- •Table of Contents
- •Dedication
- •Foreword
- •Introduction
- •What Is FreeBSD?
- •How Did FreeBSD Get Here?
- •The BSD License: BSD Goes Public
- •The Birth of Modern FreeBSD
- •FreeBSD Development
- •Committers
- •Contributors
- •Users
- •Other BSDs
- •NetBSD
- •OpenBSD
- •Other UNIXes
- •Solaris
- •Linux
- •IRIX, HPUX, etc.
- •FreeBSD's Strengths
- •Portability
- •Power
- •Simplified Software Management
- •Optimized Upgrade Process
- •Filesystem
- •Who Should Use FreeBSD
- •FreeBSD as Your Desktop
- •Who Should Run Another BSD
- •Who Should Run a Proprietary Operating System
- •How to Read This Book
- •What Must You Know?
- •How to Think About UNIX
- •Channels of Communication
- •Working with Channels
- •The Command Line
- •Chapter 1: Installation
- •FreeBSD Hardware
- •Processor
- •Memory (RAM)
- •Hard Drives
- •Downloading FreeBSD
- •Installing by FTP
- •Other FTP Install Information
- •Hardware Setup
- •Actually Installing FreeBSD
- •Configuring the Kernel for ISA Cards
- •Sysinstall: The Ugly FreeBSD Installer
- •Disk Usage
- •Partitioning
- •Root
- •Swap Space
- •Swap Splitting
- •/var, /usr, and /home
- •A Second Hard Drive
- •Soft Updates
- •Block Size
- •What to Install
- •Installation Media
- •Committing
- •Root Password
- •Adding Users
- •Time Zone
- •Mouse
- •Configuring Network Cards
- •Xfree86
- •Software
- •Restart
- •A Note on Editors
- •Chapter 2: Getting More Help
- •Why Not Mail First?
- •The FreeBSD Attitude
- •Man Pages
- •The FreeBSD Manual
- •Man Page Headings
- •The FreeBSD Documentation
- •The Mailing List Archives
- •Other Web Sites
- •Checking the Handbook/FAQ
- •Checking the Man Pages
- •Checking the Mailing List Archives
- •Using Your Answer
- •Mailing for Help
- •Chapter 3: Read This Before You Break Something Else! (Backup and Recovery)
- •Overview
- •System Backups
- •Tape Devices
- •How to Read Dmesg.boot
- •Controlling Your Tape Drive
- •Device Nodes
- •Using the TAPE Variable
- •The mt Command
- •Backup Programs
- •Dump/Restore
- •Restoring from an Archive
- •Checking the Contents of an Archive
- •Extracting Data from an Archive
- •Restoring Interactively
- •Recording What Happened
- •Revision Control
- •Getting Older Versions
- •Breaking Locks
- •Viewing Log Messages
- •Reviewing a File's Revision History
- •Ident and ident Strings
- •Going Further
- •The Fixit Disk
- •Chapter 4: Kernel Games
- •Overview
- •What Is the Kernel?
- •Configuring Your Kernel
- •Sysctl
- •Changing Sysctls
- •Setting Sysctls at Boot
- •Kernel Configuration with Loader.conf
- •Manually Configuring the Loader
- •Viewing Loaded Modules
- •Loading and Unloading Modules
- •Customizing the Kernel
- •Preparation
- •Your Backup Kernel
- •Editing Kernel Files
- •Basic Options
- •Multiple Processors
- •Device Entries
- •Building Your Kernel
- •Troubleshooting Kernel Builds
- •Booting an Alternate Kernel
- •Adding to the Kernel
- •LINT
- •Fixing Errors with Options
- •Tweaking Kernel Performance
- •Sharing Kernels
- •Chapter 5: Networking
- •Overview
- •Network Layers
- •The Physical Layer
- •The Physical Protocol Layer
- •The Logical Protocol Layer
- •The Application Layer
- •The Network in Practice
- •Mbufs
- •What Is a Bit?
