- •Table of Contents
- •Dedication
- •Foreword
- •Introduction
- •What Is FreeBSD?
- •How Did FreeBSD Get Here?
- •The BSD License: BSD Goes Public
- •The Birth of Modern FreeBSD
- •FreeBSD Development
- •Committers
- •Contributors
- •Users
- •Other BSDs
- •NetBSD
- •OpenBSD
- •Other UNIXes
- •Solaris
- •Linux
- •IRIX, HPUX, etc.
- •FreeBSD's Strengths
- •Portability
- •Power
- •Simplified Software Management
- •Optimized Upgrade Process
- •Filesystem
- •Who Should Use FreeBSD
- •FreeBSD as Your Desktop
- •Who Should Run Another BSD
- •Who Should Run a Proprietary Operating System
- •How to Read This Book
- •What Must You Know?
- •How to Think About UNIX
- •Channels of Communication
- •Working with Channels
- •The Command Line
- •Chapter 1: Installation
- •FreeBSD Hardware
- •Processor
- •Memory (RAM)
- •Hard Drives
- •Downloading FreeBSD
- •Installing by FTP
- •Other FTP Install Information
- •Hardware Setup
- •Actually Installing FreeBSD
- •Configuring the Kernel for ISA Cards
- •Sysinstall: The Ugly FreeBSD Installer
- •Disk Usage
- •Partitioning
- •Root
- •Swap Space
- •Swap Splitting
- •/var, /usr, and /home
- •A Second Hard Drive
- •Soft Updates
- •Block Size
- •What to Install
- •Installation Media
- •Committing
- •Root Password
- •Adding Users
- •Time Zone
- •Mouse
- •Configuring Network Cards
- •Xfree86
- •Software
- •Restart
- •A Note on Editors
- •Chapter 2: Getting More Help
- •Why Not Mail First?
- •The FreeBSD Attitude
- •Man Pages
- •The FreeBSD Manual
- •Man Page Headings
- •The FreeBSD Documentation
- •The Mailing List Archives
- •Other Web Sites
- •Checking the Handbook/FAQ
- •Checking the Man Pages
- •Checking the Mailing List Archives
- •Using Your Answer
- •Mailing for Help
- •Chapter 3: Read This Before You Break Something Else! (Backup and Recovery)
- •Overview
- •System Backups
- •Tape Devices
- •How to Read Dmesg.boot
- •Controlling Your Tape Drive
- •Device Nodes
- •Using the TAPE Variable
- •The mt Command
- •Backup Programs
- •Dump/Restore
- •Restoring from an Archive
- •Checking the Contents of an Archive
- •Extracting Data from an Archive
- •Restoring Interactively
- •Recording What Happened
- •Revision Control
- •Getting Older Versions
- •Breaking Locks
- •Viewing Log Messages
- •Reviewing a File's Revision History
- •Ident and ident Strings
- •Going Further
- •The Fixit Disk
- •Chapter 4: Kernel Games
- •Overview
- •What Is the Kernel?
- •Configuring Your Kernel
- •Sysctl
- •Changing Sysctls
- •Setting Sysctls at Boot
- •Kernel Configuration with Loader.conf
- •Manually Configuring the Loader
- •Viewing Loaded Modules
- •Loading and Unloading Modules
- •Customizing the Kernel
- •Preparation
- •Your Backup Kernel
- •Editing Kernel Files
- •Basic Options
- •Multiple Processors
- •Device Entries
- •Building Your Kernel
- •Troubleshooting Kernel Builds
- •Booting an Alternate Kernel
- •Adding to the Kernel
- •LINT
- •Fixing Errors with Options
- •Tweaking Kernel Performance
- •Sharing Kernels
- •Chapter 5: Networking
- •Overview
- •Network Layers
- •The Physical Layer
- •The Physical Protocol Layer
- •The Logical Protocol Layer
- •The Application Layer
- •The Network in Practice
- •Mbufs
- •What Is a Bit?
