Index: zh_TW.UTF-8/books/handbook/Makefile
===================================================================
--- zh_TW.UTF-8/books/handbook/Makefile
+++ zh_TW.UTF-8/books/handbook/Makefile
@@ -1,9 +1,18 @@
 #
 # $FreeBSD$
-# Original revision: 1.108
 #
-# Build the FreeBSD Handbook.
+# Build the FreeBSD Handbook (Traditional Chinese).
 #
+# Original revision: r46480
+#
+
+# ------------------------------------------------------------------------
+# To add a new chapter to the Handbook:
+#
+# - Update this Makefile, chapters.ent and book.xml
+# - Add a descriptive entry for the new chapter in preface/preface.xml
+#
+# ------------------------------------------------------------------------
 
 .PATH: ${.CURDIR}/../../share/xml/glossary
 
@@ -20,7 +29,63 @@
 IMAGES_EN+= advanced-networking/isdn-twisted-pair.eps
 IMAGES_EN+= advanced-networking/natd.eps
 IMAGES_EN+= advanced-networking/net-routing.pic
+IMAGES_EN+= advanced-networking/pxe-nfs.png
 IMAGES_EN+= advanced-networking/static-routes.pic
+IMAGES_EN+= bsdinstall/bsdinstall-adduser1.png
+IMAGES_EN+= bsdinstall/bsdinstall-adduser2.png
+IMAGES_EN+= bsdinstall/bsdinstall-adduser3.png
+IMAGES_EN+= bsdinstall/bsdinstall-boot-loader-menu.png
+IMAGES_EN+= bsdinstall/bsdinstall-boot-options-menu.png
+IMAGES_EN+= bsdinstall/bsdinstall-newboot-loader-menu.png
+IMAGES_EN+= bsdinstall/bsdinstall-choose-mode.png
+IMAGES_EN+= bsdinstall/bsdinstall-config-components.png
+IMAGES_EN+= bsdinstall/bsdinstall-config-hostname.png
+IMAGES_EN+= bsdinstall/bsdinstall-config-keymap.png
+IMAGES_EN+= bsdinstall/bsdinstall-config-services.png
+IMAGES_EN+= bsdinstall/bsdinstall-config-crashdump.png
+IMAGES_EN+= bsdinstall/bsdinstall-configure-network-interface-ipv4-dhcp.png
+IMAGES_EN+= bsdinstall/bsdinstall-configure-network-interface-ipv4.png
+IMAGES_EN+= bsdinstall/bsdinstall-configure-network-interface-ipv4-static.png
+IMAGES_EN+= bsdinstall/bsdinstall-configure-network-interface-ipv6.png
+IMAGES_EN+= bsdinstall/bsdinstall-configure-network-interface-ipv6-static.png
+IMAGES_EN+= bsdinstall/bsdinstall-configure-network-interface-slaac.png
+IMAGES_EN+= bsdinstall/bsdinstall-configure-network-interface.png
+IMAGES_EN+= bsdinstall/bsdinstall-configure-network-ipv4-dns.png
+IMAGES_EN+= bsdinstall/bsdinstall-configure-wireless-accesspoints.png
+IMAGES_EN+= bsdinstall/bsdinstall-configure-wireless-scan.png
+IMAGES_EN+= bsdinstall/bsdinstall-configure-wireless-wpa2setup.png
+IMAGES_EN+= bsdinstall/bsdinstall-distfile-extracting.png
+IMAGES_EN+= bsdinstall/bsdinstall-distfile-fetching.png
+IMAGES_EN+= bsdinstall/bsdinstall-distfile-verifying.png
+IMAGES_EN+= bsdinstall/bsdinstall-final-confirmation.png
+IMAGES_EN+= bsdinstall/bsdinstall-finalconfiguration.png
+IMAGES_EN+= bsdinstall/bsdinstall-final-modification-shell.png
+IMAGES_EN+= bsdinstall/bsdinstall-keymap-10.png
+IMAGES_EN+= bsdinstall/bsdinstall-keymap-select-default.png
+IMAGES_EN+= bsdinstall/bsdinstall-mainexit.png
+IMAGES_EN+= bsdinstall/bsdinstall-netinstall-files.png
+IMAGES_EN+= bsdinstall/bsdinstall-netinstall-mirrorselect.png
+IMAGES_EN+= bsdinstall/bsdinstall-part-entire-part.png
+IMAGES_EN+= bsdinstall/bsdinstall-part-guided-disk.png
+IMAGES_EN+= bsdinstall/bsdinstall-part-guided-manual.png
+IMAGES_EN+= bsdinstall/bsdinstall-part-manual-addpart.png
+IMAGES_EN+= bsdinstall/bsdinstall-part-manual-create.png
+IMAGES_EN+= bsdinstall/bsdinstall-part-manual-partscheme.png
+IMAGES_EN+= bsdinstall/bsdinstall-part-review.png
+IMAGES_EN+= bsdinstall/bsdinstall-post-root-passwd.png
+IMAGES_EN+= bsdinstall/bsdinstall-set-clock-local-utc.png
+IMAGES_EN+= bsdinstall/bsdinstall-timezone-confirm.png
+IMAGES_EN+= bsdinstall/bsdinstall-timezone-country.png
+IMAGES_EN+= bsdinstall/bsdinstall-timezone-region.png
+IMAGES_EN+= bsdinstall/bsdinstall-timezone-zone.png
+IMAGES_EN+= bsdinstall/bsdinstall-zfs-disk_info.png
+IMAGES_EN+= bsdinstall/bsdinstall-zfs-disk_select.png
+IMAGES_EN+= bsdinstall/bsdinstall-zfs-geli_password.png
+IMAGES_EN+= bsdinstall/bsdinstall-zfs-menu.png
+IMAGES_EN+= bsdinstall/bsdinstall-zfs-partmenu.png
+IMAGES_EN+= bsdinstall/bsdinstall-zfs-vdev_invalid.png
+IMAGES_EN+= bsdinstall/bsdinstall-zfs-vdev_type.png
+IMAGES_EN+= bsdinstall/bsdinstall-zfs-warning.png
 IMAGES_EN+= geom/striping.pic
 IMAGES_EN+= install/adduser1.scr
 IMAGES_EN+= install/adduser2.scr
@@ -28,6 +93,7 @@
 IMAGES_EN+= install/boot-loader-menu.scr
 IMAGES_EN+= install/boot-mgr.scr
 IMAGES_EN+= install/config-country.scr
+IMAGES_EN+= install/config-keymap.scr
 IMAGES_EN+= install/console-saver1.scr
 IMAGES_EN+= install/console-saver2.scr
 IMAGES_EN+= install/console-saver3.scr
@@ -104,13 +170,6 @@
 IMAGES_EN+= security/ipsec-crypt-pkt.pic
 IMAGES_EN+= security/ipsec-encap-pkt.pic
 IMAGES_EN+= security/ipsec-out-pkt.pic
-IMAGES_EN+= vinum/vinum-concat.pic
-IMAGES_EN+= vinum/vinum-mirrored-vol.pic
-IMAGES_EN+= vinum/vinum-raid10-vol.pic
-IMAGES_EN+= vinum/vinum-raid5-org.pic
-IMAGES_EN+= vinum/vinum-simple-vol.pic
-IMAGES_EN+= vinum/vinum-striped-vol.pic
-IMAGES_EN+= vinum/vinum-striped.pic
 IMAGES_EN+= virtualization/parallels-freebsd1.png
 IMAGES_EN+= virtualization/parallels-freebsd2.png
 IMAGES_EN+= virtualization/parallels-freebsd3.png
@@ -175,7 +234,9 @@
 # XML content
 SRCS+= audit/chapter.xml
 SRCS+= book.xml
+SRCS+= bsdinstall/chapter.xml
 SRCS+= colophon.xml
+SRCS+= dtrace/chapter.xml
 SRCS+= advanced-networking/chapter.xml
 SRCS+= basics/chapter.xml
 SRCS+= bibliography/chapter.xml
@@ -186,6 +247,8 @@
 SRCS+= disks/chapter.xml
 SRCS+= eresources/chapter.xml
 SRCS+= firewalls/chapter.xml
+SRCS+= zfs/chapter.xml
+SRCS+= filesystems/chapter.xml
 SRCS+= geom/chapter.xml
 SRCS+= install/chapter.xml
 SRCS+= introduction/chapter.xml
@@ -205,8 +268,6 @@
 SRCS+= printing/chapter.xml
 SRCS+= security/chapter.xml
 SRCS+= serialcomms/chapter.xml
-SRCS+= users/chapter.xml
-SRCS+= vinum/chapter.xml
 SRCS+= virtualization/chapter.xml
 SRCS+= x11/chapter.xml
 
@@ -230,8 +291,6 @@
 XMLDOCS=	lastmod:::mirrors.lastmod.inc \
 		mirrors-ftp-index:::mirrors.xml.ftp.index.inc \
 		mirrors-ftp:::mirrors.xml.ftp.inc \
-		mirrors-cvsup-index:::mirrors.xml.cvsup.index.inc \
-		mirrors-cvsup:::mirrors.xml.cvsup.inc \
 		eresources-index:::eresources.xml.www.index.inc \
 		eresources:::eresources.xml.www.inc
 DEPENDSET.DEFAULT=	transtable mirror
@@ -245,12 +304,6 @@
 PARAMS.mirrors-ftp+=	--param 'type' "'ftp'" \
 			--param 'proto' "'ftp'" \
 			--param 'target' "'handbook/mirrors/chapter.xml'"
-PARAMS.mirrors-cvsup-index+=	--param 'type' "'cvsup'" \
-				--param 'proto' "'cvsup'" \
-				--param 'target' "'index'"
-PARAMS.mirrors-cvsup+=	--param 'type' "'cvsup'" \
-			--param 'proto' "'cvsup'" \
-			--param 'target' "'handbook/mirrors/chapter.xml'"
 PARAMS.eresources-index+=	--param 'type' "'www'" \
 				--param 'proto' "'http'" \
 				--param 'target' "'index'"
@@ -261,8 +314,6 @@
 SRCS+=		mirrors.lastmod.inc \
 		mirrors.xml.ftp.inc \
 		mirrors.xml.ftp.index.inc \
-		mirrors.xml.cvsup.inc \
-		mirrors.xml.cvsup.index.inc \
 		eresources.xml.www.inc \
 		eresources.xml.www.index.inc
 
Index: zh_TW.UTF-8/books/handbook/basics/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/basics/chapter.xml
+++ zh_TW.UTF-8/books/handbook/basics/chapter.xml
@@ -1,19 +1,26 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      The FreeBSD Documentation Project
+     The FreeBSD Traditional Chinese Project
 
      $FreeBSD$
-     Original revision: 1.152
+     Original revision: r46052
 -->
-<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="basics">
-  <info><title>UNIX 基礎概念</title>
+<chapter xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="basics">
+  <!--
+  <chapterinfo>
     <authorgroup>
-      <author><personname><firstname>Chris</firstname><surname>Shumway</surname></personname><contrib>Rewritten by </contrib></author>
+      <author>
+	<firstname>Chris</firstname>
+	<surname>Shumway</surname>
+	<contrib>Rewritten by in Mar 2000</contrib>
+      </author>
     </authorgroup>
-    
-  </info>
-
-  
+  </chapterinfo>
+  -->
+  <title>UNIX 基礎概念</title>
 
   <sect1 xml:id="basics-synopsis">
     <title>概述</title>
@@ -29,44 +36,61 @@
       <listitem>
         <para>如何使用 FreeBSD 的<quote>virtual consoles</quote>。</para>
       </listitem>
+
       <listitem>
 	<para>&unix; 檔案權限運作的方式以及 &os; 中檔案的 flags。</para>
       </listitem>
+
       <listitem>
 	<para>預設的 &os; 檔案系統配置。</para>
       </listitem>
+
       <listitem>
 	<para>&os; 的磁碟結構。</para>
       </listitem>
+
       <listitem>
 	<para>如何掛載(mount)、卸載(umount)檔案系統</para>
       </listitem>
+
       <listitem>
 	<para>什麼是processes、daemons 以及 signals 。</para>
       </listitem>
+
       <listitem>
 	<para>什麼是 shell ，以及如何變更您預設的登入環境。</para>
       </listitem>
+
       <listitem>
 	<para>如何使用基本的文字編輯器。</para>
       </listitem>
+
       <listitem>
 	<para>什麼是 devices 和 device nodes 。</para>
       </listitem>
+
       <listitem>
 	<para>&os; 下使用的 binary 格式。</para>
       </listitem>
+
       <listitem>
 	<para>如何閱讀 manual pages 以獲得更多的資訊。</para>
       </listitem>
     </itemizedlist>
-
   </sect1>
 
   <sect1 xml:id="consoles">
     <title>Virtual Consoles 和終端機</title>
-    <indexterm><primary>virtual consoles</primary></indexterm>
-    <indexterm><primary>terminals</primary></indexterm>
+
+    <indexterm>
+      <primary>virtual consoles</primary>
+    </indexterm>
+    <indexterm>
+      <primary>terminals</primary>
+    </indexterm>
+    <indexterm>
+      <primary>console</primary>
+    </indexterm>
 
     <para>有很多方法可以操作 FreeBSD ，其中一種就是在文字終端機上打字。
       如此使用 FreeBSD 即可輕易的體會到 &unix; 作業系統的威力和彈性。
@@ -279,6 +303,798 @@
     </sect2>
   </sect1>
 
+  <sect1 xml:id="users-synopsis">
+    <title>Users and Basic Account Management</title>
+
+    <para>&os; allows multiple users to use the computer at the same
+      time.  While only one user can sit in front of the screen and
+      use the keyboard at any one time, any number of users can log
+      in to the system through the network.  To use the system, each
+      user should have their own user account.</para>
+
+    <para>This chapter describes:</para>
+
+    <itemizedlist>
+      <listitem>
+	<para>The different types of user accounts on a
+	  &os; system.</para>
+      </listitem>
+
+      <listitem>
+	<para>How to add, remove, and modify user accounts.</para>
+      </listitem>
+
+      <listitem>
+	<para>How to set limits to control the
+	  resources that users and
+	  groups are allowed to access.</para>
+      </listitem>
+
+      <listitem>
+	<para>How to create groups and add users as members of a
+	  group.</para>
+      </listitem>
+    </itemizedlist>
+
+    <sect2 xml:id="users-introduction">
+      <title>Account Types</title>
+
+      <para>Since all access to the &os; system is achieved using
+	accounts and all processes are run by users, user and account
+	management is important.</para>
+
+      <para>There are three main types of accounts: system accounts,
+	user accounts, and the superuser account.</para>
+
+      <sect3 xml:id="users-system">
+	<title>System Accounts</title>
+
+	<indexterm>
+	  <primary>accounts</primary>
+	  <secondary>system</secondary>
+	</indexterm>
+
+	<para>System accounts are used to run services such as DNS,
+	  mail, and web servers.  The reason for this is security; if
+	  all services ran as the superuser, they could act without
+	  restriction.</para>
+
+	<indexterm>
+	  <primary>accounts</primary>
+	  <secondary><systemitem
+	      class="username">daemon</systemitem></secondary>
+	</indexterm>
+	<indexterm>
+	  <primary>accounts</primary>
+	  <secondary><systemitem
+	      class="username">operator</systemitem></secondary>
+	</indexterm>
+
+	<para>Examples of system accounts are
+	  <systemitem class="username">daemon</systemitem>,
+	  <systemitem class="username">operator</systemitem>,
+	  <systemitem class="username">bind</systemitem>,
+	  <systemitem class="username">news</systemitem>, and
+	  <systemitem class="username">www</systemitem>.</para>
+
+	<indexterm>
+	  <primary>accounts</primary>
+	  <secondary><systemitem
+	      class="username">nobody</systemitem></secondary>
+	</indexterm>
+
+	<para><systemitem class="username">nobody</systemitem> is the
+	  generic unprivileged system account.  However, the more
+	  services that use
+	  <systemitem class="username">nobody</systemitem>, the more
+	  files and processes that user will become associated with,
+	  and hence the more privileged that user becomes.</para>
+      </sect3>
+
+      <sect3 xml:id="users-user">
+	<title>User Accounts</title>
+
+	<indexterm>
+	  <primary>accounts</primary>
+	  <secondary>user</secondary>
+	</indexterm>
+
+	<para>User accounts are assigned to real people and are used
+	  to log in and use the system.  Every person accessing the
+	  system should have a unique user account.  This allows the
+	  administrator to find out who is doing what and prevents
+	  users from clobbering the settings of other users.</para>
+
+	<para>Each user can set up their own environment to
+	  accommodate their use of the system, by configuring their
+	  default shell, editor, key bindings, and language
+	  settings.</para>
+
+	<para>Every user account on a &os; system has certain
+	  information associated with it:</para>
+
+	<variablelist>
+	  <varlistentry>
+	    <term>User name</term>
+
+	    <listitem>
+	      <para>The user name is typed at the
+		<prompt>login:</prompt> prompt.  Each user must have
+		a unique user name.  There are a number of rules for
+		creating valid user names which are documented in
+		&man.passwd.5;.  It is recommended to use user names
+		that consist of eight or fewer, all lower case
+		characters in order to maintain backwards
+		compatibility with applications.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term>Password</term>
+
+	    <listitem>
+	      <para>Each account has an associated password.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term>User ID (<acronym>UID</acronym>)</term>
+
+	    <listitem>
+	      <para>The User ID (<acronym>UID</acronym>) is a number
+		used to uniquely identify the user to the &os; system.
+		Commands that allow a user name to be specified will
+		first convert it to the <acronym>UID</acronym>.  It is
+		recommended to use a UID less than 65535, since higher
+		values may cause compatibility issues with some
+		software.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term>Group ID (<acronym>GID</acronym>)</term>
+
+	    <listitem>
+	      <para>The Group ID (<acronym>GID</acronym>) is a number
+		used to uniquely identify the primary group that the
+		user belongs to.  Groups are a mechanism for
+		controlling access to resources based on a user's
+		<acronym>GID</acronym> rather than their
+		<acronym>UID</acronym>.  This can significantly reduce
+		the size of some configuration files and allows users
+		to be members of more than one group.  It is
+		recommended to use a GID of 65535 or lower as higher
+		GIDs may break some software.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term>Login class</term>
+
+	    <listitem>
+	      <para>Login classes are an extension to the group
+		mechanism that provide additional flexibility when
+		tailoring the system to different users.  Login
+		classes are discussed further in
+		<xref linkend="users-limiting"/>.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term>Password change time</term>
+
+	    <listitem>
+	      <para>By default, passwords do not expire.  However,
+		password expiration can be enabled on a per-user
+		basis, forcing some or all users to change their
+		passwords after a certain amount of time has
+		elapsed.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term>Account expiry time</term>
+
+	    <listitem>
+	      <para>By default, &os; does not expire accounts.  When
+		creating accounts that need a limited lifespan, such
+		as student accounts in a school, specify the account
+		expiry date using &man.pw.8;.  After the expiry time
+		has elapsed, the account cannot be used to log in to
+		the system, although the account's directories and
+		files will remain.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term>User's full name</term>
+
+	    <listitem>
+	      <para>The user name uniquely identifies the account to
+		&os;, but does not necessarily reflect the user's real
+		name.  Similar to a comment, this information can
+		contain spaces, uppercase characters, and be more
+		than 8 characters long.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term>Home directory</term>
+
+	    <listitem>
+	      <para>The home directory is the full path to a directory
+		on the system.  This is the user's starting directory
+		when the user logs in.  A common convention is to put
+		all user home directories under <filename
+		  class="directory"><replaceable>/home/username</replaceable></filename>
+		or <filename
+		  class="directory"><replaceable>/usr/home/username</replaceable></filename>.
+		Each user stores their personal files and
+		subdirectories in their own home directory.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term>User shell</term>
+
+	    <listitem>
+	      <para>The shell provides the user's default environment
+		for interacting with the system.  There are many
+		different kinds of shells and experienced users will
+		have their own preferences, which can be reflected in
+		their account settings.</para>
+	    </listitem>
+	  </varlistentry>
+	</variablelist>
+      </sect3>
+
+      <sect3 xml:id="users-superuser">
+	<title>The Superuser Account</title>
+
+	<indexterm>
+	  <primary>accounts</primary>
+	  <secondary>superuser (root)</secondary>
+	</indexterm>
+
+	<para>The superuser account, usually called
+	  <systemitem class="username">root</systemitem>, is used to
+	  manage the system with no limitations on privileges.  For
+	  this reason, it should not be used for day-to-day tasks like
+	  sending and receiving mail, general exploration of the
+	  system, or programming.</para>
+
+	<para>The superuser, unlike other user accounts, can operate
+	  without limits, and misuse of the superuser account may
+	  result in spectacular disasters.  User accounts are unable
+	  to destroy the operating system by mistake, so it is
+	  recommended to login as a user account and to only become
+	  the superuser when a command requires extra
+	  privilege.</para>
+
+	<para>Always double and triple-check any commands issued as
+	  the superuser, since an extra space or missing character can
+	  mean irreparable data loss.</para>
+
+	<para>There are several ways to gain superuser privilege.
+	  While one can log in as
+	  <systemitem class="username">root</systemitem>, this is
+	  highly discouraged.</para>
+
+	<para>Instead, use &man.su.1; to become the superuser.  If
+	  <literal>-</literal> is specified when running this command,
+	  the user will also inherit the root user's environment.  The
+	  user running this command must be in the
+	  <systemitem class="groupname">wheel</systemitem> group or
+	  else the command will fail.  The user must also know the
+	  password for the
+	  <systemitem class="username">root</systemitem> user
+	  account.</para>
+
+	<para>In this example, the user only becomes superuser in
+	  order to run <command>make install</command> as this step
+	  requires superuser privilege.  Once the command completes,
+	  the user types <command>exit</command> to leave the
+	  superuser account and return to the privilege of their user
+	  account.</para>
+
+	<example>
+	  <title>Install a Program As the Superuser</title>
+
+	  <screen>&prompt.user; <userinput>configure</userinput>
+&prompt.user; <userinput>make</userinput>
+&prompt.user; <userinput>su -</userinput>
+Password:
+&prompt.root; <userinput>make install</userinput>
+&prompt.root; <userinput>exit</userinput>
+&prompt.user;</screen>
+	</example>
+
+	<para>The built-in &man.su.1; framework works well for single
+	  systems or small networks with just one system
+	  administrator.  An alternative is to install the
+	  <package>security/sudo</package> package or port.  This
+	  software provides activity logging and allows the
+	  administrator to configure which users can run which
+	  commands as the superuser.</para>
+      </sect3>
+    </sect2>
+
+    <sect2 xml:id="users-modifying">
+      <title>Managing Accounts</title>
+
+      <indexterm>
+	<primary>accounts</primary>
+	<secondary>modifying</secondary>
+      </indexterm>
+
+      <para>&os; provides a variety of different commands to manage
+	user accounts.  The most common commands are summarized in
+	<xref linkend="users-modifying-utilities"/>, followed by some
+	examples of their usage.  See the manual page for each utility
+	for more details and usage examples.</para>
+
+      <table frame="none" pgwide="1"
+	xml:id="users-modifying-utilities">
+	<title>Utilities for Managing User Accounts</title>
+
+	<tgroup cols="2">
+	  <colspec colwidth="1*"/>
+	  <colspec colwidth="2*"/>
+
+	  <thead>
+	    <row>
+	      <entry>Command</entry>
+	      <entry>Summary</entry>
+	    </row>
+	  </thead>
+	  <tbody>
+	    <row>
+	      <entry>&man.adduser.8;</entry>
+	      <entry>The recommended command-line application for
+		adding new users.</entry>
+	    </row>
+
+	    <row>
+	      <entry>&man.rmuser.8;</entry>
+	      <entry>The recommended command-line application for
+		removing users.</entry>
+	    </row>
+
+	    <row>
+	      <entry>&man.chpass.1;</entry>
+	      <entry>A flexible tool for changing user database
+		information.</entry>
+	    </row>
+
+	    <row>
+	      <entry>&man.passwd.1;</entry>
+	      <entry>The command-line tool to change user
+		passwords.</entry>
+	    </row>
+
+	    <row>
+	      <entry>&man.pw.8;</entry>
+	      <entry>A powerful and flexible tool for modifying all
+		aspects of user accounts.</entry>
+	    </row>
+	  </tbody>
+	</tgroup>
+      </table>
+
+      <sect3 xml:id="users-adduser">
+	<title><command>adduser</command></title>
+
+	<indexterm>
+	  <primary>accounts</primary>
+	  <secondary>adding</secondary>
+	</indexterm>
+	<indexterm>
+	  <primary><command>adduser</command></primary>
+	</indexterm>
+	<indexterm>
+	  <primary><filename>/usr/share/skel</filename></primary>
+	</indexterm>
+	<indexterm>
+	  <primary>skeleton directory</primary>
+	</indexterm>
+
+	<para>The recommended program for adding new users is
+	  &man.adduser.8;.  When a new user is added, this program
+	  automatically updates <filename>/etc/passwd</filename> and
+	  <filename>/etc/group</filename>.  It also creates a home
+	  directory for the new user, copies in the default
+	  configuration files from
+	  <filename>/usr/share/skel</filename>, and can optionally
+	  mail the new user a welcome message.  This utility must be
+	  run as the superuser.</para>
+
+	<para>The &man.adduser.8; utility is interactive and walks
+	  through the steps for creating a new user account.  As seen
+	  in <xref linkend="users-modifying-adduser"/>, either input
+	  the required information or press <keycap>Return</keycap>
+	  to accept the default value shown in square brackets.
+	  In this example, the user has been invited into the
+	  <systemitem class="groupname">wheel</systemitem> group,
+	  allowing them to become the superuser with &man.su.1;.
+	  When finished, the utility will prompt to either
+	  create another user or to exit.</para>
+
+	<example xml:id="users-modifying-adduser">
+	  <title>Adding a User on &os;</title>
+
+	  <screen>&prompt.root; <userinput>adduser</userinput>
+Username: <userinput>jru</userinput>
+Full name: <userinput>J. Random User</userinput>
+Uid (Leave empty for default):
+Login group [jru]:
+Login group is jru. Invite jru into other groups? []: <userinput>wheel</userinput>
+Login class [default]:
+Shell (sh csh tcsh zsh nologin) [sh]: <userinput>zsh</userinput>
+Home directory [/home/jru]:
+Home directory permissions (Leave empty for default):
+Use password-based authentication? [yes]:
+Use an empty password? (yes/no) [no]:
+Use a random password? (yes/no) [no]:
+Enter password:
+Enter password again:
+Lock out the account after creation? [no]:
+Username   : jru
+Password   : ****
+Full Name  : J. Random User
+Uid        : 1001
+Class      :
+Groups     : jru wheel
+Home       : /home/jru
+Shell      : /usr/local/bin/zsh
+Locked     : no
+OK? (yes/no): <userinput>yes</userinput>
+adduser: INFO: Successfully added (jru) to the user database.
+Add another user? (yes/no): <userinput>no</userinput>
+Goodbye!
+&prompt.root;</screen>
+	</example>
+
+	<note>
+	  <para>Since the password is not echoed when typed, be
+	    careful to not mistype the password when creating the user
+	    account.</para>
+	</note>
+      </sect3>
+
+      <sect3 xml:id="users-rmuser">
+	<title><command>rmuser</command></title>
+
+	<indexterm>
+	  <primary><command>rmuser</command></primary>
+	</indexterm>
+	<indexterm>
+	  <primary>accounts</primary>
+	  <secondary>removing</secondary>
+	</indexterm>
+
+	<para>To completely remove a user from the system, run
+	  &man.rmuser.8; as the superuser.  This command performs the
+	  following steps:</para>
+
+	<procedure>
+	  <step>
+	    <para>Removes the user's &man.crontab.1; entry, if one
+	      exists.</para>
+	  </step>
+
+	  <step>
+	    <para>Removes any &man.at.1; jobs belonging to the
+	      user.</para>
+	  </step>
+
+	  <step>
+	    <para>Kills all processes owned by the user.</para>
+	  </step>
+
+	  <step>
+	    <para>Removes the user from the system's local password
+	      file.</para>
+	  </step>
+
+	  <step>
+	    <para>Optionally removes the user's home directory, if it
+	      is owned by the user.</para>
+	  </step>
+
+	  <step>
+	    <para>Removes the incoming mail files belonging to the
+	      user from <filename>/var/mail</filename>.</para>
+	  </step>
+
+	  <step>
+	    <para>Removes all files owned by the user from temporary
+	      file storage areas such as
+	      <filename>/tmp</filename>.</para>
+	  </step>
+
+	  <step>
+	    <para>Finally, removes the username from all groups to
+	      which it belongs in <filename>/etc/group</filename>.  If
+	      a group becomes empty and the group name is the same as
+	      the username, the group is removed.  This complements
+	      the per-user unique groups created by
+	      &man.adduser.8;.</para>
+	  </step>
+	</procedure>
+
+	<para>&man.rmuser.8; cannot be used to remove superuser
+	  accounts since that is almost always an indication of
+	  massive destruction.</para>
+
+	<para>By default, an interactive mode is used, as shown
+	  in the following example.</para>
+
+	<example>
+	  <title><command>rmuser</command> Interactive Account
+	    Removal</title>
+
+	  <screen>&prompt.root; <userinput>rmuser jru</userinput>
+Matching password entry:
+jru:*:1001:1001::0:0:J. Random User:/home/jru:/usr/local/bin/zsh
+Is this the entry you wish to remove? <userinput>y</userinput>
+Remove user's home directory (/home/jru)? <userinput>y</userinput>
+Removing user (jru): mailspool home passwd.
+&prompt.root;</screen>
+	</example>
+      </sect3>
+
+      <sect3 xml:id="users-chpass">
+	<title><command>chpass</command></title>
+
+	<indexterm>
+	  <primary><command>chpass</command></primary>
+	</indexterm>
+
+	<para>Any user can use &man.chpass.1; to change their default
+	  shell and personal information associated with their user
+	  account.  The superuser can use this utility to change
+	  additional account information for any user.</para>
+
+	<para>When passed no options, aside from an optional username,
+	  &man.chpass.1; displays an editor containing user
+	  information.  When the user exits from the editor, the user
+	  database is updated with the new information.</para>
+
+	<note>
+	  <para>This utility will prompt for the user's password when
+	    exiting the editor, unless the utility is run as the
+	    superuser.</para>
+	</note>
+
+	<para>In <xref linkend="users-modifying-chpass-su"/>, the
+	  superuser has typed <command>chpass jru</command> and is
+	  now viewing the fields that can be changed for this user.
+	  If <systemitem class="username">jru</systemitem> runs this
+	  command instead, only the last six fields will be displayed
+	  and available for editing.  This is shown in
+	  <xref linkend="users-modifying-chpass-ru"/>.</para>
+
+	<example xml:id="users-modifying-chpass-su">
+	  <title>Using <command>chpass</command> as
+	    Superuser</title>
+
+	  <screen>#Changing user database information for jru.
+Login: jru
+Password: *
+Uid [#]: 1001
+Gid [# or name]: 1001
+Change [month day year]:
+Expire [month day year]:
+Class:
+Home directory: /home/jru
+Shell: /usr/local/bin/zsh
+Full Name: J. Random User
+Office Location:
+Office Phone:
+Home Phone:
+Other information:</screen>
+	</example>
+
+	<example xml:id="users-modifying-chpass-ru">
+	  <title>Using <command>chpass</command> as Regular
+	    User</title>
+
+	  <screen>#Changing user database information for jru.
+Shell: /usr/local/bin/zsh
+Full Name: J. Random User
+Office Location:
+Office Phone:
+Home Phone:
+Other information:</screen>
+	</example>
+
+	<note>
+	  <para>The commands &man.chfn.1; and &man.chsh.1; are links
+	    to &man.chpass.1;, as are &man.ypchpass.1;,
+	    &man.ypchfn.1;, and &man.ypchsh.1;.  Since
+	    <acronym>NIS</acronym> support is automatic, specifying
+	    the <literal>yp</literal> before the command is not
+	    necessary.  How to configure NIS is covered in <xref
+	      linkend="network-servers"/>.</para>
+	</note>
+      </sect3>
+
+      <sect3 xml:id="users-passwd">
+	<title><command>passwd</command></title>
+
+	<indexterm>
+	  <primary><command>passwd</command></primary>
+	</indexterm>
+	<indexterm>
+	  <primary>accounts</primary>
+	  <secondary>changing password</secondary>
+	</indexterm>
+
+	<para>Any user can easily change their password using
+	  &man.passwd.1;.  To prevent accidental or unauthorized
+	  changes, this command will prompt for the user's original
+	  password before a new password can be set:</para>
+
+	<example>
+	  <title>Changing Your Password</title>
+
+	  <screen>&prompt.user; <userinput>passwd</userinput>
+Changing local password for jru.
+Old password:
+New password:
+Retype new password:
+passwd: updating the database...
+passwd: done</screen>
+	</example>
+
+	<para>The superuser can change any user's password by
+	  specifying the username when running &man.passwd.1;.  When
+	  this utility is run as the superuser, it will not prompt for
+	  the user's current password.  This allows the password to be
+	  changed when a user cannot remember the original
+	  password.</para>
+
+	<example>
+	  <title>Changing Another User's Password as the
+	    Superuser</title>
+
+	  <screen>&prompt.root; <userinput>passwd jru</userinput>
+Changing local password for jru.
+New password:
+Retype new password:
+passwd: updating the database...
+passwd: done</screen>
+	</example>
+
+	<note>
+	  <para>As with &man.chpass.1;, &man.yppasswd.1; is a link to
+	    &man.passwd.1;, so <acronym>NIS</acronym> works with
+	    either command.</para>
+	</note>
+      </sect3>
+
+      <sect3 xml:id="users-pw">
+	<title><command>pw</command></title>
+
+	<indexterm>
+	  <primary><command>pw</command></primary>
+	</indexterm>
+
+	<para>The &man.pw.8; utility can create, remove,
+	  modify, and display users and groups.  It functions as a
+	  front end to the system user and group files.  &man.pw.8;
+	  has a very powerful set of command line options that make it
+	  suitable for use in shell scripts, but new users may find it
+	  more complicated than the other commands presented in this
+	  section.</para>
+      </sect3>
+    </sect2>
+
+    <sect2 xml:id="users-groups">
+      <title>Managing Groups</title>
+
+      <indexterm>
+	<primary>groups</primary>
+      </indexterm>
+      <indexterm>
+	<primary><filename>/etc/groups</filename></primary>
+      </indexterm>
+      <indexterm>
+	<primary>accounts</primary>
+	<secondary>groups</secondary>
+      </indexterm>
+
+      <para>A group is a list of users.  A group is identified by its
+	group name and <acronym>GID</acronym>.  In &os;, the kernel
+	uses the <acronym>UID</acronym> of a process, and the list of
+	groups it belongs to, to determine what the process is allowed
+	to do.  Most of the time, the <acronym>GID</acronym> of a user
+	or process usually means the first group in the list.</para>
+
+      <para>The group name to <acronym>GID</acronym> mapping is listed
+	in <filename>/etc/group</filename>.  This is a plain text file
+	with four colon-delimited fields.  The first field is the
+	group name, the second is the encrypted password, the third
+	the <acronym>GID</acronym>, and the fourth the comma-delimited
+	list of members.  For a more complete description of the
+	syntax, refer to &man.group.5;.</para>
+
+      <para>The superuser can modify <filename>/etc/group</filename>
+	using a text editor.  Alternatively, &man.pw.8; can be used to
+	add and edit groups.  For example, to add a group called
+	<systemitem class="groupname">teamtwo</systemitem> and then
+	confirm that it exists:</para>
+
+      <example>
+	<title>Adding a Group Using &man.pw.8;</title>
+
+	<screen>&prompt.root; <userinput>pw groupadd teamtwo</userinput>
+&prompt.root; <userinput>pw groupshow teamtwo</userinput>
+teamtwo:*:1100:</screen>
+      </example>
+
+      <para>In this example, <literal>1100</literal> is the
+	<acronym>GID</acronym> of
+	<systemitem class="groupname">teamtwo</systemitem>.  Right
+	now, <systemitem class="groupname">teamtwo</systemitem> has no
+	members.  This command will add
+	<systemitem class="username">jru</systemitem> as a member of
+	<systemitem class="groupname">teamtwo</systemitem>.</para>
+
+      <example>
+	<title>Adding User Accounts to a New Group Using
+	  &man.pw.8;</title>
+
+	<screen>&prompt.root; <userinput>pw groupmod teamtwo -M jru</userinput>
+&prompt.root; <userinput>pw groupshow teamtwo</userinput>
+teamtwo:*:1100:jru</screen>
+      </example>
+
+      <para>The argument to <option>-M</option> is a comma-delimited
+	list of users to be added to a new (empty) group or to replace
+	the members of an existing group.  To the user, this group
+	membership is different from (and in addition to) the user's
+	primary group listed in the password file.  This means that
+	the user will not show up as a member when using
+	<option>groupshow</option> with &man.pw.8;, but will show up
+	when the information is queried via &man.id.1; or a similar
+	tool.  When &man.pw.8; is used to add a user to a group, it
+	only manipulates <filename>/etc/group</filename> and does not
+	attempt to read additional data from
+	<filename>/etc/passwd</filename>.</para>
+
+      <example>
+	<title>Adding a New Member to a Group Using &man.pw.8;</title>
+
+	<screen>&prompt.root; <userinput>pw groupmod teamtwo -m db</userinput>
+&prompt.root; <userinput>pw groupshow teamtwo</userinput>
+teamtwo:*:1100:jru,db</screen>
+      </example>
+
+      <para>In this example, the argument to <option>-m</option> is a
+	comma-delimited list of users who are to be added to the
+	group.  Unlike the previous example, these users are appended
+	to the group and do not replace existing users in the
+	group.</para>
+
+      <example>
+	<title>Using &man.id.1; to Determine Group Membership</title>
+
+	<screen>&prompt.user; <userinput>id jru</userinput>
+uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen>
+      </example>
+
+      <para>In this example,
+	<systemitem class="username">jru</systemitem> is a member of
+	the groups <systemitem class="groupname">jru</systemitem> and
+	<systemitem class="groupname">teamtwo</systemitem>.</para>
+
+      <para>For more information about this command and the format of
+	<filename>/etc/group</filename>, refer to &man.pw.8; and
+	&man.group.5;.</para>
+    </sect2>
+  </sect1>
+
   <sect1 xml:id="permissions">
     <title>權限</title>
     <indexterm><primary>UNIX</primary></indexterm>
Index: zh_TW.UTF-8/books/handbook/book.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/book.xml
+++ zh_TW.UTF-8/books/handbook/book.xml
@@ -1,24 +1,32 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE book PUBLIC "-//FreeBSD//DTD DocBook XML V5.0-Based Extension//EN"
 	"http://www.FreeBSD.org/XML/share/xml/freebsd50.dtd" [
-<!ENTITY % chapters SYSTEM "chapters.ent">
-%chapters;
-<!ENTITY % txtfiles SYSTEM "txtfiles.ent">
-%txtfiles;
-]>
 <!--
      The FreeBSD Documentation Project
+     The FreeBSD Traditional Chinese Documentation Project
 
+     Original revision: r45698
      $FreeBSD$
-     Original revision: 1.163
 -->
-<book xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:lang="zh_TW">
-  <info><title>FreeBSD 使用手冊</title>
-    
 
-    <author><orgname>FreeBSD 文件計畫</orgname></author>
+<!ENTITY % chapters SYSTEM "chapters.ent">
+%chapters;
+<!ENTITY % txtfiles SYSTEM "txtfiles.ent">
+%txtfiles;
+]>
+
+<book xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:lang="zh_tw">
+
+  <info>
+    <title>FreeBSD 使用手冊</title>
+
+    <author>
+      <orgname>FreeBSD 文件計畫</orgname>
+    </author>
 
-    <pubdate>February 1999</pubdate>
+    <pubdate>$FreeBSD$</pubdate>
 
     <releaseinfo>$FreeBSD$</releaseinfo>
 
@@ -37,6 +45,12 @@
       <year>2006</year>
       <year>2007</year>
       <year>2008</year>
+      <year>2009</year>
+      <year>2010</year>
+      <year>2011</year>
+      <year>2012</year>
+      <year>2013</year>
+      <year>2014</year>
       <holder>FreeBSD 文件計畫</holder>
     </copyright>
 
@@ -50,9 +64,8 @@
       &tm-attrib.adaptec;
       &tm-attrib.adobe;
       &tm-attrib.apple;
-      &tm-attrib.corel;
       &tm-attrib.creative;
-      &tm-attrib.cvsup;
+      &tm-attrib.google;
       &tm-attrib.heidelberger;
       &tm-attrib.ibm;
       &tm-attrib.ieee;
@@ -60,19 +73,12 @@
       &tm-attrib.intuit;
       &tm-attrib.linux;
       &tm-attrib.lsilogic;
-      &tm-attrib.m-systems;
-      &tm-attrib.macromedia;
       &tm-attrib.microsoft;
-      &tm-attrib.netscape;
-      &tm-attrib.nexthop;
       &tm-attrib.opengroup;
       &tm-attrib.oracle;
-      &tm-attrib.powerquest;
       &tm-attrib.realnetworks;
       &tm-attrib.redhat;
-      &tm-attrib.sap;
       &tm-attrib.sun;
-      &tm-attrib.symantec;
       &tm-attrib.themathworks;
       &tm-attrib.thomson;
       &tm-attrib.usrobotics;
@@ -86,6 +92,7 @@
 
     <abstract>
       <para>歡迎使用FreeBSD！ 本使用手冊涵蓋範圍包括了
+	<emphasis>FreeBSD &rel3.current;-RELEASE</emphasis>、
 	<emphasis>FreeBSD &rel2.current;-RELEASE</emphasis> 和
 	<emphasis>FreeBSD &rel.current;-RELEASE</emphasis> 的安裝和日常使用。
 	這份使用手冊是很多人的集體創作，而且仍然『持續不斷』的進行中。
@@ -140,6 +147,7 @@
     </partintro>
 
     &chap.introduction;
+    &chap.bsdinstall;
     &chap.install;
     &chap.basics;
     &chap.ports;
@@ -177,7 +185,6 @@
       </itemizedlist>
 
       <para>這些章節中有些需要您預先閱讀些相關文件，在各章節開頭的概要內會提及。</para>
-
     </partintro>
 
     &chap.desktop;
@@ -202,17 +209,18 @@
 
     &chap.config;
     &chap.boot;
-    &chap.users;
     &chap.security;
     &chap.jails;
     &chap.mac;
     &chap.audit;
     &chap.disks;
     &chap.geom;
-    &chap.vinum;
+    &chap.zfs;
+    &chap.filesystems;
     &chap.virtualization;
     &chap.l10n;
     &chap.cutting-edge;
+    &chap.dtrace;
   </part>
 
   <part xml:id="network-communication">
Index: zh_TW.UTF-8/books/handbook/bsdinstall/Makefile
===================================================================
--- /dev/null
+++ zh_TW.UTF-8/books/handbook/bsdinstall/Makefile
@@ -0,0 +1,15 @@
+#
+# Build the Handbook with just the content from this chapter.
+#
+# $FreeBSD: head/en_US.ISO8859-1/books/handbook/bsdinstall/Makefile 39631 2012-10-01 09:53:01Z gabor $
+#
+
+CHAPTERS= 	bsdinstall/chapter.xml
+
+VPATH=		..
+
+MASTERDOC=	${.CURDIR}/../${DOC}.${DOCBOOKSUFFIX}
+
+DOC_PREFIX?= 	${.CURDIR}/../../../..
+
+.include "../Makefile"
Index: zh_TW.UTF-8/books/handbook/chapters.ent
===================================================================
--- zh_TW.UTF-8/books/handbook/chapters.ent
+++ zh_TW.UTF-8/books/handbook/chapters.ent
@@ -8,7 +8,7 @@
      Chapters should be listed in the order in which they are referenced.
 