- •Ethernet
- •Broadcasting
- •Address Resolution
- •Hubs and Switches
- •Netmasks
- •Netmask Tricks
- •Hexadecimal Netmasks
- •Unusable IP Addresses
- •Routing
- •Network Ports
- •Connecting to an Ethernet Network
- •Multiple IP Addresses on One Interface
- •Using Netstat
- •Chapter 6: Upgrading FreeBSD
- •Overview
- •FreeBSD Versions
- •Release
- •Snapshots
- •Security Updates
- •Which Release Should You Use?
- •Upgrade Methods
- •Upgrading via Sysinstall
- •Upgrading via CVSup
- •Simplifying the CVSup Upgrade Process
- •Building a Local CVSup Server
- •Controlling Access
- •Authentication
- •Combining Authentication and Access
- •Chapter 7: Securing Your System
- •Overview
- •Who Is the Enemy?
- •Script Kiddies
- •Disaffected Users
- •Skilled Attackers
- •FreeBSD Security Announcements
- •Subscribing
- •What You'll Get
- •Installation Security Profiles
- •Moderate
- •Extreme
- •Root, Groups, and Permissions
- •The root Password
- •Groups of Users
- •Primary Group
- •Some Interesting Default Groups
- •Group Permissions
- •Changing Permissions
- •Changing File Ownership
- •Assigning Permissions
- •File Flags
- •Viewing a File's Flags
- •Setting Flags
- •Securelevels
- •Setting Securelevels
- •Which Securelevel Do You Need?
- •What Won't Securelevel and File Flags Do?
- •Living with Securelevels
- •Programs That Can Be Hacked
- •Putting It All Together
- •Chapter 8: Advanced Security Features
- •Traffic Control
- •Default Accept vs. Default Deny
- •TCP Wrappers
- •Configuring Wrappers
- •Daemon Name
- •The Client List
- •Putting It All Together
- •Packet Filtering
- •IPFilter
- •IPFW
- •Default Accept and Default Deny in Packet Filtering
- •Basic Concepts of Packet Filtering
- •Implementing IPFilter
- •Configuring Your Server to Use Jail
- •Configuring Your Kernel to Use Jail
- •Client Setup
- •Final Jail Setup
- •Starting the Jail
- •Managing Jails
- •Shutting Down a Jail
- •Monitoring System Security
- •If You're Hacked
- •Chapter 9: Too Much Information About /etc
- •Overview
- •Varieties of /etc Files
- •Default Files
- •/etc/defaults/rc.conf
- •/etc/adduser.conf
- •/etc/crontab
- •/etc/dhclient.conf
- •/etc/fstab
- •/etc/hosts.allow
- •/etc/hosts.equiv
- •/etc/hosts.lpd
- •/etc/inetd.conf
- •/etc/locate.rc
- •/etc/login.access
- •/etc/login.conf
- •Specifying Default Environment Settings
- •/etc/mail/mailer.conf
- •/etc/make.conf and /etc/defaults/make.conf
- •/etc/master.passwd
- •/etc/motd
- •/etc/mtree/*
- •/etc/namedb/*
- •/etc/newsyslog.conf
- •/etc/passwd
- •/etc/periodic.conf and /etc/defaults/periodic.conf
- •/etc/printcap
- •Working with Printcap Entries
- •/etc/profile
- •/etc/protocols
- •/etc/rc.conf and /etc/defaults/rc.conf
- •/etc/resolv.conf
- •/etc/security
- •/etc/services
- •/etc/shells
- •/etc/spwd.db
- •/etc/sysctl.conf
- •/etc/syslog.conf
- •Chapter 10: Making Your System Useful
- •Overview
- •Making Software
- •The Pain and Pleasure of Source Code
- •Debugging
- •The Ports and Packages System
- •Ports
- •Finding Software
- •Legal Restrictions
- •Using Packages
- •Installing via FTP
- •What Does a Package Install?