- •Ethernet
- •Broadcasting
- •Address Resolution
- •Hubs and Switches
- •Netmasks
- •Netmask Tricks
- •Hexadecimal Netmasks
- •Unusable IP Addresses
- •Routing
- •Network Ports
- •Connecting to an Ethernet Network
- •Multiple IP Addresses on One Interface
- •Using Netstat
- •Chapter 6: Upgrading FreeBSD
- •Overview
- •FreeBSD Versions
- •Release
- •Snapshots
- •Security Updates
- •Which Release Should You Use?
- •Upgrade Methods
- •Upgrading via Sysinstall
- •Upgrading via CVSup
- •Simplifying the CVSup Upgrade Process
- •Building a Local CVSup Server
- •Controlling Access
- •Authentication
- •Combining Authentication and Access
- •Chapter 7: Securing Your System
- •Overview
- •Who Is the Enemy?
- •Script Kiddies
- •Disaffected Users
- •Skilled Attackers
- •FreeBSD Security Announcements
- •Subscribing
- •What You'll Get
- •Installation Security Profiles
- •Moderate
- •Extreme
- •Root, Groups, and Permissions
- •The root Password
- •Groups of Users
- •Primary Group
- •Some Interesting Default Groups
- •Group Permissions
- •Changing Permissions
- •Changing File Ownership
- •Assigning Permissions
- •File Flags
- •Viewing a File's Flags
- •Setting Flags
- •Securelevels
- •Setting Securelevels
- •Which Securelevel Do You Need?
- •What Won't Securelevel and File Flags Do?
- •Living with Securelevels
- •Programs That Can Be Hacked
- •Putting It All Together
- •Chapter 8: Advanced Security Features
- •Traffic Control
- •Default Accept vs. Default Deny
- •TCP Wrappers
- •Configuring Wrappers
- •Daemon Name
- •The Client List
- •Putting It All Together
- •Packet Filtering
- •IPFilter
- •IPFW
- •Default Accept and Default Deny in Packet Filtering
- •Basic Concepts of Packet Filtering
- •Implementing IPFilter
- •Configuring Your Server to Use Jail
- •Configuring Your Kernel to Use Jail
- •Client Setup
- •Final Jail Setup
- •Starting the Jail
- •Managing Jails
- •Shutting Down a Jail
- •Monitoring System Security
- •If You're Hacked
- •Chapter 9: Too Much Information About /etc
- •Overview
- •Varieties of /etc Files
- •Default Files
- •/etc/defaults/rc.conf
- •/etc/adduser.conf
- •/etc/crontab
- •/etc/dhclient.conf
- •/etc/fstab
- •/etc/hosts.allow
- •/etc/hosts.equiv
- •/etc/hosts.lpd
- •/etc/inetd.conf
- •/etc/locate.rc
- •/etc/login.access
- •/etc/login.conf
- •Specifying Default Environment Settings
- •/etc/mail/mailer.conf
- •/etc/make.conf and /etc/defaults/make.conf
- •/etc/master.passwd
- •/etc/motd
- •/etc/mtree/*
- •/etc/namedb/*
- •/etc/newsyslog.conf
- •/etc/passwd
- •/etc/periodic.conf and /etc/defaults/periodic.conf
- •/etc/printcap
- •Working with Printcap Entries
- •/etc/profile
- •/etc/protocols
- •/etc/rc.conf and /etc/defaults/rc.conf
- •/etc/resolv.conf
- •/etc/security
- •/etc/services
- •/etc/shells
- •/etc/spwd.db
- •/etc/sysctl.conf
- •/etc/syslog.conf
- •Chapter 10: Making Your System Useful
- •Overview
- •Making Software
- •The Pain and Pleasure of Source Code
- •Debugging
- •The Ports and Packages System
- •Ports
- •Finding Software
- •Legal Restrictions
- •Using Packages
- •Installing via FTP
- •What Does a Package Install?
