ABSOLUTE FREEBSD, 2ND EDITION
THE COMPLETE GUIDE TO FREEBSD
by Michael W. Lucas
With a foreword by Robert Watson, President of the FreeBSD Foundation

NOT JUST FOR ALPHA GEEKS ANYMORE!

FreeBSD—the powerful, flexible, and free Unix-like operating system—is the preferred server for many enterprises. But it can be even trickier to use than either Unix or Linux, and harder still to master.

Absolute FreeBSD, 2nd Edition is your complete guide to FreeBSD, written by FreeBSD committer Michael W. Lucas. Lucas considers this completely revised and rewritten second edition of his landmark work to be his best work ever; a true product of his love for FreeBSD and the support of the FreeBSD community. Absolute FreeBSD, 2nd Edition covers installation, networking, security, network services, system performance, kernel tweaking, filesystems, SMP, upgrading, crash debugging, and much more, including coverage of how to:

• Use advanced security features like packet filtering, virtual machines, and host-based intrusion detection
• Build custom live FreeBSD CDs and bootable flash
• Manage network services and filesystems
• Use DNS and set up email, IMAP, web, and FTP services for both servers and clients
• Monitor your system with performance-testing and troubleshooting tools
• Run diskless systems
• Manage schedulers, remap shared libraries, and optimize your system for your hardware and your workload
• Build custom network appliances with embedded FreeBSD
• Implement redundant disks, without special hardware
• Integrate FreeBSD-specific SNMP into your network management system

Whether you’re just getting started with FreeBSD or you’ve been using it for years, you’ll find this book to be the definitive guide to FreeBSD that you’ve been waiting for.

ABOUT THE AUTHOR

Michael W. Lucas is a network engineer and system administrator responsible for a network that stretches across the Western Hemisphere. He is the author of the critically acclaimed Absolute OpenBSD, Cisco Routers for the Desperate, and PGP & GPG, all from No Starch Press. Despite being from Detroit, Michigan, he knows almost nothing about automobiles. He has been using Unix systems for over 20 years and FreeBSD since 1995. Fortunately for the rest of us, his writing keeps him too busy to implement his plans for world domination.

THE FINEST IN GEEK ENTERTAINMENT™
www.nostarch.com
$59.95 ($65.95 CDN)
SHELVE IN: OPERATING SYSTEMS/UNIX
“I LAY FLAT.” This book uses RepKover—a durable binding that won’t snap shut.
Printed on recycled paper.

PRAISE FOR THE FIRST EDITION, ABSOLUTE BSD

“Even longtime users of FreeBSD may be surprised at the power and features it can bring to bear as a server platform, and Absolute BSD is an excellent guide to harnessing that power.”
—UNIXREVIEW.COM

“… provides beautifully written tutorials and reference material to help you make the most of the strengths of this OS.”
—LINUXUSER & DEVELOPER MAGAZINE

“… a great resource for people new to BSD and those who have been using it for years. Michael Lucas has a writing style which is very easy to read and absorb.”
—FRESHMEAT

“A very fine piece of work, it isn’t about how to implement BSD solutions, but it is about managing systems in situ.”
—;LOGIN:

“… packed with a lot of information.”
—DAEMON NEWS

PRAISE FOR ABSOLUTE OPENBSD BY MICHAEL LUCAS

“Absolute OpenBSD by Michael Lucas is a broad and mostly gentle introduction into the world of the OpenBSD operating system. It is sufficiently complete and deep to give someone new to OpenBSD a solid footing for doing real work and the mental tools for further exploration. The potentially boring topic of systems administration is made very readable and even fun by the light tone that Lucas uses.”
—CHRIS PALMER, PRESIDENT, SAN FRANCISCO OPENBSD USERS GROUP

“… a well-written book that hits its market squarely on target. Those new to OpenBSD will appreciate the comprehensive approach that takes them from concept to functional execution. Existing and advanced users will benefit from the discussion of OpenBSD-specific topics such as the security features and pf administration.”
—SLASHDOT

“I recommend Absolute OpenBSD to all programmers and administrators working with the OpenBSD operating system (OS), or considering it.”
—UNIXREVIEW.COM

PRAISE FOR PGP & GPG BY MICHAEL LUCAS

“PGP & GPG is another excellent book by Michael Lucas. I thoroughly enjoyed his other books due to their content and style. PGP & GPG continues in this fine tradition. If you are trying to learn how to use PGP or GPG, or at least want to ensure you are using them properly, read PGP & GPG.”
—TAOSECURITY

“The world’s first user-friendly book on email privacy. Unless you’re a cryptographer, or never use email, you should read this book.”
—LEN SASSAMAN, CODECON FOUNDER

“… Excellent tutorial, quick read, and enough humor to make it enjoyable.”
—INFOWORLD

“An excellent book that shows the end-user in an easy to read and often entertaining style just about everything they need to know to effectively and properly use PGP and OpenPGP.”
—SLASHDOT

PRAISE FOR CISCO ROUTERS FOR THE DESPERATE BY MICHAEL LUCAS

“… this book isn’t a reference—it’s a survival guide, a ‘break glass in case of emergency’ safety harness. What I found remarkable was how it was obviously written for people like me—those of us who have little interest in router management but whose jobs depend on the consistent, trusted functioning of such infrastructure.”
—ASP.NETPRO