      $FreeBSD$
-     Original revision: 1.33
+     Original revision: r45602
 -->
 
 <!ENTITY chap.preface			SYSTEM "preface/preface.xml">
@@ -17,6 +17,7 @@
 <!-- Part One -->
   <!ENTITY chap.introduction	SYSTEM "introduction/chapter.xml">
   <!ENTITY chap.install		SYSTEM "install/chapter.xml">
+  <!ENTITY chap.bsdinstall	SYSTEM "bsdinstall/chapter.xml">
   <!ENTITY chap.basics		SYSTEM "basics/chapter.xml">
   <!ENTITY chap.ports		SYSTEM "ports/chapter.xml">
   <!ENTITY chap.x11		SYSTEM "x11/chapter.xml">
@@ -31,15 +32,14 @@
 <!-- Part Three -->
   <!ENTITY chap.config		SYSTEM "config/chapter.xml">
   <!ENTITY chap.boot		SYSTEM "boot/chapter.xml">
-  <!ENTITY chap.users		SYSTEM "users/chapter.xml">
   <!ENTITY chap.security	SYSTEM "security/chapter.xml">
   <!ENTITY chap.jails		SYSTEM "jails/chapter.xml">
   <!ENTITY chap.mac		SYSTEM "mac/chapter.xml">
   <!ENTITY chap.audit		SYSTEM "audit/chapter.xml">
   <!ENTITY chap.disks		SYSTEM "disks/chapter.xml">
   <!ENTITY chap.geom		SYSTEM "geom/chapter.xml">
+  <!ENTITY chap.zfs		SYSTEM "zfs/chapter.xml">
   <!ENTITY chap.filesystems	SYSTEM "filesystems/chapter.xml">
-  <!ENTITY chap.vinum		SYSTEM "vinum/chapter.xml">
   <!ENTITY chap.virtualization	SYSTEM "virtualization/chapter.xml">
   <!ENTITY chap.l10n		SYSTEM "l10n/chapter.xml">
   <!ENTITY chap.cutting-edge	SYSTEM "cutting-edge/chapter.xml">
@@ -55,14 +55,12 @@
 
 <!-- Part Five (appendices) -->
   <!ENTITY chap.mirrors		SYSTEM "mirrors/chapter.xml">
-  <!ENTITY chap.mirrors.lastmod.inc	SYSTEM "mirrors.lastmod.inc">
-  <!ENTITY chap.mirrors.ftp.index.inc	SYSTEM "mirrors.xml.ftp.index.inc">
+  <!ENTITY chap.mirrors.lastmod.inc         SYSTEM "mirrors.lastmod.inc">
+  <!ENTITY chap.mirrors.ftp.index.inc SYSTEM "mirrors.xml.ftp.index.inc">
   <!ENTITY chap.mirrors.ftp.inc	SYSTEM "mirrors.xml.ftp.inc">
-  <!ENTITY chap.mirrors.cvsup.index.inc	SYSTEM "mirrors.xml.cvsup.index.inc">
-  <!ENTITY chap.mirrors.cvsup.inc	SYSTEM "mirrors.xml.cvsup.inc">
   <!ENTITY chap.bibliography	SYSTEM "bibliography/chapter.xml">
   <!ENTITY chap.eresources	SYSTEM "eresources/chapter.xml">
-  <!ENTITY chap.eresources.www.index.inc	SYSTEM "eresources.xml.www.index.inc">
+  <!ENTITY chap.eresources.www.index.inc      SYSTEM "eresources.xml.www.index.inc">
   <!ENTITY chap.eresources.www.inc	SYSTEM "eresources.xml.www.inc">
   <!ENTITY chap.pgpkeys		SYSTEM "pgpkeys/chapter.xml">
   <!ENTITY chap.freebsd-glossary	SYSTEM "../../share/xml/glossary.ent">
Index: zh_TW.UTF-8/books/handbook/colophon.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/colophon.xml
+++ zh_TW.UTF-8/books/handbook/colophon.xml
@@ -2,20 +2,19 @@
 <!--
      The FreeBSD Documentation Project
 
-      $FreeBSD$
+     $FreeBSD$
 -->
-<colophon xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="colophon">
+<colophon xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="colophon">
+
   <para>This book is the combined work of hundreds of contributors to
     <quote>The FreeBSD Documentation Project</quote>.  The text is
-    authored in SGML
-    according to the DocBook DTD and is formatted from SGML into many
-    different presentation formats using <application>Jade</application>,
-    an open source DSSSL
-    engine.  Norm Walsh's DSSSL stylesheets were used with an
-    additional customization layer to provide the presentation
-    instructions for <application>Jade</application>.  The printed
-    version of this document would not be possible without Donald
-    Knuth's &tex; typesetting language,
-    Leslie Lamport's <application>LaTeX</application>, or Sebastian
-    Rahtz's <application>JadeTeX</application> macro package.</para>
+    authored in XML according to the DocBook DTD and is formatted
+    from XML into many different presentation formats using
+    XSLT.  The printed version of this
+    document would not be possible without Donald Knuth's
+    &tex; typesetting language, Leslie
+    Lamport's <application>LaTeX</application>, or Sebastian Rahtz's
+    <application>JadeTeX</application> macro package.</para>
 </colophon>
Index: zh_TW.UTF-8/books/handbook/config/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/config/chapter.xml
+++ zh_TW.UTF-8/books/handbook/config/chapter.xml
@@ -1,26 +1,49 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      The FreeBSD Documentation Project
+     The FreeBSD Traditional Chinese Project
 
      $FreeBSD$
-     Original revision: 1.213
-     Chased revision: 1.221
+     Original revision: r46049
 -->
-<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="config-tuning">
-  <info><title>設定與效能調校(Tuning)</title>
+<chapter xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="config-tuning">
+
+  <info>
+    <title>設定與效能調校(Tuning)</title>
+
     <authorgroup>
-      <author><personname><firstname>Chern</firstname><surname>Lee</surname></personname><contrib>Written by </contrib></author>
+      <author>
+	<personname>
+	  <firstname>Chern</firstname>
+	  <surname>Lee</surname>
+	</personname>
+	<contrib>Written by </contrib>
+      </author>
     </authorgroup>
+
     <authorgroup>
-      <author><personname><firstname>Mike</firstname><surname>Smith</surname></personname><contrib>Based on a tutorial written by </contrib></author>
+      <author>
+	<personname>
+	  <firstname>Mike</firstname>
+	  <surname>Smith</surname>
+	</personname>
+	<contrib>Based on a tutorial written by </contrib>
+      </author>
     </authorgroup>
+
     <authorgroup>
-      <author><personname><firstname>Matt</firstname><surname>Dillon</surname></personname><contrib>Also based on tuning(7) written by </contrib></author>
+      <author>
+	<personname>
+	  <firstname>Matt</firstname>
+	  <surname>Dillon</surname>
+	</personname>
+	<contrib>Also based on tuning(7) written by </contrib>
+      </author>
     </authorgroup>
   </info>
 
-  
-
   <sect1 xml:id="config-synopsis">
     <title>概述</title>
 
@@ -70,6 +93,7 @@
     </itemizedlist>
   </sect1>
 
+  <!-- moved to bsdinstall/chapter.xml
   <sect1 xml:id="configtuning-initial">
     <title>一開始的規劃</title>
 
@@ -172,6 +196,7 @@
     </sect2>
 
   </sect1>
+  -->
 
   <sect1 xml:id="configtuning-core-configuration">
     <title>最主要的設定檔</title>
Index: zh_TW.UTF-8/books/handbook/cutting-edge/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/cutting-edge/chapter.xml
+++ zh_TW.UTF-8/books/handbook/cutting-edge/chapter.xml
@@ -1,1178 +1,1803 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      The FreeBSD Documentation Project
+     The FreeBSD Traditional Chinese Project
 
      $FreeBSD$
-     Original revision: 1.225
+     Original revision: 46272
 -->
-<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="cutting-edge">
-  <info><title>更新、升級 FreeBSD</title>
+<chapter xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="updating-upgrading">
+
+  <info>
+    <title>更新、升級 &os;</title>
+
     <authorgroup>
-      <author><personname><firstname>Jim</firstname><surname>Mock</surname></personname><contrib>Restructured, reorganized, and parts updated by </contrib></author>
+      <author>
+	<personname>
+	  <firstname>Jim</firstname>
+	  <surname>Mock</surname>
+	</personname>
+	<contrib>Restructured, reorganized, and parts updated
+	  by </contrib>
+      </author>
       <!-- Mar 2000 -->
     </authorgroup>
+
     <authorgroup>
-      <author><personname><firstname>Jordan</firstname><surname>Hubbard</surname></personname><contrib>Original work by </contrib></author>
-      <author><personname><firstname>Poul-Henning</firstname><surname>Kamp</surname></personname></author>
-      <author><personname><firstname>John</firstname><surname>Polstra</surname></personname></author>
-      <author><personname><firstname>Nik</firstname><surname>Clayton</surname></personname></author>
+      <author>
+	<personname>
+	  <firstname>Jordan</firstname>
+	  <surname>Hubbard</surname>
+	</personname>
+	<contrib>Original work by </contrib>
+      </author>
+
+      <author>
+	<personname>
+	  <firstname>Poul-Henning</firstname>
+	  <surname>Kamp</surname>
+	</personname>
+      </author>
+
+      <author>
+	<personname>
+	  <firstname>John</firstname>
+	  <surname>Polstra</surname>
+	</personname>
+      </author>
+
+      <author>
+	<personname>
+	  <firstname>Nik</firstname>
+	  <surname>Clayton</surname>
+	</personname>
+      </author>
     </authorgroup>
-    
   </info>
 
-  
-
-  <sect1 xml:id="cutting-edge-synopsis">
+  <sect1 xml:id="updating-upgrading-synopsis">
     <title>概述</title>
 
-    <para>&os; 是個持續發展的作業系統。對於喜歡追求新鮮、刺激的使用者而言，
-      有很多方法可以使您的系統輕鬆更新為最新版。
-      注意：並非每個人都適合這麼做！　本章主要是協助您決定到底要跟開發版本，
-      或是要使用較穩定的釋出版。
-      </para>
+    <para>&os; 是個持續發展的作業系統。有些人喜歡官方釋出的版本，
+有些人則喜歡和官方最新的開發版本保持同步。然而即使是官方釋出的版本仍然時常有安全性更新或和其他緊急修復。無論使用哪種版本，&os;都提供所有必須的工具來讓系統保持最新，而且可以輕易升級不同版本。本章將描述如何追蹤開發版本，和保持&os;系統維持最新的基本工具。</para>
 
     <para>讀完這章，您將了解︰</para>
 
     <itemizedlist>
-      <listitem><para>&os.stable; 與 &os.current;　這兩分支的不同之處；</para>
+      <listitem>
+	<para>如何使用
+	  <application>freebsd-update</application>,
+	  <application>Subversion</application>, 或
+	  <application>CTM</application> 讓 &os; 系統保持在最新的版本。</para>
       </listitem>
-      <listitem><para>如何以
-	  <application>CSup</application>,
-	  <application>CVSup</application>,
-	  <application>CVS</application> 或
-	  <application>CTM</application> 來更新你的系統</para>
+
+      <listitem>
+	<para>如何比較安裝系統和原始複製的狀態。</para>
       </listitem>
-      <listitem><para>如何以 <command>make buildworld</command>
-      等指令來重新編譯、安裝整個 base system。</para>
+
+      <listitem>
+	<para>如何使用
+	  <application>Subversion</application>或是documentation
+	  ports<!--, and <application>Docsnap</application>-->來使已安裝的文件保持最新。</para>
+      </listitem>
+
+      <listitem>
+	<para>兩個開發分支的差異：&os.stable; 和 &os.current;。</para>
       </listitem>
 
+      <listitem>
+	<para>如何重新編譯和重新安裝整個基礎系統。</para>
+      </listitem>
     </itemizedlist>
 
     <para>在開始閱讀這章之前，您需要︰</para>
 
     <itemizedlist>
-      <listitem><para>先設好你的網路(<xref linkend="advanced-networking"/>)。
-	</para>
+      <listitem>
+	<para>設定好你的網路
+	  (<xref linkend="advanced-networking"/>)。</para>
+      </listitem>
+
+      <listitem>
+	<para>知道如何安裝第三方軟體
+	  (<xref linkend="ports"/>).</para>
       </listitem>
-      <listitem><para>知道如何透過 port/package 安裝軟體(<xref linkend="ports"/>)。</para></listitem>
     </itemizedlist>
+
+    <note>
+      <para>本章中，使用 <command>svn</command> 來獲得和更新 &os; 原始碼。
+        為了能使用他，首先要安裝 <package>devel/subversion</package>
+        port 或 package。</para>
+    </note>
   </sect1>
 
-  <sect1 xml:id="current-stable">
-    <title>&os.current; vs. &os.stable;</title>
-    <indexterm><primary>-CURRENT</primary></indexterm>
-    <indexterm><primary>-STABLE</primary></indexterm>
+  <sect1 xml:id="updating-upgrading-freebsdupdate">
+    <info>
+      <title>&os; Update</title>
 
-    <para>FreeBSD 有兩個發展分支：&os.current; 及
-      &os.stable;。本節將會陸續介紹，並介紹它們分別又是如何更新。
-      首先，先介紹 &os.current;，接著再介紹 &os.stable;。</para>
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Tom</firstname>
+	    <surname>Rhodes</surname>
+	  </personname>
+	  <contrib>Written by </contrib>
+	</author>
+      </authorgroup>
 
-    <sect2 xml:id="current">
-      <title>使用最新的 &os; CURRENT</title>
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Colin</firstname>
+	    <surname>Percival</surname>
+	  </personname>
+	  <contrib>Based on notes provided by </contrib>
+	</author>
+      </authorgroup>
+    </info>
 
-      <para>這裡再次強調，&os.current; 是 &os; 開發的 <quote>最前線</quote>。
-	&os.current; 使用者須有較強的技術能力，
-	而且應該要有能力自己解決困難的系統問題。  若您是 &os; 新手，
-	那麼請在安裝前最好先三思。</para>
-
-      <sect3>
-	<title>什麼是 &os.current;？</title>
-	<indexterm><primary>snapshot</primary></indexterm>
-
-	<para>&os.current; 是 &os; 的最新版。它包含：
-	  仍在研發階段、實驗性質的修改、過渡時期的機制，
-	  這些東西在下一次正式 relase 的版本可能會有，也可能不會有的。
-	  儘管有許多 &os; 開發者每天都會編譯 &os.current; source code，
-	  但有時這些原始碼是無法編譯成功。  雖然，這些問題通常會儘快解決，
-	  但 &os.current; 到底是帶來浩劫或是多了想要用的新功能、改善，
-	  這點主要取決於您更新原始碼的時機為何而定！</para>
-      </sect3>
+    <indexterm>
+      <primary>Updating and Upgrading</primary>
+    </indexterm>
+    <indexterm>
+      <primary>freebsd-update</primary>
+      <see>updating-upgrading</see>
+    </indexterm>
 
-      <sect3>
-	<title>誰需要 &os.current;？</title>
+    <para>即時應用安全性更新與升級作業系統到新的發行版本對一個持續運作的系統是重要的。&os; 包括一個叫 <command>freebsd-update</command> 的工具程式可以執行這兩項任務。</para>
+    <para>這個工具程式支援 &os; 二進制安全性與和錯誤更新，
+不需要手動編譯和安裝修復或新核心。
+安全性團隊目前支援的所有架構和發行版都可以取得二進制更新。
+目前支援的發行版列表和他們的支援期限都列於
+      <uri
+	xlink:href="http://www.FreeBSD.org/security/">http://www.FreeBSD.org/security/</uri>。</para>
+
+    <para>這個工具程式也支援作業系統升級到次要的發行版本和升級到令一個發行版分支升級到新的發行版本前，要檢查他的發行宣告，因為他包含發行版本相關的重要資訊。發行公告可以由<uri
+	xlink:href="http://www.FreeBSD.org/releases/">http://www.FreeBSD.org/releases/</uri>取得。</para>
+
+    <note>
+      <para>如果有使用<command>crontab</command>來執行
+	&man.freebsd-update.8;，那必須在升級作業系統前先停用。</para>
+    </note>
+
+    <para>這節描述 <command>freebsd-update</command> 使用的設定檔，
+示範如何運用安全性修補和如何升級到主要或次要的作業系統發行版，
+以及討論某些升級作業系統的考量。 </para>
+
+    <sect2 xml:id="freebsdupdate-config-file">
+      <title>設定檔</title>
+
+      <para>
+	<command>freebsd-update</command>預設的設定檔不需變更即可運作。
+有些使用者可能想要調校預設的設定檔 <filename>/etc/freebsd-update.conf</filename>
+來對程序有更好的控制。這個設定檔的註解說明了可以使用的選項，
+但以下可能需要更多一些的解釋：
+	</para>
 
-	<para>&os.current; 適合下列這三類人：</para>
+      <programlisting># Components of the base system which should be kept updated.
+Components world kernel</programlisting>
 
-	<orderedlist>
-	  <listitem>
-	    <para>&os; 社群成員：積極專注於 source tree 的某一部份，
-	      以及認為保持為 <quote>current(最新狀態)</quote>
-	      為絕對需求的人。</para>
-	  </listitem>
+      <para>這個參數控制 &os; 的哪個部份將保持最新。
+	預設是將更新整個 base system 和核心。
+個別元件可以被指定，
+例如：<literal>src/base</literal> 或 <literal>src/sys</literal>。
+然而最好的選項是維持預設設定，
+因為改變設定去包括特定項目，則每個需要的項目都必須要列出。
+時間一久可能會因為原始碼和二進制檔案沒有更新而造成慘重的後果。</para>
+
+      <programlisting># Paths which start with anything matching an entry in an IgnorePaths
+# statement will be ignored.
+IgnorePaths /boot/kernel/linker.hints</programlisting>
+
+      <para>保持特定的目錄，例如
+	<filename>/bin</filename> 或 <filename>/sbin</filename>,
+	在更新過程不被更動，可以將他們的路徑加到此敘述中。
+	這個選項可以防止 <command>freebsd-update</command>覆蓋本機的修改。</para>
+
+      <programlisting># Paths which start with anything matching an entry in an UpdateIfUnmodified
+# statement will only be updated if the contents of the file have not been
+# modified by the user (unless changes are merged; see below).
+UpdateIfUnmodified /etc/ /var/ /root/ /.cshrc /.profile</programlisting>
+
+      <para>這個選項只會更新特定目錄中未修改的設定檔。
+	任何使用者修改的檔案都不會自動更新。
+	有另一個選項──
+	<literal>KeepModifiedMetadata</literal>會指示
+	<command>freebsd-update</command> 在合併時將改變儲存下來</para>
+
+      <programlisting># When upgrading to a new &os; release, files which match MergeChanges
+# will have any local changes merged into the version from the new release.
+MergeChanges /etc/ /var/named/etc/ /boot/device.hints</programlisting>
+
+      <para>列出 <command>freebsd-update</command>應嘗試合併的設定檔目錄。
+	檔案合併過程是一系列類似&man.mergemaster.8;的&man.diff.1;修補，
+但是選項比較少。
+	合併可以接受，開啟編輯器，或是令<command>freebsd-update</command>中止。
+如果有疑慮，備份 <filename>/etc</filename>，然後同意合併。
+	更多關於<command>mergemaster</command>的資訊，
+參見 <xref linkend="mergemaster"/>。
+	</para>
 
-	  <listitem>
-	    <para>&os; 社群成員：為了確保 &os.current;
-	      能夠儘可能地維持在最穩定的狀態，
-	      而主動花時間解決問題的測試者。  此外，還有對 &os;
-	      能提出具體建議以及改善方向，並提出 patch 修正檔的人。</para>
-	  </listitem>
+      <programlisting># Directory in which to store downloaded updates and temporary
+# files used by &os; Update.
+# WorkDir /var/db/freebsd-update</programlisting>
+
+      <para>這個目錄是所有修補檔和暫存檔放置處。
+	當使用者進行版本升級時，這個位置應該要有至少1GB的可用磁碟空間。</para>
+
+      <programlisting># When upgrading between releases, should the list of Components be
+# read strictly (StrictComponents yes) or merely as a list of components
+# which *might* be installed of which &os; Update should figure out
+# which actually are installed and upgrade those (StrictComponents no)?
+# StrictComponents no</programlisting>
+
+      <para>當這個選項設定為<literal>yes</literal>，
+	<command>freebsd-update</command> 將會假設
+	<literal>Components</literal> 列表已完成，將不會嘗試做列表外的改變。
+	實際上 <command>freebsd-update</command>將嘗試更新每一個屬於
+	<literal>Components</literal> 列表的檔案。</para>
+    </sect2>
 
-	  <listitem>
-	    <para>只是關心或者想參考(比如，只是<emphasis>閱讀</emphasis>，
-	      而非執行)的人。
-	      這些人有時也會做些註解，或貢獻原始碼。</para>
-	  </listitem>
-	</orderedlist>
-      </sect3>
+    <sect2 xml:id="freebsdupdate-security-patches">
+      <title>運用安全性修補</title>
 
-      <sect3>
-	<title>&os.current; <emphasis>並不是</emphasis> 什麼？</title>
+      <para>運用 &os; 安全性修補的過程已經被簡化，
+	允許系統管理員使用<command>freebsd-update</command>保持系統更新。
+	更多關於&os; 安全性報告的資訊可以參考
+	<xref linkend="security-advisories"/>。</para>
 
-	<orderedlist>
-	  <listitem>
-	    <para>追求最新功能。  聽說裡面有些很酷的新功能，
-	      並希望成為您周圍的人中第一個嘗試的人，
-	      因此將 &os.current; 視為取得搶鮮版的捷徑。
-	      儘管，您能夠因此首先瞭解到最新的功能，
-	      但這也意味著若出現新的 bug 時，您也是首當其衝。</para>
-	  </listitem>
+      <para>&os; 安全性修補可以使用以下指令下載與安裝。
+	第一個指令將決定是否有尚未完成的修補，如果有，將列出執行修補將會變更的檔案清單。第二個指令將會執行修補。
+	</para>
 
-	  <listitem>
-	    <para>修復 bug 的速成法。  因為 &os.current;
-	      的任何版本在修復已知 bug 的同時，又可能會產生新的 bug。
-	      </para>
-	  </listitem>
+      <screen>&prompt.root; <userinput>freebsd-update fetch</userinput>
+&prompt.root; <userinput>freebsd-update install</userinput></screen>
 
-	  <listitem>
-	    <para>無所不在的 <quote>officially supported</quote>。
-	      我們會盡力協助上述 &os.current; 的那三種類別的
-	      <quote>legitimate</quote> 使用者，
-	      但我們<emphasis>沒時間</emphasis>為他們提供技術支援。
-	      這不代表我們很惡劣，或是不想幫助人(若是的話，
-	      我們也不會為 &os; 努力了)
-	      ，實在是因為我們分身乏術，無法每天回答數百個問題，
-	      <emphasis>而同時</emphasis>繼續開發 &os;。
-	      可以確定的一點就是，
-	      在改善 &os; 或是回答大量有關實驗碼的問題之間，
-	      若要做個選擇的話，開發者會選擇前者。</para>
-	  </listitem>
-	</orderedlist>
-      </sect3>
+      <para>如果更新執行任何核心修補，系統將會重新開機以使用修補過的核心。
+如果在任何執行中的二進位檔進行修補，被影響的應用程式將會重新啟動來使用修補過的二進位檔。</para>
 
-      <sect3>
-	<title>使用 &os.current;</title>
+      <para>將以下項目加入 <filename>/etc/crontab</filename> 系統可以每天自動檢查是否有更新:</para>
 
-	<orderedlist>
-	  <listitem>
-	    <para>加入 &a.current.name;<indexterm><primary>-CURRENT</primary><secondary>using</secondary></indexterm> 及 &a.cvsall.name; 論壇。
-	      這不單只是個建議，也是 <emphasis>必須</emphasis> 作的。
-	      若您沒訂閱 <emphasis>&a.current.name;</emphasis>
-	      ，那麼就會錯過別人對目前系統狀態的說明，而枯耗在別人已解的問題。
-	      更重要的是，可能會錯失一些對己身所管系統安危相當重要的公告。
-	      </para>
-
-	    <para>在 &a.cvsall.name; 上則可以看到每個 commit 紀錄，
-	      因為這些記錄會連帶影響其他相關資訊。</para>
-
-	    <para>要訂閱這些論壇或其他論壇，請參考 &a.mailman.lists.link;
-	      並點選想訂閱的部分即可。  至於其他後續步驟如何進行，
-	      在那裡會有說明。</para>
-	  </listitem>
+      <programlisting>@daily                                  root    freebsd-update cron</programlisting>
 
-	  <listitem>
-	    <para>從 &os; <link linkend="mirrors">mirror 站</link>
-	      取得原始碼。  有兩種方式可以達成：</para>
+      <para>如果有新的修補，它們將會自動下載，但是還不會執行。
+	管理者<systemitem
+	  class="username">root</systemitem> 將會收到email來檢視修補然後手動執行
+	<command>freebsd-update install</command> 來安裝</para>
 
-	    <orderedlist>
-	      <listitem>
-		<para>以 <link linkend="cvsup">csup</link><indexterm><primary><command>cvsup</command></primary></indexterm> 或
-		  <link linkend="cvsup">cvsup</link> 程式搭配位於
-		  <filename>/usr/share/examples/cvsup</filename> 檔名為
-		  <filename>standard-supfile</filename> 的
-		  <filename>supfile</filename>。
-		  這是大家最常推薦的方式，因為它可以讓您把整個 tree 都抓回來，
-		  之後就只取有更新的部分即可。
-		  此外，許多人會把 <command>csup</command> 或
-		  <command>cvsup</command> 放到
-		  <command>cron</command><indexterm><primary><command>cron</command></primary></indexterm> 以定期自動更新。
- 		  您須要自訂前述的 <filename>supfile</filename> 範例檔，
-		  並針對自身網路環境以調整 <link linkend="cvsup">csup</link>
-		  或 <link linkend="cvsup">cvsup</link><indexterm><primary>-CURRENT</primary><secondary>Syncing with <application>CVSup</application></secondary></indexterm> 相關設定。</para>
-	      </listitem>
-
-	      <listitem>
-		<para>使用 <application>CTM</application><indexterm><primary>-CURRENT</primary><secondary>Syncing with CTM</secondary></indexterm> 工具。  若網路環境不佳
-		  (上網費用貴，或只能用 email 而已)
-		  <application>CTM</application> 會比較適合您的需求。
-		  然而，這也有一些爭議並且常抓到一些有問題的檔案。  因此，
-		  很少人會用它。  這也註定了不能長期依賴這個更新方式。
-		  若是使用 9600&nbsp;bps modem 或頻寬更大的上網者，建議使用
-		  <application>CVSup</application>
-		  。</para>
-	      </listitem>
-	    </orderedlist>
-	  </listitem>
+      <para>如果有發生任何錯誤，<command>freebsd-update</command>
+	可以使用以下指令回溯最後的變更：</para>
 
-	  <listitem>
-	    <para>若抓 source code 是要用來跑的，而不僅只是看看而已，
-	      那麼就抓 <emphasis>整個</emphasis> &os.current;，而不要只抓部分。
-	      因為大部分的 source code 都會相依到其他 source code 環節部分，
-	      若是您只編譯其中一部份，保證會很麻煩。</para>
-
-	    <para>在編譯 &os.current;<indexterm><primary>-CURRENT</primary><secondary>compiling</secondary></indexterm> 之前，請仔細閱讀
-	      <filename>/usr/src</filename> 內的 <filename>Makefile</filename>。
-	      儘管只是升級部分東西而已，您至少也要先 <link linkend="makeworld">
-	      裝新的 kernel 以及重新編譯 world</link>。  此外，多多閱讀
-	      &a.current; 以及 <filename>/usr/src/UPDATING</filename>
-	      也是必須的，
-	      才能知道目前進度是怎樣以及下一版會有什麼新東西。</para>
-	  </listitem>
+      <screen>&prompt.root; <userinput>freebsd-update rollback</userinput>
+Uninstalling updates... done.</screen>
 
-	  <listitem>
-	    <para>熱血！若您正在跑 &os.current;，
-	      我們很想知道您對於它的想法是什麼，尤其是加強哪些功能，
-	      或該修正哪些錯誤的建議。  如果您在建議時能附上相關程式碼的話，
-	      那真是太棒了！</para>
-	  </listitem>
-	</orderedlist>
-      </sect3>
+      <para>再次，如果核心或任何核心模組有變更，系統將重新開機，受影響的二進位檔會重新執行。
+	</para>
+
+      <para>只有 <filename>GENERIC</filename> 核心可以自動被
+	<command>freebsd-update</command> 更新。
+	如果有安裝自訂的核心，在<command>freebsd-update</command>
+	完成安裝更新後，將會被重新編譯和重新安裝。
+	然而，如果 <filename>/boot/GENERIC</filename> 存在，
+	<command>freebsd-update</command>將會偵測和更新 <filename>GENERIC</filename> 核心，
+	即使他並非目前系統正在執行的核心。</para>
+
+      <note>
+	<para>永遠在 <filename>/boot/GENERIC</filename> 保留一份 <filename>GENERIC</filename>
+	  核心的備份。這對於診斷不同的問題與版本的升級有幫助。
+	  參考<xref
+	    linkend="freebsd-update-custom-kernel-9x"/> 或 <xref
+	    linkend="freebsd-update-custom-kernel-8x"/> 關於如何備份
+	  <filename>GENERIC</filename> 核心的說明</para>
+      </note>
+
+      <para>除非 <filename>/etc/freebsd-update.conf</filename> 的預設設定被改變，
+	<command>freebsd-update</command>將安裝更新過的核心原始碼和其餘的更新
+	然後就可以照平常的方式重新編譯和重新安裝新的自訂核心。</para>
+
+      <para>以 <command>freebsd-update</command> 發行的更新並非總是包含核心。
+	如果核心的原始碼沒有被 <command>freebsd-update install</command> 變更，並不需要重新編譯自訂核心。
+	然而 <command>freebsd-update</command> 總是會更新
+	<filename>/usr/src/sys/conf/newvers.sh</filename>。目前修補的程度，
+	如同執行 <command>uname -r</command> 顯示的 <literal>-p</literal>
+	數字是由這個檔案取得。
+	即使沒有做任何改變，重新編譯核心會讓 <command>uname</command> 正確地報告目前系統修補的程度。
+	這對於維護多個系統特別有幫助，可以讓你快速評估每個系統安裝的更新。</para>
     </sect2>
 
-    <sect2 xml:id="stable">
-      <title>使用最新的 &os; STABLE</title>
+    <sect2 xml:id="freebsdupdate-upgrade">
+      <title>執行主要和次要的版本升級</title>
+
+      <para>從&os;的次要版本升級到另一個版本，例如從
+	&os;&nbsp;9.0 到 &os;&nbsp;9.1, 叫作
+	<firstterm>次要版本</firstterm>更新。
+	<firstterm>主要版本</firstterm>更新發生在當 &os;
+	從一個主要版本升級到主要版本升級到另一個主要版本時
+，例如從 &os;&nbsp;9.X 到 &os;&nbsp;10.X。
+兩種更新都可以透過提供 <command>freebsd-update</command> 發行版本來執行。</para>
+
+      <note>
+	<para>如果系統正在執行自訂的核心，開始升級前，
+	確定 <filename>GENERIC</filename> 核心的副本在
+	  <filename>/boot/GENERIC</filename>。
+	   參考<xref
+	    linkend="freebsd-update-custom-kernel-9x"/> 或 <xref
+	    linkend="freebsd-update-custom-kernel-8x"/> 關於如何製作
+	  <filename>GENERIC</filename>核心副本的說明。</para>
+      </note>
+
+      <para>以下的指令執行在 &os;&nbsp;9.0 系統時，
+	將會把系統升級至 &os;&nbsp;9.1：</para>
+
+       <screen>&prompt.root; <userinput>freebsd-update -r 9.1-RELEASE upgrade</userinput></screen>
+
+      <para>當收到這個指令後，
+	<command>freebsd-update</command> 將會評估設定檔和目前的系統來收集升級需要的資訊。
+	螢幕上的清單會顯示偵測到或沒偵測到哪些元件。例如： </para>
+      <screen>Looking up update.FreeBSD.org mirrors... 1 mirrors found.
+Fetching metadata signature for 9.0-RELEASE from update1.FreeBSD.org... done.
+Fetching metadata index... done.
+Inspecting system... done.
+
+The following components of FreeBSD seem to be installed:
+kernel/smp src/base src/bin src/contrib src/crypto src/etc src/games
+src/gnu src/include src/krb5 src/lib src/libexec src/release src/rescue
+src/sbin src/secure src/share src/sys src/tools src/ubin src/usbin
+world/base world/info world/lib32 world/manpages
+
+The following components of FreeBSD do not seem to be installed:
+kernel/generic world/catpages world/dict world/doc world/games
+world/proflibs
+
+Does this look reasonable (y/n)? <userinput>y</userinput></screen>
+
+      <para>此時，<command>freebsd-update</command> 將嘗試下載所有升級需要的檔案。
+在某些案例，使用者會被提示一些關於安裝什麼或是如何進行的問題。</para>
+
+      <para>當使用自訂核心，上述的步驟將會產生如下列的警告：</para>
+
+      <screen>WARNING: This system is running a "<replaceable>MYKERNEL</replaceable>" kernel, which is not a
+kernel configuration distributed as part of FreeBSD 9.0-RELEASE.
+This kernel will not be updated: you MUST update the kernel manually
+before running "/usr/sbin/freebsd-update install"</screen>
+
+      <para>這個警告可以安全地忽略，升級過程將會立即使用更新過的
+	 <filename>GENERIC</filename> 核心</para>
+
+      <para>一旦所有的修補都被下載到本地的系統，
+	它們將會被運用。這個過程可能會花點時間，取決於機器的速度和工作量
+	設定檔將會被合併。
+	合併的過程中當檔案被合併或是手動合併螢幕上出現編輯器時需要使用者介入。
+	每一個成功合併的結果將會顯示給使用者。
+	失敗或是被忽略的合併將會使程序中斷。使用者稍候可能想要備份
+	<filename>/etc</filename> 和手動合併重要的檔案，例如：
+	<filename>master.passwd</filename> 或
+	<filename>group</filename> 。</para>
+
+      <note>
+	<para>當所有修補和合併在另一個目錄進行時，系統還不會被警告。
+	  一旦所有修補都成功運用，所有設定檔都被合併，而且過程順利，使用者可以以下指令來將這些改變付諸於磁碟上：</para>
+
+	<screen>&prompt.root; <userinput>freebsd-update install</userinput></screen>
+      </note>
 