- •Uninstalling Packages
- •Package Information
- •Controlling Pkg_add
- •Package Problems
- •Forcing an Install
- •Using Ports
- •Installing a Port
- •Using Make Install
- •Uninstalling and Reinstalling
- •Cleaning Up with Make Clean
- •Building Packages
- •Changing the Install Path
- •Setting Make Options Permanently
- •Upgrading Ports and Packages
- •Upgrading the Ports Collection
- •Ports Collection Upgrade Issues
- •Checking Software Versions
- •Hints for Upgrading
- •Chapter 11: Advanced Software Management
- •Overview
- •Startup and Shutdown Scripts
- •Typical Startup Script
- •Using Scripts to Manage Running Programs
- •Managing Shared Libraries
- •Ldconfig
- •Running Software from the Wrong OS
- •Recompilation
- •Emulation
- •ABI Implementation
- •Foreign Software Libraries
- •Installing and Enabling Linux Mode
- •Identifying Programs
- •What Is Linux_base?
- •Adding to Linux_base
- •Configuring Linux Shared Libraries
- •Installing Extra Linux Packages as RPMs
- •What Is SMP?
- •Kernel Assumptions
- •FreeBSD 3.0 SMP
- •FreeBSD 5 SMP
- •Using SMP
- •SMP and Upgrades
- •Chapter 12: Finding Hosts With DNS
- •How DNS Works
- •Basic DNS Tools
- •The Host Command
- •Getting Detailed Information with Dig
- •Looking Up Hostnames with Dig
- •More Dig Options
- •Configuring a DNS Client: The Resolver
- •Domain or Search Keywords
- •The Nameserver List
- •DNS Information Sources
- •The Hosts File
- •The Named Daemon
- •Zone Files
- •A Real Sample Zone
- •named.conf
- •/var/named/master/absolutebsd.com
- •Making Changes Work
- •Starting Named at Boottime
- •Checking DNS
- •Named Configuration Errors
- •Named Security
- •Controlling Information Order
- •More About BIND
- •Chapter 13: Managing Small Network Services
- •Bandwidth Control
- •Configuring IPFW
- •Reviewing IPFW Rules
- •Dummynet Queues
- •Directional Traffic Shaping
- •Certificates
- •Create a Request
- •Being Your Own CA
- •Testing SSH
- •Enabling SSH
- •Basics of SSH
- •Creating Keys
- •Confirming SSH Identity
- •SSH Clients
- •Connecting via SSH
- •Configuring SSH
- •System Time
- •Setting the Time Zone
- •Network Time Protocol
- •Ntpdate
- •Ntpd
- •Inetd
- •/etc/inetd.conf
- •Configuring Programs in Inetd
- •Inetd Security
- •Starting Inetd
- •Changing Inetd's Behavior
- •Chapter 14: Email Services
- •Email Overview
- •Where FreeBSD Fits In
- •The Email Protocol
- •Email Programs
- •Who Needs Sendmail?
- •Replacing Sendmail
- •Installing Postfix
- •Pieces of Postfix
- •Configuring Postfix
- •Email Aliases
- •Email Logging
- •Virtual Domains
- •Postfix Commands
- •Finding the Correct Mail Host
- •Undeliverable Mail
- •Installing POP3
- •Testing POP3
- •POP3 Logging
- •POP3 Modes
- •Qpopper Preconfiguration Questions
- •Default Qpopper Configuration
- •APOP Setup
- •Configuring Pop3ssl
- •Qpopper Security
- •Chapter 15: Web and FTP Services
- •Overview
- •How a Web Server Works
- •The Apache Web Server
- •Apache Configuration Files
- •Configuring Apache
- •Controlling Apache
- •Virtual Hosting
- •Tweaking Virtual Hosts
- •.NET on FreeBSD
- •Installing the SSCLI
- •FTP Security
- •The FTP Client
- •The FTP Server
- •Chapter 16: Filsystems and Disks
- •Device Nodes
- •Hard Disks and Partitions
- •The /etc/fstab File
- •Disk Basics
- •The Fast File System
- •Vnodes
- •FFS Mount Types
- •FFS Mount Options
- •What's Mounted Now?