- •Uninstalling Packages
- •Package Information
- •Controlling Pkg_add
- •Package Problems
- •Forcing an Install
- •Using Ports
- •Installing a Port
- •Using Make Install
- •Uninstalling and Reinstalling
- •Cleaning Up with Make Clean
- •Building Packages
- •Changing the Install Path
- •Setting Make Options Permanently
- •Upgrading Ports and Packages
- •Upgrading the Ports Collection
- •Ports Collection Upgrade Issues
- •Checking Software Versions
- •Hints for Upgrading
- •Chapter 11: Advanced Software Management
- •Overview
- •Startup and Shutdown Scripts
- •Typical Startup Script
- •Using Scripts to Manage Running Programs
- •Managing Shared Libraries
- •Ldconfig
- •Running Software from the Wrong OS
- •Recompilation
- •Emulation
- •ABI Implementation
- •Foreign Software Libraries
- •Installing and Enabling Linux Mode
- •Identifying Programs
- •What Is Linux_base?
- •Adding to Linux_base
- •Configuring Linux Shared Libraries
- •Installing Extra Linux Packages as RPMs
- •What Is SMP?
- •Kernel Assumptions
- •FreeBSD 3.0 SMP
- •FreeBSD 5 SMP
- •Using SMP
- •SMP and Upgrades
- •Chapter 12: Finding Hosts With DNS
- •How DNS Works
- •Basic DNS Tools
- •The Host Command
- •Getting Detailed Information with Dig
- •Looking Up Hostnames with Dig
- •More Dig Options
- •Configuring a DNS Client: The Resolver
- •Domain or Search Keywords
- •The Nameserver List
- •DNS Information Sources
- •The Hosts File
- •The Named Daemon
- •Zone Files
- •A Real Sample Zone
- •named.conf
- •/var/named/master/absolutebsd.com
- •Making Changes Work
- •Starting Named at Boottime
- •Checking DNS
- •Named Configuration Errors
- •Named Security
- •Controlling Information Order
- •More About BIND
- •Chapter 13: Managing Small Network Services
- •Bandwidth Control
- •Configuring IPFW
- •Reviewing IPFW Rules
- •Dummynet Queues
- •Directional Traffic Shaping
- •Certificates
- •Create a Request
- •Being Your Own CA
- •Testing SSH
- •Enabling SSH
- •Basics of SSH
- •Creating Keys
- •Confirming SSH Identity
- •SSH Clients
- •Connecting via SSH
- •Configuring SSH
- •System Time
- •Setting the Time Zone
- •Network Time Protocol
- •Ntpdate
- •Ntpd
- •Inetd
- •/etc/inetd.conf
- •Configuring Programs in Inetd
- •Inetd Security
- •Starting Inetd
- •Changing Inetd's Behavior
- •Chapter 14: Email Services
- •Email Overview
- •Where FreeBSD Fits In
- •The Email Protocol
- •Email Programs
- •Who Needs Sendmail?
- •Replacing Sendmail
- •Installing Postfix
- •Pieces of Postfix
- •Configuring Postfix
- •Email Aliases
- •Email Logging
- •Virtual Domains
- •Postfix Commands
- •Finding the Correct Mail Host
- •Undeliverable Mail
- •Installing POP3
- •Testing POP3
- •POP3 Logging
- •POP3 Modes
- •Qpopper Preconfiguration Questions
- •Default Qpopper Configuration
- •APOP Setup
- •Configuring Pop3ssl
- •Qpopper Security
- •Chapter 15: Web and FTP Services
- •Overview
- •How a Web Server Works
- •The Apache Web Server
- •Apache Configuration Files
- •Configuring Apache
- •Controlling Apache
- •Virtual Hosting
- •Tweaking Virtual Hosts
- •.NET on FreeBSD
- •Installing the SSCLI
- •FTP Security
- •The FTP Client
- •The FTP Server
- •Chapter 16: Filsystems and Disks
- •Device Nodes
- •Hard Disks and Partitions
- •The /etc/fstab File
- •Disk Basics
- •The Fast File System
- •Vnodes
- •FFS Mount Types
- •FFS Mount Options
- •What's Mounted Now?