-      <sect3>
-	<title>什麼是 &os.stable;？</title>
-	<indexterm><primary>-STABLE</primary></indexterm>
-
-	<para>&os.stable; 是我們的開發分支，主要的發行版就由此而來。
-	  這個分支會以不同速度作修改變化，並且假設這些是第一次進入 &os.current;
-	  進行測試。  然而，這 <emphasis>仍然</emphasis> 屬於開發中的分支，
-	  也就是說在某些時候，&os.stable; 可能會、也可能不會符合一些特殊需求。
-	  它只不過是另一個開發分支而已，可能不太適合一般使用者。</para>
+      <para>核心和核心模組將會先被修補。如果系統正在執行自訂核心，使用
+	&man.nextboot.8; 指令設定下次開機的核心為更新過的
+	<filename>/boot/GENERIC</filename>：</para>
+
+      <screen>&prompt.root; <userinput>nextboot -k GENERIC</userinput></screen>
+
+      <warning>
+	<para>如果機器以遠端遙控來更新，
+	  使用<filename>GENERIC</filename>核心重新開機前，
+	  確定他包含所有系統開機需要的驅動程式而且連接網路，
+	  特別是當執行的自訂核心包含核心模組提供內建功能時，
+	  確定暫時地使用 <filename>/boot/loader.conf</filename> 工具載入這些模組到 <filename>GENERIC</filename> 核心。
+	  建議停用非必須的服務和磁碟與網路掛載直到升級程序完成。
+	  </para>
+      </warning>
+
+      <para>機器現在應該更新過的核心重新開機：
+	</para>
+
+      <screen>&prompt.root; <userinput>shutdown -r now</userinput></screen>
+
+      <para>一旦系統重新上線，使用以下指令重新開始
+	<command>freebsd-update</command>。
+	因為程序的狀態已被儲存，
+	<command>freebsd-update</command> 將不會重頭開始，他會進行到下一個階段
+	，移除所有舊的共用程式庫和目標檔。</para>
+
+      <screen>&prompt.root; <userinput>freebsd-update install</userinput></screen>
+
+      <note>
+	<para>根據程式庫版本編號， 可能有兩個而不是三個安裝階段。</para>
+      </note>
+
+      <para>升級程序現在完成了。如果這是主要的版本升級，參考
+	<xref linkend="freebsdupdate-portsrebuild"/>
+	的描述重新安裝所有的ports和套件。</para>
+
+      <sect3 xml:id="freebsd-update-custom-kernel-9x">
+	<title> &os;&nbsp;9.X 以上自訂核心</title>
+
+	<para>使用 <command>freebsd-update</command> 前，確定有一份核心的副本, ensure
+	  that a copy of the <filename>GENERIC</filename> kernel
+	  exists in <filename>/boot/GENERIC</filename>.  If a custom
+	  kernel has only been built once, the kernel in
+	  <filename>/boot/kernel.old</filename> is the
+	  <literal>GENERIC</literal> kernel.  Simply rename this
+	  directory to <filename>/boot/kernel</filename>.</para>
+
+	<para>If a custom kernel has been built more than once or if
+	  it is unknown how many times the custom kernel has been
+	  built, obtain a copy of the <literal>GENERIC</literal>
+	  kernel that matches the current version of the operating
+	  system.  If physical access to the system is available, a
+	  copy of the <literal>GENERIC</literal> kernel can be
+	  installed from the installation media:</para>
+
+	<screen>&prompt.root; <userinput>mount /cdrom</userinput>
+&prompt.root; <userinput>cd /cdrom/usr/freebsd-dist</userinput>
+&prompt.root; <userinput>tar -C/ -xvf kernel.txz boot/kernel/kernel</userinput></screen>
+
+	<para>Alternately, the <literal>GENERIC</literal> kernel may
+	  be rebuilt and installed from source:</para>
+
+	<screen>&prompt.root; <userinput>cd /usr/src</userinput>
+&prompt.root; <userinput>make kernel __MAKE_CONF=/dev/null SRCCONF=/dev/null</userinput></screen>
+
+	<para>For this kernel to be identified as the
+	  <literal>GENERIC</literal> kernel by
+	  <command>freebsd-update</command>, the
+	  <filename>GENERIC</filename> configuration file must not
+	  have been modified in any way.  It is also suggested that
+	  the kernel is built without any other special
+	  options.</para>
+
+	<para>Rebooting into the <filename>GENERIC</filename> kernel
+	  is not required as <command>freebsd-update</command> only
+	  needs <filename>/boot/GENERIC</filename> to exist.</para>
       </sect3>
 
-      <sect3>
-	<title>誰需要 &os.stable;？</title>
+      <sect3 xml:id="freebsd-update-custom-kernel-8x">
+	<title>&os;&nbsp;8.X 自訂核心</title>
 
-	<para>若您有興趣去追蹤、貢獻 FreeBSD 開發過程或作些貢獻，
-	  尤其是會跟 FreeBSD 接下來的 <quote>關鍵性</quote> 發行有關，
-	  應該考慮採用 &os.stable;。</para>
-
-	<para>雖然安全漏洞的修補也會進入 &os.stable; 分支，
-	  但不必僅僅因此而 <emphasis>需要</emphasis> 去用 &os.stable;。
-	  FreeBSD 每項 security advisory(安全公告)
-	  都會解說如何去修復有受到影響的版本
-	  <footnote><para>然而，這也不一定是正確，我們不可能永遠支援 FreeBSD
-	    昔日的各種發行版本，儘管每個發行版發佈之後，都仍會持續支援數年之久。
-	    若欲瞭解 FreeBSD 目前對於舊版的支援政策細節，請參閱 <link xlink:href="&url.base;/security/">http://www.FreeBSD.org/security/</link>
-	    。</para>
-	  </footnote>
-	  ，若僅因為安全因素而去採用開發分支，雖然會解決現有已知問題，
-	  但也可能帶來一些潛藏的問題。</para>
-
-	<para>儘管我們盡力確保 &os.stable; 分支在任何時候均能正確編譯、運作，
-	  但沒人能夠擔保它隨時都可以符合上述目的。  此外，雖然原始碼在進入
-	  &os.stable; 之前，都會先在 &os.current; 開發完畢，但使用 &os.current;
-	  的人畢竟遠比 &os.stable; 使用者來的少，所以通常有些問題，可能在
-	  &os.current; 比較沒人注意到，隨著 &os.stable;
-	  使用者的廣泛使用才會浮現。</para>
-
-	<para>由於上述這些理由，我們<emphasis>並不推薦</emphasis> 盲目追隨
-	  &os.stable;，而且更重要的是，別在原始碼尚未經完整測試之前，
-	  就衝動把 production server 轉移到 &os.stable; 環境。</para>
+	<para>On an &os;&nbsp;8.X system, the instructions for
+	  obtaining or building a <filename>GENERIC</filename> kernel
+	  differ slightly.</para>
+
+	<para>Assuming physical access to the machine is possible, a
+	  copy of the <filename>GENERIC</filename> kernel can be
+	  installed from the installation media using the following
+	  commands:</para>
+
+	<screen>&prompt.root; <userinput>mount /cdrom</userinput>
+&prompt.root; <userinput>cd /cdrom/<replaceable>X.Y-RELEASE</replaceable>/kernels</userinput>
+&prompt.root; <userinput>./install.sh GENERIC</userinput></screen>
+
+	<para>Replace <filename
+	    ><replaceable>X.Y-RELEASE</replaceable></filename>
+	  with the version of the release being used.  The
+	  <filename>GENERIC</filename> kernel will be installed in
+	  <filename>/boot/GENERIC</filename> by default.</para>
+
+	<para>To instead build the <filename>GENERIC</filename> kernel
+	  from source:</para>
+
+	<screen>&prompt.root; <userinput>cd /usr/src</userinput>
+&prompt.root; <userinput>env DESTDIR=/boot/GENERIC make kernel __MAKE_CONF=/dev/null SRCCONF=/dev/null</userinput>
+&prompt.root; <userinput>mv /boot/GENERIC/boot/kernel/* /boot/GENERIC</userinput>
+&prompt.root; <userinput>rm -rf /boot/GENERIC/boot</userinput></screen>
+
+	<para>For this kernel to be picked up as
+	  <filename>GENERIC</filename> by
+	  <command>freebsd-update</command>, the
+	  <filename>GENERIC</filename> configuration file must not
+	  have been modified in any way.  It is also suggested that it
+	  is built without any other special options.</para>
 
-	<para>若您沒有這些多的時間、精神的話，那推薦您使用最新的 FreeBSD
-	  發行版即可，並採用其所提供的 binary 更新機制來完成升級轉移。</para>
+	<para>Rebooting into the <filename>GENERIC</filename> kernel
+	  is not required.</para>
       </sect3>
 
-      <sect3>
-	<title>使用 &os.stable;</title>
+      <sect3 xml:id="freebsdupdate-portsrebuild">
+	<title>主要版本更新後更新 Packages</title>
 
-	<orderedlist>
-	  <listitem>
-	    <para>訂閱 &a.stable.name;<indexterm><primary>-STABLE</primary><secondary>using</secondary></indexterm> list。  可以讓您隨時瞭解 &os.stable;
-	      的軟體編譯時的相依關係，以及其他需特別注意的問題。
-	      開發者在考慮一些有爭議的修正或更新時，就會先在這裡發信說明，
-	      給使用者有機會可以反應，
-	      看他們對所提的更改是否有什麼建議或問題。</para>
+	<para>一般來說，次要版本更新後安裝的應用程式可以沒有問題地繼續執行。
+	  主要版本間使用不同的應用程式二進位介面 Application Binary Interfaces
+	  (<acronym>ABI</acronym>s)，會破壞大部份第三方應用程式。
+	  主要版本更新後，所有安裝的套件和 ports 需要使用應用程式來升級，例如
+	  <package>ports-mgmt/portmaster</package>
+	  重新編譯所有應用程式，可以使用以下指令完成：</para>
 
-	    <para>而 &a.cvsall.name; list 這邊可以看到每個 commit log，
-	      其中包括了許多中肯的資訊，例如一些可能發生的邊際效應等等。</para>
+	<screen>&prompt.root; <userinput>portmaster -af</userinput></screen>
 
-	    <para>想要加入這些通信論壇的話，只要到 &a.mailman.lists.link;
-	      點下想訂閱的 list 即可。  其餘的步驟在網頁上會有說明。</para>
-	  </listitem>
+	<para>這個指令將會顯示每個程式的設定選項設定畫面，等待使用者的互動。
+	  如果要使用預設的選項，可以在上述指令使用<option>-G</option>選項。
+	  </para>
 
-	  <listitem>
-	    <para>若打算要安裝一個全新的系統，並且希望裝  &os.stable;
-	      每月定期的 snapshot，那麼請參閱 <link xlink:href="&url.base;/snapshots/">Snapshots</link> 網頁以瞭解相關細節。
-	      此外，也可從 <link linkend="mirrors">mirror 站</link>
-	      來安裝最新的 &os.stable; 發行版，並透過下列的的說明來更新到最新的
-	      &os.stable; 原始碼。</para>
-
-	    <para>若已裝的是 &os; 以前的版本，而想透過原始碼方式來升級，
-	      那麼也是可以利用 &os; <link linkend="mirrors">mirror 站</link>
-	      來完成。  以下介紹兩種方式：</para>
-
-	    <orderedlist>
-	      <listitem>
-		<para>以 <link linkend="cvsup">csup</link><indexterm><primary><command>cvsup</command></primary></indexterm> 或
-		  <link linkend="cvsup">cvsup</link> 程式搭配位於
-		  <filename>/usr/share/examples/cvsup</filename> 檔名為
-		  <filename>stable-supfile</filename> 的
-		  <filename>supfile</filename>。  這是大家最常推薦的方式，
-		  因為它可以讓你把整個 tree 都抓回來，
-		  之後就只取有更新的部分即可。
-		  此外，許多人會把 <command>csup</command> 或
-		  <command>cvsup</command> 放到 <command>cron</command><indexterm><primary><command>cron</command></primary></indexterm>
-		  以定期自動更新。  您須要自訂前述的
-		  <filename>supfile</filename> 範例檔，並針對自身網路環境以調整
-		  <link linkend="cvsup">csup</link> 或
-		  <link linkend="cvsup">cvsup</link><indexterm><primary>-STABLE</primary><secondary>syncing with <application>CVSup</application></secondary></indexterm> 相關設定。</para>
-	      </listitem>
-
-	      <listitem>
-		<para>使用 <application>CTM</application><indexterm><primary>-STABLE</primary><secondary>syncing with CTM</secondary></indexterm> 更新工具。
-		  若網路不快或網路費用貴，那麼可以考慮採用。</para>
-	      </listitem>
-	   </orderedlist>
-	 </listitem>
+	<para>一旦軟體升級完成, 執行
+	  <command>freebsd-update</command> 來完成所有升級過程的零碎事情 ：</para>
 
-	  <listitem>
-	    <para>一般而言，若常需存取最新原始碼，而不計較網路頻寬的話，
-	      可以使用 <command>csup</command> 或 <command>cvsup</command>
-	      或 <command>ftp</command>。  否則，就考慮
-	      <application>CTM</application>。</para>
-	  </listitem>
+	<screen>&prompt.root; <userinput>freebsd-update install</userinput></screen>
 
-	  <listitem>
-	    <para>在編譯 &os.stable;<indexterm><primary>-STABLE</primary><secondary>compiling</secondary></indexterm> 之前，請先仔細閱讀
-	      <filename>/usr/src</filename> 內的 <filename>Makefile</filename>
-	      檔。  儘管只是升級部分東西而已，您至少也要先 <link linkend="makeworld">裝新的 kernel 以及重新編譯 world</link>。
-	      此外，多多閱讀 &a.stable; 以及
-	      <filename>/usr/src/UPDATING</filename> 也是必備的，
-	      這樣才能知道目前進度是怎樣，以及下一版會有哪些新東西。</para>
-	  </listitem>
-	</orderedlist>
+	<para>如果是暫時使用 <filename>GENERIC</filename> 核心，
+	  現在請使用
+	<xref linkend="kernelconfig"/>的說明編譯和安裝新的自訂核心。</para>
+
+	<para>重新開機進入新版的 &os;。現在已經完成升級過程了。
+	  </para>
       </sect3>
     </sect2>
-  </sect1>
 
-  <sect1 xml:id="synching">
-    <title>更新你的 Source</title>
+    <sect2 xml:id="freebsdupdate-system-comparison">
+      <title>系統狀態比較</title>
 
-    <para>&os; 計劃原始碼有許多透過網路(或 email)的方式來更新，
-      無論是更新那一塊領域，這些全由您自行決定。  我們主要提供的是 <link linkend="anoncvs">Anonymous CVS</link>、<link linkend="cvsup">CVSup</link>
-      、<link linkend="ctm">CTM</link>。</para>
+      <para>已安裝的 &os; 版本可以使用 <command>freebsd-update IDS</command>
+來跟另一個已知好的複製版本來做測試。
+這個指令評估系統應用程式，程式庫和設定檔案目前的版本，
+可以被當成內建的入侵偵測系統來使用 (<acronym>IDS</acronym>)。</para>
 
-    <warning>
-      <para>雖然可以只更新部分原始碼，但唯一支援的更新流程是更新整個 tree，
-	並且重編 userland(比如：由使用者去執行的所有程式，像是
-	<filename>/bin</filename>、<filename>/sbin</filename> 內的程式)以及
-	kernel 原始碼。
-        若只更新部分的 source tree、或只有 kernel 部分、或只有 userland
-	部分，通常會造成一些錯誤，像是：編譯錯誤、kernel panic、資料毀損等
-	。</para>
-    </warning>
+      <warning>
+	<para>這個指令不是取代真正的
+	  <acronym>IDS</acronym> ，例如
+	  <package>security/snort</package>。當
+	  <command>freebsd-update</command> 儲存資料在磁碟裡，是有被竄改的可能性
+	  可以使用 <varname>kern.securelevel</varname>
+	  或是將沒有在使用的 <command>freebsd-update</command>
+	  的資料儲存在唯讀檔案系統來減少這樣的可能性，
+	  比較好的解決方法是將系統和安全的磁碟，例如
+	  <acronym>DVD</acronym> 或是安全的外接
+	  <acronym>USB</acronym> 磁碟裝置做比較。
+	  另類的方法是使用在 <xref linkend="security-ids"/> 描述的內建應用程式提供的
+	  <acronym>IDS</acronym> 功能</para>
+      </warning>
 
-    <indexterm>
-      <primary>CVS</primary>
-      <secondary>anonymous</secondary>
-    </indexterm>
+      <para>為了開始比較，先指定特定的輸出檔案來儲存結果：</para>
 
-    <para><application>Anonymous CVS</application> 及
-      <application>CVSup</application> 均是採 <emphasis>pull</emphasis>
-      模式來更新原始碼。  以 <application>CVSup</application> 為例，
-      使用者(或 <command>cron</command> script)會執行 <command>cvsup</command>
-      程式，後者會與某一台 <command>cvsupd</command> 伺服器作些互動，
-      以更新相關原始碼檔案。  您所收到更新會是當時最新的，
-      而且只會收到需更新的部分。  此外，也可以很輕鬆去設定要更新的範圍。
-      更新會由伺服器跟本機比對之後，丟出當時您所需要的更新檔案給你。
-      <application>Anonymous CVS</application> 的概念相對於
-      <application>CVSup</application> 來得更簡單些，因為它只是
-      <application>CVS</application> 的延伸而已，一樣讓你可從遠端的
-      CVS repository 取出最新原始碼。  然而 <application>CVSup</application>
-      在這方面會更有效率，不過 <application>Anonymous CVS</application>
-      對新手而言，是用起來比較簡單。</para>
+      <screen>&prompt.root; <userinput>freebsd-update IDS &gt;&gt; outfile.ids</userinput></screen>
 
-    <indexterm>
-      <primary><application>CTM</application></primary>
-    </indexterm>
-    <para>另一種方式則是 <application>CTM</application>。
-      它並不是以交談式介面來比對您所擁有的 sources 和伺服器上的 sources
-      或是您取得的更新部份。  相反的，會有一個 script
-      檔專門用來辨識變更過的檔案，這個程式是由 CTM 伺服器來執行，
-      每天會比對數次，並把兩次執行期間內變更過的檔案加以壓縮，
-      並給它們一個序號，然後就加以編碼(只用 printable ASCII 字元)，
-      並以 email 的方式寄出。  當您收到它的時候，這些 <quote>CTM deltas</quote>
-      就可以由 &man.ctm.rmail.1; 程式來處理，該程式會自動解碼、確認、
-      套用這些變更。 這程序比 <application>CVSup</application> 來說是快得多了，
-      而且，這個模式對我們的伺服器來說是比較輕鬆的，因為這是一個
-      <emphasis>push</emphasis> 的模式，而非 <emphasis>pull</emphasis>
-      的模式。</para>
-
-    <para>當然，這樣做也會帶來一些不便。  若不小心把您部份的程式清除掉了，
-      <application>CVSup</application> 會偵測出來，並自動為您把不足的部份補齊。
-      <application>CTM</application> 並不會為您做這些動作。
-      若清掉了您的部份 source (而且沒備份)，您可以從頭開始(從最新的 CVS
-      <quote>base delta</quote>)並用 <application>CTM</application> 來重建它們
-      ，或是用 <application>Anonymous CVS</application> 來完成，
-      只要把不正確的地方砍掉，再重新做同步的動作即可。</para>
+      <para>現在系統將會被檢查，
+	而包含已知發行版和現在安裝版的<acronym>SHA256</acronym>雜湊值
+	的冗長檔案清單將會被送至指定的輸出檔。</para>
+
+      <para>清單的項目相當長，但是輸出格式很容易被分析。
+	例如，要獲得一個和發行版不同的檔案清單，可以下以下指令：</para>
+
+      <screen>&prompt.root; <userinput>cat outfile.ids | awk '{ print $1 }' | more</userinput>
+/etc/master.passwd
+/etc/motd
+/etc/passwd
+/etc/pf.conf</screen>
+
+      <para>這個輸出範例已經被截短，原來有更多的檔案存在。
+	有些檔案自然會有修改。例如，如果有使用者被加入系統，
+	<filename>/etc/passwd</filename> 會被修改
+	如果 <command>freebsd-update</command> 有更新過，核心模組可能會不同
+	 為了要排除特定的檔案或目錄，把它們加到<filename>/etc/freebsd-update.conf</filename> 裡的 <literal>IDSIgnorePaths</literal> 選項。</para>
+    </sect2>
   </sect1>
 
-  <sect1 xml:id="makeworld">
-    <title>重新編譯 <quote>world</quote></title>
+  <sect1 xml:id="updating-upgrading-documentation">
+    <title>更新文件組</title>
+
+    <indexterm><primary>更新和升級</primary></indexterm>
 
     <indexterm>
-      <primary>Rebuilding <quote>world</quote></primary>
+      <primary>文件</primary>
+      <see>更新和升級</see>
     </indexterm>
-    <para>在更新 &os; 的 source tree 到最新之後(無論是 &os.stable;、
-      &os.current; 等等)，接下來就可以用這些 source tree 來重新編譯系統
-      。</para>
 
-    <warning>
-      <title>做好備份</title>
+    <para>文件是&os;作業系統不可或缺的一部份。
+      最新版本的 &os; 文件可以在
+      &os; 網站取得(<link
+	xlink:href="&url.base;/doc/">http://www.freebsd.org/doc/</link>),
+      很方便有一份最新的&os;
+      網站，使用手冊， <acronym>常見問答</acronym>和文章的本地端副本。</para>
 
-      <para>在作任何大動作 <emphasis>之前</emphasis>
-	要記得先把系統作備份的重要性無須強調。 儘管重新編譯 world 是
-	(只要有照文件指示去作的話)一件很簡單的事情，但出錯也是在所難免的。
-	另外，別人在 source tree 不慎搞混的錯誤，也可能會造成系統無法開機
-	。</para>
-
-      <para>請確認自己已作妥相關備份，並且手邊有 fixit 磁片或開機光碟。
-	您可能永遠也用不到這些東西，
-	但安全第一總比事後說抱歉來得好吧！</para>
-    </warning>
+    <para>這一節描述如何使用原始碼或是
+	&os; Ports 管理機制將
+	本地端&os;文件保持最新。</para>
 
-    <warning>
-      <title>訂閱相關的 Mailing List</title>
+    <para>編輯和發佈文件更正的資訊
+     請參考 &os; 文件計劃新貢獻者入門書
+      (<link
+	  xlink:href="&url.books.fdp-primer;">http://www.freebsd.org/doc/en_US.ISO8859-1/books/fdp-primer/</link>).</para>
 
-      <indexterm><primary>mailing list</primary></indexterm>
-      <para>&os.stable; 以及 &os.current; 分支，本質上就是屬於 <emphasis>
-	開發階段</emphasis>。  為 &os; 作貢獻的也都是人，偶爾也會犯錯誤。</para>
-
-      <para>有時候這些錯誤並無大礙，只是會讓系統產生新的錯誤警告而已。
-	有時則是災難，可能會導致不能開機或檔案系統的毀損(或更糟)。</para>
-
-      <para>若遇到類似問題，貼封標題為 <quote>heads up(注意)</quote>
-	開頭的信到相關的 mailing list，並講清楚問題點以及會影響哪些系統。
-	在問題獲解決後，再貼標題為 <quote>all clear(已解決)</quote>
-	開頭的聲明信。</para>
+    <sect2 xml:id="updating-installed-documentation">
+      <title>從原始碼更新文件</title>
 
-      <para>若用的是 &os.stable; 或 &os.current;，卻又不閱讀 &a.stable; 或
-	&a.current; 的討論，那麼會是自找麻煩而已。</para>
-    </warning>
+      <para>重新從原始碼編譯&os; 文件需要一些不是屬於
+	&os; 基礎系統的工具
+	這些需要的工具包括
+	<application>svn</application> 可以從
+	<package>textproc/docproj</package> 套件安裝或是
+	&os; 文件計劃的開發的port</para>
 
-    <warning>
-      <title>不要用 <command>make world</command></title>
+      <para>一旦安裝好，請使用 <application>svn</application>
+	來取得乾淨的文件原始碼副本。
+	將 <replaceable>https://svn0.us-west.FreeBSD.org</replaceable>
+	置換成 <xref linkend="svn-mirrors"/> 裡地理位置和你最近的鏡像站：</para>
 
-      <para>一堆早期的舊文件都會建議說使用 <command>make world</command>。
-	這樣做會跳過一些重要步驟，建議只有在你知道自己在作什麼，再這麼做。
-	在絕大多數的情況下，請不要亂用 <command>make world</command>，
-	而該改用下面介紹的方式。</para>
-    </warning>
+      <screen>&prompt.root; <userinput>svn checkout <replaceable>https://svn0.us-west.FreeBSD.org</replaceable>/doc/head /usr/doc</userinput></screen>
 
-    <sect2>
-      <title>更新系統的標準方式</title>
+      <para>第一次下載文件原始碼需要花點時間，請讓他執行完畢</para>
 
-      <para>要升級系統前，一定要先查閱 <filename>/usr/src/UPDATING</filename>
-	文件，以瞭解 buildworld 之前需要作哪些事情或注意事項，
-	然後才用下列步驟：</para>
-
-      <screen>&prompt.root; <userinput>make buildworld</userinput>
-&prompt.root; <userinput>make buildkernel</userinput>
-&prompt.root; <userinput>make installkernel</userinput>
-&prompt.root; <userinput>reboot</userinput></screen>
+      <para>將來文件原始碼更新的取得可以執行：</para>
 
-      <note>
-	<para>在少數狀況，可能需要先在 <buildtarget>buildworld</buildtarget>
-	  步驟之前先作 <command>mergemaster -p</command> 才能完成。
-	  至於何時需要或不需要，請參閱 <filename>UPDATING</filename> 內的說明。
-	  一般來說，只要不是進行跨版號(major)的 &os; 版本升級，
-	  就可略過這步驟。</para>
-      </note>
+      <screen>&prompt.root; <userinput>svn update /usr/doc</userinput></screen>
 
-      <para>完成 <buildtarget>installkernel</buildtarget> 之後，需要重開機並切到
-	single user 模式(舉例：也可以在 loader 提示符號後面加上
-	<command>boot -s</command>)。  接下來執行：</para>
-
-      <screen>&prompt.root; <userinput>mergemaster -p</userinput>
-&prompt.root; <userinput>make installworld</userinput>
-&prompt.root; <userinput>mergemaster</userinput>
-&prompt.root; <userinput>reboot</userinput></screen>
+      <para>當最新的文件原始碼快照已經抓取到
+	<filename>/usr/doc</filename>，一切都已就緒可以對已安裝的文件進行更新。</para>
 
-      <warning>
-	<title>Read Further Explanations</title>
+      <para>要完整更新所有語言，可以執行:</para>
 
-	<para>上述步驟只是協助您升級的簡單說明而已，若要清楚瞭解每一步驟，
-	  尤其是若欲自行打造 kernel 設定，就更該閱讀下面的內容。</para>
-      </warning>
-    </sect2>
+      <screen>&prompt.root; <userinput>cd /usr/doc</userinput>
+&prompt.root; <userinput>make install clean</userinput></screen>
+
+      <para>如果只要更新一個特定的語言，可以在 <filename>/usr/doc</filename>
+中特定語言的子目錄執行 <command>make</command>:</para>
+
+      <screen>&prompt.root; <userinput>cd /usr/doc/en_US.ISO8859-1</userinput>
+&prompt.root; <userinput>make install clean</userinput></screen>
+
+      <para>另一個更新文件的方法是在 <filename>/usr/doc</filename>
+或特定語言的子目錄執行:</para>
+
+      <screen>&prompt.root; <userinput>make update</userinput></screen>
+
+      <para>輸出格式可以經由設定 <varname>FORMATS</varname> 來指：</para>
+
+      <screen>&prompt.root; <userinput>cd /usr/doc</userinput>
+&prompt.root; <userinput>make FORMATS='html html-split' install clean</userinput></screen>
 
-    <sect2>
-      <title>閱讀 <filename>/usr/src/UPDATING</filename></title>
+      <para>有幾個選項可以使得只要更新部份文件或是建立特定翻譯的過程更加簡易。
+這些選項可以在 <filename>/etc/make.conf</filename> 中設定成整個系統的選項，
+或是經由命令列傳送給 <command>make</command>。</para>
 
-      <para>在作任何事情之前，請務必先閱讀
-	<filename>/usr/src/UPDATING</filename> (或在 source code 內類似的文件)
-	。  這份文件會寫到可能遭遇的問題，或指定那些會執行的指令順序為何。
-	如果你機器現在的 <filename>UPDATING</filename>
-	文件與這邊的描述有衝突、矛盾之處，那麼請以機器上的
-	<filename>UPDATING</filename> 為準。</para>
-
-      <important>
-	<para>然而，如同先前所述，單單只靠閱讀 <filename>UPDATING</filename>
-	  並不能完全取代 mailing list。  這兩者都是互補的，而不相排斥。</para>
-      </important>
+      <para>這些選項包括:</para>
+
+      <variablelist>
+	<varlistentry>
+	  <term><varname>DOC_LANG</varname></term>
+
+	  <listitem>
+	    <para>要建立或是安裝的語言和編碼清單，例如英文文件用
+	      <literal>en_US.ISO8859-1</literal>。</para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><varname>FORMATS</varname></term>
+
+	  <listitem>
+	    <para>單一格式或是要建立的輸出格式清單。目前支援 <literal>html</literal>,
+	      <literal>html-split</literal>, <literal>txt</literal>,
+	      <literal>ps</literal>, 和 <literal>pdf</literal>。</para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term><varname>DOCDIR</varname></term>
+
+	  <listitem>
+	    <para>安裝文件的位置。預設裝在
+	      <filename>/usr/share/doc</filename>。</para>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
+
+      <para>更多關於&os;全系統的<command>make</command> 變數，
+	請參考&man.make.conf.5;。</para>
     </sect2>
 
-    <sect2>
-      <title>檢查 <filename>/etc/make.conf</filename></title>
+    <sect2 xml:id="doc-ports-install-package">
+      <info>
+	<title>從 Ports 更新文件</title>
+
+	<authorgroup>
+	  <author>
+	    <personname>
+	      <firstname>Marc</firstname>
+	      <surname>Fonvieille</surname>
+	    </personname>
+	    <contrib>Based on the work of </contrib>
+	  </author>
+	</authorgroup>
+      </info>
+
       <indexterm>
-        <primary><filename>make.conf</filename></primary>
+	<primary>Updating and Upgrading</primary>
       </indexterm>
 
-      <para>檢查
-	<filename>/usr/share/examples/etc/make.conf</filename>
-	以及
-	<filename>/etc/make.conf</filename>。  第一份文件乃是一些系統預設值
-	&ndash; 不過，大部分都被註解起來。  為了在重新編譯時能夠使用這些，
-	請把這些設定加到 <filename>/etc/make.conf</filename>。  請注意在
-	<filename>/etc/make.conf</filename> 的任何設定也會影響到每次使用
-	<command>make</command> 的結果，
-	因此設定一些適合自己系統的選項會是不錯的作法。</para>
-
-      <para>一般使用者通常會從
-	<filename>/usr/share/examples/etc/make.conf</filename> 複製
-	<varname>CFLAGS</varname> 以及 <varname>NO_PROFILE</varname>
-	之類的設定到 <filename>/etc/make.conf</filename>，並解除相關註解印記
-	。</para>
+      <indexterm>
+	<primary>documentation package</primary>
+	<see>Updating and Upgrading</see>
+      </indexterm>
 
-      <para>此外，也可以試試看其他設定 (<varname>COPTFLAGS</varname>、
-	<varname>NOPORTDOCS</varname> 等等)，是否符合自己所需。</para>
-    </sect2>
+      <para>前一節說明了從原始碼更新 &os; 文件的方法。本節敘述使用 Ports Collection 的另一種方法：</para>
 
-    <sect2>
-      <title>更新 <filename>/etc</filename> 內的設定檔</title>
+      <itemizedlist>
+	<listitem>
+	  <para>Install pre-built packages of the documentation,
+	    without having to locally build anything or install the
+	    documentation toolchain.</para>
+	</listitem>
+
+	<listitem>
+	  <para>Build the documentation sources through the ports
+	    framework, making the checkout and build steps a bit
+	    easier.</para>
+	</listitem>
+      </itemizedlist>
+
+      <para>This method of updating the &os; documentation is
+	supported by a set of documentation ports and packages which
+	are updated by the &a.doceng; on a monthly basis.  These are
+	listed in the &os; Ports&nbsp;Collection, under the docs
+	category (<link
+	  xlink:href="http://www.freshports.org/docs/">http://www.freshports.org/docs/</link>).</para>
+
+      <para>Organization of the documentation ports is as
+	follows:</para>
+
+      <itemizedlist>
+	<listitem>
+	  <para>The <package>misc/freebsd-doc-en</package> package or
+	    port installs all of the English documentation.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <package>misc/freebsd-doc-all</package>
+	    meta-package or port installs all documentation in all
+	    available languages.</para>
+	</listitem>
+
+	<listitem>
+	  <para>There is a package and port for each translation, such
+	    as <package>misc/freebsd-doc-hu</package> for the
+	    Hungarian documentation.</para>
+	</listitem>
+      </itemizedlist>
+
+      <para>When binary packages are used, the &os; documentation will
+	be installed in all available formats for the given language.
+	For example, the following command will install the latest
+	package of the Hungarian documentation:</para>
 
-      <para>在 <filename>/etc</filename> 目錄會有系統的相關設定檔，
-	以及開機時的各項服務啟動 script。  有些 script 隨 FreeBSD
-	版本的不同而有些差異。</para>
-
-      <para>其中有些設定檔會在每日運作的系統裡也會用到。  尤其是
-	<filename>/etc/group</filename>。</para>
-
-      <para>有時候在 <command>make installworld</command> 安裝過程中，
-	會需要先建立某些特定帳號或群組。  在進行升級之前，它們可能並不存在，
-	因此升級時就會造成問題。  有時候 <command>make buildworld</command>
-	會先檢查這些所需的帳號或群組是否已有存在。</para>
-
-      <para>舉個這樣的例子，像是某次升級之後必須新增 <systemitem class="username">smmsp</systemitem>
-	帳號。  若使用者尚未新增該帳號就要完成升級操作的話，
-	會在 &man.mtree.8; 嘗試建立 <filename>/var/spool/clientmqueue</filename>
-	時發生失敗。</para>
-
-      <para>解法是在 buildworld 階段之前，先執行 &man.mergemaster.8; 並搭配
-	<option>-p</option> 選項。  它會比對那些執行
-	<buildtarget>buildworld</buildtarget> 或
-	<buildtarget>installworld</buildtarget> 所需之關鍵設定檔。
-	若你所用的是早期仍未支援 <option>-p</option> 的
-	<command>mergemaster</command> 版本，那麼直接使用 source tree
-	內的新版即可：</para>
-
-      <screen>&prompt.root; <userinput>cd /usr/src/usr.sbin/mergemaster</userinput>
-&prompt.root; <userinput>./mergemaster.sh -p</userinput></screen>
-
-      <tip>
-	<para>若您是偏執狂(paranoid)，
-	  可以像下面這樣去試著檢查系統上有哪些檔案屬於已改名或被刪除的群組
-	  ：</para>
-
-	<screen>&prompt.root; <userinput>find / -group GID -print</userinput></screen>
-
-	<para>這會顯示所有符合要找的 <replaceable>GID</replaceable> 群組
-	  (可以是群組名稱，或者是群組的數字代號)的所有檔案。</para>
-      </tip>
-    </sect2>
+      <screen>&prompt.root; <userinput>pkg install hu-freebsd-doc</userinput></screen>
 
-    <sect2 xml:id="makeworld-singleuser">
-      <title>切換到 Single User 模式</title>
-      <indexterm><primary>single-user mode</primary></indexterm>
+      <note>
+	<para>Packages use a format that differs from the
+	  corresponding port's name:
+	  <literal><replaceable>lang</replaceable>-freebsd-doc</literal>,
+	  where <replaceable>lang</replaceable> is the short format of
+	  the language code, such as <literal>hu</literal> for
+	  Hungarian, or <literal>zh_cn</literal> for Simplified
+	  Chinese.</para>
+      </note>
 
-      <para>您可能會想在 single user 模式下編譯系統。
-	除了可以明顯更快完成之外，安裝過程中將會牽涉許多重要的系統檔案，
-	包括所有系統 binaries、libraries、include 檔案等。
-	若在運作中的系統(尤其有許多使用者在用的時候)內更改這些檔案，
-	那簡直是自找麻煩的作法。</para>
-
-      <indexterm><primary>multi-user mode</primary></indexterm>
-      <para>另一種模式是先在 multi-user 模式下編譯好系統，然後再切到 single user
-	模式去安裝。  若您比較喜歡這種方式，只需在 build(編譯過程) 完成之後，
-	再去執行下面的步驟即可。  一直到可切換 single user 模式時，再去執行
-	<buildtarget>installkernel</buildtarget> 或
-	<buildtarget>installworld</buildtarget> 即可。</para>
-
-      <para>切換為 root 身份打：</para>
-
-      <screen>&prompt.root; <userinput>shutdown now</userinput></screen>
-
-      <para>這樣就會從原本的 multi-user 模式切換到 single user 模式。</para>
-
-      <para>除此之外也可以重開機，接著在開機選單處選擇
-	<quote>single user</quote> 選項。  如此一來就會進入 single user 模式，
-	然後在 shell 提示符號處輸入：</para>
+      <para>To specify the format of the documentation, build the port
+	instead of installing the package.  For example, to build and
+	install the English documentation:</para>
+
+      <screen>&prompt.root; <userinput>cd /usr/ports/misc/freebsd-doc-en</userinput>
+&prompt.root; <userinput>make install clean</userinput></screen>
+
+      <para>The port provides a configuration menu where the format to
+	build and install can be specified.  By default, split
+	<acronym>HTML</acronym>, similar to the format used on <uri
+	  xlink:href="http://www.FreeBSD.org">http://www.FreeBSD.org</uri>,
+	and <acronym>PDF</acronym> are selected.</para>
+
+      <para>Alternately, several <command>make</command> options can
+	be specified when building a documentation port,
+	including:</para>
+
+      <variablelist>
+	<varlistentry>
+	  <term><varname>WITH_HTML</varname></term>
 
-      <screen>&prompt.root; <userinput>fsck -p</userinput>
-&prompt.root; <userinput>mount -u /</userinput>
-&prompt.root; <userinput>mount -a -t ufs</userinput>
-&prompt.root; <userinput>swapon -a</userinput></screen>
+	  <listitem>
+	    <para>Builds the HTML format with a single HTML file per
+	      document.  The formatted documentation is saved to a
+	      file called <filename>article.html</filename>, or
+	      <filename>book.html</filename>.</para>
+	  </listitem>
+	</varlistentry>
 
-      <para>這樣會先檢查檔案系統，並重新將 <filename>/</filename>
-	改以可讀寫的模式掛載，以及 <filename>/etc/fstab</filename>
-	內所設定的其他 UFS 檔案系統，最後啟用 swap 磁區。</para>
+	<varlistentry>
+	  <term><varname>WITH_PDF</varname></term>
 
+	  <listitem>
+	    <para>The formatted documentation is saved to a file
+	      called <filename>article.pdf</filename> or
+	      <filename>book.pdf</filename>.</para>
+	  </listitem>
+	</varlistentry>
 
-        <note>
-          <para>若 CMOS 時鐘是設為當地時間，而非 GMT 時區(若 &man.date.1;
-	    指令沒顯示正確的時間、時區)，那可能需要再輸入下列指令：</para>
-<screen>&prompt.root; <userinput>adjkerntz -i</userinput></screen>
-
-          <para>這步驟可以確認您的當地時區設定是否正確 &mdash;
-	    否則日後會造成一些問題。</para>
-        </note>
+	<varlistentry>
+	  <term><varname>DOCBASE</varname></term>
 
-    </sect2>
+	  <listitem>
+	    <para>Specifies where to install the documentation.  It
+	      defaults to
+	      <filename>/usr/local/share/doc/freebsd</filename>.</para>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
 
-    <sect2>
-      <title>移除 <filename>/usr/obj</filename></title>
+      <para>This example uses variables to install the Hungarian
+	documentation as a <acronym>PDF</acronym> in the specified
+	directory:</para>
+
+      <screen>&prompt.root; cd /usr/ports/misc/freebsd-doc-hu
+&prompt.root; make -DWITH_PDF DOCBASE=share/doc/freebsd/hu install clean</screen>
+
+      <para>Documentation packages or ports can be updated using the
+	instructions in <xref linkend="ports"/>.  For example, the
+	following command updates the installed Hungarian
+	documentation using <package>ports-mgmt/portmaster</package>
+	by using packages only:</para>
 