“If only Cisco Routers for the Desperate had been on my bookshelf a few years ago! It would have definitely saved me many hours of searching for configuration help on my Cisco routers. I would strongly recommend this book for both IT Professionals looking to get started with Cisco routers, as well as anyone who has to deal with a Cisco router from time to time but doesn’t have the time or technological know-how to tackle a more in-depth book on the subject.”
—BLOGCRITICS MAGAZINE

ABSOLUTE FREEBSD, 2ND EDITION
THE COMPLETE GUIDE TO FREEBSD
by Michael W. Lucas
San Francisco

ABSOLUTE FREEBSD, 2ND EDITION. Copyright © 2008 by Michael W. Lucas.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

Printed on recycled paper in the United States of America

11 10 09 08 07   1 2 3 4 5 6 7 8 9

ISBN-10: 1-59327-151-4
ISBN-13: 978-1-59327-151-0

Publisher: William Pollock
Production Editors: Christina Samuell and Megan Dunchak
Cover and Interior Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: John Baldwin
Copyeditor: Dmitry Kirsanov
Compositor: Riley Hoffman
Proofreader: Alina Kirsanova
Indexer: Nancy Guenther

For information on book distributors or translations, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
555 De Haro Street, Suite 250, San Francisco, CA 94107
phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com

Library of Congress Cataloging-in-Publication Data

Lucas, Michael, 1967-
  Absolute FreeBSD : the complete guide to FreeBSD / Michael W. Lucas. -- 2nd ed.
  p. cm.
  Includes index.
  ISBN-13: 978-1-59327-145-9
  ISBN-10: 1-59327-145-X
  FreeBSD. UNIX (Computer file). Internet service providers--Computer programs. Web servers--Computer programs. Client/server computing. I. Title.
  QA76.76.O63L83 2007
  004'.36--dc22
  2007036190

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The mark “FreeBSD” is a registered trademark of The FreeBSD Foundation and is used by Michael W. Lucas with the permission of The FreeBSD Foundation. The FreeBSD Logo is a trademark of The FreeBSD Foundation and is used by Michael W. Lucas with the permission of The FreeBSD Foundation. The BSD Daemon is copyright Marshall Kirk McKusick and is used with permission.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

For Liz

With luck, this one is the right size to plug that dang gopher hole.

BRIEF CONTENTS

Foreword by Robert N. M. Watson  xxvii
Acknowledgments  xxix
Introduction
Chapter 1: Getting More Help  19
Chapter 2: Installing FreeBSD  33
Chapter 3: Start Me Up! The Boot Process  61
Chapter 4: Read This Before You Break Something Else!
(Backup and Recovery)  89
Chapter 5: Kernel Games  117
Chapter 6: The Network  145
Chapter 7: Securing Your System  177
Chapter 8: Disks and Filesystems  209
Chapter 9: Advanced Security Features  261
Chapter 10: Exploring /etc  301
Chapter 11: Making Your System Useful  315
Chapter 12: Advanced Software Management  343
Chapter 13: Upgrading FreeBSD  371
Chapter 14: The Internet Road Map: DNS  411
Chapter 15: Small System Services  439
Chapter 16: Spam, Worms, and Viruses (Plus Email, If You Insist)  467
Chapter 17: Web and FTP Services  499
Chapter 18: Disk Tricks with GEOM  529
Chapter 19: System Performance and Monitoring  569
Chapter 20: The Fringe of FreeBSD  603
Chapter 21: System (and Sysadmin) Panics and Crashes  637
Afterword  655
Appendix: Some Interesting sysctl MIBs  661
Index  675

INDEX

    following, 580–581
    parent-child relationship of, 580
    priorities, 584–586
    top list of, 578–579
    vmstat statistics on, 572
processor. See central processing unit (CPU)
procfs filesystem, 238
    and jails, 295
    for Linux, 367
PROCFS option, for kernel, 133
production system, changing clock on, 449
programs
    attaching shared libraries to, 355–357
    compiling, 316–317
    /etc/rc.conf to disable, 65
    forwarding email to, 479
    identifying those listening to network, 207
    identifying those requiring libraries, 394
    library requirements, 358
    logging by name, 590–591
    scripts to manage running, 353
    sending log messages to, 591
Project Evil, 36
prompt command (FTP), 523
proprietary hardware, 35
proprietary operating system, 12
protocols
    fitting together, 157
    and hardware, 159–160
    in network layers, 146–148
provider in GEOM, 530
proxy group, 194
PRUNE_LIST option, for FreeSBIE, 633
PS/2 mouse, setup, 56
ps command, 294, 576
pseudodevices, 129
    kernel options, 135–136
PSEUDOFS option, for kernel, 133
pseudorandom number generation, random device for, 135
pseudoterminal, 135, 604, 605
pty device, 135
pub file extension, 441
public key encryption, 280–286
    certificates, 282–285
    connecting to SSL-protected ports, 285–286
    OpenSSL configuration, 281–282
    for SSH, 441
put command (FTP), 523
PuTTY, 445
pw command, scripting with, 188
PXE (Preboot Execution Environment), 607
    installation, 45
pxeboot file, for diskless clients, 609

Q
Qmail, 473
qotd (Quote of the Day), 158
    implementing, 454–455
question mark (?), to display commands for loader, 66
quit command, for restore, 104
quotas, for disk space, 40