- •Dirty Disks
- •Fsck
- •Mounting and Unmounting Disks
- •Mounting Standard Filesystems
- •Mounting with Options
- •Mounting All Standard Filesystems
- •Mounting at Nonstandard Locations
- •Unmounting
- •Soft Updates
- •Enabling Soft Updates
- •IDE Write Caching and Soft Updates
- •Virtual Memory Directory Caching
- •Mounting Foreign Filesystems
- •Using Foreign Mounts
- •Foreign Filesystem Types
- •Mount Options and Foreign Filesystems
- •Filesystem Permissions
- •Removable Media and /etc/fstab
- •Creating a Floppy
- •Creating an FFS Filesystem
- •The Basics of SCSI
- •SCSI Types
- •SCSI Adapters
- •SCSI Buses
- •Termination and Cabling
- •SCSI IDs and LUNs
- •FreeBSD and SCSI
- •Wiring Down Devices
- •Adding New Hard Disks
- •Creating Slices
- •Creating Partitions
- •Configuring /etc/fstab
- •Installing Existing Files onto New Disks
- •Temporary Mounts
- •Moving Files
- •Stackable Mounts
- •Chapter 17: RAID
- •Hardware vs. Software RAID
- •RAID Levels
- •Software RAID
- •Vinum Disk Components
- •Vinum Plex Types
- •Preparing Vinum Drives
- •Dedicating Partitions to Vinum
- •Configuring Vinum
- •Concatenated Plex
- •Removing Vinum Configuration
- •Striped Volumes
- •Mirrored Volumes
- •Starting Vinum at Boot
- •Other Vinum Commands
- •Replacing a Failed Mirrored Plex
- •Chapter 18: System Performance
- •Overview
- •Computer Resources
- •Disk Input/Output
- •Network Bandwidth
- •CPU and Memory
- •Using Top
- •Memory Usage
- •Swap Space Usage
- •CPU Usage
- •When Swap Goes Bad
- •Paging
- •Swapping
- •Are You Swapping or Paging?
- •Fairness in Benchmarking
- •The Initial Test
- •Using Both CPUs
- •Directory Caching
- •Moving /usr/obj
- •Lessons Learned
- •Chapter 19: Now What's It Doing?
- •Status Mails
- •Forwarding Reports
- •Logging with Syslogd
- •Facilities
- •Levels
- •Syslog.conf
- •Wildcards
- •Rotating Logs with Newsyslog.conf
- •Reporting with SNMP
- •Basics of SNMP
- •MIBs
- •Snmpwalk
- •Specific Snmpwalk Queries
- •Translating Between Numbers and Names
- •Setting Up Snmpd
- •Index Numbers
- •Configuring MRTG
- •Sample mrtg.cfg Entry
- •Testing MRTG
- •Tracking Other System Values
- •Monitoring a Single MIB
- •Customizing MRTG
- •MRTG Index Page
- •Sample MRTG Configurations
- •Chapter 20: System Crashes and Panics
- •What Causes Panics?
- •What Does a Panic Look Like?
- •Responding to a Panic
- •Prerequisites
- •Crash Dump Process
- •The Debugging Kernel
- •kernel.debug
- •Dumpon
- •Savecore
- •Upon a Crash
- •Dumps and Bad Kernels
- •Using the Dump
- •Advanced Kernel Debugging
- •Examining Lines
- •Examining Variables
- •Apparent Gdb Weirdness
- •Results
- •Vmcore and Security
- •Symbols vs. No Symbols
- •Serial Consoles
- •Hardware Serial Console
- •Software Serial Console
- •Changing the Configuration
- •Using a Serial Console
- •Serial Login
- •Emergency Logon Setup
- •Disconnecting the Serial Console
- •Submitting a Problem Report
- •Problem Report System
- •What's in a PR?
- •Filling Out the Form
- •PR Results
- •Chapter 21: Desktop FreeBSD
- •Overview
- •Accessing File Shares
- •Prerequisites
- •Character Sets
- •Kernel Support for CIFS
- •SMB Tools
- •Configuring CIFS
- •Minimum Configuration: Name Resolution
- •Other smbutil Functions
- •Mounting a Share
- •Other mount_smbfs Options
- •Sample nsmb.conf Entries
- •CIFS File Ownership
- •Serving Windows File Shares
- •Accessing Print Servers
- •Running a Local Lpd
- •Printer Testing
- •Local Printers
- •X: A Graphic Interface
- •X Prerequisites
- •X Versions
- •Configuring X
- •Making X Look Decent
- •Desktop Applications
- •Web Browsers
- •Email Readers
- •Office Suites
- •Music
- •Graphics
- •Desk Utilities
- •Games
- •Afterword
- •Overview
- •The Community
- •What Can You Do?