-      <para>在重新編譯系統的過程中，編譯結果會放到(預設情況)
-	<filename>/usr/obj</filename> 內。  這裡面的目錄會對應到
-	<filename>/usr/src</filename> 的目錄結構。</para>
-
-      <para>砍掉這目錄，可以讓以後的 <command>make buildworld</command>
-	過程更快一些，而且可避免以前編譯的東西跟現在的混淆在一起的相依錯亂
-	。</para>
-
-      <para>而有些 <filename>/usr/obj</filename> 內的檔案可能會設定不可更動的
-	flag(細節請參閱 &man.chflags.1;)，而必須先拿掉這些 flag 設定才行
-	。</para>
-
-      <screen>&prompt.root; <userinput>cd /usr/obj</userinput>
-&prompt.root; <userinput>chflags -R noschg *</userinput>
-&prompt.root; <userinput>rm -rf *</userinput></screen>
+      <screen>&prompt.root; <userinput>portmaster -PP hu-freebsd-doc</userinput></screen>
     </sect2>
+  </sect1>
+
+  <sect1 xml:id="current-stable">
+    <title>追蹤發展分支</title>
 
-    <sect2 xml:id="cutting-edge-compilebase">
-      <title>重新編譯 Base System</title>
+    <indexterm><primary>-CURRENT</primary></indexterm>
+    <indexterm><primary>-STABLE</primary></indexterm>
 
-      <sect3>
-	<title>保留編譯的紀錄</title>
+    <para>&os; 有兩個發展分支： &os.current; and
+      &os.stable;.</para>
 
-	<para>建議養成好習慣，把執行 &man.make.1; 時產生的紀錄存起來。
-	  這樣若有哪邊出錯，就會有錯誤訊息的紀錄。  雖然單單這樣，
-	  你可能不知道如何分析是哪邊出了岔，但若把你問題記錄貼到 &os; 相關的
-	  mailing list 就可以有人可以幫忙看是怎麼一回事情。</para>
-
-	<para>最簡單的方是就是用 &man.script.1; 指令，並加上參數
-	  (你想存放記錄的檔案位置、檔名)即可。
-	  這步驟應該在重新編譯系統時就要作，然後在完成編譯後輸入
-	  <userinput>exit</userinput> 即可離開。</para>
-
-	<screen>&prompt.root; <userinput>script /var/tmp/mw.out</userinput>
-Script started, output file is /var/tmp/mw.out
-&prompt.root; <userinput>make TARGET</userinput>
-<emphasis>&hellip; compile, compile, compile &hellip;</emphasis>
-&prompt.root; <userinput>exit</userinput>
-Script done, &hellip;</screen>
-
-	<para>對了，還有一點儘量<emphasis>別把</emphasis>檔案存到
-	  <filename>/tmp</filename> 目錄內。  因為重開機之後，
-	  這目錄內的東西都會被清空。  比較妥善的地方是
-	  <filename>/var/tmp</filename> (如上例所示) 或者是
-	  <systemitem class="username">root</systemitem> 的家目錄。</para>
-      </sect3>
+    <para>本節將將解釋每個分支和他的預設的使用者，以及如何保持每個分支系統在最新。</para>
+
+    <sect2 xml:id="current">
+      <title>使用 &os.current;</title>
+
+      <para>&os.current; 是 &os; 開發的<quote>最前線</quote>，&os.current;的使用者應有較強的技術能力。
+	技術能力較弱的使用者想追蹤發展分支應該追蹤 &os.stable;。</para>
+
+      <para>&os.current; 是 &os; 最新的原始碼，包括正在進行的工作，
+	實驗性的改變，以及可能會或可能不會在下一個官方發行版出現的過渡時期機制。
+	而許多 &os; 開發者每天編譯
+	&os.current; 原始碼，可能有一段短暫的時間原始碼無法編譯成功。
+	這些問題會儘快被解決，但是無論
+	&os.current; 帶來災難或是新功能，在同步原始碼時都要考量的問題。</para>
+
+      <para>&os.current; 適合下列三類人：</para>
+
+      <orderedlist>
+	<listitem>
+	  <para>積極致力於某一部份原始碼樹的 &os; 社群成員。</para>
+	</listitem>
+
+	<listitem>
+	  <para>擔任積極測試者的 &os; 社群成員。
+	    他們願意花時間解決問題，提出 &os; 改變的建議和的大方向，並發布修補。</para>
+	</listitem>
+
+	<listitem>
+	  <para>關注某些事物，或是想參考目前的原始碼，或是偶爾提供註解或貢獻原始碼的使用者。</para>
+	</listitem>
+      </orderedlist>
+
+      <para>&os.current; <emphasis>不應該</emphasis>被認為是在下一版發行前
+	取得最新功能的快速途徑，因為尚未發行的功能並未被完整測試，很可能有bug。
+	他也不是一個取得bug修補的快速方式，
+	因為任何已知bug的修補有可能產生新的bug。
+	&os.current; 沒有任何
+	<quote>官方支援</quote>。</para>
+
+      <indexterm>
+	<primary>-CURRENT</primary>
+	<secondary>using</secondary>
+      </indexterm>
 
-      <sect3 xml:id="make-buildworld">
-	<title>編譯 Base System</title>
+      <para>追蹤 &os.current;：</para>
 
-	<para>首先請先切換到 <filename>/usr/src</filename> 目錄：</para>
+      <orderedlist>
+	<listitem>
+	  <para>加入 &a.current.name; 和
+	    &a.svn-src-head.name; 郵件論壇。這是<emphasis>必須的</emphasis>
+	    以查看人們關於系統目前狀態的評論並接收 &os.current; 目前狀態的重要公告。</para>
+
+	  <para> &a.svn-src-head.name; 論壇紀錄每一次修改的紀錄，
+	    和可能產生的副作用的相關資訊 </para>
+
+	  <para>前往 &a.mailman.lists.link;，點選論壇來訂閱，照網頁指示的步驟作，
+	    為了追蹤整個原始碼樹，不是只有 &os.current; 的改變，請訂閱
+	    &a.svn-src-all.name;論壇。</para>
+	</listitem>
+
+	<listitem>
+	  <para>同步 &os.current; 原始碼。
+	    通常使用 <link linkend="svn">svn</link> 來檢查<xref linkend="svn-mirrors"/>
+	    列出的 Subversion 鏡像站 <literal>head</literal> 分支的-CURRENT 原始碼。</para>
+
+	  <para>網路很慢或是受到限制的使用者可以如<xref linkend="ctm"/>
+	    所描述的，使用 CTM 來替代，但是他並不如 <application>svn</application>
+	    一樣值得信賴， <application>svn</application> 是建議的同步原始碼的方法。</para>
+	</listitem>
+
+	<listitem>
+	  <para> 由於程式碼庫的大小的，
+	    有些使用者選擇只同步部份他們有興趣或提供修補貢獻的部份原始碼。然而，
+	    計劃從原始碼編譯整個作業系統的使用者必須下載 <emphasis>全部</emphasis>
+	    的&os.current;，而不是只有選擇的部份。</para>
+
+	  <para>編譯 &os.current; 前
+	    <indexterm>
+	      <primary>-CURRENT</primary>
+		<secondary>compiling</secondary>
+	    </indexterm>，請非常仔細地閱讀 <filename>/usr/src/Makefile</filename>
+	    並遵從 <xref linkend="makeworld"/>的指示。
+	    閱讀 &a.current; 和 <filename>/usr/src/UPDATING</filename>
+	    來掌握下一發行版的最新狀態。</para>
+	</listitem>
+
+	<listitem>
+	  <para>熱血！很鼓勵 &os.current; 使用者
+	    發表他們對加強哪些功能或是修復哪些錯誤的建議。
+	    如果您在建議時能附上相關程式碼的話， 那真是太棒了！</para>
+	</listitem>
+      </orderedlist>
+    </sect2>
+
+    <sect2 xml:id="stable">
+      <title>使用 &os.stable;</title>
 
-	<screen>&prompt.root; <userinput>cd /usr/src</userinput></screen>
+      <para>主要發行版就是由 &os.stable; 這個開發分支而來。
+	修改進入這個分支的速度比較慢，
+	並且假設這些修改已經先在 &os.current; 測試過。
+	這<emphasis>仍然</emphasis>是一個開發分支，而且在任何時候，&os.stable; 的原始碼都可能適合或不適合一般的使用。他就只是另一個開發分支，不是給終端使用者用的。
+	沒有要進行測試的使用者應該執行最新的 &os; 發行版。</para>
+
+      <para>若有興趣去追蹤、貢獻 &os; 開發過程，尤其是會跟
+	&os;接下來的發行版有關的人,應該考慮採用 &os.stable;。</para>
+
+      <para>儘管 &os.stable; 應該在任何時候均能正確編譯、運作，但是沒有人能擔保一定如此。因為使用 &os.stable; 的人比 &os.current;多，無可避免地，
+	有時候會在 &os.stable; 發現錯誤和極端的狀況，而這在 &os.current; 並非顯而易見。
+	由於上述這些理由，我們並不建議盲目追隨 &os.stable;。
+	特別重要的是
+	<emphasis>不要</emphasis>在沒有於開發或測試環境完整測試程式碼之前，
+	升級任何上線的伺服器到 &os.stable;。</para>
+
+      <para>追蹤 &os.stable;:</para>
+
+      <indexterm>
+	<primary>-STABLE</primary>
+	  <secondary>using</secondary>
+      </indexterm>
+      <orderedlist>
+	<listitem>
+	  <para>訂閱&a.stable.name;論壇來隨時瞭解 &os.stable; 編譯時的相依關係
+	    或是其他特別需要注意的議題。
+	    開發者在考慮一些有爭議的修正或更新時，就會先在這裡發信說明， 給使用者有機會可以反應， 看他們對所提的更改是否有什麼建議或問題。</para>
+
+	  <para>訂閱要追蹤分支的 <application>svn</application>相關論壇。
+	    例如，追蹤9-STABLE分支的使用者應該訂閱&a.svn-src-stable-9.name;論壇。
+	    這個論壇紀錄每一次修改的紀錄，和可能產生的副作用的相關資訊。</para>
+
+	  <para>前往&a.mailman.lists.link;，點選論壇來訂閱，照網頁指示的步驟作，
+	    為了追蹤整個原始碼樹，請訂閱&a.svn-src-all.name;論壇。</para>
+	</listitem>
+
+	<listitem>
+	  <para>要安裝一個新的 &os.stable; 系統，
+	    從<link linkend="mirrors"> &os; 鏡像站</link>安裝最新的 &os.stable; 發行版
+	    或使用從 &os.stable;每個月的 snapshot built來安裝。更多關於快照的資訊，
+	    請參考<link xlink:href="&url.base;/snapshots/">www.freebsd.org/snapshots</link>。</para>
+
+	  <para>要編譯或升級已經安裝的 &os; 系統至 &os.stable;，
+	    請使用<link linkend="svn">svn</link>
+	      <indexterm>
+		<primary>Subversion</primary>
+	      </indexterm> 來檢查要安裝分支的原始碼。
+	    分支的名稱，例如
+	    <literal>stable/9</literal>，列在<link
+	      xlink:href="&url.base;/releng/">www.freebsd.org/releng</link>。
+	    如果沒有可靠的網際網路連線可以使用CTM (<xref linkend="ctm"/>) 。
+</para>
+	</listitem>
+
+	<listitem>
+	  <para>在編譯或升級到 &os.stable; 之前
+	    <indexterm>
+	      <primary>-STABLE</primary>
+		<secondary>compiling</secondary>
+	    </indexterm>， 請仔細閱讀 <filename>/usr/src/Makefile</filename>
+	    並遵照<xref
+	      linkend="makeworld"/>的指示。閱讀 &a.stable; 和
+	    <filename>/usr/src/UPDATING</filename>下一發行版的最新狀態。</para>
+	</listitem>
+      </orderedlist>
+    </sect2>
+  </sect1>
 
-	<para>(當然，除非你把 source code 放到其他地方，若真是這樣，
-	  就切換到那個目錄即可)。</para>
-	<indexterm><primary><command>make</command></primary></indexterm>
+  <sect1 xml:id="synching">
+    <title>同步原始碼</title>
 
-	<para>使用 &man.make.1; 指令來重新編譯 world。
-	  這指令會從 <filename>Makefile</filename> 檔(這檔會寫 &os;
-	  的程式該如何重新編譯、以哪些順序來編譯等等)去讀取相關指令。</para>
+    <para>有幾種不同的方法保持 &os; 原始碼在最新狀態。
+	這節比較這兩個主要的方法： <application>Subversion</application> 和 <application>CTM</application>。</para>
 
-	<para>一般下指令的格式如下：</para>
+    <warning>
+      <para>雖然有可能只更新部份原始碼樹，但是唯一支援的更新步驟是更新整個樹併重新編譯所有在使用者空間的程式，
+	例如在<filename>/bin</filename> 和
+	<filename>/sbin</filename>，以及核心原始碼。
+	只更新部份原始碼樹，只更新核心，或只更新使用者空間的程式時常會導致編譯錯誤，核心錯誤或是資料惡化等問題。</para>
+    </warning>
 
-	<screen>&prompt.root; <userinput>make -x -DVARIABLE target</userinput></screen>
+    <indexterm>
+      <primary>Subversion</primary>
+    </indexterm>
 
-	<para>在這個例子，<option>-<replaceable>x</replaceable></option>
-	  是你想傳給 &man.make.1; 的選項，細節說明請參閱 &man.make.1; 說明，
-	  裡面有相關範例說明。</para>
+    <para><application>Subversion</application>使用更新原始碼的
+      <emphasis>pull</emphasis> 模型。使用者，或是
+      <command>cron</command> 手稿語言, 呼叫更新本地端原始碼的
+      <command>svn</command> 程式。
+      <application>Subversion</application> is the
+      preferred method for updating local source trees as updates are
+      up-to-the-minute and the user controls when updates are
+      downloaded.  It is easy to restrict updates to specific files or
+      directories and the requested updates are generated on the fly
+      by the server.  如何使用How to synchronize source using
+      <application>Subversion</application>同步原始碼，描述於<xref
+	linkend="svn"/>。</para>
 
-	<para><option>-D<replaceable>VARIABLE</replaceable></option>
-	  則是把變數設定傳給 <filename>Makefile</filename>。  這些變數會控制
-	  <filename>Makefile</filename> 的行為。  這些設定與
-	  <filename>/etc/make.conf</filename> 的變數設定是一樣，
-	  只是另一種設定方式而已。</para>
+    <indexterm>
+      <primary><application>CTM</application></primary>
+    </indexterm>
+    <para><application>CTM</application> does not interactively
+      compare the local sources with those on the master archive or
+      otherwise pull them across.  Instead, a script which identifies
+      changes in files since its previous run is executed several
+      times a day on the master CTM machine.  Any detected changes are
+      compressed, stamped with a sequence-number, and encoded for
+      transmission over email in printable <acronym>ASCII</acronym>
+      only.  Once downloaded, these <firstterm>deltas</firstterm> can
+      be run through <command>ctm.rmail</command> which will
+      automatically decode, verify, and apply the changes to the
+      user's copy of the sources.  This process is more efficient than
+      <application>Subversion</application> and places less strain on
+      server resources since it is a <emphasis>push</emphasis>, rather
+      than a <emphasis>pull</emphasis>, model.  Instructions for using
+      <application>CTM</application> to synchronize source can be
+      found at <xref linkend="ctm"/>.</para>
+
+    <para>If a user inadvertently wipes out portions of the local
+      archive, <application>Subversion</application> will detect and
+      rebuild the damaged portions.  <application>CTM</application>
+      will not, and if a user deletes some portion of the source tree
+      and does not have a backup, they will have to start from scratch
+      from the most recent <firstterm>base delta</firstterm> and
+      rebuild it all with <application>CTM</application>.</para>
+  </sect1>
 
-	<screen>&prompt.root; <userinput>make -DNO_PROFILE target</userinput></screen>
+  <sect1 xml:id="makeworld">
+    <title>重新編譯 World</title>
 
-	<para>上面的例子則是另一種設定方式，也就是哪些不要。
-	  這個例子中的意思是不去編譯 profiled libraries，效果就如同設定在
-	  <filename>/etc/make.conf</filename> 的</para>
+    <indexterm>
+      <primary>Rebuilding <quote>world</quote></primary>
+    </indexterm>
+    <para>一旦本地端的原始碼樹和 &os; 的特定版本同步後，
+      例如 &os.stable; or &os.current;，原始碼樹就可以用來重新編譯系統。
+      這個過程叫重新編譯 world。</para>
+
+    <para>重新編譯 world <emphasis>之前</emphasis> ，請確定執行以下任務:</para>
+
+    <procedure>
+      <title>編譯 world <emphasis>之前</emphasis> 執行這些任務</title>
+
+      <step>
+	<para>備份所有重要資料到另一個系統或是可攜式媒體，
+	  檢查備份的完整性，手邊準備一個可以開機的安裝媒體。
+	  再次強調在重新編譯系統
+	  <emphasis>之前</emphasis>，製作系統的備份是非常重要的。 While
+	  rebuilding world is an easy task, there will inevitably be
+	  times when mistakes in the source tree render the system
+	  unbootable.  You will probably never have to use the backup,
+	  but it is better to be safe than sorry!</para>
+      </step>
+
+      <step>
+	<indexterm><primary>mailing list</primary></indexterm>
+	<para>Review the recent &a.stable.name; or &a.current.name;
+	  entries, depending upon the branch being tracked.  Be aware
+	  of any known problems and which systems are affected.  If a
+	  known issue affects the version of synchronized code, wait
+	  for an <quote>all clear</quote> announcement to be posted
+	  stating that the problem has been solved.  Resynchronize the
+	  sources to ensure that the local version of source has the
+	  needed fix.</para>
+      </step>
+
+      <step>
+	<para>Read <filename>/usr/src/UPDATING</filename> for any
+	  extra steps necessary for that version of the source.  This
+	  file contains important information about potential problems
+	  and may specify the order to run certain commands.  Many
+	  upgrades require specific additional steps such as renaming
+	  or deleting specific files prior to installing the new
+	  world.  These will be listed at the end of this file where
+	  the currently recommended upgrade sequence is explicitly
+	  spelled out.  If <filename>UPDATING</filename> contradicts
+	  any steps in this chapter, the instructions in
+	  <filename>UPDATING</filename> take precedence and should be
+	  followed.</para>
+      </step>
+    </procedure>
 
-	<programlisting>NO_PROFILE=    true 	#    Avoid compiling profiled libraries</programlisting>
+    <warning>
+      <title>不要使用 <command>make world</command></title>
 
-	<para><replaceable>target</replaceable> 則是告訴 &man.make.1;
-	  該去做哪些。  每個 <filename>Makefile</filename> 都會定義不同的
-	  <quote>targets</quote>，然後依您所給的 target 就會決定會做哪些動作
-	  。</para>
+      <para>某些比較老的文件建議使用 <command>make
+	  world</command>。然而，這個指令掠略過某些重要的步驟，只適合專家使用。
+	大部分的情況，使用 <command>make world</command>都是錯誤的，應該用這裡描述的步驟代替。
+	</para>
+    </warning>
 
-	<para>Some targets are listed in the
-	  <filename>Makefile</filename>, but are not meant for you to run.
-	  Instead, they are used by the build process to break out the
-	  steps necessary to rebuild the system into a number of
-	  sub-steps.</para>
+    <sect2 xml:id="canonical-build">
+      <title>程序概要</title>
 
-	<para>Most of the time you will not need to pass any parameters to
-	    &man.make.1;, and so your command like will look like
-	    this:</para>
+      <para>The build world process assumes an upgrade from an older
+	&os; version using the source of a newer version that was
+	obtained using the instructions in <xref
+	  linkend="synching"/>.</para>
+
+      <para>In &os;, the term <quote>world</quote> includes the
+	kernel, core system binaries, libraries, programming files,
+	and built-in compiler.  The order in which these components
+	are built and installed is important.</para>
+
+      <para>For example, the old compiler might have a bug and not be
+	able to compile the new kernel.  Since the new kernel should
+	be built with the new compiler, the new compiler must be
+	built, but not necessarily installed, before the new kernel is
+	built.</para>
+
+      <para>The new world might rely on new kernel features, so the
+	new kernel must be installed before the new world is
+	installed.  The old world might not run correctly on the new
+	kernel, so the new world must be installed immediately upon
+	installing the new kernel.</para>
+
+      <para>Some configuration changes must be made before the new
+	world is installed, but others might break the old world.
+	Hence, two different configuration upgrade steps are used.
+	For the most part, the update process only replaces or adds
+	files and existing old files are not deleted.  Since this can
+	cause problems, <filename>/usr/src/UPDATING</filename> will
+	indicate if any files need to be manually deleted and at which
+	step to do so.</para>
 
-	<screen>&prompt.root; <userinput>make target</userinput></screen>
+      <para>These concerns have led to the recommended upgrade
+	sequence described in the following procedure.</para>
 
-	<para>Where <replaceable>target</replaceable> will be one of
-	  many build options.  The first target should always be
-	  <varname>buildworld</varname>.</para>
+      <note>
+	<para>It is a good idea to save the output from running
+	  <command>make</command> to a file.  If something goes wrong,
+	  a copy of the error message can be posted to one of the &os;
+	  mailing lists.</para>
+
+	<para>The easiest way to do this is to use
+	  <command>script</command> with a parameter that specifies
+	  the name of the file to save all output to.  Do not save the
+	  output to <filename>/tmp</filename> as this directory may be
+	  cleared at next reboot.  A better place to save the file is
+	  <filename>/var/tmp</filename>.  Run this command immediately
+	  before rebuilding the world, and then type
+	  <userinput>exit</userinput> when the process has
+	  finished:</para>
 
-	<para>As the names imply, <buildtarget>buildworld</buildtarget>
-	  builds a complete new tree under <filename>/usr/obj</filename>,
-	  and <buildtarget>installworld</buildtarget>, another target, installs this tree on
-	  the current machine.</para>
+	<screen>&prompt.root; <userinput>script <replaceable>/var/tmp/mw.out</replaceable></userinput>
+Script started, output file is /var/tmp/mw.out</screen>
+      </note>
 
-	<para>Having separate options is very useful for two reasons.  First, it allows you
-	  to do the build safe in the knowledge that no components of
-	  your running system will be affected.  The build is
-	  <quote>self hosted</quote>.  Because of this, you can safely
-	  run <buildtarget>buildworld</buildtarget> on a machine running
-	  in multi-user mode with no fear of ill-effects.  It is still
-	  recommended that you run the
-	  <buildtarget>installworld</buildtarget> part in single user
-	  mode, though.</para>
+      <procedure>
+	<title>Overview of Build World Process</title>
 
-	<para>Secondly, it allows you to use NFS mounts to upgrade
-	  multiple machines on your network.  If you have three machines,
-	  <systemitem>A</systemitem>, <systemitem>B</systemitem> and <systemitem>C</systemitem> that you want to upgrade, run <command>make
-	  buildworld</command> and <command>make installworld</command> on
-	  <systemitem>A</systemitem>.  <systemitem>B</systemitem> and <systemitem>C</systemitem> should then NFS mount <filename>/usr/src</filename>
-	  and <filename>/usr/obj</filename> from <systemitem>A</systemitem>, and you can then run
-	  <command>make installworld</command> to install the results of
-	  the build on <systemitem>B</systemitem> and <systemitem>C</systemitem>.</para>
+	<para>The commands used in the build world process should be
+	  run in the order specified here.  This section summarizes
+	  the function of each command.</para>
+
+	<step>
+	  <para>If the build world process has previously been run on
+	    this system, a copy of the previous build may still exist
+	    in <filename>/usr/obj</filename>.  To
+	    speed up the new build world process, and possibly save
+	    some dependency headaches, remove this directory if it
+	    already exists:</para>
+
+	  <screen>&prompt.root; <userinput>chflags -R noschg /usr/obj/*</userinput>
+&prompt.root; <userinput>rm -rf /usr/obj</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Compile the new compiler and a few related tools, then
+	    use the new compiler to compile the rest of the new world.
+	    The result is saved to <filename
+	      >/usr/obj</filename>.</para>
+
+	  <screen>&prompt.root; <userinput>cd /usr/src</userinput>
+&prompt.root; <userinput>make buildworld</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Use the new compiler residing in <filename
+	      >/usr/obj</filename> to build the new
+	    kernel, in order to protect against compiler-kernel
+	    mismatches.  This is necessary, as certain memory
+	    structures may have changed, and programs like
+	    <command>ps</command> and <command>top</command> will fail
+	    to work if the kernel and source code versions are not the
+	    same.</para>
+
+	  <screen>&prompt.root; <userinput>make buildkernel</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Install the new kernel and kernel modules, making it
+	    possible to boot with the newly updated kernel.  If
+	    <varname>kern.securelevel</varname> has been raised above
+	    <literal>1</literal> <emphasis>and</emphasis>
+	    <literal>noschg</literal> or similar flags have been set
+	    on the kernel binary, drop the system into single-user
+	    mode first.  Otherwise, this command can be run from
+	    multi-user mode without problems.  See &man.init.8; for
+	    details about <varname>kern.securelevel</varname> and
+	    &man.chflags.1; for details about the various file
+	    flags.</para>
+
+	  <screen>&prompt.root; <userinput>make installkernel</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Drop the system into single-user mode in order to
+	    minimize problems from updating any binaries that are
+	    already running.  It also minimizes any problems from
+	    running the old world on a new kernel.</para>
 
-	<para>Although the <buildtarget>world</buildtarget> target still exists,
-	  you are strongly encouraged not to use it.</para>
+	  <screen>&prompt.root; <userinput>shutdown now</userinput></screen>
 
-	<para>Run</para>
+	  <para>Once in single-user mode, run these commands if the
+	    system is formatted with UFS:</para>
 
-	<screen>&prompt.root; <userinput>make buildworld</userinput></screen>
+	  <screen>&prompt.root; <userinput>mount -u /</userinput>
+&prompt.root; <userinput>mount -a -t ufs</userinput>
+&prompt.root; <userinput>swapon -a</userinput></screen>
 
-        <para>It is possible to specify a <option>-j</option> option to
-          <command>make</command> which will cause it to spawn several
-          simultaneous processes.  This is most useful on multi-CPU machines.
-          However, since much of the compiling process is IO bound rather
-          than CPU bound it is also useful on single CPU machines.</para>
+	  <para>If the system is instead formatted with ZFS, run these
+	    two commands.  This example assumes a zpool name of
+	    <literal>zroot</literal>:</para>
+
+	  <screen>&prompt.root; <userinput>zfs set readonly=off zroot</userinput>
+&prompt.root; <userinput>zfs mount -a</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Optional: If a keyboard mapping other than the default
+	    US English is desired, it can be changed with
+	    &man.kbdmap.1;:</para>
+
+	  <screen>&prompt.root; <userinput>kbdmap</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Then, for either file system, if the
+	    <acronym>CMOS</acronym> clock is set to local time (this
+	    is true if the output of &man.date.1; does not show the
+	    correct time and zone), run:</para>
+
+	  <screen>&prompt.root; <userinput>adjkerntz -i</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Remaking the world will not update certain
+	    directories, such as <filename>/etc</filename>,
+	    <filename>/var</filename> and <filename>/usr</filename>,
+	    with new or changed configuration files.  The next step is
+	    to perform some initial configuration file updates
+	    to <filename>/etc</filename> in
+	    preparation for the new world.  The following command
+	    compares only those files that are essential for the
+	    success of <buildtarget>installworld</buildtarget>.  For
+	    instance, this step may add new groups, system accounts,
+	    or startup scripts which have been added to &os; since the
+	    last update.  This is necessary so that the
+	    <buildtarget>installworld</buildtarget> step will be able
+	    to use any new system accounts, groups, and scripts.
+	    Refer to <xref linkend="mergemaster"/> for more detailed
+	    instructions about this command:</para>
+
+	  <screen>&prompt.root; <userinput>mergemaster -p</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Install the new world and system binaries from
+	    <filename>/usr/obj</filename>.</para>
 
-	<para>On a typical single-CPU machine you would run:</para>
+	  <screen>&prompt.root; <userinput>cd /usr/src</userinput>
+&prompt.root; <userinput>make installworld</userinput></screen>
+	</step>
 
-	  <screen>&prompt.root; <userinput>make -j4 buildworld</userinput></screen>
+	<step>
+	  <para>Update any remaining configuration files.</para>
 
-	<para>&man.make.1; will then have up to 4 processes running at any one
-	  time.  Empirical evidence posted to the mailing lists shows this
-	  generally gives the best performance benefit.</para>
+	  <screen>&prompt.root; <userinput>mergemaster -iF</userinput></screen>
+	</step>
 
-	<para>If you have a multi-CPU machine and you are using an SMP
-	  configured kernel try values between 6 and 10 and see how they speed
-	  things up.</para>
-      </sect3>
+	<step>
+	  <para>Delete any obsolete files.  This is important as they
+	    may cause problems if left on the disk.</para>
+
+	  <screen>&prompt.root; <userinput>make delete-old</userinput></screen>
+	</step>
+
+	<step>
+	  <para>A full reboot is now needed to load the new kernel and
+	    new world with the new configuration files.</para>
+
+	  <screen>&prompt.root; <userinput>reboot</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Make sure that all installed ports have first been
+	    rebuilt before old libraries are removed using the
+	    instructions in  <xref linkend="ports-upgrading"/>.  When
+	    finished, remove any obsolete libraries to avoid conflicts
+	    with newer ones.  For a more detailed description of this
+	    step, refer to <xref linkend="make-delete-old"/>.</para>
+
+	  <screen>&prompt.root; <userinput>make delete-old-libs</userinput></screen>
+	</step>
+      </procedure>
 
-      <sect3>
-	<title>Timings</title>
-	<indexterm>
-	  <primary>rebuilding <quote>world</quote></primary>
-	  <secondary>timings</secondary>
-	</indexterm>
+      <indexterm><primary>single-user mode</primary></indexterm>
 
-        <para>Many factors influence the build time, but fairly recent
-          machines may only take a one or two hours to build
-          the &os.stable; tree, with no tricks or shortcuts used during the
-          process.  A &os.current; tree will take somewhat longer.</para>
-      </sect3>
+      <para>If the system can have a window of down-time, consider
+	compiling the system in single-user mode instead of compiling
+	the system in multi-user mode, and then dropping into
+	single-user mode for the installation.  Reinstalling the
+	system touches a lot of important system files, all the
+	standard system binaries, libraries, and include files.
+	Changing these on a running system, particularly one with
+	active users, is asking for trouble.</para>
     </sect2>
 
-    <sect2>
-      <title>Compile and Install a New Kernel</title>
+    <sect2 xml:id="src-updating">
+      <title>Configuration Files</title>
+
       <indexterm>
-        <primary>kernel</primary>
-	<secondary>compiling</secondary>
+	<primary><filename>make.conf</filename></primary>
       </indexterm>
 
-      <para>To take full advantage of your new system you should recompile the
-	kernel.  This is practically a necessity, as certain memory structures
-	may have changed, and programs like &man.ps.1; and &man.top.1; will
-	fail to work until the kernel and source code versions are the
-	same.</para>
-
-      <para>The simplest, safest way to do this is to build and install a
-	kernel based on <filename>GENERIC</filename>.  While
-	<filename>GENERIC</filename> may not have all the necessary devices
-	for your system, it should contain everything necessary to boot your
-	system back to single user mode.  This is a good test that the new
-	system works properly.  After booting from
-	<filename>GENERIC</filename> and verifying that your system works you
-	can then build a new kernel based on your normal kernel	configuration
-	file.</para>
-
-      <para>On &os; it is important to <link linkend="make-buildworld">build world</link> before building a
-        new kernel.</para>
-
-      <note><para>If you want to build a custom kernel, and already have a configuration
-	file, just use <literal>KERNCONF=MYKERNEL</literal>
-	like this:</para>
+      <para>This build world process uses several configuration
+	files.</para>
 
-      <screen>&prompt.root; <userinput>cd /usr/src</userinput>
-&prompt.root; <userinput>make buildkernel KERNCONF=MYKERNEL</userinput>
-&prompt.root; <userinput>make installkernel KERNCONF=MYKERNEL</userinput></screen>
-      </note>
+      <para>The <filename>Makefile</filename> located in
+	<filename>/usr/src</filename> describes how the programs that
+	comprise &os; should be built and the order in which they
+	should be built.</para>
+
+      <para>The options available to <command>make</command> are
+	described in &man.make.conf.5; and some common examples are
+	included in
+	<filename>/usr/share/examples/etc/make.conf</filename>.  Any
+	options which are added to <filename>/etc/make.conf</filename>
+	will control the how <command>make</command> runs and builds
+	programs.  These options take effect every time
+	<command>make</command> is used, including compiling
+	applications from the Ports Collection, compiling custom C
+	programs, or building the &os; operating system.  Changes to
+	some settings can have far-reaching and potentially surprising
+	effects.  Read the comments in both locations and keep in mind
+	that the defaults have been chosen for a combination of
+	performance and safety.</para>
 
-      <para>Note that if you have raised <literal>kern.securelevel</literal>
-	above 1 <emphasis>and</emphasis> you have set either the
-	<literal>noschg</literal> or similar flags to your kernel binary, you
-	might find it necessary to drop into single user mode to use
-	<buildtarget>installkernel</buildtarget>.  Otherwise you should be able
-	to run both these commands from multi user mode without
-	problems.  See &man.init.8; for details about
-	<literal>kern.securelevel</literal> and &man.chflags.1; for details
-	about the various file flags.</para>
-    </sect2>
-
-    <sect2>
-      <title>Reboot into Single User Mode</title>
-      <indexterm><primary>single-user mode</primary></indexterm>
+      <indexterm>
+	<primary><filename>src.conf</filename></primary>
+      </indexterm>
 
-      <para>You should reboot into single user mode to test the new kernel
-	works.  Do this by following the instructions in
-	<xref linkend="makeworld-singleuser"/>.</para>
+      <para>How the operating system is built from source code is
+	controlled by <filename>/etc/src.conf</filename>.  Unlike
+	<filename>/etc/make.conf</filename>, the contents of
+	<filename>/etc/src.conf</filename> only take effect when the
+	&os; operating system itself is being built.  Descriptions of
+	the many options available for this file are shown in
+	&man.src.conf.5;.  Be cautious about disabling seemingly
+	unneeded kernel modules and build options.  Sometimes there
+	are unexpected or subtle interactions.</para>
     </sect2>
 
-    <sect2 xml:id="make-installworld">
-      <title>Install the New System Binaries</title>
+    <sect2 xml:id="make-buildworld">
+      <title>Variables and Targets</title>
 
-      <para>If you were building a version of &os; recent enough to have
-	used <command>make buildworld</command> then you should now use
-	<buildtarget>installworld</buildtarget> to install the new system
-	binaries.</para>
+      <para>The general format for using <command>make</command> is as
+	follows:</para>
 
-      <para>Run</para>
+      <screen>&prompt.root; <userinput>make -<replaceable>x</replaceable> -D<replaceable>VARIABLE</replaceable> <replaceable>target</replaceable></userinput></screen>
 
-      <screen>&prompt.root; <userinput>cd /usr/src</userinput>
-&prompt.root; <userinput>make installworld</userinput></screen>
+      <para>In this example,
+	<option>-<replaceable>x</replaceable></option> is an option
+	passed to <command>make</command>.  Refer to &man.make.1; for
+	examples of the available options.</para>
+
+      <para>To pass a variable, specify the variable name with
+	<option>-D<replaceable>VARIABLE</replaceable></option>.  The
+	behavior of the <filename>Makefile</filename> is controlled by
+	variables.  These can either be set in
+	<filename>/etc/make.conf</filename> or they can be specified
+	when using <command>make</command>.  For example, this
+	variable specifies that profiled libraries should not be
+	built:</para>
+
+      <screen>&prompt.root; <userinput>make -DNO_PROFILE <replaceable>target</replaceable></userinput></screen>
+
+      <para>It corresponds with this setting in
+	<filename>/etc/make.conf</filename>:</para>
+
+      <programlisting>NO_PROFILE=    true     #    Avoid compiling profiled libraries</programlisting>
+
+      <para>The <replaceable>target</replaceable> tells
+	<command>make</command> what to do and the
+	<filename>Makefile</filename> defines the available targets.
+	Some targets are used by the build process to break out the
+	steps necessary to rebuild the system into a number of
+	sub-steps.</para>
+
+      <para>Having separate options is useful for two reasons.  First,
+	it allows for a build that does not affect any components of a
+	running system.  Because of this,
+	<buildtarget>buildworld</buildtarget> can be safely run on a
+	machine running in multi-user mode.  It is still recommended
+	that <buildtarget>installworld</buildtarget> be run in part in
+	single-user mode, though.</para>
+
+      <para>Secondly, it allows <acronym>NFS</acronym> mounts to be
+	used to upgrade multiple machines on a network, as described
+	in <xref linkend="small-lan"/>.</para>
+
+      <para>It is possible to specify <option>-j</option> which will
+	cause <command>make</command> to spawn several simultaneous
+	processes.  Since much of the compiling process is
+	<acronym>I/O</acronym>-bound rather than
+	<acronym>CPU</acronym>-bound, this is useful on both single
+	<acronym>CPU</acronym> and multi-<acronym>CPU</acronym>
+	machines.</para>
+
+      <para>On a single-<acronym>CPU</acronym> machine, run the
+	following command to have up to 4 processes running at any one
+	time.  Empirical evidence posted to the mailing lists shows
+	this generally gives the best performance benefit.</para>
+
+      <screen>&prompt.root; <userinput>make -j4 buildworld</userinput></screen>
+
+      <para>On a multi-<acronym>CPU</acronym> machine, try values
+	between <literal>6</literal> and <literal>10</literal> to see
+	how they speed things up.</para>
+
+      <indexterm>
+	<primary>rebuilding <quote>world</quote></primary>
+	<secondary>timings</secondary>
+      </indexterm>
 
       <note>
-	<para>If you specified variables on the <command>make
-	    buildworld</command> command line, you must specify the same
-	  variables in the <command>make installworld</command> command
-	  line.  This does not necessarily hold true for other options;
-	  for example, <option>-j</option> must never be used with
-	  <buildtarget>installworld</buildtarget>.</para>
+	<para>If any variables were specified to <command>make
+	    buildworld</command>, specify the same variables to
+	  <command>make installworld</command>.  However,
+	  <option>-j</option> must <emphasis>never</emphasis> be used
+	  with <buildtarget>installworld</buildtarget>.</para>
 
-	<para>For example, if you ran:</para>
+	<para>For example, if this command was used:</para>
 
 	<screen>&prompt.root; <userinput>make -DNO_PROFILE buildworld</userinput></screen>
 
-	<para>you must install the results with:</para>
+	<para>Install the results with:</para>
 
 	<screen>&prompt.root; <userinput>make -DNO_PROFILE installworld</userinput></screen>
 
-	<para>otherwise it would try to install profiled libraries that
-	  had not been built during the <command>make buildworld</command>
-	  phase.</para>
+	<para>Otherwise, the second command will try to install
+	  profiled libraries that were not built during the
+	  <command>make buildworld</command> phase.</para>
       </note>
     </sect2>
 