- •Dirty Disks
- •Fsck
- •Mounting and Unmounting Disks
- •Mounting Standard Filesystems
- •Mounting with Options
- •Mounting All Standard Filesystems
- •Mounting at Nonstandard Locations
- •Unmounting
- •Soft Updates
- •Enabling Soft Updates
- •IDE Write Caching and Soft Updates
- •Virtual Memory Directory Caching
- •Mounting Foreign Filesystems
- •Using Foreign Mounts
- •Foreign Filesystem Types
- •Mount Options and Foreign Filesystems
- •Filesystem Permissions
- •Removable Media and /etc/fstab
- •Creating a Floppy
- •Creating an FFS Filesystem
- •The Basics of SCSI
- •SCSI Types
- •SCSI Adapters
- •SCSI Buses
- •Termination and Cabling
- •SCSI IDs and LUNs
- •FreeBSD and SCSI
- •Wiring Down Devices
- •Adding New Hard Disks
- •Creating Slices
- •Creating Partitions
- •Configuring /etc/fstab
- •Installing Existing Files onto New Disks
- •Temporary Mounts
- •Moving Files
- •Stackable Mounts
- •Chapter 17: RAID
- •Hardware vs. Software RAID
- •RAID Levels
- •Software RAID
- •Vinum Disk Components
- •Vinum Plex Types
- •Preparing Vinum Drives
- •Dedicating Partitions to Vinum
- •Configuring Vinum
- •Concatenated Plex
- •Removing Vinum Configuration
- •Striped Volumes
- •Mirrored Volumes
- •Starting Vinum at Boot
- •Other Vinum Commands
- •Replacing a Failed Mirrored Plex
- •Chapter 18: System Performance
- •Overview
- •Computer Resources
- •Disk Input/Output
- •Network Bandwidth
- •CPU and Memory
- •Using Top
- •Memory Usage
- •Swap Space Usage
- •CPU Usage
- •When Swap Goes Bad
- •Paging
- •Swapping
- •Are You Swapping or Paging?
- •Fairness in Benchmarking
- •The Initial Test
- •Using Both CPUs
- •Directory Caching
- •Moving /usr/obj
- •Lessons Learned
- •Chapter 19: Now What's It Doing?
- •Status Mails
- •Forwarding Reports
- •Logging with Syslogd
- •Facilities
- •Levels
- •Syslog.conf
- •Wildcards
- •Rotating Logs with Newsyslog.conf
- •Reporting with SNMP
- •Basics of SNMP
- •MIBs
- •Snmpwalk
- •Specific Snmpwalk Queries
- •Translating Between Numbers and Names
- •Setting Up Snmpd
- •Index Numbers
- •Configuring MRTG
- •Sample mrtg.cfg Entry
- •Testing MRTG
- •Tracking Other System Values
- •Monitoring a Single MIB
- •Customizing MRTG
- •MRTG Index Page
- •Sample MRTG Configurations
- •Chapter 20: System Crashes and Panics
- •What Causes Panics?
- •What Does a Panic Look Like?
- •Responding to a Panic
- •Prerequisites
- •Crash Dump Process
- •The Debugging Kernel
- •kernel.debug
- •Dumpon
- •Savecore
- •Upon a Crash
- •Dumps and Bad Kernels
- •Using the Dump
- •Advanced Kernel Debugging
- •Examining Lines
- •Examining Variables
- •Apparent Gdb Weirdness
- •Results
- •Vmcore and Security
- •Symbols vs. No Symbols
- •Serial Consoles
- •Hardware Serial Console
- •Software Serial Console
- •Changing the Configuration
- •Using a Serial Console
- •Serial Login
- •Emergency Logon Setup
- •Disconnecting the Serial Console
- •Submitting a Problem Report
- •Problem Report System
- •What's in a PR?
- •Filling Out the Form
- •PR Results
- •Chapter 21: Desktop FreeBSD
- •Overview
- •Accessing File Shares
- •Prerequisites
- •Character Sets
- •Kernel Support for CIFS
- •SMB Tools
- •Configuring CIFS
- •Minimum Configuration: Name Resolution
- •Other smbutil Functions
- •Mounting a Share
- •Other mount_smbfs Options
- •Sample nsmb.conf Entries
- •CIFS File Ownership
- •Serving Windows File Shares
- •Accessing Print Servers
- •Running a Local Lpd
- •Printer Testing
- •Local Printers
- •X: A Graphic Interface
- •X Prerequisites
- •X Versions
- •Configuring X
- •Making X Look Decent
- •Desktop Applications
- •Web Browsers
- •Email Readers
- •Office Suites
- •Music
- •Graphics
- •Desk Utilities
- •Games
- •Afterword
- •Overview
- •The Community
- •What Can You Do?