- •Getting Things Done
- •Second Opinions
- •Appendix: Some Useful SYSCTL MIBs
- •List of Figures
- •Chapter 1: Installation
- •Chapter 5: Networking
- •Chapter 6: Upgrading FreeBSD
- •Chapter 19: Now What's It Doing?
- •List of Tables
- •Chapter 4: Kernel Games
- •Chapter 5: Networking
- •Chapter 8: Advanced Security Features
- •Chapter 9: Too Much Information About /etc
- •List of Sidebars
- •Chapter 15: Web and FTP Services
Appendix: Some Useful SYSCTL MIBs
This appendix is a dictionary of some useful sysctl MIBs. The tools for manipulating MIBs are discussed in Chapter 4. (When a MIB is detailed elsewhere in this book, reference is made to the appropriate chapter.) Your system certainly has many more sysctls than these, but the ones described here are the ones I frequently trip over in day−to−day work.
Warning Thoughtless use of sysctls can easily damage or destroy a working system. For example, if you set a limit on resources below the amount being used, you can crash the system in a fairly spectacular manner. Be sure you understand the implications of what you're doing before setting sysctls.
When writing this appendix, I was tempted to only describe sysctls that are safe for new administrators, but doing so would have limited the utility of this section. Instead, I'm asking you to please take the dangers of sysctl fiddling to heart. If you don't understand what a sysctl does, don't play with it!
For example, some sysctls allow you to adjust vnode operations. Attempts to fine−tune vnodes will most probably harm system performance, but there are situations where you will want to do exactly that. Similarly, don't go rummaging through the virtual memory system unless you understand virtual memory! Search the man pages and mailing list archives for further details on individual sysctls before playing with them.
Note Some sysctls are described as "toggles." In this case, a value of 1 means that the sysctl provides the service described. A setting of 0 means that the service is disabled.
Without further ado, here are the sysctls, each followed by a typical value and an explanation of what it does.
...............................................................................................
kern.maxvnodes: 20973
set at: /boot/loader.conf
...............................................................................................
The maximum number of vnodes (virtual filesystem nodes) the system can have open simultaneously.
...............................................................................................
kern.maxproc: 1044
set at: /boot/loader.conf
...............................................................................................
The maximum number of processes that the system can be running at any one time.
...............................................................................................
kern.maxfiles: 2088
set at: runtime
...............................................................................................
495
The maximum number of files that the system can have open at any one time.
...............................................................................................
kern.argmax: 65536
set at: read−only
...............................................................................................
The maximum number of bytes you can use in an argument to execve(2). Basically, this is the maximum number of characters you can use in a single command line. You might run up against this in some unusual circumstances. If you do, please see xargs(1).
...............................................................................................
kern.securelevel: −1
set at: runtime or /etc/rc.conf
...............................................................................................
The current kernel security level. See Chapter 7.
...............................................................................................
kern.maxfilesperproc: 2088 set at: runtime
The maximum number of files any one process can open.
...............................................................................................
kern.maxprocperuid: 1043
set at: runtime
...............................................................................................
The maximum number of processes one user ID can run.
...............................................................................................
kern.dumpdev: /dev/ad0s1b
set at: /etc/rc.conf
...............................................................................................
The name of the swap device where a kernel panic will be dumped, as set by dumpon(8) during the boot process. The swap partition must be larger than or equal to the system's physical memory. We discuss dumping and panics in some detail in Chapter 20.
...............................................................................................
kern.ipc.somaxconn: 128
set at: runtime
...............................................................................................
496
The maximum number of new connections the system can accept at any one time. The default is 128. If you're running a heavily loaded server, kick this up to 512 or even 1024.