-    <sect2>
-      <title>Update Files Not Updated by <command>make installworld</command></title>
-
-      <para>Remaking the world will not update certain directories (in
-	particular, <filename>/etc</filename>, <filename>/var</filename> and
-	<filename>/usr</filename>) with new or changed configuration files.</para>
-
-      <para>The simplest way to update these files is to use
-        &man.mergemaster.8;, though it is possible to do it manually
-        if you would prefer to do that.  Regardless of which way you
-	choose, be sure to make a backup of <filename>/etc</filename> in
-	case anything goes wrong.</para>
-
-    <sect3 xml:id="mergemaster">
-      <info><title><command>mergemaster</command></title>
-	<authorgroup>
-	  <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed by </contrib></author>
-	</authorgroup>
-      </info>
-      
-        <indexterm><primary><command>mergemaster</command></primary></indexterm>
-
-      <para>The &man.mergemaster.8; utility is a Bourne script that will
-        aid you in determining the differences between your configuration files
-        in <filename>/etc</filename>, and the configuration files in
-        the source tree <filename>/usr/src/etc</filename>. This is
-        the recommended solution for keeping the system configuration files up to date
-        with those located in the source tree.</para>
-
-      <para>To begin simply type <command>mergemaster</command> at your prompt, and
-        watch it start going.  <command>mergemaster</command> will then build a
-        temporary root environment, from <filename>/</filename> down, and populate
-        it with various system configuration files.  Those files are then compared
-        to the ones currently installed in your system.  At this point, files that
-        differ will be shown in &man.diff.1; format, with the <option>+</option> sign
-        representing added or modified lines, and <option>-</option> representing
-        lines that will be either removed completely, or replaced with a new line.
-        See the &man.diff.1; manual page for more information about the &man.diff.1;
-        syntax and how file differences are shown.</para>
-
-      <para>&man.mergemaster.8; will then show you each file that displays variances,
-        and at this point you will have the option of either deleting the new file (referred
-        to as the temporary file), installing the temporary file in its unmodified state,
-        merging the temporary file with the currently installed file, or viewing the
-        &man.diff.1; results again.</para>
-
-      <para>Choosing to delete the temporary file will tell &man.mergemaster.8; that we
-        wish to keep our current file unchanged, and to delete the new version.
-        This option is not recommended, unless you see no
-        reason to change the current file.  You can get help at any time by
-        typing <keycap>?</keycap> at the &man.mergemaster.8; prompt.  If the user
-        chooses to skip a file, it will be presented again after all other files
-        have been dealt with.</para>
-
-      <para>Choosing to install the unmodified temporary file will replace the
-        current file with the new one.  For most unmodified files, this is the best
-        option.</para>
-
-      <para>Choosing to merge the file will present you with a text editor,
-        and the contents of both files.  You can now merge them by
-        reviewing both files side by side on the screen, and choosing parts from
-        both to create a finished product.  When the files are compared side by side,
-        the <keycap>l</keycap> key will select the left contents and the
-        <keycap>r</keycap> key will select contents from your right.
-        The final output will be a file consisting of both parts, which can then be
-        installed.  This option is customarily used for files where settings have been
-        modified by the user.</para>
-
-      <para>Choosing to view the &man.diff.1; results again will show you the file differences
-        just like &man.mergemaster.8; did before prompting you for an option.</para>
-
-      <para>After &man.mergemaster.8; is done with the system files you will be
-        prompted for other options.  &man.mergemaster.8; may ask if you want to rebuild
-        the password file and will finish up with an option to
-        remove left-over temporary files.</para>
-      </sect3>
+    <sect2 xml:id="mergemaster">
+      <info>
+      <title>Merging Configuration Files</title>
+
+	  <authorgroup>
+	    <author>
+	      <personname>
+		<firstname>Tom</firstname>
+		<surname>Rhodes</surname>
+	      </personname>
+	      <contrib>Contributed by </contrib>
+	    </author>
+	  </authorgroup>
+	</info>
 
-      <sect3>
-	<title>Manual Update</title>
-
-      <para>If you wish to do the update manually, however,
-        you cannot just copy over the files from
-	<filename>/usr/src/etc</filename> to <filename>/etc</filename> and
-	have it work.  Some of these files must be <quote>installed</quote>
-	first.  This is because the <filename>/usr/src/etc</filename>
-	directory <emphasis>is not</emphasis> a copy of what your
-	<filename>/etc</filename> directory should look like.  In addition,
-	there are files that should be in <filename>/etc</filename> that are
-	not in <filename>/usr/src/etc</filename>.</para>
-
-      <para>If you are using &man.mergemaster.8; (as recommended),
-        you can skip forward to the <link linkend="cutting-edge-rebooting">next
-	section</link>.</para>
-
-      <para>The simplest way to do this by hand is to install the
-	files into a new directory, and then work through them looking
-	for differences.</para>
+	<indexterm>
+	  <primary>
+	    <command>mergemaster</command>
+	  </primary>
+	</indexterm>
 
-      <warning>
-	<title>Backup Your Existing <filename>/etc</filename></title>
+      <para>&os; provides the &man.mergemaster.8; Bourne script to aid
+	in determining the differences between the configuration files
+	in <filename>/etc</filename>, and the configuration files in
+	<filename>/usr/src/etc</filename>.  This is the recommended
+	solution for keeping the system configuration files up to date
+	with those located in the source tree.</para>
+
+      <para>Before using <command>mergemaster</command>, it is
+	recommended to first copy the existing
+	<filename>/etc</filename> somewhere safe.  Include
+	<option>-R</option> which does a recursive copy and
+	<option>-p</option> which preserves times and the ownerships
+	on files:</para>
+
+      <screen>&prompt.root; <userinput>cp -Rp /etc /etc.old</userinput></screen>
+
+      <para>When run, <command>mergemaster</command> builds a
+	temporary root environment, from <filename>/</filename> down,
+	and populates it with various system configuration files.
+	Those files are then compared to the ones currently installed
+	in the system.  Files that differ will be shown in
+	&man.diff.1; format, with the <option>+</option> sign
+	representing added or modified lines, and <option>-</option>
+	representing lines that will be either removed completely or
+	replaced with a new file.  Refer to &man.diff.1; for more
+	information about how file differences are shown.</para>
+
+      <para>Next, <command>mergemaster</command> will display each
+	file that differs, and present options to: delete the new
+	file, referred to as the temporary file, install the temporary
+	file in its unmodified state, merge the temporary file with
+	the currently installed file, or view the results
+	again.</para>
+
+      <para>Choosing to delete the temporary file will tell
+	<command>mergemaster</command> to keep the current file
+	unchanged and to delete the new version.  This option is not
+	recommended.  To get help at any time, type
+	<keycap>?</keycap> at the <command>mergemaster</command>
+	prompt.  If the user chooses to skip a file, it will be
+	presented again after all other files have been dealt
+	with.</para>
+
+      <para>Choosing to install the unmodified temporary file will
+	replace the current file with the new one.  For most
+	unmodified files, this is the best option.</para>
+
+      <para>Choosing to merge the file will present a text editor, and
+	the contents of both files.  The files can be merged by
+	reviewing both files side by side on the screen, and choosing
+	parts from both to create a finished product.  When the files
+	are compared side by side, <keycap>l</keycap> selects the left
+	contents and <keycap>r</keycap> selects contents from the
+	right.  The final output will be a file consisting of both
+	parts, which can then be installed.  This option is
+	customarily used for files where settings have been modified
+	by the user.</para>
+
+      <para>Choosing to view the results again will redisplay the file
+	differences.</para>
+
+      <para>After <command>mergemaster</command> is done with the
+	system files, it will prompt for other options.  It may prompt
+	to rebuild the password file and will finish up with an option
+	to remove left-over temporary files.</para>
+<!--
+Probably not needed as changes should be minimal and mergemaster does
+a good job of merging.
+	<tip>
+	  <title>Name the New Root Directory
+	    (<filename>/var/tmp/root</filename>)
+	    with a Time Stamp, so You Can Easily Compare Differences
+	    Between Versions</title>
+
+	  <para>Frequently rebuilding world entails frequently
+	    updating <filename>/etc</filename>
+	    as well, which can be a bit of a chore.</para>
+
+	  <para>To speed up this process, use the following
+	    procedure to keep a copy of the last set of changed files
+	    that were merged into <filename>/etc</filename>.</para>
+
+	  <procedure>
+	    <step>
+	      <para>Make the world as normal.  When updating
+		<filename>/etc</filename> and the
+		other directories, give the target directory a name
+		based on the current date:</para>
 
-	<para>Although, in theory, nothing is going to touch this directory
-	  automatically, it is always better to be sure.  So copy your
-	  existing <filename>/etc</filename> directory somewhere safe.
-	  Something like:</para>
+	      <screen>&prompt.root; <userinput>mkdir /var/tmp/root-20130214</userinput>
+&prompt.root; <userinput>cd /usr/src/etc</userinput>
+&prompt.root; <userinput>make DESTDIR=/var/tmp/root-20130214 \
+    distrib-dirs distribution</userinput></screen>
+	    </step>
 
-	<screen>&prompt.root; <userinput>cp -Rp /etc /etc.old</userinput></screen>
+	    <step>
+	      <para>Merge in the changes from this directory as
+		outlined above.  <emphasis>Do not</emphasis> remove
+		the <filename>/var/tmp/root-20130214</filename>
+		directory when you have finished.</para>
+	    </step>
+
+	    <step>
+	      <para>After downloading the latest version of the
+		source and remaking it, follow step 1.  Create a new
+		directory, which reflects the new date.  This example
+		uses
+		<filename>/var/tmp/root-20130221</filename>.</para>
+	    </step>
+
+	    <step>
+	      <para>Use &man.diff.1; to see the differences that have
+		been made in the intervening week by creating a
+		recursive diff between the two directories:</para>
+
+	      <screen>&prompt.root; <userinput>cd /var/tmp</userinput>
+&prompt.root; <userinput>diff -r root-20130214 root-20130221</userinput></screen>
+
+	      <para>Typically, this will be a much smaller set of
+		differences than those between
+		<filename>/var/tmp/root-20130221/etc</filename> and
+		<filename>/etc</filename>.  Because the set of
+		differences is smaller, it is easier to migrate those
+		changes across into <filename>/etc</filename>.</para>
+	    </step>
+
+	    <step>
+	      <para>When finished, remove the older of the two
+		<filename>/var/tmp/root-*</filename>
+		directories:</para>
+
+	      <screen>&prompt.root; <userinput>rm -rf /var/tmp/root-20130214</userinput></screen>
+	    </step>
+
+	    <step>
+	      <para>Repeat this process whenever merging
+		in changes to <filename>/etc</filename>.</para>
+	    </step>
+	  </procedure>
+
+	  <para>Use &man.date.1; to automate the generation of the
+	    directory names:</para>
+
+	  <screen>&prompt.root; <userinput>mkdir /var/tmp/root-`date "+%Y%m%d"`</userinput></screen>
+	</tip>
+	-->
+    </sect2>
 
-	<para><option>-R</option> does a recursive copy, <option>-p</option>
-	  preserves times, ownerships on files and suchlike.</para>
-      </warning>
+    <sect2 xml:id="make-delete-old">
+      <info>
+	<title>Deleting Obsolete Files and Libraries</title>
 
-      <para>You need to build a dummy set of directories to install the new
-	<filename>/etc</filename> and other files into.
-	<filename>/var/tmp/root</filename> is a reasonable choice, and
-	there are a number of subdirectories required under this as
-	well.</para>
+	<authorgroup>
+	  <author>
+	    <personname>
+	      <firstname>Anton</firstname>
+	      <surname>Shterenlikht</surname>
+	    </personname>
+	    <contrib>Based on notes provided by </contrib>
+	  </author>
+	</authorgroup>
+      </info>
 
-      <screen>&prompt.root; <userinput>mkdir /var/tmp/root</userinput>
-&prompt.root; <userinput>cd /usr/src/etc</userinput>
-&prompt.root; <userinput>make DESTDIR=/var/tmp/root distrib-dirs distribution</userinput></screen>
+      <indexterm>
+	<primary>Deleting obsolete files and directories</primary>
+      </indexterm>
 
-      <para>This will build the necessary directory structure and install the
-	files.  A lot of the subdirectories that have been created under
-	<filename>/var/tmp/root</filename> are empty and should be deleted.
-	The simplest way to do this is to:</para>
-
-      <screen>&prompt.root; <userinput>cd /var/tmp/root</userinput>
-&prompt.root; <userinput>find -d . -type d | xargs rmdir 2&gt;/dev/null</userinput></screen>
-
-      <para>This will remove all empty directories.  (Standard error is
-        redirected to <filename>/dev/null</filename> to prevent the warnings
-        about the directories that are not empty.)</para>
-
-      <para><filename>/var/tmp/root</filename> now contains all the files that
-	should be placed in appropriate locations below
-	<filename>/</filename>.  You now have to go through each of these
-	files, determining how they differ with your existing files.</para>
-
-      <para>Note that some of the files that will have been installed in
-	<filename>/var/tmp/root</filename> have a leading <quote>.</quote>.  At the
-	time of writing the only files like this are shell startup files in
-	<filename>/var/tmp/root/</filename> and
-	<filename>/var/tmp/root/root/</filename>, although there may be others
-	(depending on when you are reading this).  Make sure you use
-	<command>ls -a</command> to catch them.</para>
-
-      <para>The simplest way to do this is to use &man.diff.1; to compare the
-	two files:</para>
-
-      <screen>&prompt.root; <userinput>diff /etc/shells /var/tmp/root/etc/shells</userinput></screen>
-
-      <para>This will show you the differences between your
-	<filename>/etc/shells</filename> file and the new
-	<filename>/var/tmp/root/etc/shells</filename> file.  Use these to decide whether to
-	merge in changes that you have made or whether to copy over your old
-	file.</para>
-
-      <tip>
-	<title>Name the New Root Directory
-	  (<filename>/var/tmp/root</filename>) with a Time Stamp, so You Can
-	  Easily Compare Differences Between Versions</title>
-
-	<para>Frequently rebuilding the world means that you have to update
-	<filename>/etc</filename> frequently as well, which can be a bit of
-	  a chore.</para>
-
-	<para>You can speed this process up by keeping a copy of the last set
-	  of changed files that you merged into <filename>/etc</filename>.
-	  The following procedure gives one idea of how to do this.</para>
-
-	<procedure>
-	  <step>
-	    <para>Make the world as normal.  When you want to update
-	      <filename>/etc</filename> and the other directories, give the
-	      target directory a name based on the current date.  If you were
-	      doing this on the 14th of February 1998 you could do the
-	      following:</para>
+      <para>As a part of the &os; development lifecycle, files and
+	their contents occasionally become obsolete.  This may be
+	because functionality is implemented elsewhere, the version
+	number of the library has changed, or it was removed from the
+	system entirely.  These obsoleted files, libraries, and
+	directories should be removed when updating the system.
+	This ensures that the system is not cluttered with old files
+	which take up unnecessary space on the storage and backup
+	media.  Additionally, if the old library has a security or
+	stability issue, the system should be updated to the newer
+	library to keep it safe and to prevent crashes caused by the
+	old library.  Files, directories, and libraries which are
+	considered obsolete are listed in
+	<filename>/usr/src/ObsoleteFiles.inc</filename>.  The
+	following instructions should be used to remove obsolete files
+	during the system upgrade process.</para>
+
+      <para>After the <command>make installworld</command> and the
+	subsequent <command>mergemaster</command> have finished
+	successfully, check for obsolete files and libraries:</para>
 
-	    <screen>&prompt.root; <userinput>mkdir /var/tmp/root-19980214</userinput>
-&prompt.root; <userinput>cd /usr/src/etc</userinput>
-&prompt.root; <userinput>make DESTDIR=/var/tmp/root-19980214 \
-    distrib-dirs distribution</userinput></screen>
-	  </step>
+      <screen>&prompt.root; <userinput>cd /usr/src</userinput>
+&prompt.root; <userinput>make check-old</userinput></screen>
 
-	  <step>
-	    <para>Merge in the changes from this directory as outlined
-	      above.</para>
-
-	    <para><emphasis>Do not</emphasis> remove the
-	      <filename>/var/tmp/root-19980214</filename> directory when you
-	      have finished.</para>
-	  </step>
-
-	  <step>
-	    <para>When you have downloaded the latest version of the source
-	      and remade it, follow step 1.  This will give you a new
-	      directory, which might be called
-	      <filename>/var/tmp/root-19980221</filename> (if you wait a week
-	      between doing updates).</para>
-	  </step>
-
-	  <step>
-	    <para>You can now see the differences that have been made in the
-	      intervening week using &man.diff.1; to create a recursive diff
-	      between the two directories:</para>
-
-	    <screen>&prompt.root; <userinput>cd /var/tmp</userinput>
-&prompt.root; <userinput>diff -r root-19980214 root-19980221</userinput></screen>
-
-	    <para>Typically, this will be a much smaller set of differences
-	      than those between
-	      <filename>/var/tmp/root-19980221/etc</filename> and
-	      <filename>/etc</filename>.  Because the set of differences is
-	      smaller, it is easier to migrate those changes across into your
-	      <filename>/etc</filename> directory.</para>
-	  </step>
-
-	  <step>
-	    <para>You can now remove the older of the two
-	      <filename>/var/tmp/root-*</filename> directories:</para>
-
-	    <screen>&prompt.root; <userinput>rm -rf /var/tmp/root-19980214</userinput></screen>
-	  </step>
-
-	  <step>
-	    <para>Repeat this process every time you need to merge in changes
-	      to <filename>/etc</filename>.</para>
-	  </step>
-	</procedure>
+      <para>If any obsolete files are found, they can be deleted using
+	the following command:</para>
 
-	<para>You can use &man.date.1; to automate the generation of the
-	  directory names:</para>
+      <screen>&prompt.root; <userinput>make delete-old</userinput></screen>
 
-	<screen>&prompt.root; <userinput>mkdir /var/tmp/root-`date "+%Y%m%d"`</userinput></screen>
-      </tip>
-      </sect3>
-    </sect2>
+      <para>A prompt is displayed before deleting each obsolete file.
+	To skip the prompt and let the system remove these files
+	automatically, use
+	<varname>BATCH_DELETE_OLD_FILES</varname>:</para>
 
-    <sect2 xml:id="cutting-edge-rebooting">
-      <title>Rebooting</title>
+      <screen>&prompt.root; <userinput>make -DBATCH_DELETE_OLD_FILES delete-old</userinput></screen>
 
-      <para>You are now done.  After you have verified that everything appears
-	to be in the right place you can reboot the system.  A simple
-	&man.shutdown.8; should do it:</para>
+      <para>The same goal can be achieved by piping these commands
+	through <command>yes</command>:</para>
 
-      <screen>&prompt.root; <userinput>shutdown -r now</userinput></screen>
-    </sect2>
+      <screen>&prompt.root; <userinput>yes|make delete-old</userinput></screen>
 
-    <sect2>
-      <title>Finished</title>
+      <warning>
+	<title>Warning</title>
 
-      <para>You should now have successfully upgraded your &os; system.
-	Congratulations.</para>
+	<para>Deleting obsolete files will break applications that
+	  still depend on those obsolete files.  This is especially
+	  true for old libraries.  In most cases, the programs, ports,
+	  or libraries that used the old library need to be recompiled
+	  before <command>make delete-old-libs</command> is
+	  executed.</para>
+      </warning>
 
-      <para>If things went slightly wrong, it is easy to rebuild a particular
-        piece of the system.  For example, if you accidentally deleted
-        <filename>/etc/magic</filename> as part of the upgrade or merge of
-        <filename>/etc</filename>, the &man.file.1; command will stop working.
-        In this case, the fix would be to run:</para>
+      <para>Utilities for checking shared library dependencies include
+	<package>sysutils/libchk</package> and
+	<package>sysutils/bsdadminscripts</package>.</para>
+
+      <para>Obsolete shared libraries can conflict with newer
+	libraries, causing messages like these:</para>
+
+      <screen>/usr/bin/ld: warning: libz.so.4, needed by /usr/local/lib/libtiff.so, may conflict with libz.so.5
+/usr/bin/ld: warning: librpcsvc.so.4, needed by /usr/local/lib/libXext.so, may conflict with librpcsvc.so.5</screen>
+
+      <para>To solve these problems, determine which port installed
+	the library:</para>
+
+      <screen>&prompt.root; <userinput>pkg which /usr/local/lib/libtiff.so</userinput>
+  /usr/local/lib/libtiff.so was installed by package tiff-3.9.4
+&prompt.root; <userinput>pkg which /usr/local/lib/libXext.so</userinput>
+  /usr/local/lib/libXext.so was installed by package libXext-1.1.1,1</screen>
+
+      <para>Then deinstall, rebuild, and reinstall the port.  To
+	automate this process,
+	<package>ports-mgmt/portmaster</package> can be used.  After
+	all ports are rebuilt and no longer use the old libraries,
+	delete the old libraries using the following command:</para>
+
+      <screen>&prompt.root; <userinput>make delete-old-libs</userinput></screen>
+
+      <para>If something goes wrong, it is easy to rebuild a
+	particular piece of the system.  For example, if
+	<filename>/etc/magic</filename> was accidentally deleted as
+	part of the upgrade or merge of <filename>/etc</filename>,
+	<command>file</command> will stop working.  To fix this,
+	run:</para>
 
-	<screen>&prompt.root; <userinput>cd /usr/src/usr.bin/file</userinput>
+      <screen>&prompt.root; <userinput>cd /usr/src/usr.bin/file</userinput>
 &prompt.root; <userinput>make all install</userinput></screen>
     </sect2>
 
-    <sect2>
-      <title>Questions</title>
+    <sect2 xml:id="updating-questions">
+      <title>Common Questions</title>
 
-      <qandaset>
-	<qandaentry>
-	  <question>
-	    <para>Do I need to re-make the world for every change?</para>
-	  </question>
-
-	  <answer>
-            <para>There is no easy answer to this one, as it depends on the
-	      nature of the change.  For example, if you just ran <application>CVSup</application>, and
-	      it has shown the following files as being updated:</para>
+      <variablelist>
+	<varlistentry>
+	  <term>Do I need to re-make the world for every
+	      change?</term>
+
+	  <listitem>
+	    <para>It depends upon the nature of the change.  For
+	      example, if <application>svn</application> only shows
+	      the following files as being updated:</para>
 
 	    <screen><filename>src/games/cribbage/instr.c</filename>
 <filename>src/games/sail/pl_main.c</filename>
@@ -1180,356 +1805,272 @@
 <filename>src/release/sysinstall/media.c</filename>
 <filename>src/share/mk/bsd.port.mk</filename></screen>
 
-	    <para>it probably is not worth rebuilding the entire world.
-	      You could just go to the appropriate sub-directories and
-	      <command>make all install</command>, and that's about it.  But
-	      if something major changed, for example
-	      <filename>src/lib/libc/stdlib</filename> then you should either
-	      re-make the world, or at least those parts of it that are
-	      statically linked (as well as anything else you might have added
-	      that is statically linked).</para>
-
-	    <para>At the end of the day, it is your call.  You might be happy
-	      re-making the world every fortnight say, and let changes
-	      accumulate over that fortnight.  Or you might want to re-make
-	      just those things that have changed, and be confident you can
-	      spot all the dependencies.</para>
-
-	    <para>And, of course, this all depends on how often you want to
-	      upgrade, and whether you are tracking &os.stable; or
-	      &os.current;.</para>
-	  </answer>
-	</qandaentry>
-
-	<qandaentry>
-	  <question>
-	    <para>My compile failed with lots of signal 11<indexterm>
-	      <primary>signal 11</primary></indexterm> (or other signal
-	      number) errors.  What has happened?</para>
-	  </question>
-
-	  <answer>
-	    <para>This is normally indicative of hardware problems.
-	      (Re)making the world is an effective way to stress test your
-	      hardware, and will frequently throw up memory problems.  These
-	      normally manifest themselves as the compiler mysteriously dying
-	      on receipt of strange signals.</para>
-
-	    <para>A sure indicator of this is if you can restart the make and
-	      it dies at a different point in the process.</para>
-
-	    <para>In this instance there is little you can do except start
-	      swapping around the components in your machine to determine
-	      which one is failing.</para>
-	  </answer>
-	</qandaentry>
-
-	<qandaentry>
-	  <question>
-	    <para>Can I remove <filename>/usr/obj</filename> when I have
-	      finished?</para>
-	  </question>
-
-	  <answer>
-	    <para>The short answer is yes.</para>
-
-	    <para><filename>/usr/obj</filename> contains all the object files
-	      that were produced during the compilation phase.  Normally, one
-	      of the first steps in the <command>make buildworld</command> process is to
-	      remove this directory and start afresh.  In this case, keeping
-	      <filename>/usr/obj</filename> around after you have finished
-	      makes little sense, and will free up a large chunk of disk space
-	      (currently about 340&nbsp;MB).</para>
-
-	    <para>However, if you know what you are doing you can have
-	      <command>make buildworld</command> skip this step.  This will make subsequent
-	      builds run much faster, since most of sources will not need to
-	      be recompiled.  The flip side of this is that subtle dependency
-	      problems can creep in, causing your build to fail in odd ways.
-	      This frequently generates noise on the &os; mailing lists,
-	      when one person complains that their build has failed, not
-	      realizing that it is because they have tried to cut
-	      corners.</para>
-	  </answer>
-	</qandaentry>
-
-	<qandaentry>
-	  <question>
-	    <para>Can interrupted builds be resumed?</para>
-	  </question>
-
-	  <answer>
-	    <para>This depends on how far through the process you got before
-	      you found a problem.</para>
-
-	    <para><emphasis>In general</emphasis> (and this is not a hard and
-	      fast rule) the <command>make buildworld</command> process builds new
-	      copies of essential tools (such as &man.gcc.1;, and
-	      &man.make.1;) and the system libraries.  These tools and
-	      libraries are then installed.  The new tools and libraries are
-	      then used to rebuild themselves, and are installed again. The
-	      entire system (now including regular user programs, such as
-		&man.ls.1; or &man.grep.1;) is then rebuilt with the new
-	      system files.</para>
-
-	    <para>If you are at the last stage, and you know it (because you
-	      have looked through the output that you were storing) then you
-	      can (fairly safely) do:</para>
+	    <para>it probably is not worth rebuilding the entire
+	      world.  Instead, go into the appropriate sub-directories
+	      and run <command>make all install</command>.  But if
+	      something major changes, such as
+	      <filename>src/lib/libc/stdlib</filename>, consider
+	      rebuilding world.</para>
+
+	    <para>Some users rebuild world every fortnight and let
+	      changes accumulate over that fortnight.  Others only
+	      re-make those things that have changed and are careful
+	      to spot all the dependencies.  It all depends on how
+	      often a user wants to upgrade and whether they are
+	      tracking &os.stable; or &os.current;.</para>
+	  </listitem>
+	</varlistentry>
 
-	    <screen><emphasis>&hellip; fix the problem &hellip;</emphasis>
-&prompt.root; <userinput>cd /usr/src</userinput>
-&prompt.root; <userinput>make -DNO_CLEAN all</userinput></screen>
+	<varlistentry>
+	  <term>What would cause a compile to fail with lots of
+	    signal 11<indexterm>
+	      <primary>signal 11</primary>
+	    </indexterm>
+	    (or other signal number) errors?</term>
 
-	    <para>This will not undo the work of the previous
-	      <command>make buildworld</command>.</para>
+	  <listitem>
+	    <para>This normally indicates a hardware problem.
+	      Building world is an effective way to stress test
+	      hardware, especially memory.  A sure indicator of a
+	      hardware issue is when <application>make</application>
+	      is restarted and it dies at a different point in the
+	      process.</para>
+
+	    <para>To resolve this error, swap out the components in
+	      the machine, starting with RAM, to determine which
+	      component is failing.</para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term>Can <filename>/usr/obj</filename>
+	      be removed when finished?</term>
 
-	    <para>If you see the message:</para>
+	  <listitem>
+	    <para>This directory contains all the object files that
+	      were produced during the compilation phase.  Normally,
+	      one of the first steps in the <command>make
+		buildworld</command> process is to remove this
+	      directory and start afresh.  Keeping
+	      <filename>/usr/obj</filename> around when finished makes
+	      little sense, and its removal frees up a approximately
+	      2GB of disk space.</para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term>Can interrupted builds be resumed?</term>
+
+	  <listitem>
+	    <para>This depends on how far into the process the
+	      problem occurs.  In general, <command>make
+		buildworld</command> builds new copies of essential
+	      tools and the system libraries.  These tools and
+	      libraries are then installed, used to rebuild
+	      themselves, and are installed again.  The rest of the
+	      system is then rebuilt with the new system
+	      tools.</para>
+
+	    <para>During the last stage, it is fairly safe to run
+	      these commands as they will not undo the work of the
+	      previous <command>make buildworld</command>:</para>
 
-	      <screen>--------------------------------------------------------------
+	    <screen>&prompt.root; <userinput>cd /usr/src</userinput>
+&prompt.root; <userinput>make -DNO_CLEAN all</userinput></screen>
+
+	    <para>If this message appears:</para>
+
+	    <screen>--------------------------------------------------------------
 Building everything..
 --------------------------------------------------------------</screen>
 
-	    <para>in the <command>make buildworld</command> output then it is
-	      probably fairly safe to do so.</para>
+	    <para>in the <command>make buildworld</command> output,
+	      it is probably fairly safe to do so.</para>
 
-	    <para>If you do not see that message, or you are not sure, then it
-	      is always better to be safe than sorry, and restart the build
+	    <para>If that message is not displayed, it is always
+	      better to be safe than sorry and to restart the build
 	      from scratch.</para>
-	  </answer>
-	</qandaentry>
+	  </listitem>
+	</varlistentry>
 
-	<qandaentry>
-	  <question>
-	    <para>How can I speed up making the world?</para>
-          </question>
-
-          <answer>
-	    <itemizedlist>
-	      <listitem>
-		<para>Run in single user mode.</para>
-	      </listitem>
-
-	      <listitem>
-		<para>Put the <filename>/usr/src</filename> and
-		  <filename>/usr/obj</filename> directories on separate
-		  file systems held on separate disks.  If possible, put these
-		  disks on separate disk controllers.</para>
-	      </listitem>
-
-	      <listitem>
-		<para>Better still, put these file systems across multiple
-		  disks using the &man.ccd.4; (concatenated disk
-		  driver) device.</para>
-	      </listitem>
-
-	      <listitem>
-		<para>Turn off profiling (set <quote>NO_PROFILE=true</quote> in
-		  <filename>/etc/make.conf</filename>).  You almost certainly
-		  do not need it.</para>
-	      </listitem>
-
-	      <listitem>
-		<para>Also in <filename>/etc/make.conf</filename>, set
-		  <varname>CFLAGS</varname> to something like <option>-O
-		  -pipe</option>.  The optimization <option>-O2</option> is much
-		  slower, and the optimization difference between
-		  <option>-O</option> and <option>-O2</option> is normally
-		  negligible.  <option>-pipe</option> lets the compiler use
-		  pipes rather than temporary files for communication, which
-		  saves disk access (at the expense of memory).</para>
-	      </listitem>
-
-	      <listitem>
-		<para>Pass the <option>-j<replaceable>n</replaceable></option> option to &man.make.1; to
-		  run multiple processes in parallel.  This usually helps
-		  regardless of whether you have a single or a multi processor
-		  machine.</para>
-	      </listitem>
-
-	      <listitem><para>The file system holding
-		  <filename>/usr/src</filename> can be mounted (or remounted)
-		  with the <option>noatime</option> option.  This prevents the
-		  file system from recording the file access time.  You probably
-		  do not need this information anyway.</para>
-
-		  <screen>&prompt.root; <userinput>mount -u -o noatime /usr/src</userinput></screen>
-
-		  <warning>
-		    <para>The example assumes <filename>/usr/src</filename> is
-		      on its own file system.  If it is not (if it is a part of
-		      <filename>/usr</filename> for example) then you will
-		      need to use that file system mount point, and not
-		      <filename>/usr/src</filename>.</para>
-		  </warning>
-	      </listitem>
-
-	      <listitem>
-		<para>The file system holding <filename>/usr/obj</filename> can
-		  be mounted (or remounted) with the <option>async</option>
-		  option.  This causes disk writes to happen asynchronously.
-		  In other words, the write completes immediately, and the
-		  data is written to the disk a few seconds later.  This
-		  allows writes to be clustered together, and can be a
-		  dramatic performance boost.</para>
-
-		<warning>
-		  <para>Keep in mind that this option makes your file system
-		    more fragile.  With this option there is an increased
-		    chance that, should power fail, the file system will be in
-		    an unrecoverable state when the machine restarts.</para>
-
-		  <para>If <filename>/usr/obj</filename> is the only thing on
-		    this file system then it is not a problem.  If you have
-		    other, valuable data on the same file system then ensure
-		    your backups are fresh before you enable this
-		    option.</para>
-		</warning>
-
-		<screen>&prompt.root; <userinput>mount -u -o async /usr/obj</userinput></screen>
-
-		<warning>
-		  <para>As above, if <filename>/usr/obj</filename> is not on
-		    its own file system, replace it in the example with the
-		    name of the appropriate mount point.</para>
-		</warning>
-	      </listitem>
-	    </itemizedlist>
-	  </answer>
-	</qandaentry>
-
-        <qandaentry>
-          <question>
-            <para>What do I do if something goes wrong?</para>
-          </question>
-
-          <answer>
-            <para>Make absolutely sure your environment has no
-              extraneous cruft from earlier builds.  This is simple
-              enough.</para>
+	<varlistentry>
+	  <term>Is it possible to speed up making the world?</term>
 
-            <screen>&prompt.root; <userinput>chflags -R noschg /usr/obj/usr</userinput>
+	  <listitem>
+	    <para>Several actions can speed up the build world
+	      process.  For example, the entire process can be run
+	      from single-user mode.  However, this will prevent users
+	      from having access to the system until the process is
+	      complete.</para>
+
+	    <para>Careful file system design or the use of ZFS
+	      datasets can make a difference.  Consider putting
+	      <filename>/usr/src</filename> and
+	      <filename>/usr/obj</filename> on
+	      separate file systems.  If possible, place the file
+	      systems on separate disks on separate disk controllers.
+	      When mounting <filename
+		>/usr/src</filename>, use
+	      <option>noatime</option> which prevents the file system
+	      from recording the file access time.  If <filename
+		>/usr/src</filename> is not on its
+	      own file system, consider remounting <filename
+		>/usr</filename> with
+	      <option>noatime</option>.</para>
+
+	    <para>The file system holding <filename
+		>/usr/obj</filename> can be mounted
+	      or remounted with <option>async</option> so that disk
+	      writes happen asynchronously.  The write completes
+	      immediately, and the data is written to the disk a few
+	      seconds later.  This allows writes to be clustered
+	      together, and can provide a dramatic performance
+	      boost.</para>
+
+	    <warning>
+	      <para>Keep in mind that this option makes the file
+		system more fragile.  With this option, there is an
+		increased chance that, should power fail, the file
+		system will be in an unrecoverable state when the
+		machine restarts.</para>
+
+	      <para>If <filename>/usr/obj</filename> is the only
+		directory on this file system, this is not a problem.
+		If you have other, valuable data on the same file
+		system, ensure that there are verified backups before
+		enabling this option.</para>
+	    </warning>
+
+	    <para>Turn off profiling by setting
+	      <quote>NO_PROFILE=true</quote> in
+	      <filename>/etc/make.conf</filename>.</para>
+
+	    <para>Pass <option>-j<replaceable>n</replaceable></option>
+	      to &man.make.1; to run multiple processes in parallel.
+	      This usually helps on both single- and multi-processor
+	      machines.</para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term>What if something goes wrong?</term>
+
+	  <listitem>
+	    <para>First, make absolutely sure that the environment has
+	      no extraneous cruft from earlier builds:</para>
+
+	    <screen>&prompt.root; <userinput>chflags -R noschg /usr/obj/usr</userinput>
 &prompt.root; <userinput>rm -rf /usr/obj/usr</userinput>
 &prompt.root; <userinput>cd /usr/src</userinput>
 &prompt.root; <userinput>make cleandir</userinput>
 &prompt.root; <userinput>make cleandir</userinput></screen>
 
-            <para>Yes, <command>make cleandir</command> really should
-              be run twice.</para>
+	    <para>Yes, <command>make cleandir</command> really should
+	      be run twice.</para>
 
-            <para>Then restart the whole process, starting
-              with <command>make buildworld</command>.</para>
+	    <para>Then, restart the whole process, starting with
+	      <command>make buildworld</command>.</para>
 
-            <para>If you still have problems, send the error and the
-              output of <command>uname -a</command> to &a.questions;.
-              Be prepared to answer other questions about your
-              setup!</para>
-          </answer>
-        </qandaentry>
-      </qandaset>
+	    <para>If problems persist, send the error and the output
+	      of <command>uname -a</command> to &a.questions;.  Be
+	      prepared to answer other questions about the
+	      setup!</para>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
     </sect2>
   </sect1>
 
   <sect1 xml:id="small-lan">
-    <info><title>Tracking for Multiple Machines</title>
+    <info>
+      <title>追蹤多追蹤多部機器</title>
+
       <authorgroup>
-	<author><personname><firstname>Mike</firstname><surname>Meyer</surname></personname><contrib>Contributed by </contrib></author>
+	<author>
+	  <personname>
+	    <firstname>Mike</firstname>
+	    <surname>Meyer</surname>
+	  </personname>
+	  <contrib>Contributed by </contrib>
+	</author>
       </authorgroup>
     </info>
-    
+
     <indexterm>
       <primary>NFS</primary>
-      <secondary>installing multiple machines</secondary>
+      <secondary>安裝多部機器</secondary>
     </indexterm>
 
