Attempt to run fsck in the background
extra_netfs_types="NO" # List of network extra filesystem types for delayed
# mount at startup (or NO).
On system startup, the system checks the integrity of all file systems. It does this in a number of steps:
• First, it checks the superblock, the key to the file system, to see whether it was unmounted before the system stopped. If so, it assumes that the file systems are consistent and continues with the startup.
• If any file system was not unmounted, the system probably crashed or was turned off without proper shutdown. The file system could contain inconsistent data, so the startup scripts run fsck against the file system.
• If you’re running with soft updates and checkpointing, you may be able to perform the fsck in the background, in other words in parallel with other activities. If you have a good reason, you can inhibit this behaviour by setting background_fsck to NO.
• If the file system is badly damaged, the ‘‘standard strength’’ fsck may not be able to recover the file system. In this case, the normal action is to drop into single-user mode and let a human take a look at it.
The usual first action of the human is to run fsck with the -y option, meaning ‘‘answer yes to all questions from fsck.’’ If you set fsck_y_enable to YES, the startup scripts will perform this task for you. It’s still possible that the check will fail, so this is not enough to ensure that you will always pass fsck, but it helps.
##############################################################
### Network configuration sub-section ######################
##############################################################
### Basic network and firewall/security options: ###
hostname="" # Set this!
hostname is the fully qualified name of the host. Always set it in /etc/rc.conf. See page 302 for more details. In our /etc/rc.conf we’ll put:
hostname="gw.example.org"
hostname="andante.example.org"
Continuing in /etc/defaults/rc.conf,
nisdomainname="NO" # Set to NIS domain if using NIS (or NO).
If you’re using Sun’s NIS, set this. We don’t discuss NIS in this book.
dhcp_program="/sbin/dhclient" # Path to dhcp client program.
dhcp_flags="" # Additional flags to pass to dhcp client.
These are the settings for the DHCP client, dhclient. Normally you won’t need to change them. We talked about DHCP on page 302.
firewall_enable="NO" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="NO" # Set to YES to enable events logging
Parameters for the ipfw firewall. See page 389, where we set the following flags in the /etc/rc.conf for gw:
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_type="client" # Firewall type (see /etc/rc.firewall)
You don’t normally run firewalls on laptops, though there’s no technical reason why not. The problem with firewalls on laptops is that the configuration files are dependent on where the system is located, which makes it a pain for systems that frequently change locations. As a result, we won’t add any firewall parameters to the /etc/rc.conf for andante.
ip_portrange_first="NO" # Set first dynamically allocated port
ip_portrange_last="NO" # Set last dynamically allocated port
These values are used to set the numbers of ports that are dynamically allocated. Normally they won’t need changing.
ipsec_enable="NO" # Set to YES to run setkey on ipsec_file
ipsec_file="/etc/ipsec.conf" # Name of config file for setkey
Parameters for IPSec. We don’t discuss IPSec in this book.
natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="NO" # Enable natd (if firewall_enable == YES).
natd_interface="" # Public interface or IPaddress to use.
natd_flags="" # Additional flags for natd.
Parameters for natd. See page 394 for more details. In the example there, we’ll add these lines to gw’s /etc/rc.conf:
firewall_enable=YES
gateway_enable="YES" # Set to YES if this host is a gateway.
natd_enable="YES"
natd_interface="dc0"
firewall_script="/etc/rc.nat" # script for NAT only
firewall_type="client" # firewall type if running a firewall
Continuing with /etc/defaults/rc.conf,
ipfilter_enable="NO" # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf" # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
# /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags="" # additional flags for ipfilter
ipnat_enable="NO" # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat" # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
ipnat_flags="" # additional flags for ipnat
ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
ipfs_enable="NO" # Set to YES to enable saving and restoring
# of state tables at shutdown and boot
ipfs_program="/sbin/ipfs" # where the ipfs program lives
ipfs_flags="" # additional flags for ipfs
These entries define defaults for ipfilter, another firewall package, ipnat, another NAT package, ipmon, an IP monitor package, and ipfs, a utility for saving the state tables of ipfilter and ipnat. We don’t discuss any of them in this book.
tcp_extensions="NO" # Disallow RFC1323 extensions (or YES).
log_in_vain="0" # >=1 to log connects to ports w/o listeners
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
# For the following option you need to have TCP_DROP_SYNFIN set in your
# kernel. Please refer to LINT and NOTES for details.
tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
# NOTE: this violates the TCP specification
icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets
icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
These are some of the more obscure IP configuration variables You can find more about
them in tcp(4) and icmp(4).
network_interfaces="auto" # List of network interfaces (or "auto").
cloned_interfaces="" # List of cloned network interfaces to create.
#cloned_interfaces="gif0 gif1 gif2 gif3" # Pre-cloning GENERIC config.
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
#ifconfig_ed0_ipx="ipx 0x00010010" # Sample IPX address family entry.
In previous releases of FreeBSD, you had to set network_interfaces to a list of the interfaces on the machine. Nowadays the value auto enables the startup scripts to find them by themselves, so you don’t need to change this variable. You still need to set the interface addresses, of course. For gw, we add the following entry to /etc/rc.conf:
ifconfig_ed0="inet 223.147.37.5 netmask 255.255.255.0"
We don’t need to do anything here for andante: its Ethernet interface is a PC Card card. We looked at that on page 304.
If you’re using DHCP, you don’t have an address to specify, of course. You still need to tell the startup scripts to use DHCP, however. Do it like this:
ifconfig_ed0="DHCP"
Continuing,
# If you have any sppp(4) interfaces above, you might also want to set
# the following parameters. Refer to spppcontrol(8) for their meaning.
sppp_interfaces="" # List of sppp interfaces.
#sppp_interfaces="isp0" # example: sppp over ISDN
#spppconfig_isp0="authproto=chap myauthname=foo myauthsecret=’top secret’ hisauthname=some-gw hisauthsecret=’another secret’"
gif_interfaces="NO" # List of GIF tunnels (or "NO").
#gif_interfaces="gif0 gif1" # Examples typically for a router.
# Choose correct tunnel addrs.
#gifconfig_gif0="10.1.1.1 10.1.2.1" # Examples typically for a router.
#gifconfig_gif1="10.1.1.2 10.1.2.2" # Examples typically for a router.
These are parameters for the sppp implementation for isdn4bsd and the Generic Tunnel Interface, neither of which we discuss here. See the man pages sppp(4) and gif(4) for more details.
# User ppp configuration.
ppp_enable="NO" # Start user-ppp (or NO).
ppp_mode="auto" # Choice of "auto", "ddial", "direct" or "dedicated".
# For details see man page for ppp(8). Default is auto
ppp_nat="YES" # Use PPP’s internal network address translation or NO
ppp_profile="papchap" # Which profile to use from /etc/ppp/ppp.conf.
ppp_user="root" # Which user to run ppp as
These parameters relate to running user PPP, which we discussed in Chapter 20, on page 348.
### Network daemon (miscellaneous) ###
syslogd_enable="YES" # Run syslog daemon (or NO).
syslogd_program="/usr/sbin/syslogd" # path to syslogd, if you want a different one
syslogd_flags="-s" # Flags to syslogd (if enabled).
#syslogd_flags="-ss" # Syslogd flags to not bind an inet socket
You should always run syslogd unless you have a very good reason not to. In previous releases of FreeBSD, syslogd_flags was empty, but security concerns have changed that, and now by default syslogd is started with the -s flag, which stops syslogd from accepting remote messages. If you specify the -ss flag, as suggested in the comment, you will also not be able to log to remote systems.
Sometimes it’s very useful to log to a remote system. For example, you might want all systems in example.org to log to gw. That way you get one set of log files for the entire network. To do this, you would add the following line at the beginning of /etc/syslog.conf on each machine:
We looked at inetd on page 446. Normally you will want to have it enabled, but you won’t need to change the flags. Add this line to the /etc/rc.conf for both gw and andante:
inetd_enable="YES"
Continuing, we see:
named_enable="NO" # Run named, the DNS server (or NO).
named_program="/usr/sbin/named" # path to named, if you want a different one.
#named_flags="-u bind -g bind" # Flags for named
These parameters specify whether we should run the name server, and what flags we should use if we do. See page 366 for more details. Previous versions of named required a flag to specify the location of the configuration file, but the location FreeBSD uses has now become the standard, so we no longer need to specify any flags. All we put in /etc/rc.conf for gw is:
named_enable="YES" # Run named, the DNS server (or NO).
Continuing with /etc/defaults/rc.conf,
kerberos4_server_enable="NO" # Run a kerberos IV master server (or NO)
kerberos4_server="/usr/sbin/kerberos" # path to kerberos IV KDC
kadmind4_server_enable="NO" # Run kadmind (or NO)
kadmind4_server="/usr/sbin/kadmind" # path to kerberos IV admin daemon
kerberos5_server_enable="NO" # Run a kerberos 5 master server (or NO)
kerberos5_server="/usr/libexec/kdc" # path to kerberos 5 KDC
kadmind5_server_enable="NO" # Run kadmind (or NO)
kadmind5_server="/usr/libexec/k5admind" # path to kerberos 5 admin daemon
kerberos_stash="NO" # Is the kerberos master key stashed?
Set these if you want to run Kerberos. We don’t discuss Kerberos in this book.
rwhod_enable="NO" # Run the rwho daemon (or NO).
rwhod_flags="" # Flags for rwhod
Set this if you want to run the rwhod daemon, which broadcasts information about the system load.
rarpd_enable="NO" # Run rarpd (or NO).
rarpd_flags="" # Flags to rarpd.
bootparamd_enable="NO" # Run bootparamd (or NO).
bootparamd_flags="" # Flags to bootparamd
xtend_enable="NO" # Run the X-10 power controller daemon.
xtend_flags="" # Flags to xtend (if enabled).
These entries relate to the rarpd, bootparamd and X-10 daemons, which we don’t discuss in this book. See the respective man pages.
pppoed_enable="NO" # Run the PPP over Ethernet daemon.
pppoed_provider="*" # Provider and ppp(8) config file entry.
pppoed_flags="-P /var/run/pppoed.pid" # Flags to pppoed (if enabled).
pppoed_interface="fxp0" # The interface that pppoed runs on.
pppoed is the PPP Over Ethernet daemon We discussed it briefly on page 348.
sshd_enable="NO" # Enable sshd
sshd_program="/usr/sbin/sshd" # path to sshd, if you want a different one.
sshd_flags="" # Additional flags for sshd.
sshd is the Secure Shell daemon, which we talked about on page 451. You don’t need to change anything here to run ssh, but if you want to connect to this system with ssh, you’ll need to run sshd. In gw’s /etc/rc.conf we put:
sshd_enable="YES"
Next, we see:
amd_enable="NO" # Run amd service with $amd_flags (or NO).
amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"
amd_map_program="NO" # Can be set to "ypcat -k amd.master"
These entries relate to the automounter, which we don’t discuss in this book. See amd(8) for details.
nfs_client_enable="NO" # This host is an NFS client (or NO).
nfs_access_cache="2" # Client cache timeout in seconds
nfs_server_enable="NO" # This host is an NFS server (or NO).
nfs_server_flags="-u -t -n 4" # Flags to nfsd (if enabled).
mountd_enable="NO" # Run mountd (or NO).
mountd_flags="-r" # Flags to mountd (if NFS server enabled).
weak_mountd_authentication="NO" # Allow non-root mount requests to be served
nfs_reserved_port_only="NO" # Provide NFS only on secure port (or NO).
nfs_bufpackets="DEFAULT" # bufspace (in packets) for client (or DEFAULT)
rpc_lockd_enable="NO" # Run NFS rpc.lockd needed for client/server
rpc_statd_enable="NO" # Run NFS rpc.statd needed for client/server
rpcbind_enable="NO" # Run the portmapper service (YES/NO).
rpcbind_program="/usr/sbin/rpcbind" # path to rpcbind, if you want a different one
rpcbind_flags="" # Flags to rpcbind (if enabled).
rpc_ypupdated_enable="NO" # Run if NIS master and SecureRPC (or NO).
Flags for NFS. Some of these have changed from previous releases of FreeBSD. In particular, single_mountd_enable is now called mountd_enable, and portmap has been replaced by rpcbind, so portmap_enable is now called rpcbind_enable, portmap_program is now called rpcbind_program and portmap_flags is now called rpcbind_flags. See page 438. We set the following values in /etc/rc.conf for gw:
nfs_client_enable="YES" # This host is an NFS client (or NO).
nfs_server_enable="YES" # This host is an NFS server (or NO).
For andante, we enable only the client (the first line). Next, we see:
keyserv_enable="NO" # Run the SecureRPC keyserver (or NO).
keyserv_flags="" # Flags to keyserv (if enabled).
These entries refer to the Secure RPC key server, which we don’t discuss in this book. See the man page keyserv(8) for more details.
### Network Time Services options: ###
timed_enable="NO" # Run the time daemon (or NO).
timed_flags="" # Flags to timed (if enabled).
ntpdate_enable="NO" # Run ntpdate to sync time on boot (or NO).
ntpdate_program="/usr/sbin/ntpdate" # path to ntpdate, if you want a different one
ntpdate_flags="-b" # Flags to ntpdate (if enabled).
ntpd_enable="NO" # Run ntpd Network Time Protocol (or NO).
ntpd_program="/usr/sbin/ntpd" # path to ntpd, if you want a different one.
ntpd_flags="-p /var/run/ntpd.pid" # Flags to ntpd (if enabled).
timed, ntpdate and ntpd are three different ways of synchronizing your machine with the current date and time. As we saw on page 155, we’ll use ntpd. We add the following line to /etc/rc.conf for each system:
ntpd_enable="YES" # Run ntpd Network Time Protocol (or NO).
Continuing with /etc/defaults/rc.conf,
# Network Information Services (NIS) options: All need rpcbind_enable="YES" ###
nis_client_enable="NO" # We’re an NIS client (or NO).
nis_client_flags="" # Flags to ypbind (if enabled).
nis_ypset_enable="NO" # Run ypset at boot time (or NO).
nis_ypset_flags="" # Flags to ypset (if enabled).
nis_server_enable="NO" # We’re an NIS server (or NO).
nis_server_flags="" # Flags to ypserv (if enabled).
nis_ypxfrd_enable="NO" # Run rpc.ypxfrd at boot time (or NO).
nis_ypxfrd_flags="" # Flags to rpc.ypxfrd (if enabled).
nis_yppasswdd_enable="NO" # Run rpc.yppasswdd at boot time (or NO).
nis_yppasswdd_flags="" # Flags to rpc.yppasswdd (if enabled).
More parameters for configuring NIS. As mentioned above, this book does not deal with NIS.
### Network routing options: ###
defaultrouter="NO" # Set to default gateway (or NO).
static_routes="" # Set to static route list (or leave empty).
gateway_enable="NO" # Set to YES if this host will be a gateway.
See page 310 for more information on routing. On gw we add the following lines to /etc/rc.conf:
defaultrouter="139.130.136.133" # Set to default gateway (or NO).
gateway_enable="YES" # Set to YES if this host will be a gateway.
andante gets its routing information from DHCP, so we don’t need to do anything here.
router_enable="NO" # Set to YES to enable a routing daemon.
router="/sbin/routed" # Name of routing daemon to use if enabled.
router_flags="-q" # Flags for routing daemon.
mrouted_enable="NO" # Do multicast routing (see /etc/mrouted.conf)
mrouted_flags="" # Flags for multicast routing daemon.
These parameters relate to the routing daemons routed and mrouted. In the configurations we considered, you don’t need them.
ipxgateway_enable="NO" # Set to YES to enable IPX routing.
ipxrouted_enable="NO" # Set to YES to run the IPX routing daemon.
ipxrouted_flags="" # Flags for IPX routing daemon.
IPX is a Novell proprietary networking protocol designed to be similar to IP. FreeBSD supplies the daemon IPXrouted (note the capitalization), which handles IPX routing tables. See the man page IPXrouted(8) for further details.
arpproxy_all="NO" # replaces obsolete kernel option ARP_PROXYALL
forward_sourceroute="NO" # do source routing
accept_sourceroute="NO" # accept source routed packets to us
### ATM interface options: ###
atm_enable="NO" # Configure ATM interfaces (or NO).
#atm_netif_hea0="atm 1" # Network interfaces for physical interface.
#atm_sigmgr_hea0="uni31" # Signalling manager for physical interface.
#atm_prefix_hea0="ILMI" # NSAP prefix (UNI interfaces only) (or ILMI).
#atm_macaddr_hea0="NO" # Override physical MAC address (or NO).
#atm_arpserver_atm0="0x47.0005.80.999999.9999.9999.9999.999999999999.00"
#atm_scsparp_atm0="NO" # Run SCSP/ATMARP on network interface (or NO)
atm_pvcs="" # Set to PVC list (or leave empty).
atm_arps="" # Set to permanent ARP list (or leave empty).
### ISDN interface options: (see also: /usr/share/examples/isdn) ###
isdn_enable="NO" # Enable the ISDN subsystem (or NO).
isdn_fsdev="NO" # Output device for fullscreen mode
isdn_flags="-dn -d0x1f9" # Flags for isdnd
isdn_ttype="cons25" # terminal type for fullscreen mode
isdn_screenflags="NO" # screenflags for ${isdn_fsdev}
isdn_trace="NO" # Enable the ISDN trace subsystem (or NO).
isdn_traceflags="-f /var/tmp/isdntrace0" # Flags for isdntrace
A few miscellaneous IP options and parameters for ATM and ISDN. This book doesn’t discuss any of them.
### Miscellaneous network options: ###
icmp_bmcastecho="NO" # respond to broadcast ping packets
This parameter relates to the so-called smurf ‘‘denial of service’’ attack: according to the RFCs, a machine should respond to a ping to its broadcast address. But what happens if somebody pings a remote network’s broadcast address across the Internet, as fast as he can? Each system on the remote network will reply, completely overloading the outgoing Internet interface. Yes, this is silly, but there are silly people out there. If you leave this parameter as it is, your system will not be vulnerable. See http://www.cert.org/advisories/CA-98.01.smurf.html for more details.
Next come a large number of options for IPv6, the new Internet protocol standard. This book doesn’t deal with IPv6, and they’re liable to change, so they’re not printed here. Next, we find:
##############################################################
### System console options #################################
##############################################################
keymap="NO" # keymap in /usr/share/syscons/keymaps/*
keyrate="NO" # keyboard rate to: slow, normal, fast
keybell="NO" # bell to duration.pitch or normal or visual
keychange="NO" # function keys default values
cursor="NO" # cursor type {normal|blink|destructive}
scrnmap="NO" # screen map in /usr/share/syscons/scrnmaps/*
font8x16="NO" # font 8x16 from /usr/share/syscons/fonts/*
font8x14="NO" # font 8x14 from /usr/share/syscons/fonts/*
font8x8="NO" # font 8x8 from /usr/share/syscons/fonts/*
blanktime="300" # blank time (in seconds) or "NO" to turn it off
saver="NO" # screen saver: Uses /boot/kernel/${saver}_saver.ko
These parameters describe the use of alternate keyboard mappings when using the standard character-based terminals only. See the files in /usr/share/syscons/keymaps for key map files, and /usr/share/syscons/fonts for alternate fonts. These parameters have no effect on the X-based displays that this book assumes. You can enable a screen saver by setting the variable saver to YES.
moused_enable="NO" # Run the mouse daemon.
moused_type="auto" # See man page for available settings.
moused_port="/dev/psm0" # Set to your mouse port.
moused_flags="" # Any additional flags to moused.
mousechar_start="NO" # if 0xd0-0xd3 default range is occuped in your
# language code table, specify alternative range
# start like mousechar_start=3, see vidcontrol(1)
allscreens_flags="" # Set this vidcontrol mode for all virtual screens
allscreens_kbdflags="" # Set this kbdcontrol mode for all virtual screens
Parameters for moused, a mouse driver for the character-based terminals, and global flags for virtual screens. If you’re using an X server, you should run moused. On andante, we add this line to /etc/rc.conf:
moused_enable="YES"
Next follow some definitions for the alternative console driver pcvt, which we don’t look
at here, followed by a section describing the mail configuration:
##############################################################
### Mail Transfer Agent (MTA) options ######################
##############################################################
mta_start_script="/etc/rc.sendmail"
# Script to start your chosen MTA
# Settings for /etc/rc.sendmail:
sendmail_enable="NO" # Run the sendmail inbound daemon (YES/NO).
sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
# Flags for localhost-only MTA
sendmail_outbound_enable="YES" # Dequeue stuck mail (YES/NO).
sendmail_outbound_flags="-L sm-queue -q30m" # Flags to sendmail (outbound only)
sendmail_msp_queue_enable="YES" # Dequeue stuck clientmqueue mail (YES/NO).
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q30m"
# Flags for sendmail_msp_queue daemon.
Since FreeBSD Release 5, the sendmail MTA is no longer enabled by default. If you have been running sendmail on an older release of FreeBSD, you must add an entry to /etc/rc.conf to keep it running.
##############################################################
### Miscellaneous administrative options ###################
##############################################################
cron_enable="YES" # Run the periodic job daemon.
cron_program="/usr/sbin/cron" # Which cron executable to run (if enabled).
cron_flags="" # Which options to pass to the cron daemon.
Run cron, the daemon responsible for running things at specific times. See page 151 for a description of cron. Leave this enabled unless you have a good reason not to.
lpd_enable="NO" # Run the line printer daemon.
lpd_program="/usr/sbin/lpd" # path to lpd, if you want a different one.
lpd_flags="" # Flags to lpd (if enabled).
See page 263 for a discussion of printing. In older releases of FreeBSD, lpd_enable was set to YES. Now, to run lpd, we need to put the following line in /etc/rc.conf for both gw and adagio:
lpd_enable="YES" # Run the line printer daemon.
Next, we see:
usbd_enable="NO" # Run the usbd daemon.
usbd_flags="" # Flags to usbd (if enabled).
Run usbd, the Universal Serial Bus or USB daemon See the man pages usbd(8) and usb(4) for more information.
dumpdev="NO" # Device name to crashdump to (if enabled).
dumpdir="/var/crash" # Directory where crash dumps are to be stored
savecore_flags="" # Used if dumpdev is enabled above, and present.
These parameters specify how to take dumps when the system panics. See page 83 for details. As mentioned there, it is preferable to set this value in /boot/loader.conf: that way you can still get a dump if your system panics before reading /etc/rc.conf, so we don’t change anything here.
Continuing with /etc/defaults/rc.conf,
enable_quotas="NO" # turn on quotas on startup
check_quotas="YES" # Check quotas on startup
accounting_enable="NO" # Turn on process accounting
ibcs2_enable="NO" # Ibcs2 (SCO) emulation loaded at startup
ibcs2_loaders="coff" # List of additional Ibcs2 loaders
sysvipc_enable="NO" # Load System V IPC primitives at startup
linux_enable="NO" # Linux binary compatibility loaded at startup
svr4_enable="NO" # SysVR4 emulation loaded at startup
osf1_enable="NO" # Alpha OSF/1 emulation loaded at startup
We don’t discuss quotas or accounting in this book. We looked at the parameters ibcs2_enable on page 164 and linux_enable on page 163. We also don’t discuss System V and OSF-1 emulation.
clear_tmp_enable="NO" # Clear /tmp at startup.
In the old days, the startup sequence automatically deleted everything in the file system /tmp. Sometimes this wasn’t desirable, so now it’s your choice. Change this value to YES if you want the old behaviour.
Note that if you use a /tmp based on MFS (memory file system), this variable has no effect. The contents of MFS file systems disappear on reboot.
ldconfig_insecure="NO" # Set to YES to disable ldconfig security checks
ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib"
# shared library search paths
ldconfig_paths_aout="/usr/lib/compat/aout /usr/X11R6/lib/aout /usr/local/lib/aout"
# a.out shared library search paths
ldconfig maintains the dynamic library cache required for finding libraries when starting most processes. Potentially this can be a security issue, and ldconfig makes a number of security checks before accepting libraries. If you really want to, you can disable these checks by setting ldconfig_insecure. The two other variables are lists of the directories that are searched to find ELF and a.out dynamic libraries, respectively. See page 628 for more details. You would normally not remove anything from these lists, but you might want to add something.
kern_securelevel_enable="NO" # kernel security level (see init(8)),
kern_securelevel="-1" # range: -1 3 ; ‘-1’ is the most insecure
update_motd="YES" # update version info in /etc/motd (or NO)
The kernel runs with five different levels of security. Any super-user process can raise the security level, but only init can lower it. The security levels are:
-1 Permanently insecure mode: always run the system in level 0 mode. This is the default initial value.
0 Insecure mode: the immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions.
1 Secure mode: the immutable and append-only flags may not be turned off. Disks for mounted filesystems, /dev/mem and /dev/kmem may not be opened for writing.
2 Highly secure mode. This is the same as secure mode with the addition that disks may not be opened for writing (except by mount(2)), whether or not they are mounted. This level precludes tampering with filesystems by unmounting them, but it also prevents running newfs(8) while the system is multi-user.
3 Network secure mode. This is the same as highly secure mode with the addition that IP packet filter rules (see page 389) can not be changed and dummynet configuration can not be adjusted. We don’t discuss dummynet in this book.
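An added example (written for this edition; it is neither the book’s code nor a FreeBSD tool): a small audit that sources a constructed, abbreviated defaults file and then a site rc.conf, in the order the real startup uses, and reports the settings covered in this chapter that weaken the defaults: syslogd_flags without -s, icmp_bmcastecho, weak_mountd_authentication, ldconfig_insecure, and a kernel security level below 1. The two sample rc.conf files, the temporary directory and the abbreviated defaults are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): audit the effective values of the
# security-relevant rc.conf variables discussed in this chapter. The
# defaults file is a constructed, abbreviated stand-in for
# /etc/defaults/rc.conf and the two override files are constructed samples,
# not the book's gw or andante configurations.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/defaults_rc.conf" <<'EOF'
syslogd_flags="-s"
icmp_bmcastecho="NO"
weak_mountd_authentication="NO"
ldconfig_insecure="NO"
kern_securelevel_enable="NO"
kern_securelevel="-1"
EOF

# A site file that has drifted into a weak state.
cat > "$WORK/weak_rc.conf" <<'EOF'
syslogd_flags=""
icmp_bmcastecho="YES"
ldconfig_insecure="YES"
kern_securelevel_enable="YES"
kern_securelevel="0"
EOF

# A site file that raises the security level at boot.
cat > "$WORK/hard_rc.conf" <<'EOF'
kern_securelevel_enable="YES"
kern_securelevel="2"
EOF

# Source the defaults, then the given rc.conf (the order the real startup
# uses), and print one line per setting that weakens the defaults.
audit_rc() {
    (
        set +e
        . "$WORK/defaults_rc.conf"
        [ -r "$1" ] && . "$1"
        case " $syslogd_flags " in
            *" -s "*|*" -ss "*) ;;
            *) echo "syslogd_flags='$syslogd_flags': syslogd accepts remote messages" ;;
        esac
        [ "$icmp_bmcastecho" = "YES" ] &&
            echo "icmp_bmcastecho=YES: host answers broadcast pings (smurf amplifier)"
        [ "$weak_mountd_authentication" = "YES" ] &&
            echo "weak_mountd_authentication=YES: mountd serves non-root mount requests"
        [ "$ldconfig_insecure" = "YES" ] &&
            echo "ldconfig_insecure=YES: ldconfig library checks disabled"
        if [ "$kern_securelevel_enable" != "YES" ] || [ "$kern_securelevel" -lt 1 ]; then
            echo "kern_securelevel=$kern_securelevel: immutable and append-only flags can be cleared"
        fi
        true
    )
}

# Number of findings for one rc.conf (0 means nothing weakens the defaults).
count_findings() {
    audit_rc "$1" | awk 'END { print NR }'
}

for f in weak_rc.conf hard_rc.conf; do
    echo "== $f: $(count_findings "$WORK/$f") finding(s)"
    audit_rc "$WORK/$f"
done
```

Against the real system you would point audit_rc at a copy of /etc/rc.conf and replace the abbreviated defaults with the full /etc/defaults/rc.conf; because the defaults file is sourced first, a variable that the site file never mentions is still evaluated at its default, which is what the check for the default securelevel of -1 relies on.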