R
rackmount servers, booting, 45
Radius user authentication, 513–515
RAID (Redundant Array of Independent Disks), 541–544
    controllers, 541
    hardware vs. software, 541–542
    nested, 553, 555
    parity and stripe size, 542–543
    types, 543–544
RAID-0 (striping), 543
    configuring, 545–547
RAID-1 (mirroring), 543, 547–550
    boot disks, 549–550
    daily status check of, 550
    repairing, 548
RAID-3 (striping with dedicated parity disk), 543, 550–553
    destroying, 553
RAID-5 (striping with parity shared across all drives), 543
RAID-10 (stripe of mirrored disks), 544, 553–554
RAM (random access memory), requirements, 37
Rambler search engine, 26
random device, for pseudorandom number generation, 135
random password generator, 182
rc scripts
    debugging, 353–354
    example, 351–352
    self-ordering, 350
    special providers, 352–353
rc_debug variable, 80
rc_info variable, 80
rcNG (next generation RC scripts), 87
rcorder program, 351
rcs command, breaking locks with, 112
rcsdiff command, 110–111
README file, for Ports Collection, 319
README.TXT directories, 44
read-only mode, 81
    for FTP server, 524
    mounts, in FFS, 218–219
read-write mounts in FFS, forcing on dirty disks, 224
real memory, listing in startup messages, 77
real-time streaming data, UDP for, 156
@reboot, 466
reboot command, 88
    automatic, after system panic, 638, 642
rebuild of software, forcing, 407–408
rcpt to: command, 471
recursive query, 412
Red Hat Linux, 315
redirections for email, 478
redundancy
    in network servers, 175
    restoring to RAID-3, 551–552
Redundant Array of Independent Disks (RAID). See RAID (Redundant Array of Independent Disks)
Reed, Darren, 273
refresh time, for slave nameserver, 430, 431
refreshing zone, 435
refuse file, 386–387
regular expressions, 597
regular user account, creating, 57
reinstalling ports, 337–338
ReiserFS, 227
rejecting logins, 195
relay control, in mail server, 472
Release Engineering team, 372
Release field, in problem report, 651
release versions of FreeBSD, 372–373
releases directory, 44
reloading nameserver, 435
Remote Name Daemon Control (rndc), 434–435
    command, 193, 434–435
remote printers, 459
Remote Procedure Calls (RPC), 313
remote reset of computer, serial console for, 70–75
removable hardware
    ejecting media, 231
    kernel support for, 136
removable media
    /etc/fstab file and, 231
    filesystems, 228–231
replication, of slices and partitions, 539–540
require-group statement, in htaccess file, 515
requirehome variable, in login.conf file, 198
rescheduling, for CPU performance, 584
/rescue directory, 65
research, before sending problem report, 647
reserved ports, 158
resolver, 412
    configuring, 419–421
    nameserver list for, 421
resource limits, 198–199
response to hacking, 300
restore program for dump, 98, 101–104
    and further backups, 103
    interactive, 104
restoring
    disklabels, 538
    slice table, 533
retensioning tape, 93
retry requirement, for milter-greylist, 490
retry value, for slave nameserver, 430, 431
reverse DNS, 413
    zones, 433–434
reversed IP addresses, 418
revision control, 106–113
    breaking locks, 112–113
    checking back in, 108–109
    editing files, 108
    initializing, 107–108
    reviewing files revision history, 110–111
    viewing logs, 109–110
revision history, reviewing, 110–111
rewinding backup tapes, 91, 93
RIP (Routing Information Protocol), 85
rkhunter, 300
rlog command, 109
rmuser program, 188
rndc (Remote Name Daemon Control), 434–435
    command, 193, 434–435
rndc-confgen script, 434
ro filesystem mount option, 212
roaming users, email service to, 472
root
    directory, for tftpd server, 461
    partition, 38, 214, 537
        device names for, 64
        in /etc/fstab, 213
        running mtree across, 297–298
        in single-user mode, 64
    password, 189–190
        for jails, 292
        resetting, 65
    ports, in portmaster, 405
    server, 412
    user
        for changing accounts, 186
        minimizing use of, 57
        NFS server and, 246
        ownership of non-Unix filesystem, 228
        status mail to, 586
        using groups to avoid, 191–194
    zone, in named.conf file, 425
rootmfs plug-in, for FreeSBIE, 635
root_rw_mount variable, 81
rotatelogs program, 504–505
rotating logs, 593
    file size as basis, 595
    flags for actions, 596
    time as basis for, 595–596
route command, 163
router_enable knob, 85
Routing Information Protocol (RIP), 85
RPC (Remote Procedure Calls), 313
rpcbind program, 289
RSA key files, 441
rtld program, 355–356
running processes, 576
run-time tunable sysctl, 122
rw filesystem mount option, 212