-    <para>If you have multiple machines that you want to track the
-      same source tree, then having all of them download sources and
-      rebuild everything seems like a waste of resources: disk space,
-      network bandwidth, and CPU cycles.  It is, and the solution is
-      to have one machine do most of the work, while the rest of the
-      machines mount that work via NFS.  This section outlines a
-      method of doing so.</para>
-
-    <sect2 xml:id="small-lan-preliminaries">
-      <title>Preliminaries</title>
-
-      <para>First, identify a set of machines that is going to run
-	the same set of binaries, which we will call a
-	<emphasis>build set</emphasis>.  Each machine can have a
-	custom kernel, but they will be running the same userland
-	binaries.  From that set, choose a machine to be the
-	<emphasis>build machine</emphasis>.  It is going to be the
-	machine that the world and kernel are built on. Ideally, it
-	should be a fast machine that has sufficient spare CPU to
-	run <command>make buildworld</command> and
-	<command>make buildkernel</command>.  You will also want to
-	choose a machine to be the <emphasis>test
-	machine</emphasis>, which will test software updates before they
-	are put into production.  This <emphasis>must</emphasis> be a
-	machine that you can afford to have down for an extended
-	period of time.  It can be the build machine, but need not be.</para>
-
-      <para>All the machines in this build set need to mount
-	<filename>/usr/obj</filename> and
-	<filename>/usr/src</filename> from the same machine, and at
-	the same point.  Ideally, those are on two different drives
-	on the build machine, but they can be NFS mounted on that machine
-	as well.  If you have multiple build sets,
-	<filename>/usr/src</filename> should be on one build machine, and
-	NFS mounted on the rest.</para>
-
-      <para>Finally make sure that
-	<filename>/etc/make.conf</filename> on all the machines in
-	the build set agrees with the build machine.  That means that
-	the build machine must build all the parts of the base
-	system that any machine in the build set is going to
-	install.  Also, each build machine should have its kernel
-	name set with <varname>KERNCONF</varname> in
-	<filename>/etc/make.conf</filename>, and the build machine
-	should list them all in <varname>KERNCONF</varname>, listing
-	its own kernel first.  The build machine must have the kernel
-	configuration files for each machine in
-	<filename>/usr/src/sys/arch/conf</filename>
-	if it is going to build their kernels.</para>
-    </sect2>
-
-    <sect2>
-      <title>The Base System</title>
-
-      <para>Now that all that is done, you are ready to build
-	everything.  Build the kernel and world as described in <xref linkend="make-buildworld"/> on the build machine,
-	but do not install anything.  After the build has finished, go
-	to the test machine, and install the kernel you just
-	built.  If this machine mounts <filename>/usr/src</filename>
-	and <filename>/usr/obj</filename> via NFS, when you reboot
-	to single user you will need to enable the network and mount
-	them.  The easiest way to do this is to boot to multi-user,
-	then run <command>shutdown now</command> to go to single user
-	mode.  Once there, you can install the new kernel and world and run
-	<command>mergemaster</command> just as you normally would.  When
-	done, reboot to return to normal multi-user operations for this
-	machine.</para>
-
-      <para>After you are certain that everything on the test
-	machine is working properly, use the same procedure to
-	install the new software on each of the other machines in
-	the build set.</para>
-    </sect2>
-
-    <sect2>
-      <title>Ports</title>
-
-      <para>The same ideas can be used for the ports tree.  The first
-	critical step is mounting <filename>/usr/ports</filename> from
-	the same machine to all the machines in the build set.  You can
-	then set up <filename>/etc/make.conf</filename> properly to share
-	distfiles.  You should set <varname>DISTDIR</varname> to a
-	common shared directory that is writable by whichever user
-	<systemitem class="username">root</systemitem> is mapped to by your NFS mounts.  Each
-	machine should set <varname>WRKDIRPREFIX</varname> to a
-	local build directory.  Finally, if you are going to be
-	building and distributing packages, you should set
-	<varname>PACKAGES</varname> to a directory similar to
-	<varname>DISTDIR</varname>.</para>
-    </sect2>
+    <para>當有多部機器需要追蹤同一個原始碼樹，
+      會浪費磁碟空間，網路頻寬，和
+      <acronym>中央處理器</acronym>周期來讓每個系統下載原始碼和編譯所有東西。
+      解決方法是有解決方法是有一台機器做大部份的工作，剩下的機器經由
+      <acronym>NFS</acronym>來掛載這個工作。這一節概述了一個如此做的方法。
+      更多關於使用 <acronym>NFS</acronym>的資訊，請參考<xref
+	linkend="network-nfs"/>。</para>
+
+    <para>First, identify a set of machines which will run the same
+      set of binaries, known as a <firstterm>build set</firstterm>.
+      Each machine can have a custom kernel, but will run the same
+      userland binaries.  From that set, choose a machine to be the
+      <firstterm>build machine</firstterm> that the world and kernel
+      are built on.  Ideally, this is a fast machine that has
+      sufficient spare <acronym>CPU</acronym> to run <command>make
+	buildworld</command> and <command>make
+	buildkernel</command>.</para>
+
+    <para>Select a machine to be the <firstterm>test
+	machine</firstterm>, which will test software updates before
+      they are put into production.  This <emphasis>must</emphasis> be
+      a machine that can afford to be down for an extended period of
+      time.  It can be the build machine, but need not be.</para>
+
+    <para>All the machines in this build set need to mount
+      <filename>/usr/obj</filename> and <filename>/usr/src</filename>
+      from the build machine via <acronym>NFS</acronym>.  For multiple
+      build sets, <filename>/usr/src</filename> should be on one build
+      machine, and <acronym>NFS</acronym> mounted on the rest.</para>
+
+    <para>Ensure that <filename>/etc/make.conf</filename> and
+      <filename>/etc/src.conf</filename> on all the machines in the
+      build set agree with the build machine.  That means that the
+      build machine must build all the parts of the base system that
+      any machine in the build set is going to install.  Also, each
+      build machine should have its kernel name set with
+      <varname>KERNCONF</varname> in
+      <filename>/etc/make.conf</filename>, and the build machine
+      should list them all in its <varname>KERNCONF</varname>,
+      listing its own kernel first.  The build machine must have the
+      kernel configuration files for each machine in its <filename
+	>/usr/src/sys/<replaceable>arch</replaceable>/conf</filename>.</para>
+
+    <para>On the build machine, build the kernel and world as
+      described in <xref linkend="makeworld"/>, but do not install
+      anything on the build machine.  Instead, install the built
+      kernel on the test machine.  On the test machine, mount
+      <filename>/usr/src</filename> and
+      <filename>/usr/obj</filename> via <acronym>NFS</acronym>.  Then,
+      run <command>shutdown now</command> to go to single-user mode in
+      order to install the new kernel and world and run
+      <command>mergemaster</command> as usual.  When done, reboot to
+      return to normal multi-user operations.</para>
+
+    <para>After verifying that everything on the test machine is
+      working properly, use the same procedure to install the new
+      software on each of the other machines in the build set.</para>
+
+    <para>The same methodology can be used for the ports tree.  The
+      first step is to share <filename>/usr/ports</filename> via
+      <acronym>NFS</acronym> to all the machines in the build set.  To
+      configure <filename>/etc/make.conf</filename> to share
+      distfiles, set <varname>DISTDIR</varname> to a common shared
+      directory that is writable by whichever user <systemitem
+	class="username">root</systemitem> is mapped to by the
+      <acronym>NFS</acronym> mount.  Each machine should set
+      <varname>WRKDIRPREFIX</varname> to a local build directory, if
+      ports are to be built locally.  Alternately, if the build system
+      is to build and distribute packages to the machines in the build
+      set, set <varname>PACKAGES</varname> on the build system to a
+      directory similar to <varname>DISTDIR</varname>.</para>
   </sect1>
 </chapter>
Index: zh_TW.UTF-8/books/handbook/disks/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/disks/chapter.xml
+++ zh_TW.UTF-8/books/handbook/disks/chapter.xml
@@ -1,17 +1,20 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      The FreeBSD Documentation Project
+     The FreeBSD Traditional Chinese Project
 
      $FreeBSD$
-     Original revision: 1.246
+     Original revision: r46056
 -->
-<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="disks">
+<chapter xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="disks">
+
   <title>儲存設備篇</title>
 
   <sect1 xml:id="disks-synopsis">
     <title>概述</title>
 
-
     <para>本章涵蓋如何在 FreeBSD 下使用碟片裝置
       <footnote>
 	<para>譯註：雖然有些設備沒有『碟片』，例如 USB 隨身碟，
@@ -343,327 +346,152 @@
     </sect2>
   </sect1>
 
-  <sect1 xml:id="raid">
-    <title>RAID</title>
-
-    <sect2 xml:id="raid-soft">
-      <title>軟體 RAID</title>
-
-      <sect3 xml:id="ccd">
-	<info><title>連接式磁碟裝置驅動程式(CCD, Concatenated Disk Driver) 設定</title>
-	  <authorgroup>
-	    <author><personname><firstname>Christopher</firstname><surname>Shumway</surname></personname><contrib>Original work by </contrib></author>
-	  </authorgroup>
-	  <authorgroup>
-	    <author><personname><firstname>Jim</firstname><surname>Brown</surname></personname><contrib>Revised by </contrib></author>
-	  </authorgroup>
-	</info>
-
-        
-
-<indexterm><primary>RAID</primary><secondary>software</secondary></indexterm>
-<indexterm>
-  <primary>RAID</primary><secondary>CCD</secondary>
-</indexterm>
-
-	<para>對大容量儲存設備而言，最關鍵的要素乃是速度、可靠性及價格。
-	  然而這三者往往難以兼顧：快速可靠的設備通常很貴；
-	  而降低成本通常也犧牲了速度或可靠性。</para>
-
-	<para>接下來要介紹的系統，價格是最重要的考量，接下來是速度，
-	  最後才是可靠性。  順序如此是因為資料傳輸的速度最終取決於網路，
-	  而儘管可靠性十分重要，卻有簡單的取代方案：
-	  將資料完整備份於 CD-R 中。</para>
-
-	<para>選擇大容量儲存設備方案時，首先要定義您的需求。
-	  如果您重視速度或可靠性甚於價格，接下來的介紹恐非您所需。</para>
-
-	<sect4 xml:id="ccd-installhw">
-	  <title>安裝硬體</title>
-
-	  <para>除了系統磁碟外，下面介紹的 CCD 磁碟陣列將使用到三顆 30GB、
-	    5400 RPM 的 Western Digital IDE 磁碟，以提供約 90GB 的儲存空間。
-	    最理想的情況是每個磁碟由獨立使用的排線連接獨立使用的 IDE 控制器，
-	    不過為了降低成本，利用 jumper 設定磁碟，使每個 IDE 控制器可連接
-	    一個主磁碟加一個副磁碟，如此可不必加裝額外的 IDE 控制器。</para>
-
-	  <para>開機後，BIOS 應該設定成自重偵測磁碟。更重要的是 FreeBSD 應該
-	    要偵測到它們：</para>
-
-	  <programlisting>ad0: 19574MB &lt;WDC WD205BA&gt; [39770/16/63] at ata0-master UDMA33
-ad1: 29333MB &lt;WDC WD307AA&gt; [59598/16/63] at ata0-slave UDMA33
-ad2: 29333MB &lt;WDC WD307AA&gt; [59598/16/63] at ata1-master UDMA33
-ad3: 29333MB &lt;WDC WD307AA&gt; [59598/16/63] at ata1-slave UDMA33</programlisting>
-
-	  <note>
-	    <para>如果 FreeBSD 沒有偵測到所有磁碟，請確認 jumper 都設定正確。
-	      許多 IDE 磁碟可以設定成 <quote>Cable Select</quote>
-	      (根據排線位置決定)，這<emphasis>並非</emphasis> master(主磁碟)
-	      或 slave(副磁碟)。  請參閱磁碟的說明文件以正確設定 jumper
-	      。</para></note>
-
-	  <para>接下來，考慮如何將它們變成檔案系統的一部份。您可以參考
-	    &man.vinum.8;(<xref linkend="vinum-vinum"/>) 及 &man.ccd.4;。
-	    在此我們選擇 &man.ccd.4;。</para>
-	</sect4>
-
-	<sect4 xml:id="ccd-setup">
-	  <title>設定 CCD</title>
-
- 	  <para>&man.ccd.4; 可以將多個磁碟接起來成為一個大磁碟。要使用
- 	    &man.ccd.4;，您的 kernel 需要支援 &man.ccd.4;。將這行加入到
-	    kernel 設定檔，並重編、重安裝 kernel：</para>
-
-	  <programlisting>device   ccd</programlisting>
-
-	  <para>也可以載入 kernel 動態模組來支援 &man.ccd.4;。</para>
-
- 	  <para>使用 &man.ccd.4; 請先用 &man.bsdlabel.8; 來初始磁碟：</para>
-
-	  <programlisting>bsdlabel -r -w ad1 auto
-bsdlabel -r -w ad2 auto
-bsdlabel -r -w ad3 auto</programlisting>
-
- 	  <para>上述指令會建立 <filename>ad1c</filename>，
-	    <filename>ad2c</filename> 和 <filename>ad3c</filename>，
-	    這些 bsdlabel 都使用了整個磁碟。</para>
-
- 	  <para>下一步是修改 label type，同樣用 &man.bsdlabel.8; 來處理：</para>
-
-	  <programlisting>bsdlabel -e ad1
-bsdlabel -e ad2
-bsdlabel -e ad3</programlisting>
-
- 	  <para>這個指令會打開一個編輯器(預設是 &man.vi.1;，可以用
-	  <envar>EDITOR</envar> 環境變數來指定其它編輯器)，並將目前磁碟的 label
-	  資訊顯示在該編輯器裡。</para>
-
-	  <para>一個還未變動過的磁碟 label 資訊看起來會像這樣：</para>
-
-	  <programlisting>8 partitions:
-#        size   offset    fstype   [fsize bsize bps/cpg]
-  c: 60074784        0    unused        0     0     0   # (Cyl.    0 - 59597)</programlisting>
-
- 	  <para>在此我們要新增一個 <literal>e</literal> partition 給
-	    &man.ccd.4; 使用。  通常複製 <literal>c</literal> partition 那一行，
-	    再把 <option>fstype</option> 那一行改成
-	    <userinput>4.2BSD</userinput> 就可以了。
-	    改完之後看起來應該會像這樣：</para>
-
-	  <programlisting>8 partitions:
-#        size   offset    fstype   [fsize bsize bps/cpg]
-  c: 60074784        0    unused        0     0     0   # (Cyl.    0 - 59597)
-  e: 60074784        0    4.2BSD        0     0     0   # (Cyl.    0 - 59597)</programlisting>
-
-	</sect4>
-
-	<sect4 xml:id="ccd-buildingfs">
-	  <title>建立檔案系統</title>
-
-	  <para>現在所有的磁碟都已經建好 bsdlabel 了，可以開始建立 &man.ccd.4;。
-	    用 &man.ccdconfig.8; 來建立 &man.ccd.4;，參考下面的指令：</para>
-
-	    <programlisting>ccdconfig ccd0<co xml:id="co-ccd-dev"/> 32<co xml:id="co-ccd-interleave"/> 0<co xml:id="co-ccd-flags"/> /dev/ad1e<co xml:id="co-ccd-devs"/> /dev/ad2e /dev/ad3e</programlisting>
-
-	  <para>每個參數的作用如下：</para>
-
-          <calloutlist>
-            <callout arearefs="co-ccd-dev">
-	    <para>第一個參數是要設定的裝置名稱，在這個例子裡是
-	      <filename>/dev/ccd0c</filename>。其中 <filename>/dev/</filename>
-	      可有可無。</para>
-            </callout>
-
-            <callout arearefs="co-ccd-interleave">
-
-	    <para>「interleave」的大小。所謂 interleave 是指一排磁碟區塊
-	      (disk block)的大小，通常以 512 bytes 為單位，所以 interleave
-	      設為 32 即為 16,384 bytes。</para>
-            </callout>
-
-            <callout arearefs="co-ccd-flags">
-	    <para>&man.ccdconfig.8; 設定模式的參數。如果您打算啟用磁碟鏡設
-	      (drive mirroring)，您可以在此指定參數。這個例子沒有使用鏡設，
-	      所以設成 0。</para>
-            </callout>
-
-            <callout arearefs="co-ccd-devs">
-	    <para>&man.ccdconfig.8; 最後的參數是要加入到陣列的所有磁碟。
-	      請使用完整的路徑。</para>
-            </callout>
-          </calloutlist>
-
-
-	  <para>執行 &man.ccdconfig.8; 之後，&man.ccd.4;
-	    已設定完成可供建立檔案系統。  請參考 &man.newfs.8; 或輸入：</para>
-
-	  <programlisting>newfs /dev/ccd0c</programlisting>
-
-
-	</sect4>
-
-	<sect4 xml:id="ccd-auto">
-	  <title>讓一切自動完成</title>
-
-	  <para>通常您會希望每次開機時都能自動掛上(mount) &man.ccd.4;。
-	    用下面的指令將您目前的設定寫入 <filename>/etc/ccd.conf</filename>
-	    ：</para>
-
-	  <programlisting>ccdconfig -g &gt; /etc/ccd.conf</programlisting>
-
-	  <para>如果 <filename>/etc/ccd.conf</filename> 存在，每次開機時
-	    <command>/etc/rc</command> 都會執行 <command>ccdconfig -C</command>
-	    。  如此便可自動設定 &man.ccd.4; 以便之後掛上(mount)檔案系統。
-	  </para>
-
-	  <note><para>如果您開機時選擇進入單人模式(single mode)，在掛上
-	    (&man.mount.8;) &man.ccd.4; 的檔案系統之前您得先執行設定的指令：
-	  </para>
-
-	  <programlisting>ccdconfig -C</programlisting>
-          </note>
-
-	  <para>要在每次開機時自動掛上(mount) &man.ccd.4;，請在
-	    <filename>/etc/fstab</filename> 加入 &man.ccd.4;：
-	  </para>
-
-	  <programlisting>/dev/ccd0c              /media       ufs     rw      2       2</programlisting>
-	</sect4>
-      </sect3>
-
-      <sect3 xml:id="vinum">
-	<title>Vinum 容量管理系統</title>
-
-<indexterm><primary>RAID</primary><secondary>software</secondary></indexterm>
-<indexterm>
-  <primary>RAID</primary>
-  <secondary>Vinum</secondary>
-</indexterm>
-
-	<para>Vinum 容量管理系統(以下簡稱 Vinum) 可視為一種虛擬磁碟。
-	  它將區塊裝置(block device) 的介面與對應資料的方式切割開來，比起原本
-	  slice 劃分的磁碟，Vinum 可增加了彈性、效能和穩定度
-	  <footnote><para>譯註：原文這裡是用「和」，但要視實際使用方式而定。
-	  例如用 RAID-0 就不會增加穩定度 :)。</para></footnote>
-	  &man.vinum.8; 實作了 RAID-0、RAID-1 和 RAID-5 等模組，
-	  它們都可以單獨使用，也可以互相搭配使用。</para>
-
-	<para>請見 <xref linkend="vinum-vinum"/> 以參考更多關於
-	  &man.vinum.8; 的資訊。</para>
-      </sect3>
-    </sect2>
-
-    <sect2 xml:id="raid-hard">
-      <title>硬體 RAID</title>
-
-      <indexterm>
-	<primary>RAID</primary>
-	<secondary>hardware</secondary>
-      </indexterm>
-
-	  <para>FreeBSD 也支援許多硬體 <acronym>RAID</acronym> 控制器。
-	    這些控制器自行掌控一個小型的 <acronym>RAID</acronym> 系統，
-	    因此不需要特定軟體來管理。</para>
-
-	  <para>透過控制器上的 <acronym>BIOS</acronym> 幾乎能控制所有的操作。
-	    接下來將簡單介紹如何設定 Promise <acronym>IDE</acronym>
-	    <acronym>RAID</acronym> 控制卡。首先確認控制卡已安裝，接著開機。
-	    它應該會提示一些資訊<footnote><para>譯註：例如按 F1 可以進入控制卡
-	    BIOS 之類的資訊。</para></footnote>。依指示進入控制卡的設定畫面，
-	    從這裡您可以將全部的硬體結合成一個大磁碟。完成之後，FreeBSD
-	    將只會看到這個大磁碟。當然您也可以使用其它的
-	    <acronym>RAID</acronym> 模式。</para>
-	</sect2>
+  <sect1 xml:id="disks-growing">
+    <info>
+      <title>Resizing and Growing Disks</title>
 
-    <sect2>
-      <title>重建(rebuild) ATA RAID1 陣列</title>
-
-      <para>FreeBSD 允許您熱插拔磁碟陣列裡壞掉的磁碟，
-	當然在重開機前就得先發現。</para>
-
-      <para>也許您會在 <filename>/var/log/messages</filename>(或 &man.dmesg.8;
-	的輸出) 看到類似下面的訊息：</para>
-
-      <programlisting>ad6 on monster1 suffered a hard error.
-ad6: READ command timeout tag=0 serv=0 - resetting
-ad6: trying fallback to PIO mode
-ata3: resetting devices .. done
-ad6: hard error reading fsbn 1116119 of 0-7 (ad6 bn 1116119; cn 1107 tn 4 sn 11)\\
-status=59 error=40
-ar0: WARNING - mirror lost</programlisting>
-
-      <para>請用 &man.atacontrol.8; 來得到更多資訊：</para>
-
-      <screen>&prompt.root; <userinput>atacontrol list</userinput>
-ATA channel 0:
-	Master:      no device present
-	Slave:   acd0 &lt;HL-DT-ST CD-ROM GCR-8520B/1.00&gt; ATA/ATAPI rev 0
-
-ATA channel 1:
-	Master:      no device present
-	Slave:       no device present
-
-ATA channel 2:
-	Master:  ad4 &lt;MAXTOR 6L080J4/A93.0500&gt; ATA/ATAPI rev 5
-	Slave:       no device present
-
-ATA channel 3:
-	Master:  ad6 &lt;MAXTOR 6L080J4/A93.0500&gt; ATA/ATAPI rev 5
-	Slave:       no device present
-
-&prompt.root; <userinput>atacontrol status ar0</userinput>
-ar0: ATA RAID1 subdisks: ad4 ad6 status: DEGRADED</screen>
-
-      <procedure>
-	<step>
-	  <para>首先您得將損壞磁碟所在的 ata channel 卸載(detach)，
-	    如此才能安全地移除：</para>
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Allan</firstname>
+	    <surname>Jude</surname>
+	  </personname>
+	  <contrib>Originally contributed by </contrib>
+	</author>
+      </authorgroup>
+    </info>
 
-	  <screen>&prompt.root; <userinput>atacontrol detach ata3</userinput></screen>
-	</step>
+    <indexterm>
+      <primary>disks</primary>
+      <secondary>resizing</secondary>
+    </indexterm>
 
-	<step>
-	  <para>用好的磁碟換下損壞的。</para>
-	</step>
+    <para>A disk's capacity can increase without any changes to the
+      data already present.  This happens commonly with virtual
+      machines, when the virtual disk turns out to be too small and is
+      enlarged.  Sometimes a disk image is written to a
+      <acronym>USB</acronym> memory stick, but does not use the full
+      capacity.  Here we describe how to resize or
+      <emphasis>grow</emphasis> disk contents to take advantage of
+      increased capacity.</para>
+
+    <para>Determine the device name of the disk to be resized by
+      inspecting <filename>/var/run/dmesg.boot</filename>.  In this
+      example, there is only one <acronym>SATA</acronym> disk in the
+      system, so the drive will appear as
+      <filename>ada0</filename>.</para>
 
-	<step>
-	  <para>重新載入(re-attach) ata channel：</para>
+    <indexterm><primary>partitions</primary></indexterm>
+    <indexterm>
+      <primary><command>gpart</command></primary>
+    </indexterm>
 
-	  <screen>&prompt.root; <userinput>atacontrol attach ata3</userinput>
-Master:  ad6 &lt;MAXTOR 6L080J4/A93.0500&gt; ATA/ATAPI rev 5
-Slave:   no device present</screen>
-	</step>
+    <para>List the partitions on the disk to see the current
+      configuration:</para>
 
-	<step>
-	  <para>將新的磁碟加入原本的磁碟陣列成為備援(spare) 磁碟：</para>
+    <screen>&prompt.root; <userinput>gpart show <replaceable>ada0</replaceable></userinput>
+=>      34  83886013  ada0  GPT  (48G) [CORRUPT]
+        34       128     1  freebsd-boot  (64k)
+       162  79691648     2  freebsd-ufs  (38G)
+  79691810   4194236     3  freebsd-swap  (2G)
+  83886046         1        - free -  (512B)</screen>
 
-	  <screen>&prompt.root; <userinput>atacontrol addspare ar0 ad6</userinput></screen>
-	</step>
+    <note>
+      <para>If the disk was formatted with the <link
+	  xlink:href="http://en.wikipedia.org/wiki/GUID_Partition_Table">
+	<acronym>GPT</acronym></link> partitioning scheme, it may show
+	as <quote>corrupted</quote> because the <acronym>GPT</acronym>
+	backup partition table is no longer at the end of the
+	drive.  Fix the backup
+	partition table with
+	<command>gpart</command>:</para>
 
-	<step>
-	  <para>重建磁碟陣列：</para>
+      <screen>&prompt.root; <userinput>gpart recover <replaceable>ada0</replaceable></userinput>
+ada0 recovered</screen>
+    </note>
 
-	  <screen>&prompt.root; <userinput>atacontrol rebuild ar0</userinput></screen>
-	</step>
+    <para>Now the additional space on the disk is available for
+      use by a new partition, or an existing partition can be
+      expanded:</para>
+
+    <screen>&prompt.root; <userinput>gpart show <replaceable>ada0</replaceable></userinput>
+=>       34  102399933  ada0  GPT  (48G)
+         34        128     1  freebsd-boot  (64k)
+        162   79691648     2  freebsd-ufs  (38G)
+   79691810    4194236     3  freebsd-swap  (2G)
+   83886046   18513921        - free -  (8.8G)</screen>
+
+    <para>Partitions can only be resized into contiguous free space.
+      Here, the last partition on the disk is the swap partition, but
+      the second partition is the one that needs to be resized.  Swap
+      partitions only contain temporary data, so it can safely be
+      unmounted, deleted, and then recreated after resizing other
+      partitions.</para>
+
+    <screen>&prompt.root; <userinput>swapoff <replaceable>/dev/ada0p3</replaceable></userinput>
+&prompt.root; <userinput>gpart delete -i <replaceable>3</replaceable> <replaceable>ada0</replaceable></userinput>
+ada0p3 deleted
+&prompt.root; <userinput>gpart show <replaceable>ada0</replaceable></userinput>
+=>       34  102399933  ada0  GPT  (48G)
+         34        128     1  freebsd-boot  (64k)
+        162   79691648     2  freebsd-ufs  (38G)
+   79691810   22708157        - free -  (10G)</screen>
+
+    <warning>
+      <para>There is risk of data loss when modifying the partition
+	table of a mounted file system.  It is best to perform the
+	following steps on an unmounted file system while running from
+	a live <acronym>CD-ROM</acronym> or <acronym>USB</acronym>
+	device.  However, if absolutely necessary, a mounted file
+	system can be  resized after disabling GEOM safety
+	features:</para>
+
+      <screen>&prompt.root; <userinput>sysctl kern.geom.debugflags=16</userinput></screen>
+    </warning>
+
+    <para>Resize the partition, leaving room to recreate a swap
+      partition of the desired size.  This only modifies the size of
+      the partition.  The file system in the partition will be
+      expanded in a separate step.</para>
+
+    <screen>&prompt.root; <userinput>gpart resize -i <replaceable>2</replaceable> -a 4k -s <replaceable>47G</replaceable> <replaceable>ada0</replaceable></userinput>
+ada0p2 resized
+&prompt.root; <userinput>gpart show <replaceable>ada0</replaceable></userinput>
+=>       34  102399933  ada0  GPT  (48G)
+         34        128     1  freebsd-boot  (64k)
+        162   98566144     2  freebsd-ufs  (47G)
+   98566306    3833661        - free -  (1.8G)</screen>
+
+    <para>Recreate the swap partition:</para>
+
+    <screen>&prompt.root; <userinput>gpart add -t freebsd-swap -a 4k <replaceable>ada0</replaceable></userinput>
+ada0p3 added
+&prompt.root; <userinput>gpart show <replaceable>ada0</replaceable></userinput>
+=>       34  102399933  ada0  GPT  (48G)
+         34        128     1  freebsd-boot  (64k)
+        162   98566144     2  freebsd-ufs  (47G)
+   98566306    3833661     3  freebsd-swap  (1.8G)
+&prompt.root; <userinput>swapon <replaceable>/dev/ada0p3</replaceable></userinput></screen>
 
-	<step>
-	  <para>可以用下面指定來確認重建的進度：</para>
+    <para>Grow the <acronym>UFS</acronym> file system to use the new
+      capacity of the resized partition:</para>
 
-	  <screen>&prompt.root; <userinput>dmesg | tail -10</userinput>
-[output removed]
-ad6: removed from configuration
-ad6: deleted from ar0 disk1
-ad6: inserted into ar0 disk1 as spare
+    <note>
+      <para>Growing a live <acronym>UFS</acronym> file system is only
+	possible in &os; 10.0-RELEASE and later.  For earlier
+	versions, the file system must not be mounted.</para>
+    </note>
 
-&prompt.root; <userinput>atacontrol status ar0</userinput>
-ar0: ATA RAID1 subdisks: ad4 ad6 status: REBUILDING 0% completed</screen>
-	</step>
+    <screen>&prompt.root; <userinput>growfs <replaceable>/dev/ada0p2</replaceable></userinput>
+Device is mounted read-write; resizing will result in temporary write suspension for /.
+It's strongly recommended to make a backup before growing the file system.
+OK to grow file system on /dev/ada0p2, mounted on /, from 38GB to 47GB? [Yes/No] <userinput>Yes</userinput>
+super-block backups (for fsck -b #) at:
+ 80781312, 82063552, 83345792, 84628032, 85910272, 87192512, 88474752,
+ 89756992, 91039232, 92321472, 93603712, 94885952, 96168192, 97450432</screen>
 
-	<step>
-	  <para>等重建完就完成了。</para>
-	</step>
-      </procedure>
-    </sect2>
+    <para>Both the partition and the file system on it have now been
+      resized to use the newly-available disk space.</para>
   </sect1>
 
   <sect1 xml:id="usb-disks">
@@ -777,223 +605,176 @@
   </sect1>
 
   <sect1 xml:id="creating-cds">
-    <info><title>Creating and Using Optical Media (CDs)</title>
+    <info>
+      <title>Creating and Using <acronym>CD</acronym> Media</title>
+
       <authorgroup>
-	<author><personname><firstname>Mike</firstname><surname>Meyer</surname></personname><contrib>Contributed by </contrib></author>
+	<author>
+	  <personname>
+	    <firstname>Mike</firstname>
+	    <surname>Meyer</surname>
+	  </personname>
+	  <contrib>Contributed by </contrib>
+	</author>
       </authorgroup>
-      
     </info>
 
-    
     <indexterm>
-      <primary>CDROMs</primary>
+      <primary><acronym>CD-ROM</acronym>s</primary>
       <secondary>creating</secondary>
     </indexterm>
 
-    <sect2>
-      <title>Introduction</title>
+    <para>Compact Disc (<acronym>CD</acronym>) media provide a number
+      of features that differentiate them from conventional disks.
+      They are designed so that they can be read continuously without
+      delays to move the head between tracks.  While
+      <acronym>CD</acronym> media do have tracks, these refer to a
+      section of data to be read continuously, and not a physical
+      property of the disk.  The <acronym>ISO</acronym> 9660 file
+      system was designed to deal with these differences.</para>
+
+    <indexterm><primary><acronym>ISO</acronym>
+      9660</primary></indexterm>
+    <indexterm>
+      <primary>file systems</primary>
+      <secondary>ISO 9660</secondary>
+    </indexterm>
+
+    <indexterm>
+      <primary><acronym>CD</acronym> burner</primary>
+      <secondary><acronym>ATAPI</acronym></secondary>
+    </indexterm>
 
-      <para>CDs have a number of features that differentiate them from
-	conventional disks. Initially, they were not writable by the
-	user. They are designed so that they can be read continuously without
-	delays to move the head between tracks. They are also much easier
-	to transport between systems than similarly sized media were at the
-	time.</para>
-
-      <para>CDs do have tracks, but this refers to a section of data to
-	be read continuously and not a physical property of the disk. To
-	produce a CD on FreeBSD, you prepare the data files that are going
-	to make up the tracks on the CD, then write the tracks to the
-	CD.</para>
-
-      <indexterm><primary>ISO 9660</primary></indexterm>
-      <indexterm>
-        <primary>file systems</primary>
-        <secondary>ISO 9660</secondary>
-      </indexterm>
-      <para>The ISO 9660 file system was designed to deal with these
-	differences. It unfortunately codifies file system limits that were
-	common then. Fortunately, it provides an extension mechanism that
-	allows properly written CDs to exceed those limits while still
-	working with systems that do not support those extensions.</para>
-
-      <indexterm>
-        <primary><package>sysutils/cdrtools</package></primary>
-      </indexterm>
-      <para>The <package>sysutils/cdrtools</package>
-	port includes &man.mkisofs.8;, a program that you can use to
-	produce a data file containing an ISO 9660 file
-	system. It has options that support various extensions, and is
-	described below.</para>
-
-      <indexterm>
-        <primary>CD burner</primary>
-        <secondary>ATAPI</secondary>
-      </indexterm>
-      <para>Which tool to use to burn the CD depends on whether your CD burner
-	is ATAPI or something else. ATAPI CD burners use the <command>burncd</command> program that is part of
-	the base system. SCSI and USB CD burners should use
-	<command>cdrecord</command> from
-	the <package>sysutils/cdrtools</package> port.</para>
-
-      <para><command>burncd</command> has a limited number of
-	supported drives. To find out if a drive is supported, see the
-	<link xlink:href="http://www.freebsd.dk/ata/">CD-R/RW supported
-	  drives</link> list.</para>
+    <para>The &os; Ports Collection provides several utilities for
+      burning and duplicating audio and data <acronym>CD</acronym>s.
+      This chapter demonstrates the use of several command line
+      utilities.  For <acronym>CD</acronym> burning software with a
+      graphical utility, consider installing the
+      <package>sysutils/xcdroast</package> or
+      <package>sysutils/k3b</package> packages or ports.</para>
+
+    <sect2 xml:id="atapicam">
+      <info>
+	<title>Supported Devices</title>
+
+	<authorgroup>
+	  <author>
+	    <personname>
+	      <firstname>Marc</firstname>
+	      <surname>Fonvieille</surname>
+	    </personname>
+	    <contrib>Contributed by </contrib>
+	  </author>
+	</authorgroup>
+      </info>
 
-      <note>
       <indexterm>
-	<primary>CD burner</primary>
+	<primary><acronym>CD</acronym> burner</primary>
 	<secondary>ATAPI/CAM driver</secondary>
       </indexterm>
-	<para>If you run &os;&nbsp;5.X, &os;&nbsp;4.8-RELEASE version or
-	  higher, it will be possible to use <command>cdrecord</command> and other tools
-	  for SCSI drives on an ATAPI hardware with the <link linkend="atapicam">ATAPI/CAM module</link>.</para>
-      </note>
-
-      <para>If you want a CD burning software with a graphical user
-	interface, you should have a look to
-	<application>X-CD-Roast</application> or
-	<application>K3b</application>.  These tools are available as
-	packages or from the <package>sysutils/xcdroast</package> and <package>sysutils/k3b</package> ports.
-	<application>X-CD-Roast</application> and
-	<application>K3b</application> require the <link linkend="atapicam">ATAPI/CAM module</link> with ATAPI
-	hardware.</para>
-    </sect2>
 
-    <sect2 xml:id="mkisofs">
-      <title>mkisofs</title>
+      <para>The <filename>GENERIC</filename> kernel provides support
+	for <acronym>SCSI</acronym>,  <acronym>USB</acronym>, and
+	<acronym>ATAPI</acronym> <acronym>CD</acronym> readers and
+	burners.  If a custom kernel is used, the options that need to
+	be present in the kernel configuration file vary by the type
+	of device.</para>
+
+      <para>For a <acronym>SCSI</acronym> burner, make sure these
+	options are present:</para>
+
+      <programlisting>device scbus	# SCSI bus (required for ATA/SCSI)
+device da	# Direct Access (disks)
+device pass	# Passthrough device (direct ATA/SCSI access)
+device cd	# needed for CD and DVD burners</programlisting>
+
+      <para>For a <acronym>USB</acronym> burner, make sure these
+	options are present:</para>
+
+      <programlisting>device scbus	# SCSI bus (required for ATA/SCSI)
+device da	# Direct Access (disks)
+device pass	# Passthrough device (direct ATA/SCSI access)
+device cd	# needed for CD and DVD burners
+device uhci	# provides USB 1.x support
+device ohci	# provides USB 1.x support
+device ehci	# provides USB 2.0 support
+device xhci	# provides USB 3.0 support
+device usb	# USB Bus (required)
+device umass	# Disks/Mass storage - Requires scbus and da</programlisting>
+
+      <para>For an <acronym>ATAPI</acronym> burner, make sure these
+	options are present:</para>
+
+      <programlisting>device ata	# Legacy ATA/SATA controllers
+device scbus	# SCSI bus (required for ATA/SCSI)
+device pass	# Passthrough device (direct ATA/SCSI access)
+device cd	# needed for CD and DVD burners</programlisting>
 
-      <para>The &man.mkisofs.8; program, which is part of the
-	<package>sysutils/cdrtools</package> port,
-        produces an ISO 9660 file system
-	that is an image of a directory tree in the &unix; file system name
-	space. The simplest usage is:</para>
-
-      <screen>&prompt.root; <userinput>mkisofs -o imagefile.iso /path/to/tree</userinput></screen>
-
-      <indexterm>
-        <primary>file systems</primary>
-        <secondary>ISO 9660</secondary>
-      </indexterm>
-      <para>This command will create an <replaceable>imagefile.iso</replaceable>
-	containing an ISO 9660 file system that is a copy of the tree at
-	<replaceable>/path/to/tree</replaceable>. In the process, it will
-	map the file names to names that fit the limitations of the
-	standard ISO 9660 file system, and will exclude files that have
-	names uncharacteristic of ISO file systems.</para>
-
-      <indexterm>
-        <primary>file systems</primary>
-        <secondary>HFS</secondary>
-      </indexterm>
-      <indexterm>
-        <primary>file systems</primary>
-        <secondary>Joliet</secondary>
-      </indexterm>
-      <para>A number of options are available to overcome those
-	restrictions. In particular, <option>-R</option> enables the
-	Rock Ridge extensions common to &unix; systems, <option>-J</option>
-	enables Joliet extensions used by Microsoft systems, and
-	<option>-hfs</option> can be used to create HFS file systems used
-	by &macos;.</para>
-
-      <para>For CDs that are going to be used only on FreeBSD systems,
-	<option>-U</option> can be used to disable all filename
-	restrictions. When used with <option>-R</option>, it produces a
-	file system image that is identical to the FreeBSD tree you started
-	from, though it may violate the ISO 9660 standard in a number of
-	ways.</para>
-
-      <indexterm>
-        <primary>CDROMs</primary>
-        <secondary>creating bootable</secondary>
-      </indexterm>
-      <para>The last option of general use is <option>-b</option>. This is
-	used to specify the location of the boot image for use in producing an
-	<quote>El Torito</quote> bootable CD. This option takes an
-	argument which is the path to a boot image from the top of the
-	tree being written to the CD. By default, &man.mkisofs.8; creates an
-	ISO image in the so-called <quote>floppy disk emulation</quote> mode,
-	and thus expects the boot image to be exactly 1200, 1440 or
-	2880&nbsp;KB in size. Some boot loaders, like the one used by the
-	FreeBSD distribution disks, do not use emulation mode; in this case,
-	the <option>-no-emul-boot</option> option should be used. So, if
-	<filename>/tmp/myboot</filename> holds a bootable FreeBSD system
-	with the boot image in
-	<filename>/tmp/myboot/boot/cdboot</filename>, you could produce the
-	image of an ISO 9660 file system in
-	<filename>/tmp/bootable.iso</filename> like so:</para>
+      <note>
+	<para>On &os; versions prior to 10.x, this line is also
+	  needed in the kernel configuration file if the burner is an
+	  <acronym>ATAPI</acronym> device:</para>
 
-      <screen>&prompt.root; <userinput>mkisofs -R -no-emul-boot -b boot/cdboot -o /tmp/bootable.iso /tmp/myboot</userinput></screen>
+	<programlisting>device atapicam</programlisting>
 
-      <para>Having done that, if you have <filename>md</filename>
-	configured in your kernel, you can mount the file system with:</para>
+	<para>Alternately, this driver can be loaded at boot time by
+	  adding the following line to
+	  <filename>/boot/loader.conf</filename>:</para>
 
-      <screen>&prompt.root; <userinput>mdconfig -a -t vnode -f /tmp/bootable.iso -u 0</userinput>
-&prompt.root; <userinput>mount -t cd9660 /dev/md0 /mnt</userinput></screen>
+	<programlisting>atapicam_load="YES"</programlisting>
 
-      <para>At which point you can verify that <filename>/mnt</filename>
-	and <filename>/tmp/myboot</filename> are identical.</para>
+	<para>This will require a reboot of the system as this driver
+	  can only be loaded at boot time.</para>
+      </note>
 