- •Getting Things Done
- •Second Opinions
- •Appendix: Some Useful SYSCTL MIBs
- •List of Figures
- •Chapter 1: Installation
- •Chapter 5: Networking
- •Chapter 6: Upgrading FreeBSD
- •Chapter 19: Now What's It Doing?
- •List of Tables
- •Chapter 4: Kernel Games
- •Chapter 5: Networking
- •Chapter 8: Advanced Security Features
- •Chapter 9: Too Much Information About /etc
- •List of Sidebars
- •Chapter 15: Web and FTP Services
Chapter 13: Managing Small Network Services
Even a server with a very narrow, specific purpose (like a Web server) needs a variety of smaller, helper services, like basic administration tools. In this chapter, we'll consider some smaller Internet servers, such as the time server, SSH, and inetd, and discuss the tools that FreeBSD makes available for them. We'll also discuss some basic tools that you'll use when managing larger servers, such as bandwidth management and secure certificates.
Note You'll see clearly marked references throughout this chapter to topics that we won't cover. When possible, I refer you to authoritative references for further information. (If you're running a high−volume Internet server—say, handling a million or more email messages an hour—you'll probably want to get your hands on a reference with something more than the few pages you'll find here!)
Bandwidth Control
Today's computing hardware is relatively inexpensive, and software is cheap, but the cost of Internet bandwidth is high. If your company offers "unlimited bandwidth" Web service to clients, you'll soon find yourself with a flooded Internet circuit and no corresponding income. As such, it can be vital to restrict the bandwidth any one site can consume, as well as the amount of bandwidth used by any one service. That's where dummynet comes in. Luigi Rizzo invented dummynet to simulate poor or lossy links so he could test network protocols under such adverse conditions. D u m m y n e t i s q u i t e f l e x i b l e ; y o u ' l l e v e n f i n d a n e x a m p l e o n R i z z o ' s W e b p a g e (http://www.iet.unipi.it/~luigi/ip_dummynet/) simulating an ADSL link to the Moon! (Dummynet is part of IPFW, which we touched on in Chapter 8.)
Although designed to test network protocols, dummynet has since been used to throttle the amount of bandwidth used by any one network service— bandwidth control is simply one side result of this sort of experimentation. And, because dummynet works on specified ports, IP addresses, and protocols, you can use it to restrict the bandwidth usage of IPSec tunnels, sendmail, and such.
You must have IPFW compiled into your kernel to use dummynet. If you followed our example in Chapter 4, you should be all set, but to double−check, run kldstat −v | grep ipfw to list all IPFW modules. If you find that your kernel lacks IPFW support, add the following to your kernel configuration, rebuild, and reboot.
...............................................................................................
options IPFIREWALL options IPFIREWALL_VERBOSE options DUMMYNET
options IPFIREWALL_DEFAULT_TO_ACCEPT
...............................................................................................
Note Since we're using IPFW for bandwidth control instead of packet filtering, we set things to the default accept mode. If you're doing packet filtering with IPFW instead of IPF, leave out the "default to accept" option entirely.
293
Configuring IPFW
The IPFW packet filtering works by comparing each packet against a rule, in order. Rules say either that a packet is accepted, rejected, or dumped into some other function, such as divert(4) or dummynet.
Because we're using IPFilter for packet filtering, all we have to worry about is the subset of IPFW that handles traffic shaping. Dummynet requires two rules within this subset: an IPFW rule to redirect a packet to dummynet and a dummynet rule describing the bandwidth permitted. We'll see examples of both shortly.
We'll use ipfw(8) to configure IPFW, while logged in as root. But first, since (like many other programs) ipfw acts differently depending on its arguments, first check your initial rules with ipfw list.
...............................................................................................
# ipfw list
65535 allow ip from any to any
#
...............................................................................................
As you can see in the preceding example, rules are listed first with a rule number, followed by the name of the rule. IPFW rules are numbered from 1 to 65535. Simple enough, it seems. Since we used the "default to accept" kernel option, the last possible rule (rule number 65535) passes all traffic. If we hadn't used that, the last possible rule would have been to deny all traffic.