S
safe mode, booting in, 63
Samba, 248
SAS drives, 37
SASL (Simple Authentication and Security Layer), 491
    testing, 493
saslauthd daemon, 492
SATA drives, 37
savecore program, 640, 641
/sbin directory, commands in, 64–65
sbsize variable, in login.conf file, 199
schedulers, 349–350
scheduling
    adjusting for CPU performance, 584
    binary updates, 380
    tasks, 463–466
schg file flag, 202
scp program, 446, 527
screen, blank, for idle system, 85
script command, 114
script kiddies, 178
    and twist for system overload, 270
scripts
    for customizing NanoBSD, 627–628
    to manage running programs, 353
    shutdown, 350–354
        from vendor, 353
SCSI drives, 37
    numbering, 238–239
    tape, 90
        device nodes, 91
    wiring down, 238–239
SCSI_DELAY option, for kernel, 133
SCTP (Stream Control Transmission Protocol), 157
sdiff command, 392
search keyword, in /etc/resolv.conf, 421
sections, specifying for man search, 24
sectors in disk drives, 210, 531
Secure Shell (SSH), 82, 282. See also SSH (Secure Shell) daemon
Secure Sockets Layer (SSL). See SSL (Secure Sockets Layer)
secure websites, 520, 521
securelevels, 204–207
    definitions, 204–205
    and file flags, 201
    limitations, 206
security
    default accept vs. default deny, 264–265
    for diskless NFS, 610
    Ethernet and, 159
    file flags, 201–203
        limitations, 206
    for file transfer, 522
    FreeBSD announcements, 180
    for geom_gate, 562
    groups of users, 190–191
        to avoid root user, 191–194
        default, 194
    HyperThreading and, 348
    for inetd, 453
    intrusion preparation with mtree, 296–299
    jails, 286–296
        and /etc/rc.conf, 293
        client setup, 290–291
        host server setup, 287–289
        in-jail setup, 291–292
        and kernel, 289–290
        limitations, 295–296
        managing, 294–295
        shutdown, 293–294, 295–296
        startup, 293–294
    and LD_LIBRARY_PATH environment variable, 358
    for nameserver, 436–437
    network targets, 206
    network traffic control, 263–264
    packet filtering, 272–280
        activating rules, 279–280
        configuring, 275–277
        default accept and default deny, 273–274
        rule sample, 278–279
        and stateful inspection, 274–275
    for ports and packages, 340–341
    potential attackers, 178–180
    public key encryption, 280–286
        certificates, 282–285
        connecting to SSL-protected ports, 285–286
        OpenSSL configuration, 281–282
    response to hacking, 300
    restricting login ability, 195–197
    restricting system usage, 197–201
    risks, 177–178
    root password, 189–190
    securelevels, 204–207
        definitions, 204–205
        limitations, 206
    shells, 188–189
    for SNMP, 600
    system monitoring, 299–300
    TCP wrappers, 265–272
        configuring, 265–271
        example, 271–272
    unprivileged users, 261–263
    user accounts, 181–188
        creating, 181–183
        deleting, 188
        editing, 183–188
    and vmcore file, 645–646
    workstation vs. server, 207
security facility, 588
security.bsd.hardlink_check_gid sysctl, 674
security.bsd.overworked_admin sysctl, 674
security.bsd.see_other_gids sysctl, 674
security.bsd.see_other_uids sysctl, 674
security.bsd.unprivileged_read_msgbuf sysctl, 674
security.jail.allow_raw_sockets sysctl, 673
security.jail.allow_raw_sockets sysctl value, 290
security.jail.chflags_allowed sysctl, 673
security.jail.chflags_allowed sysctl value, 290
security.jail.enforce_statfs sysctl, 673
security.jail.enforce_statfs sysctl value, 290
security.jail.jailed sysctl, 673
security.jail.jailed sysctl value, 290
security.jail.list sysctl, 673
security.jail.list sysctl value, 290
security.jail.set_hostname_allowed sysctl, 673
security.jail.set_hostname_allowed sysctl value, 289
security.jail.socket_unixiproute_only sysctl, 673
security.jail.socket_unixiproute_only sysctl value, 289
security.jail.sysvipc_allowed sysctl, 673
security.jail.sysvipc_allowed sysctl value, 289–290
SELECT command, for IMAP, 497
selecting options from sysinstall menus, spacebar for, 50
Sendmail Mail Transfer Agent, 86, 473–476
    attaching milter-greylist to, 490–491
    authentication with SASL, 491–493
    configuration options, 475, 476–481
    Makefile for, 484–485
    submission vs. reception, 474–475
sendmail.cf file, 483
    building, 492–493
sendmail_enable variable, 86
sendmail_outbound_enable variable, 86
send-pr, 649
serial consoles, 70–75
    disconnection, 75
    hardware, 71
    and panics, 641
    physical setup, 73
    software, 71–72
    speeds for Soekris, 626–627, 628
    use, 73–75
Serial Line Internet Protocol (SLIP), 135
serial number, of zone file, 429–430
serial port
    logging in through, 606
    on Soekris, as default console, 617
server farm, diskless system for, 606
Server Message Block (SMB), 248
ServerName, for Apache, 503
ServerRoot setting, for Apache, 502
servers
    device node management on, 253
    security, vs. workstation, 207
SERVERS provider, for rc scripts, 352
server-side includes, 509
set command, to change variables, 67
setenv command, 92
setenv variable, in login.conf, 200
setuid programs, preventing running, 220
Severity field, in problem report, 651
sftp program, 447, 527
shared libraries, 87, 354–358
    attaching to programs, 355–357
    remapping, 360–361
    versions, 354
shell variable, in login.conf, 200
shells, 188–189
    changing for user account, 185
    kernel option to choose, 64
    for user account, 182
    for users, 58
show command, 67
shrinking FreeBSD, 396–397
shutdown, 88
    of Apache, 521
    jails, 293–294, 295–296
    and memory disk erasure, 233
    scripts, 350–354
        from vendor, 353
    syncer at, 224
signatures, in email, 30
Silicon Graphics, IRIX
Simple Authentication and Security Layer (SASL), 491
    testing, 493
simple device, 616
Simple Mail Transfer Protocol (SMTP), 470–472
Simple Network Management Protocol (SNMP), 598–601
    client (agent), 598
    Management Information Base (MIB), 598–600
        definitions and browsers, 599–600
    security for, 600
Single Unix Specification
single-user mode
    for boot process, 63–66
        disks in, 64
        network in, 65
        programs available, 64–65
    fixit disk for, 114–115
    root command prompt in, 605
    triggering panic in, 645–646
    upgrades and, 395–396
64-bit computing, 369
skilled attackers, 179–180
sl device, 135
slash notation for IP addresses, 153
    for configuring interface, 162