...............................................................................................
kern.ipc.maxsockets: 2088
set at: /boot/loader.conf
...............................................................................................
The total number of sockets available on the system.
...............................................................................................
kern.logsigexit: 1
set at: runtime
...............................................................................................
When a program exits abnormally, it usually sends a signal. When this toggle is set, the name of the program and the exiting signal are logged to /var/log/ messages.
...............................................................................................
kern.init_path: /sbin/init:/sbin/oinit:/sbin/init.bak:/stand/sysinstall
set at: /boot/loader.conf
...............................................................................................
Init(8) is the process that actually starts the system. If you've damaged your system (say, during a source upgrade gone very bad), you can use this sysctl to offer another path to an init program. If you're doing this, however, you're probably in very bad shape.
...............................................................................................
kern.module_path: /;/boot/;/modules/
set at: runtime
...............................................................................................
The path where kldload(8) checks for kernel modules.
...............................................................................................
kern.timecounter.method: 0
set at: runtime
...............................................................................................
FreeBSD has two different methods to determine the time since the system booted. One is extremely accurate, but takes more system resources to use. The other is faster, but not as accurate. The difference between the two is measured in milliseconds, but if you're using an application that requires extremely precise timing, those milliseconds can make a difference. Set this sysctl to 1 to use the slow, hyper−accurate method. The default is good enough for almost all applications.
497
...............................................................................................
kern.coredump: 1
set at: runtime
...............................................................................................
This toggle controls kernel core dumps. When set to 1, the kernel will dump the core on a panic. See Chapter 20 to find out what to do with it.
...............................................................................................
kern.quantum: 100000
set at: runtime
...............................................................................................
The maximum number of microseconds a process can run for if other processes are waiting for CPU time. If you're considering changing this, you are probably doing something wrong.
...............................................................................................
kern.filedelay: 30
set at: runtime
...............................................................................................
Controls how often the system synchronizes file data between the vnode buffer cache and the disk. This one is for experienced systems administrators only!
...............................................................................................
kern.dirdelay: 29
set at: runtime
...............................................................................................
Controls how often the system synchronizes directory data from the vnode buffer cache to the disk. Again, for experienced systems admins only!
...............................................................................................
kern.metadelay: 28
set at: runtime
...............................................................................................
Controls how often the system synchronizes filesystem metadata from the vnode buffer cache and the disk. Again, this is for experienced systems administrators only!
...............................................................................................
vm.v_free_min: 582
set at: runtime
...............................................................................................
498
The minimum number of pages of cache and free memory that must be available before a process waiting on memory will be awakened.
...............................................................................................
vm.v_free_target: 2513
set at: runtime
...............................................................................................
The total number of pages of free and cache memory that the virtual memory manager tries to keep or exceed.
...............................................................................................
vm.v_free_reserved: 185
set at: runtime
...............................................................................................
If the number of pages of free memory falls below this reserved value, running a process will tell the virtual memory manager to start swapping out memory.
...............................................................................................
vm.v_inactive_target: 3769
set at: runtime
...............................................................................................
The number of pages of memory that the virtual memory system will try to free up when it kicks in.
...............................................................................................
vm.v_cache_min: 2513
set at: runtime
...............................................................................................
The minimum desired size of the virtual memory cache queue.
...............................................................................................
vm.v_cache_max: 5026
set at: runtime
...............................................................................................
The maximum desired size of the virtual memory cache queue.
...............................................................................................
vm.swap_enabled: 1
set at: /boot/loader.conf
...............................................................................................
499
This controls the use of swap space. If set to 0, your system will not swap. If your swap disk is damaged, or if you're running −current and someone broke swapping, you might want to try this.
...............................................................................................
vm.swap_idle_enabled: 0 vm.swap_idle_threshold1: 2 vm.swap_idle_threshold2: 10 set at: runtime
If you're constantly swapping on a large system, setting the swap_idle_enabled sysctl tells the virtual memory manager to pull idle processes into virtual memory more quickly than other processes. The threshold sysctls tell the system how many seconds to wait before considering different sorts of processes idle. The defaults are probably fine; just enabling vm.swap_idle_enabled should do the trick. Do not enable this unless you're having heavy virtual memory use!