-      <para>There are many other options you can use with
-	&man.mkisofs.8; to fine-tune its behavior.  In particular:
-	modifications to an ISO 9660 layout and the creation of Joliet
-	and HFS discs.  See the	&man.mkisofs.8; manual page for details.</para>
-    </sect2>
-
-    <sect2 xml:id="burncd">
-      <title>burncd</title>
-      <indexterm>
-        <primary>CDROMs</primary>
-        <secondary>burning</secondary>
-      </indexterm>
-      <para>If you have an ATAPI CD burner, you can use the
-	<command>burncd</command> command to burn an ISO image onto a
-	CD. <command>burncd</command> is part of the base system, installed
-	as <filename>/usr/sbin/burncd</filename>.  Usage is very simple, as
-	it has few options:</para>
-
-      <screen>&prompt.root; <userinput>burncd -f cddevice data imagefile.iso fixate</userinput></screen>
-
-      <para>Will burn a copy of <replaceable>imagefile.iso</replaceable> on
-	<replaceable>cddevice</replaceable>. The default device is
-	<filename>/dev/acd0</filename>.  See &man.burncd.8; for options to
-	set the write speed, eject the CD after burning, and write audio
-	data.</para>
+      <para>To verify that &os; recognizes the device, run
+	<command>dmesg</command> and look for an entry for the device.
+	On systems prior to 10.x, the device name in the first line of
+	the output will be <filename>acd0</filename> instead of
+	<filename>cd0</filename>.</para>
+
+      <screen>&prompt.user; <userinput>dmesg | grep cd</userinput>
+cd0 at ahcich1 bus 0 scbus1 target 0 lun 0
+cd0: &lt;HL-DT-ST DVDRAM GU70N LT20&gt; Removable CD-ROM SCSI-0 device
+cd0: Serial Number M3OD3S34152
+cd0: 150.000MB/s transfers (SATA 1.x, UDMA6, ATAPI 12bytes, PIO 8192bytes)
+cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed</screen>
     </sect2>
 
     <sect2 xml:id="cdrecord">
-      <title>cdrecord</title>
+      <title>Burning a <acronym>CD</acronym></title>
+
+      <para>In &os;, <command>cdrecord</command> can be used to burn
+	<acronym>CD</acronym>s.  This command is installed with the
+	<package>sysutils/cdrtools</package> package or port.</para>
+
+      <note>
+	<para>&os; 8.x includes the built-in
+	  <command>burncd</command> utility for burning
+	  <acronym>CD</acronym>s using an <acronym>ATAPI</acronym>
+	  <acronym>CD</acronym> burner.  Refer to the manual page for
+	  <command>burncd</command> for usage examples.</para>
+      </note>
+
+      <para>While <command>cdrecord</command> has many options, basic
+	usage is simple.  Specify the name of the
+	<acronym>ISO</acronym> file to burn and, if the system has
+	multiple burner devices, specify the name of the device to
+	use:</para>
+
+      <screen>&prompt.root; <userinput>cdrecord <replaceable>dev=device</replaceable> <replaceable>imagefile.iso</replaceable></userinput></screen>
+
+      <para>To determine the device name of the burner, use
+	<option>-scanbus</option> which might produce results like
+	this:</para>
 
-      <para>If you do not have an ATAPI CD burner, you will have to use
-	<command>cdrecord</command> to burn your
-	CDs. <command>cdrecord</command> is not part of the base system;
-	you must install it from either the port at <package>sysutils/cdrtools</package>
-	or the appropriate
-	package. Changes to the base system can cause binary versions of
-	this program to fail, possibly resulting in a
-	<quote>coaster</quote>. You should therefore either upgrade the
-	port when you upgrade your system, or if you are <link linkend="stable">tracking -STABLE</link>, upgrade the port when a
-	new version becomes available.</para>
-
-      <para>While <command>cdrecord</command> has many options, basic usage
-	is even simpler than <command>burncd</command>. Burning an ISO 9660
-	image is done with:</para>
-
-      <screen>&prompt.root; <userinput>cdrecord dev=device imagefile.iso</userinput></screen>
-
-      <para>The tricky part of using <command>cdrecord</command> is finding
-	the <option>dev</option> to use. To find the proper setting, use
-	the <option>-scanbus</option> flag of <command>cdrecord</command>,
-	which might produce results like this:</para>
       <indexterm>
-        <primary>CDROMs</primary>
-        <secondary>burning</secondary>
+	<primary><acronym>CD-ROM</acronym>s</primary>
+	<secondary>burning</secondary>
       </indexterm>
       <screen>&prompt.root; <userinput>cdrecord -scanbus</userinput>
-Cdrecord-Clone 2.01 (i386-unknown-freebsd7.0) Copyright (C) 1995-2004 J&ouml;rg Schilling
-Using libscg version 'schily-0.1'
+ProDVD-ProBD-Clone 3.00 (amd64-unknown-freebsd10.0) Copyright (C) 1995-2010 J&ouml;rg Schilling
+Using libscg version 'schily-0.9'
 scsibus0:
         0,0,0     0) 'SEAGATE ' 'ST39236LW       ' '0004' Disk
         0,1,0     1) 'SEAGATE ' 'ST39173W        ' '5958' Disk
@@ -1013,590 +794,648 @@
         1,6,0   106) 'ARTEC   ' 'AM12S           ' '1.06' Scanner
         1,7,0   107) *</screen>
 
-      <para>This lists the appropriate <option>dev</option> value for the
-	devices on the list. Locate your CD burner, and use the three
-	numbers separated by commas as the value for
-	<option>dev</option>. In this case, the CRW device is 1,5,0, so the
-	appropriate input would be
-	<option>dev=1,5,0</option>. There are easier
-	ways to specify this value; see &man.cdrecord.1; for
-	details. That is also the place to look for information on writing
-	audio tracks, controlling the speed, and other things.</para>
-    </sect2>
-
-    <sect2 xml:id="duplicating-audiocds">
-      <title>Duplicating Audio CDs</title>
-
-      <para>You can duplicate an audio CD by extracting the audio data from
-	the CD to a series of files, and then writing these files to a blank
-	CD.  The process is slightly different for ATAPI and SCSI
-	drives.</para>
-
-      <procedure>
-	<title>SCSI Drives</title>
-
-	<step>
-	  <para>Use <command>cdda2wav</command> to extract the audio.</para>
-
-	  <screen>&prompt.user; <userinput>cdda2wav -v255 -D2,0 -B -Owav</userinput></screen>
-	</step>
-
-	<step>
-	  <para>Use <command>cdrecord</command> to write the
-	    <filename>.wav</filename> files.</para>
-
-	  <screen>&prompt.user; <userinput>cdrecord -v dev=2,0 -dao -useinfo  *.wav</userinput></screen>
-
-	  <para>Make sure that <replaceable>2,0</replaceable> is set
-	    appropriately, as described in <xref linkend="cdrecord"/>.</para>
-	</step>
-      </procedure>
-
-      <procedure>
-	<title>ATAPI Drives</title>
+      <para>Locate the entry for the <acronym>CD</acronym> burner and
+	use the three numbers separated by commas as the value for
+	<option>dev</option>.  In this case, the Yamaha burner device
+	is <literal>1,5,0</literal>, so the appropriate input to
+	specify that device is <option>dev=1,5,0</option>.  Refer to
+	the manual page for <command>cdrecord</command> for other ways
+	to specify this value and for information on writing audio
+	tracks and controlling the write speed.</para>
 
-	<step>
-	  <para>The ATAPI CD driver makes each track available as
-	    <filename>/dev/acddtnn</filename>,
-	    where <replaceable>d</replaceable> is the drive number, and
-	    <replaceable>nn</replaceable> is the track number written with two
-	    decimal digits, prefixed with zero as needed.
-	    So the first track on the first disk is
-	    <filename>/dev/acd0t01</filename>, the second is
-	    <filename>/dev/acd0t02</filename>, the third is
-	    <filename>/dev/acd0t03</filename>, and so on.</para>
-
-	  <para>Make sure the appropriate files exist in
-	    <filename>/dev</filename>.  If the entries are missing,
-	    force the system to retaste the media:</para>
+      <para>Alternately, run the following command to get the device
+	address of the burner:</para>
 
-	  <screen>&prompt.root; <userinput>dd if=/dev/acd0 of=/dev/null count=1</userinput></screen>
+      <screen>&prompt.root; <userinput>camcontrol devlist</userinput>
+&lt;MATSHITA CDRW/DVD UJDA740 1.00&gt;   at scbus1 target 0 lun 0 (cd0,pass0)</screen>
 
-	</step>
+      <para>Use the numeric values for <literal>scbus</literal>,
+	<literal>target</literal>, and <literal>lun</literal>.  For
+	this example, <literal>1,0,0</literal> is the device name to
+	use.</para>
+    </sect2>
 
-	<step>
-	  <para>Extract each track using &man.dd.1;.  You must also use a
-	    specific block size when extracting the files.</para>
+    <sect2 xml:id="mkisofs">
+      <title>Writing Data to an <acronym>ISO</acronym> File
+	System</title>
 
-	  <screen>&prompt.root; <userinput>dd if=/dev/acd0t01 of=track1.cdr bs=2352</userinput>
-&prompt.root; <userinput>dd if=/dev/acd0t02 of=track2.cdr bs=2352</userinput>
-...
-</screen>
-	</step>
+      <para>In order to produce a data <acronym>CD</acronym>, the data
+	files that are going to make up the tracks on the
+	<acronym>CD</acronym> must be prepared before they can be
+	burned to the <acronym>CD</acronym>.  In &os;,
+	<package>sysutils/cdrtools</package> installs
+	<command>mkisofs</command>, which can be used to produce an
+	<acronym>ISO</acronym> 9660 file system that is an image of a
+	directory tree within a &unix; file system.  The simplest
+	usage is to specify the name of the <acronym>ISO</acronym>
+	file to create and the path to the files to place into the
+	<acronym>ISO</acronym> 9660 file system:</para>
+
+      <screen>&prompt.root; <userinput>mkisofs -o <replaceable>imagefile.iso</replaceable> <replaceable>/path/to/tree</replaceable></userinput></screen>
+
+      <indexterm>
+	<primary>file systems</primary>
+	<secondary>ISO 9660</secondary>
+      </indexterm>
+
+      <para>This command maps the file names in the specified path to
+	names that fit the limitations of the standard
+	<acronym>ISO</acronym> 9660 file system, and will exclude
+	files that do not meet the standard for <acronym>ISO</acronym>
+	file systems.</para>
+
+      <indexterm>
+	<primary>file systems</primary>
+	<secondary>Joliet</secondary>
+      </indexterm>
+
+      <para>A number of options are available to overcome the
+	restrictions imposed by the standard.  In particular,
+	<option>-R</option> enables the Rock Ridge extensions common
+	to &unix; systems and <option>-J</option> enables Joliet
+	extensions used by &microsoft; systems.</para>
+
+      <para>For <acronym>CD</acronym>s that are going to be used only
+	on &os; systems, <option>-U</option> can be used to disable
+	all filename restrictions.  When used with
+	<option>-R</option>, it produces a file system image that is
+	identical to the specified &os; tree, even if it violates the
+	<acronym>ISO</acronym> 9660 standard.</para>
+
+      <indexterm>
+	<primary><acronym>CD-ROM</acronym>s</primary>
+	<secondary>creating bootable</secondary>
+      </indexterm>
+
+      <para>The last option of general use is <option>-b</option>.
+	This is used to specify the location of a boot image for use
+	in producing an <quote>El Torito</quote> bootable
+	<acronym>CD</acronym>.  This option takes an argument which is
+	the path to a boot image from the top of the tree being
+	written to the <acronym>CD</acronym>.  By default,
+	<command>mkisofs</command> creates an <acronym>ISO</acronym>
+	image in <quote>floppy disk emulation</quote> mode, and thus
+	expects the boot image to be exactly 1200, 1440 or
+	2880&nbsp;KB in size.  Some boot loaders, like the one used by
+	the &os; distribution media, do not use emulation mode.  In
+	this case, <option>-no-emul-boot</option> should be used.  So,
+	if <filename>/tmp/myboot</filename> holds a bootable &os;
+	system with the boot image in
+	<filename>/tmp/myboot/boot/cdboot</filename>, this command
+	would produce
+	<filename>/tmp/bootable.iso</filename>:</para>
 
-	<step>
-	  <para>Burn the extracted files to disk using
-	    <command>burncd</command>.  You must specify that these are audio
-	    files, and that <command>burncd</command> should fixate the disk
-	    when finished.</para>
+      <screen>&prompt.root; <userinput>mkisofs -R -no-emul-boot -b boot/cdboot -o /tmp/bootable.iso /tmp/myboot</userinput></screen>
 
-	  <screen>&prompt.root; <userinput>burncd -f /dev/acd0 audio track1.cdr track2.cdr ... fixate</userinput></screen>
-	</step>
-      </procedure>
-    </sect2>
+      <para>The resulting <acronym>ISO</acronym> image can be mounted
+	as a memory disk with:</para>
 
-    <sect2 xml:id="imaging-cd">
-      <title>Duplicating Data CDs</title>
+      <screen>&prompt.root; <userinput>mdconfig -a -t vnode -f /tmp/bootable.iso -u 0</userinput>
+&prompt.root; <userinput>mount -t cd9660 /dev/md0 /mnt</userinput></screen>
 
-      <para>You can copy a data CD to a image file that is
-	functionally equivalent to the image file created with
-        &man.mkisofs.8;, and you can use it to duplicate
-	any data CD.  The example given here assumes that your CDROM
-	device is <filename>acd0</filename>.  Substitute your
-	correct CDROM device.</para>
+      <para>One can then verify that <filename>/mnt</filename> and
+	<filename>/tmp/myboot</filename> are identical.</para>
 
-      <screen>&prompt.root; <userinput>dd if=/dev/acd0 of=file.iso bs=2048</userinput></screen>
+      <para>There are many other options available for
+	<command>mkisofs</command> to fine-tune its behavior.  Refer
+	to &man.mkisofs.8; for details.</para>
 
-      <para>Now that you have an image, you can burn it to CD as
-	described above.</para>
+      <note>
+	<para>It is possible to copy a data <acronym>CD</acronym> to
+	  an image file that is functionally equivalent to the image
+	  file created with <command>mkisofs</command>.  To do so, use
+	  <filename>dd</filename> with the device name as the input
+	  file and the name of the <acronym>ISO</acronym> to create as
+	  the output file:</para>
+
+	<screen>&prompt.root; <userinput>dd if=/dev/<replaceable>cd0</replaceable> of=<replaceable>file.iso</replaceable> bs=2048</userinput></screen>
+
+	<para>The resulting image file can be burned to
+	  <acronym>CD</acronym> as described in <xref
+	    linkend="cdrecord"/>.</para>
+      </note>
     </sect2>
 
     <sect2 xml:id="mounting-cd">
-      <title>Using Data CDs</title>
+      <title>Using Data <acronym>CD</acronym>s</title>
 
-      <para>Now that you have created a standard data CDROM, you
-	probably want to mount it and read the data on it.  By
-	default, &man.mount.8; assumes that a file system is of type
-	<literal>ufs</literal>.  If you try something like:</para>
-
-      <screen>&prompt.root; <userinput>mount /dev/cd0 /mnt</userinput></screen>
-
-      <para>you will get a complaint about <errorname>Incorrect super
-	  block</errorname>, and no mount. The CDROM is not a
-	  <literal>UFS</literal> file system, so attempts to mount it
-	  as such will fail.  You just need to tell &man.mount.8; that
-	  the file system is of type <literal>ISO9660</literal>, and
-	  everything will work.  You do this by specifying the
-	  <option>-t cd9660</option> option &man.mount.8;. For
-	  example, if you want to mount the CDROM device,
-	  <filename>/dev/cd0</filename>, under
-	  <filename>/mnt</filename>, you would execute:</para>
-
-          <screen>&prompt.root; <userinput>mount -t cd9660 /dev/cd0 /mnt</userinput></screen>
-
-      <para>Note that your device name
-	(<filename>/dev/cd0</filename> in this example) could be
-	different, depending on the interface your CDROM uses. Also,
-	the <option>-t cd9660</option> option just executes
-	&man.mount.cd9660.8;. The above example could be shortened
-	to:</para>
-
-<screen>&prompt.root; <userinput>mount_cd9660 /dev/cd0 /mnt</userinput></screen>
-
-      <para>You can generally use data CDROMs from any vendor in this
-	way.  Disks with certain ISO 9660 extensions might behave
-	oddly, however.  For example, Joliet disks store all filenames
-	in two-byte Unicode characters.  The FreeBSD kernel does not
-	speak Unicode (yet!), so non-English characters show up as
-	question marks.  (The FreeBSD
-	CD9660 driver includes hooks to load an appropriate Unicode
-	conversion table on the fly.  Modules for some of the common
-	encodings are available via the
-	<package>sysutils/cd9660_unicode</package> port.)</para>
-
-      <para>Occasionally, you might get <errorname>Device not
-	configured</errorname> when trying to mount a CDROM.  This
-	usually means that the CDROM drive thinks that there is no
-	disk in the tray, or that the drive is not visible on the bus.
-	It can take a couple of seconds for a CDROM drive to realize
-	that it has been fed, so be patient.</para>
-
-      <para>Sometimes, a SCSI CDROM may be missed because it did not
-	have enough time to answer the bus reset.  If you have a SCSI
-	CDROM please add the following option to your kernel
-	configuration and <link linkend="kernelconfig-building">rebuild your kernel</link>.</para>
-
-      <programlisting>options SCSI_DELAY=15000</programlisting>
+      <para>Once an <acronym>ISO</acronym> has been burned to a
+	<acronym>CD</acronym>, it can be mounted by specifying the
+	file system type, the name of the device containing the
+	<acronym>CD</acronym>, and an existing mount point:</para>
+
+      <screen>&prompt.root; <userinput>mount -t cd9660 <replaceable>/dev/cd0</replaceable> <replaceable>/mnt</replaceable></userinput></screen>
+
+      <para>Since <command>mount</command> assumes that a file system
+	is of type <literal>ufs</literal>, a <errorname>Incorrect
+	  super block</errorname> error will occur if <literal>-t
+	  cd9660</literal> is not included when mounting a data
+	<acronym>CD</acronym>.</para>
+
+      <para>While any data <acronym>CD</acronym> can be mounted this
+	way, disks with certain <acronym>ISO</acronym> 9660 extensions
+	might behave oddly.  For example, Joliet disks store all
+	filenames in two-byte Unicode characters.  If some non-English
+	characters show up as question marks, specify the local
+	charset with <option>-C</option>.  For more information, refer
+	to &man.mount.cd9660.8;.</para>
 
-      <para>This tells your SCSI bus to pause 15 seconds during boot,
-	to give your CDROM drive every possible chance to answer the
-	bus reset.</para>
-    </sect2>
+      <note>
+	<para>In order to do this character conversion with the help
+	  of <option>-C</option>, the kernel requires the
+	  <filename>cd9660_iconv.ko</filename> module to be loaded.
+	  This can be done either by adding this line to
+	  <filename>loader.conf</filename>:</para>
 
-    <sect2 xml:id="rawdata-cd">
-      <title>Burning Raw Data CDs</title>
+	<programlisting>cd9660_iconv_load="YES"</programlisting>
 
-      <para>You can choose to burn a file directly to CD, without
-	creating an ISO 9660 file system.  Some people do this for
-	backup purposes.  This runs more quickly than burning a
-	standard CD:</para>
+	<para>and then rebooting the machine, or by directly loading
+	  the module with <command>kldload</command>.</para>
+      </note>
 
-      <screen>&prompt.root; <userinput>burncd -f /dev/acd1 -s 12 data archive.tar.gz fixate</userinput></screen>
+      <para>Occasionally, <errorname>Device not configured</errorname>
+	will be displayed when trying to mount a data
+	<acronym>CD</acronym>.  This usually means that the
+	<acronym>CD</acronym> drive thinks that there is no disk in
+	the tray, or that the drive is not visible on the bus.  It
+	can take a couple of seconds for a <acronym>CD</acronym>
+	drive to realize that a media is present, so be
+	patient.</para>
+
+      <para>Sometimes, a <acronym>SCSI</acronym>
+	<acronym>CD</acronym> drive may be missed because it did not
+	have enough time to answer the bus reset.  To resolve this,
+	a custom kernel can be created which increases the default
+	<acronym>SCSI</acronym> delay.  Add the following option to
+	the custom kernel configuration file and rebuild the kernel
+	using the instructions in <xref
+	  linkend="kernelconfig-building"/>:</para>
 
-      <para>In order to retrieve the data burned to such a CD, you
-	  must read data from the raw device node:</para>
+      <programlisting>options SCSI_DELAY=15000</programlisting>
 
-      <screen>&prompt.root; <userinput>tar xzvf /dev/acd1</userinput></screen>
+      <para>This tells the <acronym>SCSI</acronym> bus to pause 15
+	seconds during boot, to give the <acronym>CD</acronym>
+	drive every possible chance to answer the bus reset.</para>
 
-      <para>You cannot mount this disk as you would a normal CDROM.
-	  Such a CDROM cannot be read under any operating system
-	  except FreeBSD.  If you want to be able to mount the CD, or
-	  share data with another operating system, you must use
-	  &man.mkisofs.8; as described above.</para>
+      <note>
+	<para>It is possible to burn a file directly to
+	  <acronym>CD</acronym>, without creating an
+	  <acronym>ISO</acronym> 9660 file system.  This is known as
+	  burning a raw data <acronym>CD</acronym> and some people do
+	  this for backup purposes.</para>
+
+	<para>This type of disk can not be mounted as a normal data
+	  <acronym>CD</acronym>.  In order to retrieve the data burned
+	  to such a <acronym>CD</acronym>, the data must be read from
+	  the raw device node.  For example, this command will extract
+	  a compressed tar file located on the second
+	  <acronym>CD</acronym> device into the current working
+	  directory:</para>
+
+	<screen>&prompt.root; <userinput>tar xzvf /dev/<replaceable>cd1</replaceable></userinput></screen>
+
+	<para>  In order to mount a data <acronym>CD</acronym>, the
+	  data must be written using
+	  <command>mkisofs</command>.</para>
+      </note>
     </sect2>
 
-    <sect2 xml:id="atapicam">
-      <info><title>Using the ATAPI/CAM Driver</title>
-	<authorgroup>
-	  <author><personname><firstname>Marc</firstname><surname>Fonvieille</surname></personname><contrib>Contributed by </contrib></author>
-	</authorgroup>
-      </info>
-
-      
-
-      <indexterm>
-	<primary>CD burner</primary>
-	<secondary>ATAPI/CAM driver</secondary>
-      </indexterm>
-
-      <para>This driver allows ATAPI devices (CD-ROM, CD-RW, DVD
-	drives etc...) to be accessed through the SCSI subsystem, and
-	so allows the use of applications like <package>sysutils/cdrdao</package> or
-	&man.cdrecord.1;.</para>
-
-      <para>To use this driver, you will need to add the following
-	line to your kernel configuration file:</para>
-
-      <programlisting>device atapicam</programlisting>
-
-      <para>You also need the following lines in your kernel
-	configuration file:</para>
-
-      <programlisting>device ata
-device scbus
-device cd
-device pass</programlisting>
-
-      <para>which should already be present.</para>
-
-      <para>Then rebuild, install your new kernel, and reboot your
-	machine.  During the boot process, your burner should show up,
-	like so:</para>
-
-      <screen>acd0: CD-RW &lt;MATSHITA CD-RW/DVD-ROM UJDA740&gt; at ata1-master PIO4
-cd0 at ata1 bus 0 target 0 lun 0
-cd0: &lt;MATSHITA CDRW/DVD UJDA740 1.00&gt; Removable CD-ROM SCSI-0 device
-cd0: 16.000MB/s transfers
-cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed</screen>
-
-      <para>The drive could now be accessed via the
-	<filename>/dev/cd0</filename> device name, for example to
-	mount a CD-ROM on <filename>/mnt</filename>, just type the
-	following:</para>
-
-      <screen>&prompt.root; <userinput>mount -t cd9660 /dev/cd0 /mnt</userinput></screen>
+    <sect2 xml:id="duplicating-audiocds">
+      <title>Duplicating Audio <acronym>CD</acronym>s</title>
 
-      <para>As <systemitem class="username">root</systemitem>, you can run the following
-	command to get the SCSI address of the burner:</para>
+      <para>To duplicate an audio <acronym>CD</acronym>, extract the
+	audio data from the <acronym>CD</acronym> to a series of
+	files, then write these files to a blank
+	<acronym>CD</acronym>.</para>
+
+      <para><xref linkend="using-cdrecord"/> describes how to
+	duplicate and burn an audio <acronym>CD</acronym>.  If the
+	&os; version is less than 10.0 and the device is
+	<acronym>ATAPI</acronym>, the <option>atapicam</option> module
+	must be first loaded using the instructions in <xref
+	  linkend="atapicam"/>.</para>
+
+      <procedure xml:id="using-cdrecord">
+	<title>Duplicating an Audio <acronym>CD</acronym></title>
+
+	<step>
+	  <para>The <package>sysutils/cdrtools</package> package or
+	    port installs <command>cdda2wav</command>.  This command
+	    can be used to extract all of the audio tracks, with each
+	    track written to a separate <acronym>WAV</acronym> file in
+	    the current working directory:</para>
+
+	  <screen>&prompt.user; <userinput>cdda2wav -vall -B -Owav</userinput></screen>
+
+	  <para>A device name does not need to be specified if there
+	    is only one <acronym>CD</acronym> device on the system.
+	    Refer to the <command>cdda2wav</command> manual page for
+	    instructions on how to specify a device and to learn more
+	    about the other options available for this command.</para>
+	</step>
 
-      <screen>&prompt.root; <userinput>camcontrol devlist</userinput>
-&lt;MATSHITA CDRW/DVD UJDA740 1.00&gt;   at scbus1 target 0 lun 0 (pass0,cd0)</screen>
+	<step>
+	  <para>Use <command>cdrecord</command> to write the
+	    <filename>.wav</filename> files:</para>
 
-      <para>So <literal>1,0,0</literal> will be the SCSI address to
-	use with &man.cdrecord.1; and other SCSI application.</para>
+	  <screen>&prompt.user; <userinput>cdrecord -v dev=<replaceable>2,0</replaceable> -dao -useinfo  *.wav</userinput></screen>
 
-      <para>For more information about ATAPI/CAM and SCSI system,
-	refer to the &man.atapicam.4; and &man.cam.4; manual
-	pages.</para>
+	  <para>Make sure that <replaceable>2,0</replaceable> is set
+	    appropriately, as described in <xref
+	      linkend="cdrecord"/>.</para>
+	</step>
+      </procedure>
     </sect2>
   </sect1>
 
   <sect1 xml:id="creating-dvds">
-    <info><title>Creating and Using Optical Media (DVDs)</title>
+    <info>
+      <title>Creating and Using <acronym>DVD</acronym> Media</title>
+
       <authorgroup>
-	<author><personname><firstname>Marc</firstname><surname>Fonvieille</surname></personname><contrib>Contributed by </contrib></author>
+	<author>
+	  <personname>
+	    <firstname>Marc</firstname>
+	    <surname>Fonvieille</surname>
+	  </personname>
+	  <contrib>Contributed by </contrib>
+	</author>
       </authorgroup>
       <authorgroup>
-	<author><personname><firstname>Andy</firstname><surname>Polyakov</surname></personname><contrib>With inputs from </contrib></author>
+	<author>
+	  <personname>
+	    <firstname>Andy</firstname>
+	    <surname>Polyakov</surname>
+	  </personname>
+	  <contrib>With inputs from </contrib>
+	</author>
       </authorgroup>
-      
     </info>
 
-    
     <indexterm>
-      <primary>DVD</primary>
+      <primary><acronym>DVD</acronym></primary>
       <secondary>burning</secondary>
     </indexterm>
 
-    <sect2>
-      <title>Introduction</title>
-
-      <para>Compared to the CD, the DVD is the next generation of
-	optical media storage technology.  The DVD can hold more data
-	than any CD and is nowadays the standard for video
-	publishing.</para>
+    <para>Compared to the <acronym>CD</acronym>, the
+      <acronym>DVD</acronym> is the next generation of optical media
+      storage technology.  The <acronym>DVD</acronym> can hold more
+      data than any <acronym>CD</acronym> and is the standard for
+      video publishing.</para>
 
-      <para>Five physical recordable formats can be defined for what
-	we will call a recordable DVD:</para>
+    <para>Five physical recordable formats can be defined for a
+      recordable <acronym>DVD</acronym>:</para>
 
-      <itemizedlist>
-	<listitem>
-	  <para>DVD-R: This was the first DVD recordable format
-	    available.  The DVD-R standard is defined by the <link xlink:href="http://www.dvdforum.com/forum.shtml">DVD Forum</link>.
-	    This format is write once.</para>
-	</listitem>
+    <itemizedlist>
+      <listitem>
+	<para>DVD-R: This was the first <acronym>DVD</acronym>
+	  recordable format available.  The DVD-R standard is defined
+	  by the <link
+	    xlink:href="http://www.dvdforum.com/forum.shtml"><acronym>DVD</acronym>
+	    Forum</link>.  This format is write once.</para>
+      </listitem>
 
-	<listitem>
-	  <para>DVD-RW: This is the rewriteable version of
-	    the DVD-R standard.  A DVD-RW can be rewritten about 1000
-	    times.</para>
-	</listitem>
+      <listitem>
+	<para><acronym>DVD-RW</acronym>: This is the rewritable
+	  version of the DVD-R standard.  A
+	  <acronym>DVD-RW</acronym> can be rewritten about 1000
+	  times.</para>
+      </listitem>
 
-	<listitem>
-	  <para>DVD-RAM: This is also a rewriteable format
-	    supported by the DVD Forum.  A DVD-RAM can be seen as a
-	    removable hard drive.  However, this media is not
-	    compatible with most DVD-ROM drives and DVD-Video players;
-	    only a few DVD writers support the DVD-RAM format.</para>
-	</listitem>
+      <listitem>
+	<para><acronym>DVD-RAM</acronym>: This is a rewritable format
+	  which can be seen as a removable hard drive.  However, this
+	  media is not compatible with most
+	  <acronym>DVD-ROM</acronym> drives and DVD-Video players as
+	  only a few <acronym>DVD</acronym> writers support the
+	  <acronym>DVD-RAM</acronym> format.  Refer to <xref
+	    linkend="creating-dvd-ram"/> for more information on
+	  <acronym>DVD-RAM</acronym> use.</para>
+      </listitem>
 
-	<listitem>
-	  <para>DVD+RW: This is a rewriteable format defined by
-	    the <link xlink:href="http://www.dvdrw.com/">DVD+RW
-	    Alliance</link>.  A DVD+RW can be rewritten about 1000
-	    times.</para>
-	</listitem>
+      <listitem>
+	<para><acronym>DVD+RW</acronym>: This is a rewritable format
+	  defined by the <link
+	    xlink:href="http://www.dvdrw.com/"><acronym>DVD+RW</acronym>
+	    Alliance</link>.  A <acronym>DVD+RW</acronym> can be
+	  rewritten about 1000 times.</para>
+      </listitem>
 
-	<listitem>
-	  <para>DVD+R: This format is the write once variation
-	    of the DVD+RW format.</para>
-	</listitem>
-      </itemizedlist>
+      <listitem>
+	<para>DVD+R: This format is the write once variation of the
+	  <acronym>DVD+RW</acronym> format.</para>
+      </listitem>
+    </itemizedlist>
 
-      <para>A single layer recordable DVD can hold up to
-	4,700,000,000&nbsp;bytes which is actually 4.38&nbsp;GB or
-	4485&nbsp;MB (1 kilobyte is 1024 bytes).</para>
+    <para>A single layer recordable <acronym>DVD</acronym> can hold up
+      to 4,700,000,000&nbsp;bytes which is actually 4.38&nbsp;GB or
+      4485&nbsp;MB as 1 kilobyte is 1024 bytes.</para>
 
-      <note>
-	<para>A distinction must be made between the physical media and
-	  the application.   For example, a DVD-Video is a specific
-	  file layout that can be written on any recordable DVD
-	  physical media: DVD-R, DVD+R, DVD-RW etc.  Before choosing
-	  the type of media, you must be sure that both the burner and the
-	  DVD-Video player (a standalone player or a DVD-ROM drive on
-	  a computer) are compatible with the media under consideration.</para></note>
-    </sect2>
+    <note>
+      <para>A distinction must be made between the physical media and
+	the application.  For example, a DVD-Video is a specific file
+	layout that can be written on any recordable
+	<acronym>DVD</acronym> physical media such as DVD-R, DVD+R, or
+	<acronym>DVD-RW</acronym>.  Before choosing the type of media,
+	ensure that both the burner and the DVD-Video player are
+	compatible with the media under consideration.</para>
+    </note>
 
     <sect2>
       <title>Configuration</title>
 
-      <para>The program &man.growisofs.1; will be used to perform DVD
-	recording.  This command is part of the
-	<application>dvd+rw-tools</application> utilities (<package>sysutils/dvd+rw-tools</package>).  The
-	<application>dvd+rw-tools</application> support all DVD media
-	types.</para>
-
-      <para>These tools use the SCSI subsystem to access to the
-	devices, therefore the <link linkend="atapicam">ATAPI/CAM
-	support</link> must be added to your kernel.  If your burner
-	uses the USB interface this addition is useless, and you should
-	read the <xref linkend="usb-disks"/> for more details on USB
-	devices configuration.</para>
-
-      <para>You also have to enable DMA access for ATAPI devices, this
-	can be done in adding the following line to the
-	<filename>/boot/loader.conf</filename> file:</para>
+      <para>To perform <acronym>DVD</acronym> recording, use
+	&man.growisofs.1;.  This command is part of the
+	<package>sysutils/dvd+rw-tools</package> utilities which
+	support all <acronym>DVD</acronym> media types.</para>
+
+      <para>These tools use the <acronym>SCSI</acronym> subsystem to
+	access the devices, therefore <link
+	  linkend="atapicam">ATAPI/CAM support</link> must be loaded
+	or statically compiled into the kernel.  This support is not
+	needed if the burner uses the <acronym>USB</acronym>
+	interface.  Refer to <xref linkend="usb-disks"/> for more
+	details on <acronym>USB</acronym> device configuration.</para>
+
+      <para>DMA access must also be enabled for
+	<acronym>ATAPI</acronym> devices, by adding the following line
+	to <filename>/boot/loader.conf</filename>:</para>
 
       <programlisting>hw.ata.atapi_dma="1"</programlisting>
 
-      <para>Before attempting to use the
-	<application>dvd+rw-tools</application> you should consult the
-	<link xlink:href="http://fy.chalmers.se/~appro/linux/DVD+RW/hcn.html">dvd+rw-tools'
-	hardware compatibility notes</link> for any information
-	related to your DVD burner.</para>
+      <para>Before attempting to use
+	<application>dvd+rw-tools</application>, consult the <link
+	  xlink:href="http://fy.chalmers.se/~appro/linux/DVD+RW/hcn.html">Hardware
+	  Compatibility Notes</link>.</para>
 
       <note>
-	<para>If you want a graphical user interface, you should have
-	  a look to <application>K3b</application> (<package>sysutils/k3b</package>) which provides a
-	  user friendly interface to &man.growisofs.1; and many others
+	<para>For a graphical user interface, consider using
+	  <package>sysutils/k3b</package> which provides a user
+	  friendly interface to &man.growisofs.1; and many other
 	  burning tools.</para>
       </note>
     </sect2>
 
     <sect2>
-      <title>Burning Data DVDs</title>
+      <title>Burning Data <acronym>DVD</acronym>s</title>
 
-      <para>The &man.growisofs.1; command is a frontend to <link linkend="mkisofs">mkisofs</link>, it will invoke
-	&man.mkisofs.8; to create the file system layout and will
-	perform the write on the DVD.  This means you do not need to
-	create an image of the data before the burning process.</para>
+      <para>Since &man.growisofs.1; is a front-end to <link
+	  linkend="mkisofs">mkisofs</link>, it will invoke
+	&man.mkisofs.8; to create the file system layout and perform
+	the write on the <acronym>DVD</acronym>.  This means that an
+	image of the data does not need to be created before the
+	burning process.</para>
 
-      <para>To burn onto a DVD+R or a DVD-R the data from the <filename>/path/to/data</filename> directory, use the
-	following command:</para>
+      <para>To burn to a DVD+R or a DVD-R the data in
+	<filename>/path/to/data</filename>, use the following
+	command:</para>
 
-      <screen>&prompt.root; <userinput>growisofs -dvd-compat -Z /dev/cd0 -J -R /path/to/data</userinput></screen>
+      <screen>&prompt.root; <userinput>growisofs -dvd-compat -Z <replaceable>/dev/cd0</replaceable> -J -R <replaceable>/path/to/data</replaceable></userinput></screen>
 
-      <para>The options <option>-J -R</option> are passed to
-	&man.mkisofs.8; for the file system creation (in this case: an
-	ISO 9660 file system with Joliet and Rock Ridge extensions),
-	consult the &man.mkisofs.8; manual page for more
+      <para>In this example, <option>-J -R</option> is passed to
+	&man.mkisofs.8;  to create an ISO 9660 file system with Joliet
+	and Rock Ridge extensions.  Refer to &man.mkisofs.8; for more
 	details.</para>
 
-      <para>The option <option>-Z</option> is used for the initial
-	session recording in any case: multiple sessions or not.  The
-	DVD device, <replaceable>/dev/cd0</replaceable>, must be
-	changed according to your configuration.  The
-	<option>-dvd-compat</option> parameter will close the disk,
-	the recording will be unappendable.  In return this should provide better
-	media compatibility with DVD-ROM drives.</para>
-
-      <para>It is also possible to burn a pre-mastered image, for
-	example to burn the image
-	<replaceable>imagefile.iso</replaceable>, we will run:</para>
+      <para>For the initial session recording, <option>-Z</option> is
+	used for both single and multiple sessions.  Replace
+	<replaceable>/dev/cd0</replaceable>, with the name of the
+	<acronym>DVD</acronym> device.  Using
+	<option>-dvd-compat</option> indicates that the disk will be
+	closed and that the recording will be unappendable.  This
+	should also provide better media compatibility with
+	<acronym>DVD-ROM</acronym> drives.</para>
 
-      <screen>&prompt.root; <userinput>growisofs -dvd-compat -Z /dev/cd0=imagefile.iso</userinput></screen>
+      <para>To burn a pre-mastered image, such as
+	<replaceable>imagefile.iso</replaceable>, use:</para>
+
+      <screen>&prompt.root; <userinput>growisofs -dvd-compat -Z <replaceable>/dev/cd0</replaceable>=<replaceable>imagefile.iso</replaceable></userinput></screen>
 
       <para>The write speed should be detected and automatically set
-	according to the media and the drive being used.  If you want
-	to force the write speed, use the <option>-speed=</option>
-	parameter.  For more information, read the &man.growisofs.1;
-	manual page.</para>
+	according to the media and the drive being used.  To force the
+	write speed, use  <option>-speed=</option>.  Refer to
+	&man.growisofs.1; for example usage.</para>
+
+      <note>
+	<para>In order to support working files larger than 4.38GB, an
+	  UDF/ISO-9660 hybrid file system must be created by passing
+	  <option>-udf -iso-level 3</option> to &man.mkisofs.8; and
+	  all related programs, such as &man.growisofs.1;.  This is
+	  required only when creating an ISO image file or when
+	  writing files directly to a disk.  Since a disk created this
+	  way must be mounted as an UDF file system with
+	  &man.mount.udf.8;, it will be usable only on an UDF aware
+	  operating system.  Otherwise it will look as if it contains
+	  corrupted files.</para>
+
+	<para>To create this type of ISO file:</para>
+
+	<screen>&prompt.user; <userinput>mkisofs -R -J -udf -iso-level 3 -o <replaceable>imagefile.iso</replaceable> <replaceable>/path/to/data</replaceable></userinput></screen>
+
+	<para>To burn files directly to a disk:</para>
+
+	<screen>&prompt.root; <userinput>growisofs -dvd-compat -udf -iso-level 3 -Z <replaceable>/dev/cd0</replaceable> -J -R <replaceable>/path/to/data</replaceable></userinput></screen>
+
+	<para>When an ISO image already contains large files, no
+	  additional options are required for &man.growisofs.1; to
+	  burn that image on a disk.</para>
+
+	<para>Be sure to use an up-to-date version of
+	  <package>sysutils/cdrtools</package>, which contains
+	  &man.mkisofs.8;, as an older version may not contain large
+	  files support.  If the latest version does not work, install
+	  <package>sysutils/cdrtools-devel</package> and read its
+	  &man.mkisofs.8;.</para>
+      </note>
     </sect2>
 