slashes (//), for comments, 424
slave domain, configuring, 426–427
sleeping processes, 576
slice table
    backups, 533
    changing, 533–536
    viewing with fdisk, 532–533
slices, 211, 531
    creating, 240
    fdisk for splitting hard drive into, 534–536
    partitioning, 536–537
    replication of, 539–540
SLIP (Serial Line Internet Protocol), 135
smart hosts, for email, 484–485
SMB (Server Message Block), 248
smbfs.ko module, 249
smbutil crypt command, 250
smbutil login command, 250
smmsp group, 194
SMP (symmetric multiprocessing). See symmetric multiprocessing (SMP)
SMTP (Simple Mail Transfer Protocol), 470–472
snappnd file flag, 202
snapshots
    in FFS, 222
    of FreeBSD, 375–376
snapshots directory, 44
SNMP (Simple Network Management Protocol). See Simple Network Management Protocol (SNMP)
Snort, 334, 335
SOA (Start of Authority) record, 428–429
sockstat program, 167–168, 207
Soekris, 138, 616
    serial console speeds, 626–627, 628
    serial port as default console, 617
soft updates, 219, 220–221
    vs. journaling, 555
    kernel options, 132
software
    finding, 320–322
        by keyword, 321–322
        by name, 321
    forcing rebuild, 407–408
    identifying and upgrading, 406–407
    identifying unneeded, 406
    make for, 316
    management, 10
    performance tuning, 586
    recompilation, 362
    running from other operating system, 86–87, 361–365
    and source code, 316–317
software packages, 317–320, 322–331. See also libraries
    adding, 56–57
        to NanoBSD, 628
    building, 339
    on CDs, 322–323
    from FTP, 324–325
    information, 329–330
    installing, 325
        on diskless systems, 613–615
    listing installed with description, 329
    problems, 330–331
    result of installing, 327–328
    security, 340–341
    uninstalling, 328–329
software serial consoles, 71–72
Solaris, recompiling software for, 362
sound plug-in, for FreeSBIE, 635
source code, 377
    building FreeBSD, 388–396
        GENERIC kernel, 389
        installing userland, 393–395
        make buildworld command, 388–389
        optimizing with parallel builds, 390
        preparing for userland install, 390–393
    and software, 316–317
    updating, 387
    for upgrading FreeBSD, 382–387
spacebar, for selecting options from sysinstall menus, 50
spam. See also junk email
    mail server access for, 472
    rejecting sources, 485–486
spambots, retransmission times, 490
spamd program, 487
Spamhaus, 486
spamming tools, and backup MXs, 469
SPARC servers, sparc64, 34
spawn option, for TCP wrappers, 270–271
specification for mtree, 297–298
    saving, 298–299
spool directory, for printer, 461
SRC_CONF option, for FreeSBIE, 633
SRCDIR option, for FreeSBIE, 632
SSH (Secure Shell) daemon, 82, 167–168, 439–447
    clients, 445–447
    copying files, 446–447
    server (sshd), 289, 440–442
        configuring, 442–444
        stopping, 440
    user management, 444–445
SSH keys, for diskless system, 614
SSH login, option to configure, 56
sshd group, 194
sshd script, 88
ssh-keygen command, 441–442
SSL (Secure Sockets Layer), 282
    connecting to protected ports, 285–286
    host key, 283
    for web traffic, 520
ssl_cert_file variable, for Dovecot, 494–495
ssl_key_file variable, 494–495
stackable mounts, 242–243
stacksize variable, in login.conf file, 199
staff group, 194
standard error, 14–15
standard input, 14
standard output, 14
Start of Authority (SOA) record, 428–429
startup. See also boot process
    options in /etc/rc.conf file, 80
    messages, 76–79
        /var/run/dmesg.boot for storing, 78
    scripts, 350–354
        from vendor, 353
state of process, 579
stateful inspection, and packet filtering, 274–275
stateful protocol, 156
stateless protocol, 156
status command (GEOM), 544
stop command, for service, 88
storage devices, device nodes for, 211
Stream Control Transmission Protocol (SCTP), 157
streaming protocol, 156
strings, as sysctl value, 121
stripe of mirrored disks (RAID-10), 544, 553–554
striped provider, creating, 546
striping (RAID-0), 543
    configuring, 545–547
    with dedicated parity disk (RAID-3), 543, 550–553
    with parity shared across all drives (RAID-5), 543
su command (switch user), 189
subdirectories, displaying size in blocks, 216
submit.cf file, 483
subnet statement, for DHCP clients, 458–459
Subsystem sftp setting, for SSH, 444
Sun Microsystems, 3
sunlnk file flag, 202
superuser, password changes by, 184–185
supfiles, 383–384
    examples, 386
    modifying, 384–385
    for upgrading FreeBSD, 398
SVR4 (System V Release 4), 364
swap space, 212
    analysis, 581–582
    encrypting with GELI, 561
    in /etc/fstab, 213
    /etc/fstab file entry for, 241
    /etc/rc.conf file setting for, 80
    and panic preparation, 640
    partition for, 38–39, 537
    and performance, 583
    splitting among multiple drives, 41
swap-backed disks, 232
    creating, 233
swapfind plug-in, for FreeSBIE, 635
switch user command (su), 189
switches for Ethernet, 159
    failure, 159–160
    quality of, 171
symbol versioning, 354
symbols files, 641, 644
symlinks, 509
    disabling, 220
    for library, 354
SymLinksIfOwnerMatch option, for Apache, 509
symmetric multiprocessing (SMP), 143, 344–349
    current implementation, 346–347
    first implementation, 345–346
    kernel options, 134
    processors and, 347–348
    using, 348–349
SYN-ACK packets, forged, 274
syncer at shutdown in FFS, 224
synchronization of time, 448
synchronous mounts in FFS, 219
Synopsis field, in problem report, 650, 652
sys group, 194
/sys/conf/NOTES file, 138
sysctl command, 121–122
sysctl values, 69, 121, 661–674
    changing, 122–124
    for device drivers, 123–124
    setting automatically, 122
    viewing, 121–122
sysinstall
    for adding hard disks, 240–243
    for upgrades, 377
    screen, 49–50
    for reconfiguring system, 59
syslog facility, 588
syslogd daemon, 82, 587–593
    customization, 592–593
    facilities for log entry, 587–588
    on jail host server, 288
    levels for log message, 588–589
    processing messages with, 589–592
syslogd.conf, for diskless system, 615
syslogd_enable variable, 82
syslogd_flags variable, 82
SyslogFacility AUTH, for SSH, 443
systat, 571
system
    accounts, 192
    backups, 90
    binaries, preventing replacement with trojan versions, 203
    console, physical protection of, 189
    keeping up to date, 180
    memory, Windows loading of, 315
    monitoring, 299–300
    tar to backup, 95
    traps, vmstat information on, 573
System-V-style shared memory, options to enable, 133