...............................................................................................
vfs.vmiodirenable: 1
set at: runtime
...............................................................................................
Allows FFS to use the virtual memory system to cache directory lookups, increasing disk performance. Combined with the directory hashing code and soft updates, this increases disk access by as much as 6000 percent.
...............................................................................................
vfs.usermount: 0
set at: runtime
...............................................................................................
If set, users may mount filesystems. This allows people to use floppy disks and CD−ROMs. The user must own the mount point.
...............................................................................................
net.inet.ip.forwarding: 0
set at: runtime
...............................................................................................
Controls the kernel's ability to forward packets. If you have multiple network cards, you might want your FreeBSD system to act as a gateway, router, or firewall. When set, the system will forward packets internally. You can turn forwarding on and off at will.
...............................................................................................
net.inet.ip.redirect: 1
set at: runtime
...............................................................................................
500
Toggles the ability to send ICMP redirect packets if the system is providing routing services. It has no effect if the system is not performing routing.
...............................................................................................
net.inet.ip.ttl: 64
set at: runtime
...............................................................................................
The maximum number of hops any non−ICMP protocol can take across the network.
...............................................................................................
net.inet.ip.sourceroute: 0
set at: runtime
...............................................................................................
Toggles forwarding of source−routed packets.
...............................................................................................
net.inet.ip.accept_sourceroute: 0
set at: runtime
...............................................................................................
If set to 1, the system will accept source−routed packets aimed at it. If you don't know what source−routing is, just accept my word that this is not usually a good idea.
...............................................................................................
net.inet.ip.fastforwarding: 0
set at: runtime
...............................................................................................
If you're providing routing services, this sysctl greatly accelerates packet throughput. It does so by eliminating most of the sanity checks performed on packets and by completely bypassing any packet−filtering rules.
...............................................................................................
net.inet.icmp.drop_redirect: 0
set at: runtime
...............................................................................................
If set to 1, your system will ignore ICMP redirect packets. These are not commonly used on the public Internet, and only rarely used inside private networks.
...............................................................................................
net.inet.icmp.log_redirect: 0
set at: runtime
...............................................................................................
501
In normal circumstances, your system should never see an ICMP redirect. While they have legitimate administrative uses, if they're in use you'll know. Enabling this sysctl makes the system log any ICMP redirects it receives.
...............................................................................................
net.inet.icmp.bmcastecho: 1
set at: runtime
...............................................................................................
When set, the system will respond to ICMP requests to the broadcast address of a network—the highest−numbered address in the block of IP addresses. This is required for standards compliance, but was such a source of trouble that it's disabled by default now.
...............................................................................................
net.inet.tcp.rfc1323: 1
set at: runtime
...............................................................................................
Enables the window−scaling algorithms described in RFC 1323.
...............................................................................................
net.inet.tcp.rfc1644: 0
set at: runtime
...............................................................................................
Enables Transactional TCP, as described in RFC 1644.
...............................................................................................
net.inet.tcp.sendspace: 16384
net.inet.tcp.recvspace: 16384
set at: runtime
...............................................................................................
The number of bits reserved for send and receive buffers. Whenever a connection is opened, the system sets aside a send and a receive buffer for use by that connection. These values both default to 16384, or 16KB. If you have a small number of high−bandwidth connections, you can increase these sysctl values. 32768 is a decent value in this case. Do not alter this sysctl if you have a large number of connections—you'll increase system load dramatically and kill your performance. These values are vital parts of the NMBCLUSTERS kernel memory calculation; if you increase them, you increase the amount of kernel memory set aside for mbufs. Crank these up too high, and you can panic your kernel during boot.
...............................................................................................
net.inet.tcp.log_in_vain: 0
set at: runtime
...............................................................................................
502
Logs attempts to connect to any TCP port where no program is listening.
...............................................................................................
net.inet.tcp.blackhole: 0
set at: runtime
...............................................................................................