To tell IPFW to send packets through dummynet, you must create an IPFW rule to direct that particular type of network traffic to a dummynet rule. The syntax for an IPFW−to−dummynet rule must include the following:
∙An IPFW rule number
∙A statement that this rule will redirect traffic to some other sort of rule (a dummynet rule)
∙A number for this other sort of rule
∙A traffic description
...............................................................................................
number pipe pipenumber ip from sourceaddr sourceport to destaddr destport
...............................................................................................
In the preceding statement, number is the IPFW rule number, and pipenumber is the number of the pipe that handles this bandwidth rule. (A pipe is an add−on IPFW rule that performs special handling, such as dummynet.) The sourceaddr and sourceport entries define the IP address and port number where the traffic is coming from, while destaddr and destport specify where the traffic is going to. The port numbers are optional; if no port is specified, all traffic to or from that IP address is affected. (Both the source and destination can use the special keyword any to match
294
any possible address.)
Here's a simple IPFW−to−dummynet rule:
...............................................................................................
100 pipe 1 ip from 192.168.99.100 80 to any
...............................................................................................
In this example, 100 is the IPFW rule. pipe is the marker that indicates that this rule is going to redirect traffic through another set of rules. The pipe rule number is 1, and the remainder of the rule is the traffic description.
Traffic Descriptions
The description of the traffic you want to pump through dummynet is very important. Describing the traffic incorrectly will result in programs having either too much bandwidth or too little.
The basic format for a traffic description is as follows:
...............................................................................................
protocol from address port to address port
...............................................................................................
On the Internet, the protocol is almost always ip. The from and to are labels, indicating where the traffic is coming from and where it is going to. The address labels are IP addresses, and the ports are port numbers. If you want to specify all IP addresses and ports possible, you can use the any keyword.
For example, let's say our Web server has an IP address of 192.168.99.100. We want to describe all traffic coming from the Web server and going to any address anywhere on the Internet. A description of this traffic would look like this:
...............................................................................................
ip from 192.168.99.100 80 to any
...............................................................................................
Creating IPFW Rules
Say we want to filter the amount of bandwidth for our Web server at IP address 192.168.99.100, running on port 80. We've already written a description of this traffic in the previous section. Now we want to include that, and add the necessary information to redirect this sort of traffic into a dummynet rule.
To create the IPFW rule, we need an IPFW rule number and a pipe rule number. IPFW rules are processed in numerical order, but you can create any numbering scheme you like. Since we aren't using IPFW to filter packets, but just to direct packets to dummynet, the order isn't that important. I usually number rules in even increments of 100 to leave room for modifications between existing rules. Order in pipe rules is not important, so I number them consecutively. In keeping with this, I'll
295
number the IPFW rule 100 and the pipe rule 1.
This would give us an IPFW rule like this:
...............................................................................................
100 pipe 1 ip from 192.168.99.100 80 to any
...............................................................................................
Adding IPFW Rules
Now that you know what you want your IPFW rule to say, you need to add it to IPFW. Use ipfw add for this:
.......................................................................
ipfw add 100 pipe 1 ip from 192.168.99.100 80 to any
...............................................................................................
This rule tells IPFW to take any traffic coming from port 80 on 192.168.99.100, and redirect it through the pipe rule numbered 1.
Creating Pipe Rules
So, IPFW is directing traffic of a certain description to a dummynet (or pipe) rule. It would help if that pipe rule existed, now wouldn't it? Dummynet rules use the following syntax:
...............................................................................................
pipe pipenumber config bw bandwidth
...............................................................................................
The leading pipe in the preceding statement indicates that this is a pipe rule. For pipenumber we use the same number we used in the IPFW rule: 1. For bandwidth we specify this connection's permitted bandwidth. For our example, let's say that we want 128 kilobits per second (Kbps) of traffic.
Install this rule into IPFW with ipfw add:
...............................................................................................
ipfw add pipe 1 config bw 128Kbit/s
...............................................................................................
So, now all traffic from the Web site on that IP address is redirected through this dummynet rule, which limits total traffic to 128Kbps.
296