T
tables, in /etc/pf.conf file, 276
tail command, 476
tape drives
    and dump, 99
    moving backwards on, 105
$TAPE variable, 91–92
tapes for backups, 90–93
    erasing, 93
    multiple backups on one tape, 105–106
    retensioning, 93
    rewinding, 91, 93
tar (tape archiver) program, 94–97
    modes, 94–96
    for moving files to new drives, 242
tarball, 94
    creating, 96
tar.gz file extension, 97
tar.Z file extension, 97
taz file extension, 97
tclhttpd, 500
TCP (Transmission Control Protocol). See Transmission Control Protocol (TCP)
TCP wrappers, 265–272, 456
    and access to network daemons, 264
    configuring, 265–271
        ALL keyword, 268
        client list, 266–267
        daemon name, 266
        logging, 269
        options, 269
        spawn option, 270–271
        twist option, 269–270
    example, 271–272
tcp_extensions variable, 83
TCP/IP, 2, 145
    configuring, 54–55
    kernel options, 132
    network layers, 146–148
    variables for, 83
tcsh shell, nice command, 585
telnet, 285–286, 440
    to connect to SMTP port, 470
    to connect to SSH TCP port, 440–441
/temp directory, for memory filesystem, 232
Templates directory, for Ports Collection, 319
term variable, in login.conf, 200
terminals, 604
    emulators, 74
    servers, 73
testing
    boot-time tunable sysctls, 124
    for FreeBSD, 376
    IMAPS, 497–498
    kernel remotely, 141–142
    Linux mode, 366–367
    network interface configuration, 166
    POP3S, 496–497
    SASL (Simple Authentication and Security Layer), 493
text editors
    for problem report, 649
    for user management, 185
    XEmacs, 13
text wrap, in email, 30
TFTP (Trivial File Transfer Protocol), 461–463
tftpd server, 461
    and boot loader, 609
    configuring, 462–463
    file ownership, 462
    and read-write files, 462
tgz file extension, 97
third-party directory services, authentication against, 513
32-bit computing, 369
threaded programs, and multiple processors, 348–349
threading libraries, 359–360
threads, 346, 358–359
    waiting for CPU time, 576
three-way handshake, 156
three-way mirror, for database, 550
Thunderbird, FreeBSD support for, 493
Tier NTP servers, 448
Tier NTP servers, 448
tilde (~)
    in environment fields for user home directory, 200
    for tip program, 75
time
    for log rotation, 595–596
    network, 447–450
    specifying for crontab, 465
time servers, 448
time slice, 345
time zone setting, 56, 447
timecounter, identifier in startup messages, 76
timeout, for FTP session, 524
time-to-live (TTL)
    in dig answer, 415
    for zones, 428
times.allow option, 201
times.deny option, 201
timestamps, and dump, 100
timezone variable, in login.conf, 200
tip program, 74–75, 617
    disconnecting serial console, 75
/tmp directory, 39
tmpfs memory filesystem, 233–234
tmpmfs variable, 80
tmpmfs_flags variable, 80
tmpsize variable, 80
toggles, 662
tools directory, 44, 319
top tool, 575
    and I/O, 579
torrents directory, 44
touch command, 462, 512
tracking changes, revision control for, 106–113
tracks in disk drives, 210, 530
Transmission Control Protocol (TCP), 147, 156–157
    handshake, 156
    status of, 169
    port, Apache binding to, 502
transport layer, in OSI, 147–148, 149, 150
trap function, 644–645
trimming kernel, 131–136
    basic options, 131–134
    CPU types, 131
    device drivers, 134
    multiple processors, 134
    pseudodevices, 135–136
    removable hardware, 136
Trivial File Transfer Protocol (TFTP), 461–463
trojan versions of binaries, preventing replacement with, 203
troubleshooting
    kernel builds, 137
    NanoBSD build, 625–626
    result of refuse files, 387
truncate command, 565
trunk ports, 405
truss program, 368–369
TTL (time-to-live). See time-to-live (TTL)
tty group, 194
tun device, 135
tunables, 79, 662
    low-level kernel vs. run-time, 123
tutorials, 25
twist option for TCP wrappers, 269–270
    variables, 271
tzsetup program, 447