By default, TCP/IP returns an error code when you attempt to connect to a closed port. This shows up as a "connection reset by peer" error. If you set this to 1, attempts to connect to a closed TCP port are dropped, but no error is sent. This slows down ports scans, and can add some semblance of security to your system. It is not a replacement for packet filtering, however!
...............................................................................................
net.inet.tcp.delayed_ack: 1
set at: runtime
...............................................................................................
Tells the system to try to include the TCP connection teardown information on a data packet, rather than sending additional packets to signal the end of the connection.
...............................................................................................
net.inet.tcp.path_mtu_discovery: 1
set at: runtime
...............................................................................................
Enables Path MTU discovery.
...............................................................................................
net.inet.tcp.slowstart_flightsize: 1
set at: runtime
...............................................................................................
Specifies the number of packets that can be sent during the slow−start portion of a TCP transaction across a wide area network.
...............................................................................................
net.inet.tcp.local_slowstart_flightsize: 65535
set at: runtime
...............................................................................................
This is the number of packets that can be sent during the slow−start portion of a TCP transaction across a local network.
...............................................................................................
503
net.inet.tcp.newreno: 1 set at: runtime
...............................................................................................
Toggles RFC2582 connection recovery, also known as the TCP NewReno Algorithm.
...............................................................................................
net.inet.tcp.do_tcpdrain: 1
set at: runtime
...............................................................................................
Tells the system to flush packets from the reassembly queue when it is low on mbufs.
...............................................................................................
net.inet.tcp.always_keepalive: 1
set at: runtime
...............................................................................................
If you set this to 1, old dead connections will eventually be found and killed. It increases the amount of network traffic by a smidgeon, but will clean up many situations that come from having a server up for 30 months straight. If set to 0, connections will remain alive even on unreliable connections. This is a trade−off between long−term stability and short−term convenience.
...............................................................................................
net.inet.udp.log_in_vain: 0
set at: runtime
...............................................................................................
Logs attempts to connect to any UDP port where no program is listening.
...............................................................................................
net.inet.udp.blackhole: 0
set at: runtime
...............................................................................................
By default, TCP/IP returns an error code when you attempt to connect to a closed port. This shows up as a "connection reset by peer" error. If you set this to 1, attempts to connect to a closed UDP port are dropped, but no error is sent. This slows down ports scans, and can add some semblance of security to your system. It is not a replacement for packet filtering, however!
...............................................................................................
hw.ata.ata_dma
set at: /boot/loader.conf
...............................................................................................
504
Controls use of DMA in IDE devices. This is the modern standard. Set this to 0 if your hardware uses PIO instead of DMA. (If you have PIO hardware, you probably know it.)
...............................................................................................
hw.ata.wc
set at: /boot/loader.conf
...............................................................................................
Controls the use of write−caching in IDE drives. Setting it to 1 will improve performance at the cost of data integrity in the case of a system crash.
...............................................................................................
hw.ata.tags: 0
set at: /boot/loader.conf
...............................................................................................
Enables tagged queuing. Only certain IBM hard drives support this. If you have it, it will be clearly marked on the packaging.
...............................................................................................
hw.ata.atapi_dma: 0
set at: /boot/loader.conf
...............................................................................................
Controls the use of the DMA access model in ATAPI devices. Check your hardware manual to see if your hardware supports DMA. ATAPI can have problems with DMA, so this defaults to "off". You can try it, but it might very well hang your system.
...............................................................................................
jail.set_hostname_allowed: 1
set at: runtime
...............................................................................................
Controls whether jail owners can change the hostname of their jails. See Chapter 8.
...............................................................................................
jail.socket_unixiproute_only: 1
set at: runtime
...............................................................................................
Controls whether jail owners can use protocols other than TCP/IP. See Chapter 8.
...............................................................................................
jail.sysvipc_allowed: 0
...............................................................................................
505
Controls whether jail owners can use System V IPC calls. See Chapter 8.
...............................................................................................
compat.linux
set at: read−only
...............................................................................................
These sysctls provide information for the Linux compatibility kernel module. See Chapter 11.
506