U
uappnd file flag, 202
uchg file flag, 202
UDF (Universal Data Format), 226
udotdir setting, in adduser.conf file, 183
UDP (User Datagram Protocol), 147, 155–156
    wrappers and, 265
ufs (Unix Fast File System), 212
UFS (Unix File System), 217
    access control lists, kernel options, 132
UFS2, snapshot facility, 99
UFS_DIRHASH option, for kernel, 132
UID (user ID). See user ID (UID)
UIDs file, for Ports Collection, 319
ULE scheduler, 349–350
umask variable, in login.conf, 200
umount command, 215, 231
    for foreign filesystems, 226
uname command, -a option, 29
undeliverable email, 469
uninstalling
    ports, 337–338
    software packages, 327, 328–329
Universal Data Format (UDF), 226
Universal Time Clock (UTC), 447
University of California
Unix
Unix Fast File System (ufs), 212
Unix Systems Laboratories (USL)
Unix-like systems, vs. Unix
UNKNOWN keyword, in TCP wrappers, 267
unload command, 68
    in GEOM, 544
unloading kernel modules, 125
unmounting
    disks, for configuring mirroring, 547
    and ejecting removable media, 231
    partitions, 215
unprivileged users, 261–263
untarring, 95
Update server, building, 380
updating
    blocking, 386–387
    installed ports, 404–409
UPDATING file, for Ports Collection, 319
upgrading
    Ports Collection, 403–404
    software, 406–407
upgrading FreeBSD, 371–409
    binary updates, 378–380
    cross-building, 399
    methods, 377
    procedure for, 11
    and single-user mode, 395–396
    via source, 382–387
    supfiles and make for, 398
    via sysinstall, 380–381
    versions, 372–377
        decision on use, 376–377
        FreeBSD-current, 373–374
        FreeBSD-stable, 374–375
        releases, 372–373
        snapshots, 375–376
        testing, 376
uptime, statistics on, 576
USB hardware
    FAT filesystem for, 228–230
    filesystems for, 230
    kernel support for, 136
    tape drives, 90
user accounts, 181–188. See also root, user
    changing shell, 185
    creating, 181–183
    deleting, 188
    editing, 183–188
    for jail, 292
user command, 496
user crontabs, vs. /etc/crontab, 463
User Datagram Protocol (UDP), 147, 155–156
    wrappers and, 265
User distribution, 42
user facility, 588
user ID (UID), 181
    for administrative users, 192–193
    in /etc/master.passwd file, 187
user mapping, 481–483
User option, for Apache, 502
user processes, 577
user sessions, logging to, 591
userland
    for diskless clients, NFS server and, 609–610
    installing, 390, 393–395
usernames, 57
    in /etc/master.passwd file, 187
    for FTP, 522
users
    adding, 57–58
    Apache configuration by, 510–511
    home directories, 40
    unprivileged, 261–263
user’s class field, in /etc/master.passwd file, 187
user’s home directory field, in /etc/master.passwd file, 188
user’s shell field, in /etc/master.passwd file, 188
USL (Unix Systems Laboratories)
/usr partition, 40
/usr/bin/sendmail file, 474
/usr/compat/linux, 366
/usr/local/bin directory, 14
/usr/local directory, 339
/usr/local/etc/dhcpd.conf file, 457–459
/usr/local/etc/dovecot.conf file, 494
/usr/local/etc/mail/greylist.conf file, 488
/usr/local/etc/rc.d script, 207, 350
/usr/local/lib directory, 356
/usr/local/share/dovecot directory, 495
/usr/local/share/freesbie directory, 631
/usr/local/share/freesbie/conf, 631
/usr/ports directory, 318
/usr/ports/emulators directory, 363
/usr/ports/games directory, 42
/usr/ports/INDEX-7 file, 320
/usr/ports/LEGAL file, 322
/usr/ports/mail/dovecot directory, 494
/usr/ports/mail/mutt, 30
/usr/ports/mail/sendmail, 491
/usr/ports/net/cvsup-mirror port, 400
/usr/ports/security/nessus utility, 300
/usr/ports/sysutils/lsof utility, 300
/usr/ports/www directory, 500
/usr/share/syscons/fonts directory, 85
/usr/share/syscons/keymaps directory, 85
/usr/src/tools/tools/nanobsd directory, 618
/usr/src/UPDATING file, 388
UTC (Universal Time Clock), 447
uucp facility, 588
uucp group, 194
uunlnk file flag, 203

V
,v file extension, 107
/var partition, 39–40
/var/crash directory, 643
/var/db/pkg directory, 327
/var/db/sup/refuse file, 386
variables, 662
    for loader, 67
    in loader.conf file, 70
    set command to change, 67
    in sysctl.out file, 119
/var/log/maillog file, 476
    for Dovecot errors, 496
/var/log/messages, 84, 347
    for DNS configuration errors, 436
varmfs plug-in, for FreeSBIE, 635
/var/run/dmesg.boot file, 63, 78
    for problem solving, 29
    and tape drive recognition by system, 90
/var/tmp directory, 39
VAXes
verbose logging, 593
    booting with, 63
verbose mode for tar, 96
verbose_loading variable, 69
VeriSign, 282
version numbers, in revision control, 107
version of FreeBSD, in startup messages, 76
VersionAddendum, 442
vfs.ffs.doasyncfree sysctl, 667
vfs.ffs.doreallocblks sysctl, 667
vfs.nfs.diskless_rootaddr sysctl, 667
vfs.nfs.diskless_rootpath sysctl, 667
vfs.nfs.diskless_valid sysctl, 611, 667
vfs.usermount sysctl, 667
vfs.usermount sysctl variable, 228
vfs.vmiodirenable sysctl, 667
vi, Revision Control System and, 108
video card, with serial port, 71
video, redirecting to serial port, 71
view command (smbutil), 251
Vigor, 185
vipw utility, 186–188
virtual domains, 481–483
virtual hosting in Apache web server, 517–519
    SSL configuration, 520
virtual memory
    disk space for, 38–39
    statistics, 571
virtual nodes (vnodes), 218
    writing to disk at shutdown, 224
virtual terminal, 604
viruses, 179
vmcore file, 643
    and security, 645–646
vm.exec_map_entries sysctl, 667
vmstat program, 571–574
    continuous,
574 using, 573–574 vm.swap_enabled sysctl, 666 vm.swap_idle_enabled sysctl, 667 vm.swap_idle_threshold1 sysctl, 667 vm.swap_idle_threshold2 sysctl, 667 vm.v_cache_max sysctl, 666 vm.v_cache_min sysctl, 666 vm.v_free_min sysctl, 666 vm.v_free_reserved sysctl, 666 vm.v_free_target sysctl, 583, 666 vm.v_inactive_target sysctl, 666 vnode-backed disks, 232 creating, 233 vnodes (virtual nodes), 218 writing to disk as shutdown, 224 voluntary context switches, 579 W warning level for syslog protocol, 588 warnings, from self-signed certificates, 285 web server See also Apache web server estimating needs, 173 functioning of, 500 websites, HTTPS, 520 welcome variable, in login.conf, 200 whatis, for man page searches, 23 wheel group, 189, 190, 194 whereis command, 406 whitelist, 487 wildcards, for logging, 589 window size, for network incoming connections, 174–175 Windows (Microsoft) background, and Unix administration, 13 NT/200/XP filesystem, 226–227 WINS server, 459 wired memory, 578 wiring down SCSI devices, 238–239 WITHOUT_ options, for customizing FreeBSD, 397 WITNESS kernel option, 347 wlan_wep.ko module, 125 workgroup keyword, in /etc/nsmb.conf file, 249 workstation, security, vs server, 207 worms, 179 wrappers See TCP wrappers wrapping text, in email, 30 write caching in FFS, 221 write-only mode, for FTP server, 524 www group, 194 X X Window System, 42, 323 dependencies required, 328 X11Forwarding, for SSH, 443–444 xautostart plug-in, for FreeSBIE, 635 xbox, 34 xconfig plug-in, for FreeSBIE, 635 xconfigure-probe plug-in, for FreeSBIE, 635 X-Developer distribution, 42 XEmacs, 13 Xenix (Microsoft), XFS partitions, 227 X-Kern-Developer distribution, 42 xorg package, 328 X-User distribution, 42 Y Yahoo!, 5, 499 Z ZEN blacklist, 486 ZFS, 227 zone files, 428–434 dots and termination in, 433 example, 432 reloading, 435 secondary nameservers update, serial number and, 430 zone transfers, controlling, 436–437 zones in named.conf, 424 I N D EX www.it-ebooks.info 709 
There's more to keeping FreeBSD free than meets the eye. They work hard behind the scenes and you hardly ever see them. They're The FreeBSD Foundation, and they quietly fund and manage projects, sponsor FreeBSD events, Developer Summits and provide travel grants to FreeBSD developers. The FreeBSD Foundation represents the Project in executing contracts, license agreements ...

ABSOLUTE FREEBSD, 2ND EDITION: THE COMPLETE GUIDE TO FREEBSD, by Michael W. Lucas. San Francisco. Copyright © 2008 by...