     <sect2>
-      <title>Burning a DVD-Video</title>
+      <title>Burning a <acronym>DVD</acronym>-Video</title>
 
       <indexterm>
-        <primary>DVD</primary>
-        <secondary>DVD-Video</secondary>
+	<primary><acronym>DVD</acronym></primary>
+	<secondary>DVD-Video</secondary>
       </indexterm>
 
-      <para>A DVD-Video is a specific file layout based on ISO 9660
-	and the micro-UDF (M-UDF) specifications.  The DVD-Video also
-	presents a specific data structure hierarchy, it is the reason
-	why you need a particular program such as <package>multimedia/dvdauthor</package> to author the
-	DVD.</para>
+      <para>A DVD-Video is a specific file layout based on the ISO
+	9660 and micro-UDF (M-UDF) specifications.  Since DVD-Video
+	presents a specific data structure hierarchy, a particular
+	program such as <package>multimedia/dvdauthor</package> is
+	needed to author the <acronym>DVD</acronym>.</para>
 
-      <para>If you already have an image of the DVD-Video file system,
-	just burn it in the same way as for any image, see the
-	previous section for an example.  If you have made the DVD
-	authoring and the result is in, for example, the directory
-	<filename>/path/to/video</filename>, the
-	following command should be used to burn the DVD-Video:</para>
+      <para>If an image of the DVD-Video file system already exists,
+	it can be burned in the same way as any other image.  If
+	<command>dvdauthor</command> was used to make the
+	<acronym>DVD</acronym> and the result is in
+	<filename>/path/to/video</filename>, the following command
+	should be used to burn the DVD-Video:</para>
 
-      <screen>&prompt.root; <userinput>growisofs -Z /dev/cd0 -dvd-video /path/to/video</userinput></screen>
+      <screen>&prompt.root; <userinput>growisofs -Z <replaceable>/dev/cd0</replaceable> -dvd-video <replaceable>/path/to/video</replaceable></userinput></screen>
 
-      <para>The <option>-dvd-video</option> option will be passed down to
-	&man.mkisofs.8; and will instruct it to create a DVD-Video file system
-	layout.  Beside this, the <option>-dvd-video</option> option
-	implies <option>-dvd-compat</option> &man.growisofs.1;
-	option.</para>
+      <para><option>-dvd-video</option> is passed to &man.mkisofs.8;
+	to instruct it to create a DVD-Video file system layout.
+	This option implies the <option>-dvd-compat</option>
+	&man.growisofs.1; option.</para>
     </sect2>
 
     <sect2>
-      <title>Using a DVD+RW</title>
+      <title>Using a <acronym>DVD+RW</acronym></title>
 
       <indexterm>
-        <primary>DVD</primary>
-        <secondary>DVD+RW</secondary>
+	<primary><acronym>DVD</acronym></primary>
+	<secondary><acronym>DVD+RW</acronym></secondary>
       </indexterm>
 
-      <para>Unlike CD-RW, a virgin DVD+RW needs to be formatted before
-	first use.  The &man.growisofs.1; program will take care of it
-	automatically whenever appropriate, which is the
-	<emphasis>recommended</emphasis> way.  However you can use the
-	<command>dvd+rw-format</command> command to format the
-	DVD+RW:</para>
+      <para>Unlike CD-RW, a virgin <acronym>DVD+RW</acronym> needs to
+	be formatted before first use.  It is
+	<emphasis>recommended</emphasis> to let &man.growisofs.1; take
+	care of this automatically whenever appropriate.  However, it
+	is possible to use <command>dvd+rw-format</command> to format
+	the <acronym>DVD+RW</acronym>:</para>
 
-      <screen>&prompt.root; <userinput>dvd+rw-format /dev/cd0</userinput></screen>
+      <screen>&prompt.root; <userinput>dvd+rw-format <replaceable>/dev/cd0</replaceable></userinput></screen>
 
-      <para>You need to perform this operation just once, keep in mind
-	that only virgin DVD+RW medias need to be formatted.  Then you
-	can burn the DVD+RW in the way seen in previous
-	sections.</para>
+      <para>Only perform this operation once and keep in mind that
+	only virgin <acronym>DVD+RW</acronym> medias need to be
+	formatted.  Once formatted, the <acronym>DVD+RW</acronym> can
+	be burned as usual.</para>
 
-      <para>If you want to burn new data (burn a totally new file
-	system not append some data) onto a DVD+RW, you do not need to
-	blank it, you just have to write over the previous recording
-	(in performing a new initial session), like this:</para>
+      <para>To burn a totally new file system and not just append some
+	data onto a <acronym>DVD+RW</acronym>, the media does not need
+	to be blanked first.  Instead, write over the previous
+	recording like this:</para>
 
-      <screen>&prompt.root; <userinput>growisofs -Z /dev/cd0 -J -R /path/to/newdata</userinput></screen>
+      <screen>&prompt.root; <userinput>growisofs -Z <replaceable>/dev/cd0</replaceable> -J -R <replaceable>/path/to/newdata</replaceable></userinput></screen>
 
-      <para>DVD+RW format offers the possibility to easily append data
-	to a previous recording.  The operation consists in merging a
-	new session to the existing one, it is not multisession
-	writing, &man.growisofs.1; will <emphasis>grow</emphasis> the
-	ISO 9660 file system present on the media.</para>
+      <para>The <acronym>DVD+RW</acronym> format supports appending
+	data to a previous recording.  This operation consists of
+	merging a new session to the existing one as it is not
+	considered to be multi-session writing.  &man.growisofs.1;
+	will <emphasis>grow</emphasis> the ISO 9660 file system
+	present on the media.</para>
 
-      <para>For example, if we want to append data to our previous
-	DVD+RW, we have to use the following:</para>
+      <para>For example, to append data to a
+	<acronym>DVD+RW</acronym>, use the following:</para>
 
-      <screen>&prompt.root; <userinput>growisofs -M /dev/cd0 -J -R /path/to/nextdata</userinput></screen>
+      <screen>&prompt.root; <userinput>growisofs -M <replaceable>/dev/cd0</replaceable> -J -R <replaceable>/path/to/nextdata</replaceable></userinput></screen>
 
-      <para>The same &man.mkisofs.8; options we used to burn the
+      <para>The same &man.mkisofs.8; options used to burn the
 	initial session should be used during next writes.</para>
 
       <note>
-	<para>You may want to use the <option>-dvd-compat</option>
-	  option if you want better media compatibility with DVD-ROM
-	  drives.  In the DVD+RW case, this will not prevent you from
-	  adding data.</para>
+	<para>Use <option>-dvd-compat</option> for better media
+	  compatibility with <acronym>DVD-ROM</acronym> drives.  When
+	  using <acronym>DVD+RW</acronym>, this option will not
+	  prevent the addition of data.</para>
       </note>
 
-      <para>If for any reason you really want to blank the media, do
-	the following:</para>
+      <para>To blank the media, use:</para>
 
-      <screen>&prompt.root; <userinput>growisofs -Z /dev/cd0=/dev/zero</userinput></screen>
+      <screen>&prompt.root; <userinput>growisofs -Z <replaceable>/dev/cd0</replaceable>=<replaceable>/dev/zero</replaceable></userinput></screen>
     </sect2>
 
     <sect2>
-      <title>Using a DVD-RW</title>
+      <title>Using a <acronym>DVD-RW</acronym></title>
 
       <indexterm>
-        <primary>DVD</primary>
-        <secondary>DVD-RW</secondary>
+	<primary><acronym>DVD</acronym></primary>
+	<secondary><acronym>DVD-RW</acronym></secondary>
       </indexterm>
 
-      <para>A DVD-RW accepts two disc formats: the incremental
-	sequential one and the restricted overwrite.  By default
-	DVD-RW discs are in sequential format.</para>
+      <para>A <acronym>DVD-RW</acronym> accepts two disc formats:
+	incremental sequential and restricted overwrite.  By default,
+	<acronym>DVD-RW</acronym> discs are in sequential
+	format.</para>
 
-      <para>A virgin DVD-RW can be directly written without the need
-	of a formatting operation, however a non-virgin DVD-RW in
-	sequential format needs to be blanked before to be able to
-	write a new initial session.</para>
+      <para>A virgin <acronym>DVD-RW</acronym> can be directly written
+	without being formatted.  However, a non-virgin
+	<acronym>DVD-RW</acronym> in sequential format needs to be
+	blanked before writing a new initial session.</para>
 
-      <para>To blank a DVD-RW in sequential mode, run:</para>
+      <para>To blank a <acronym>DVD-RW</acronym> in sequential
+	mode:</para>
 
-      <screen>&prompt.root; <userinput>dvd+rw-format -blank=full /dev/cd0</userinput></screen>
+      <screen>&prompt.root; <userinput>dvd+rw-format -blank=full <replaceable>/dev/cd0</replaceable></userinput></screen>
 
       <note>
-	<para>A full blanking (<option>-blank=full</option>) will take
-	  about one hour on a 1x media.  A fast blanking can be
-	  performed using the <option>-blank</option> option if the
-	  DVD-RW will be recorded in Disk-At-Once (DAO) mode.  To burn
-	  the DVD-RW in DAO mode, use the command:</para>
-
-	<screen>&prompt.root; <userinput>growisofs -use-the-force-luke=dao -Z /dev/cd0=imagefile.iso</userinput></screen>
-
-	<para>The <option>-use-the-force-luke=dao</option> option
-	  should not be required since &man.growisofs.1; attempts to
-	  detect minimally (fast blanked) media and engage DAO
-	  write.</para>
-
-	<para>In fact one should use restricted overwrite mode with
-	  any DVD-RW, this format is more flexible than the default
-	  incremental sequential one.</para>
+	<para>A full blanking using <option>-blank=full</option> will
+	  take about one hour on a 1x media.  A fast blanking can be
+	  performed using <option>-blank</option>, if the
+	  <acronym>DVD-RW</acronym> will be recorded in Disk-At-Once
+	  (DAO) mode.  To burn the <acronym>DVD-RW</acronym> in DAO
+	  mode, use the command:</para>
+
+	<screen>&prompt.root; <userinput>growisofs -use-the-force-luke=dao -Z <replaceable>/dev/cd0</replaceable>=<replaceable>imagefile.iso</replaceable></userinput></screen>
+
+	<para>Since &man.growisofs.1; automatically attempts to detect
+	  fast blanked media and engage DAO write,
+	  <option>-use-the-force-luke=dao</option> should not be
+	  required.</para>
+
+	<para>One should instead use restricted overwrite mode with
+	  any <acronym>DVD-RW</acronym> as this format is more
+	  flexible than the default of incremental sequential.</para>
       </note>
 
-      <para>To write data on a sequential DVD-RW, use the same
-	instructions as for the other DVD formats:</para>
+      <para>To write data on a sequential <acronym>DVD-RW</acronym>,
+	use the same instructions as for the other
+	<acronym>DVD</acronym> formats:</para>
 
-      <screen>&prompt.root; <userinput>growisofs -Z /dev/cd0 -J -R /path/to/data</userinput></screen>
+      <screen>&prompt.root; <userinput>growisofs -Z <replaceable>/dev/cd0</replaceable> -J -R <replaceable>/path/to/data</replaceable></userinput></screen>
 
-      <para>If you want to append some data to your previous
-	recording, you will have to use the &man.growisofs.1;
-	<option>-M</option> option.  However, if you perform data
-	addition on a DVD-RW in incremental sequential mode, a new
-	session will be created on the disc and the result will be a
-	multi-session disc.</para>
+      <para>To append some data to a previous recording, use
+	<option>-M</option> with &man.growisofs.1;.  However, if data
+	is appended on a <acronym>DVD-RW</acronym> in incremental
+	sequential mode, a new session will be created on the disc and
+	the result will be a multi-session disc.</para>
 
-      <para>A DVD-RW in restricted overwrite format does not need to
-	be blanked before a new initial session, you just have to
-	overwrite the disc with the <option>-Z</option> option, this
-	is similar to the DVD+RW case.  It is also possible to grow an
-	existing ISO 9660 file system written on the disc in a same
-	way as for a DVD+RW with the <option>-M</option> option.  The
-	result will be a one-session DVD.</para>
+      <para>A <acronym>DVD-RW</acronym> in restricted overwrite format
+	does not need to be blanked before a new initial session.
+	Instead, overwrite the disc with <option>-Z</option>.  It is
+	also possible to grow an existing ISO 9660 file system written
+	on the disc with <option>-M</option>.  The result will be a
+	one-session <acronym>DVD</acronym>.</para>
 
-      <para>To put a DVD-RW in the restricted overwrite format, the
-	following command must be used:</para>
+      <para>To put a <acronym>DVD-RW</acronym> in restricted overwrite
+	format, the following command must be used:</para>
 
-      <screen>&prompt.root; <userinput>dvd+rw-format /dev/cd0</userinput></screen>
+      <screen>&prompt.root; <userinput>dvd+rw-format <replaceable>/dev/cd0</replaceable></userinput></screen>
 
-      <para>To change back to the sequential format use:</para>
+      <para>To change back to sequential format, use:</para>
 
-      <screen>&prompt.root; <userinput>dvd+rw-format -blank=full /dev/cd0</userinput></screen>
+      <screen>&prompt.root; <userinput>dvd+rw-format -blank=full <replaceable>/dev/cd0</replaceable></userinput></screen>
     </sect2>
 
     <sect2>
-      <title>Multisession</title>
+      <title>Multi-Session</title>
 
-      <para>Very few DVD-ROM drives support
-	multisession DVDs, they will most of time, hopefully, only read
-	the first session.  DVD+R, DVD-R and DVD-RW in sequential
-	format can accept multiple sessions, the notion of multiple
-	sessions does not exist for the DVD+RW and the DVD-RW
+      <para>Few <acronym>DVD-ROM</acronym> drives support
+	multi-session DVDs and most of the time only read the first
+	session.  DVD+R, DVD-R and <acronym>DVD-RW</acronym> in
+	sequential format can accept multiple sessions.  The notion
+	of multiple sessions does not exist for the
+	<acronym>DVD+RW</acronym> and the <acronym>DVD-RW</acronym>
 	restricted overwrite formats.</para>
 
-      <para>Using the following command after an initial (non-closed)
-	session on a DVD+R, DVD-R, or DVD-RW in sequential format,
-	will add a new session to the disc:</para>
-
-      <screen>&prompt.root; <userinput>growisofs -M /dev/cd0 -J -R /path/to/nextdata</userinput></screen>
-
-      <para>Using this command line with a DVD+RW or a DVD-RW in restricted
-	overwrite mode, will append data in merging the new session to
-	the existing one.  The result will be a single-session disc.
-	This is the way used to add data after an initial write on these
-	medias.</para>
+      <para>Using the following command after an initial non-closed
+	session on a DVD+R, DVD-R, or <acronym>DVD-RW</acronym> in
+	sequential format, will add a new session to the disc:</para>
+
+      <screen>&prompt.root; <userinput>growisofs -M <replaceable>/dev/cd0</replaceable> -J -R <replaceable>/path/to/nextdata</replaceable></userinput></screen>
+
+      <para>Using this command with a <acronym>DVD+RW</acronym> or a
+	<acronym>DVD-RW</acronym> in restricted overwrite mode will
+	append data while merging the new session to the existing one.
+	The result will be a single-session disc.  Use this method to
+	add data after an initial write on these types of
+	media.</para>
 
       <note>
-	<para>Some space on the media is used between each session for
-	  end and start of sessions.  Therefore, one should add
-	  sessions with large amount of data to optimize media space.
-	  The number of sessions is limited to 154 for a DVD+R,
-	  about 2000 for a DVD-R, and 127 for a DVD+R Double
+	<para>Since some space on the media is used between each
+	  session to mark the end and start of sessions, one should
+	  add sessions with a large amount of data to optimize media
+	  space.  The number of sessions is limited to 154 for a
+	  DVD+R, about 2000 for a DVD-R, and 127 for a DVD+R Double
 	  Layer.</para>
       </note>
     </sect2>
@@ -1604,1378 +1443,798 @@
     <sect2>
       <title>For More Information</title>
 
-      <para>To obtain more information about a DVD, the
-	<command>dvd+rw-mediainfo
-	/dev/cd0</command> command can be
-	ran with the disc in the drive.</para>
+      <para>To obtain more information about a <acronym>DVD</acronym>,
+	use <command>dvd+rw-mediainfo
+	  <replaceable>/dev/cd0</replaceable></command> while the
+	disc in the specified drive.</para>
 
-      <para>More information about the
+      <para>More information about
 	<application>dvd+rw-tools</application> can be found in
-	the &man.growisofs.1; manual page, on the <link xlink:href="http://fy.chalmers.se/~appro/linux/DVD+RW/">dvd+rw-tools
-	web site</link> and in the <link xlink:href="http://lists.debian.org/cdwrite/">cdwrite mailing
-	list</link> archives.</para>
+	&man.growisofs.1;, on the <link
+	  xlink:href="http://fy.chalmers.se/~appro/linux/DVD+RW/">dvd+rw-tools
+	  web site</link>, and in the <link
+	  xlink:href="http://lists.debian.org/cdwrite/">cdwrite
+	  mailing list</link> archives.</para>
 
       <note>
-	<para>The <command>dvd+rw-mediainfo</command> output of the
-	  resulting recording or the media with issues is mandatory
-	  for any problem report.  Without this output, it will be
-	  quite impossible to help you.</para>
+	<para>When creating a problem report related to the use of
+	  <application>dvd+rw-tools</application>, always include the
+	  output of <command>dvd+rw-mediainfo</command>.</para>
       </note>
     </sect2>
-  </sect1>
 
-  <sect1 xml:id="floppies">
-    <info><title>Creating and Using Floppy Disks</title>
-      <authorgroup>
-	<author><personname><firstname>Julio</firstname><surname>Merino</surname></personname><contrib>Original work by </contrib></author>
-      </authorgroup>
-      
-      <authorgroup>
-	<author><personname><firstname>Martin</firstname><surname>Karlsson</surname></personname><contrib>Rewritten by </contrib></author>
-      </authorgroup>
-      
-    </info>
-
-    
-
-    <para>Storing data on floppy disks is sometimes useful, for
-      example when one does not have any other removable storage media
-      or when one needs to transfer small amounts of data to another
-      computer.</para>
-
-    <para>This section will explain how to use floppy disks in
-      FreeBSD.  It will primarily cover formatting and usage of
-      3.5inch DOS floppies, but the concepts are similar for other
-      floppy disk formats.</para>
-
-    <sect2>
-      <title>Formatting Floppies</title>
-
-      <sect3>
-	<title>The Device</title>
-
-	<para>Floppy disks are accessed through entries in
-	  <filename>/dev</filename>, just like other devices.  To
-	  access the raw floppy disk, simply use
-	  <filename>/dev/fdN</filename>.</para>
-
-      </sect3>
-
-      <sect3>
-	<title>Formatting</title>
-
-	<para>A floppy disk needs to be low-level formated before it
-	  can be used.  This is usually done by the vendor, but
-	  formatting is a good way to check media integrity.  Although
-	  it is possible to force larger (or smaller) disk sizes,
-	  1440kB is what most floppy disks are designed for.</para>
-
-	<para>To low-level format the floppy disk you need to use
-	  &man.fdformat.1;.  This utility expects the device name as an
-	  argument.</para>
-
-	  <para>Make note of any error messages, as these can help
-	    determine if the disk is good or bad.</para>
-
-	<sect4>
-	  <title>Formatting Floppy Disks</title>
-
-	  <para>Use the
-	    <filename>/dev/fdN</filename>
-	    devices to format the floppy.  Insert a new 3.5inch floppy
-	    disk in your drive and issue:</para>
-
-	  <screen>&prompt.root; <userinput>/usr/sbin/fdformat -f 1440 /dev/fd0</userinput></screen>
-
-	</sect4>
-      </sect3>
-    </sect2>
-
-    <sect2>
-      <title>The Disk Label</title>
-
-      <para>After low-level formatting the disk, you will need to
-	place a disk label on it.  This disk label will be destroyed
-	later, but it is needed by the system to determine the size of
-	the disk and its geometry later.</para>
-
-      <para>The new disk label will take over the whole disk, and will
-	contain all the proper information about the geometry of the
-	floppy.  The geometry values for the disk label are listed in
-	<filename>/etc/disktab</filename>.</para>
-
-      <para>You can run now &man.bsdlabel.8; like so:</para>
-
-      <screen>&prompt.root; <userinput>/sbin/bsdlabel -B -r -w /dev/fd0 fd1440</userinput></screen>
-
-      <note><para>Since &os;&nbsp;5.1-RELEASE, the &man.bsdlabel.8;
-	utility replaces the old &man.bsdlabel.8; program.  With
-	&man.bsdlabel.8; a number of obsolete options and parameters
-	have been retired; in the example above the option
-	<option>-r</option> should be removed.  For more
-	information, please refer to the &man.bsdlabel.8;
-	manual page.</para></note>
-
-    </sect2>
-
-    <sect2>
-      <title>The File System</title>
-
-      <para>Now the floppy is ready to be high-level formated. This
-	will place a new file system on it, which will let FreeBSD read
-	and write to the disk.  After creating the new file system, the
-	disk label is destroyed, so if you want to reformat the disk, you
-	will have to recreate the disk label.</para>
-
-      <para>The floppy's file system can be either UFS or FAT.
-	 FAT is generally a better choice for floppies.</para>
-
-      <para>To put a new file system on the floppy, issue:</para>
-
-      <screen>&prompt.root; <userinput>/sbin/newfs_msdos /dev/fd0</userinput></screen>
-
-      <para>The disk is now ready for use.</para>
-    </sect2>
-
-
-    <sect2>
-      <title>Using the Floppy</title>
-
-      <para>To use the floppy, mount it with &man.mount.msdos.8;. One can also use
-	<package>emulators/mtools</package> from the ports
-	collection.</para>
-    </sect2>
-  </sect1>
-
-  <sect1 xml:id="backups-tapebackups">
-    <title>Creating and Using Data Tapes</title>
-
-    <indexterm><primary>tape media</primary></indexterm>
-    <para>The major tape media are the 4mm, 8mm, QIC, mini-cartridge and
-      DLT.</para>
-
-    <sect2 xml:id="backups-tapebackups-4mm">
-      <title>4mm (DDS: Digital Data Storage)</title>
-
-      <indexterm>
-        <primary>tape media</primary>
-	<secondary>DDS (4mm) tapes</secondary>
-      </indexterm>
-      <indexterm>
-        <primary>tape media</primary>
-	<secondary>QIC tapes</secondary>
-      </indexterm>
-      <para>4mm tapes are replacing QIC as the workstation backup media of
-	choice.  This trend accelerated greatly when Conner purchased Archive,
-	a leading manufacturer of QIC drives, and then stopped production of
-	QIC drives.  4mm drives are small and quiet but do not have the
-	reputation for reliability that is enjoyed by 8mm drives.  The
-	cartridges are less expensive and smaller (3 x 2 x 0.5 inches, 76 x 51
-	x 12 mm) than 8mm cartridges.  4mm, like 8mm, has comparatively short
-	head life for the same reason, both use helical scan.</para>
-
-      <para>Data throughput on these drives starts ~150&nbsp;kB/s, peaking at ~500&nbsp;kB/s.
-	Data capacity starts at 1.3&nbsp;GB and ends at 2.0&nbsp;GB.  Hardware
-	compression, available with most of these drives, approximately
-	doubles the capacity.  Multi-drive tape library units can have 6
-	drives in a single cabinet with automatic tape changing.  Library
-	capacities reach 240&nbsp;GB.</para>
-
-      <para>The DDS-3 standard now supports tape capacities up to 12&nbsp;GB (or
-	24&nbsp;GB compressed).</para>
-
-      <para>4mm drives, like 8mm drives, use helical-scan.  All the benefits
-	and drawbacks of helical-scan apply to both 4mm and 8mm drives.</para>
-
-      <para>Tapes should be retired from use after 2,000 passes or 100 full
-	backups.</para>
-    </sect2>
-
-    <sect2 xml:id="backups-tapebackups-8mm">
-      <title>8mm (Exabyte)</title>
-      <indexterm>
-        <primary>tape media</primary>
-	<secondary>Exabyte (8mm) tapes</secondary>
-      </indexterm>
-
-      <para>8mm tapes are the most common SCSI tape drives; they are the best
-	choice of exchanging tapes.  Nearly every site has an Exabyte 2&nbsp;GB 8mm
-	tape drive.  8mm drives are reliable, convenient and quiet. Cartridges
-	are inexpensive and small (4.8 x 3.3 x 0.6 inches; 122 x 84 x 15 mm).
-	One downside of 8mm tape is relatively short head and tape life due to
-	the high rate of relative motion of the tape across the heads.</para>
-
-      <para>Data throughput ranges from ~250&nbsp;kB/s to ~500&nbsp;kB/s.  Data sizes start
-	at 300&nbsp;MB and go up to 7&nbsp;GB.  Hardware compression, available with
-	most of these drives, approximately doubles the capacity.  These
-	drives are available as single units or multi-drive tape libraries
-	with 6 drives and 120 tapes in a single cabinet.  Tapes are changed
-	automatically by the unit.  Library capacities reach 840+&nbsp;GB.</para>
-
-      <para>The Exabyte <quote>Mammoth</quote> model supports 12&nbsp;GB on one tape
-	(24&nbsp;GB with compression) and costs approximately twice as much as
-	conventional tape drives.</para>
-
-      <para>Data is recorded onto the tape using helical-scan, the heads are
-	positioned at an angle to the media (approximately 6 degrees).  The
-	tape wraps around 270 degrees of the spool that holds the heads.  The
-	spool spins while the tape slides over the spool.  The result is a
-	high density of data and closely packed tracks that angle across the
-	tape from one edge to the other.</para>
-    </sect2>
+    <sect2 xml:id="creating-dvd-ram">
+      <title>Using a <acronym>DVD-RAM</acronym></title>
 
-    <sect2 xml:id="backups-tapebackups-qic">
-      <title>QIC</title>
       <indexterm>
-        <primary>tape media</primary>
-	<secondary>QIC-150</secondary>
+	<primary><acronym>DVD</acronym></primary>
+	<secondary><acronym>DVD-RAM</acronym></secondary>
       </indexterm>
 
-      <para>QIC-150 tapes and drives are, perhaps, the most common tape drive
-	and media around.  QIC tape drives are the least expensive <quote>serious</quote>
-	backup drives.  The downside is the cost of media.  QIC tapes are
-	expensive compared to 8mm or 4mm tapes, up to 5 times the price per GB
-	data storage.  But, if your needs can be satisfied with a half-dozen
-	tapes, QIC may be the correct choice.  QIC is the
-	<emphasis>most</emphasis> common tape drive.  Every site has a QIC
-	drive of some density or another.  Therein lies the rub, QIC has a
-	large number of densities on physically similar (sometimes identical)
-	tapes.  QIC drives are not quiet.  These drives audibly seek before
-	they begin to record data and are clearly audible whenever reading,
-	writing or seeking.  QIC tapes measure (6 x 4 x 0.7 inches; 152 x
-	102 x 17 mm).</para>
-
-      <para>Data throughput ranges from ~150&nbsp;kB/s to ~500&nbsp;kB/s.  Data capacity
-	ranges from 40&nbsp;MB to 15&nbsp;GB.  Hardware compression is available on many
-	of the newer QIC drives.  QIC drives are less frequently installed;
-	they are being supplanted by DAT drives.</para>
-
-      <para>Data is recorded onto the tape in tracks.  The tracks run along
-	the long axis of the tape media from one end to the other.  The number
-	of tracks, and therefore the width of a track, varies with the tape's
-	capacity.  Most if not all newer drives provide backward-compatibility
-	at least for reading (but often also for writing).  QIC has a good
-	reputation regarding the safety of the data (the mechanics are simpler
-	and more robust than for helical scan drives).</para>
-
-      <para>Tapes should be retired from use after 5,000 backups.</para>
-    </sect2>
+      <para><acronym>DVD-RAM</acronym> writers can use either a
+	<acronym>SCSI</acronym> or <acronym>ATAPI</acronym> interface.
+	For <acronym>ATAPI</acronym> devices, DMA access has to be
+	enabled by adding the following line to
+	<filename>/boot/loader.conf</filename>:</para>
 
-    <sect2 xml:id="backups-tapebackups-dlt">
-      <title>DLT</title>
-      <indexterm>
-        <primary>tape media</primary>
-	<secondary>DLT</secondary>
-      </indexterm>
-
-      <para>DLT has the fastest data transfer rate of all the drive types
-	listed here.  The 1/2" (12.5mm) tape is contained in a single spool
-	cartridge (4 x 4 x 1 inches; 100 x 100 x 25 mm).  The cartridge has a
-	swinging gate along one entire side of the cartridge.  The drive
-	mechanism opens this gate to extract the tape leader.  The tape leader
-	has an oval hole in it which the drive uses to <quote>hook</quote> the tape.  The
-	take-up spool is located inside the tape drive.  All the other tape
-	cartridges listed here (9 track tapes are the only exception) have
-	both the supply and take-up spools located inside the tape cartridge
-	itself.</para>
-
-      <para>Data throughput is approximately 1.5&nbsp;MB/s, three times the throughput of
-	4mm, 8mm, or QIC tape drives.  Data capacities range from 10&nbsp;GB to 20&nbsp;GB
-	for a single drive.  Drives are available in both multi-tape changers
-	and multi-tape, multi-drive tape libraries containing from 5 to 900
-	tapes over 1 to 20 drives, providing from 50&nbsp;GB to 9&nbsp;TB of
-	storage.</para>
-
-      <para>With compression, DLT Type IV format supports up to 70&nbsp;GB
-	capacity.</para>
-
-      <para>Data is recorded onto the tape in tracks parallel to the direction
-	of travel (just like QIC tapes).  Two tracks are written at once.
-	Read/write head lifetimes are relatively long; once the tape stops
-	moving, there is no relative motion between the heads and the
-	tape.</para>
-    </sect2>
-
-    <sect2>
-      <title xml:id="backups-tapebackups-ait">AIT</title>
-      <indexterm>
-        <primary>tape media</primary>
-	<secondary>AIT</secondary>
-      </indexterm>
-
-      <para>AIT is a new format from Sony, and can hold up to 50&nbsp;GB (with
-	compression) per tape.  The tapes contain memory chips which retain an
-	index of the tape's contents.  This index can be rapidly read by the
-	tape drive to determine the position of files on the tape, instead of
-	the several minutes that would be required for other tapes.  Software
-	such as <application>SAMS:Alexandria</application> can operate forty or more AIT tape libraries,
-	communicating directly with the tape's memory chip to display the
-	contents on screen, determine what files were backed up to which
-	tape, locate the correct tape, load it, and restore the data from the
-	tape.</para>
-
-      <para>Libraries like this cost in the region of $20,000, pricing them a
-	little out of the hobbyist market.</para>
-    </sect2>
-
-    <sect2>
-      <title>Using a New Tape for the First Time</title>
-
-      <para>The first time that you try to read or write a new, completely
-	blank tape, the operation will fail.  The console messages should be
-	similar to:</para>
-
-      <screen>sa0(ncr1:4:0): NOT READY asc:4,1
-sa0(ncr1:4:0):  Logical unit is in process of becoming ready</screen>
-
-      <para>The tape does not contain an Identifier Block (block number 0).
-	All QIC tape drives since the adoption of QIC-525 standard write an
-	Identifier Block to the tape.  There are two solutions:</para>
-
-      <itemizedlist>
-	<listitem>
-	  <para><command>mt fsf 1</command> causes the tape drive to write an
-	  Identifier Block to the tape.</para>
-	</listitem>
-
-	<listitem>
-	  <para>Use the front panel button to eject the tape.</para>
-
-	  <para>Re-insert the tape and <command>dump</command> data to
-	    the tape.</para>
+      <programlisting>hw.ata.atapi_dma="1"</programlisting>
 
-	  <para><command>dump</command> will report <errorname>DUMP: End of tape
-	    detected</errorname> and the console will show: <errorname>HARDWARE
-	    FAILURE info:280 asc:80,96</errorname>.</para>
+      <para>A <acronym>DVD-RAM</acronym> can be seen as a removable
+	hard drive.  Like any other hard drive, the
+	<acronym>DVD-RAM</acronym> must be formatted before it can be
+	used.  In this example, the whole disk space will be formatted
+	with a standard UFS2 file system:</para>
+
+      <screen>&prompt.root; <userinput>dd if=/dev/zero of=<replaceable>/dev/acd0</replaceable> bs=2k count=1</userinput>
+&prompt.root; <userinput>bsdlabel -Bw <replaceable>acd0</replaceable></userinput>
+&prompt.root; <userinput>newfs <replaceable>/dev/acd0</replaceable></userinput></screen>
+
+      <para>The <acronym>DVD</acronym> device,
+	<filename>acd0</filename>, must be changed according to the
+	configuration.</para>
 
-	  <para>rewind the tape using: <command>mt rewind</command>.</para>
+      <para>Once the <acronym>DVD-RAM</acronym> has been formatted, it
+	can be mounted as a normal hard drive:</para>
 
-	  <para>Subsequent tape operations are successful.</para>
-	</listitem>
-      </itemizedlist>
+      <screen>&prompt.root; <userinput>mount <replaceable>/dev/acd0</replaceable> <replaceable>/mnt</replaceable></userinput></screen>
 
+      <para>Once mounted, the <acronym>DVD-RAM</acronym> will be both
+	readable and writeable.</para>
     </sect2>
   </sect1>
 
-  <sect1 xml:id="backups-floppybackups">
-    <title>Backups to Floppies</title>
-
-    <sect2 xml:id="floppies-using">
-      <title>Can I Use Floppies for Backing Up My Data?</title>
-      <indexterm><primary>backup floppies</primary></indexterm>
-      <indexterm><primary>floppy disks</primary></indexterm>
-
-      <para>Floppy disks are not really a suitable media for
-        making backups as:</para>
-
-      <itemizedlist>
-	<listitem>
-	  <para>The media is unreliable, especially over long periods of
-	    time.</para>
-	</listitem>
-
-	<listitem>
-	  <para>Backing up and restoring is very slow.</para>
-	</listitem>
-
-	<listitem>
-	  <para>They have a very limited capacity (the days of backing up
-	    an entire hard disk onto a dozen or so floppies has long since
-	    passed).</para>
-	</listitem>
-      </itemizedlist>
-
-      <para>However, if you have no other method of backing up your data then
-	floppy disks are better than no backup at all.</para>
-
-      <para>If you do have to use floppy disks then ensure that you use good
-	quality ones. Floppies that have been lying around the office for a
-	couple of years are a bad choice. Ideally use new ones from a
-	reputable manufacturer.</para>
-    </sect2>
-
-    <sect2 xml:id="floppies-creating">
-      <title>So How Do I Backup My Data to Floppies?</title>
-
-      <para>The best way to backup to floppy disk is to use
-	&man.tar.1; with the <option>-M</option> (multi
-	volume) option, which allows backups to span multiple
-	floppies.</para>
-
-      <para>To backup all the files in the current directory and sub-directory
-	use this (as <systemitem class="username">root</systemitem>):</para>
-
-      <screen>&prompt.root; <userinput>tar Mcvf /dev/fd0 *</userinput></screen>
-
-      <para>When the first floppy is full &man.tar.1; will prompt you to
-	insert the next volume (because &man.tar.1; is media independent it
-	refers to volumes; in this context it means floppy disk).</para>
-
-      <screen>Prepare volume #2 for /dev/fd0 and hit return:</screen>
-
-      <para>This is repeated (with the volume number incrementing) until all
-	the specified files have been archived.</para>
-    </sect2>
-
-    <sect2 xml:id="floppies-compress">
-      <title>Can I Compress My Backups?</title>
-      <indexterm>
-        <primary><command>tar</command></primary>
-      </indexterm>
-      <indexterm>
-        <primary><command>gzip</command></primary>
-      </indexterm>
-      <indexterm><primary>compression</primary></indexterm>
-
-      <para>Unfortunately, &man.tar.1; will not allow the
-	<option>-z</option> option to be used for multi-volume archives.
-	You could, of course, &man.gzip.1; all the files,
-	&man.tar.1; them to the floppies, then
-	&man.gunzip.1; the files again!</para>
-    </sect2>
+  <sect1 xml:id="floppies">
+    <title>Creating and Using Floppy Disks</title>
 
-    <sect2 xml:id="floppies-restoring">
-      <title>How Do I Restore My Backups?</title>
+<!--
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Julio</firstname>
+	    <surname>Merino</surname>
+	  </personname>
+	  <contrib>Original work by </contrib>
+	</author>
+      </authorgroup>
 
-      <para>To restore the entire archive use:</para>
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Martin</firstname>
+	    <surname>Karlsson</surname>
+	  </personname>
+	  <contrib>Rewritten by </contrib>
+	</author>
+      </authorgroup>
+      -->
 
-      <screen>&prompt.root; <userinput>tar Mxvf /dev/fd0</userinput></screen>
+    <para>This section explains how to format a 3.5 inch floppy disk
+      in &os;.</para>
 
-      <para>There are two ways that you can use to restore only
-	specific files.  First, you can start with the first floppy
-	and use:</para>
+    <procedure>
+      <title>Steps to Format a Floppy</title>
 
-      <screen>&prompt.root; <userinput>tar Mxvf /dev/fd0 filename</userinput></screen>
+      <para>A floppy disk needs to be low-level formatted before it
+	can be used.  This is usually done by the vendor, but
+	formatting is a good way to check media integrity.  To
+	low-level format the floppy disk on &os;, use
+	&man.fdformat.1;.  When using this utility, make note of any
+	error messages, as these can help determine if the disk is
+	good or bad.</para>
+
+      <step>
+	<para>To format the floppy, insert a new 3.5 inch floppy disk
+	  into the first floppy drive and issue:</para>
 
-      <para>The utility &man.tar.1; will prompt you to insert subsequent floppies until it
-	finds the required file.</para>
+	  <screen>&prompt.root; <userinput>/usr/sbin/fdformat -f 1440 /dev/fd0</userinput></screen>
+      </step>
 
-      <para>Alternatively, if you know which floppy the file is on then you
-	can simply insert that floppy and use the same command as above. Note
-	that if the first file on the floppy is a continuation from the
-	previous one then &man.tar.1; will warn you that it cannot
-	restore it, even if you have not asked it to!</para>
-    </sect2>
+      <step>
+	<para>After low-level formatting the disk, create a disk label
+	  as it is needed by the system to determine the size of the
+	  disk and its geometry.  The supported geometry values are
+	  listed in <filename>/etc/disktab</filename>.</para>
+
+	<para>To write the disk label, use &man.bsdlabel.8;:</para>
+
+	<screen>&prompt.root; <userinput>/sbin/bsdlabel -B -w /dev/fd0 fd1440</userinput></screen>
+      </step>
+
+      <step>
+	<para>The floppy is now ready to be high-level formatted with
+	  a file system.  The floppy's file system can be either UFS
+	  or FAT, where FAT is generally a better choice for
+	  floppies.</para>
+
+	<para>To format the floppy with FAT, issue:</para>
+
+	<screen>&prompt.root; <userinput>/sbin/newfs_msdos /dev/fd0</userinput></screen>
+      </step>
+    </procedure>
+
+    <para>The disk is now ready for use.  To use the floppy, mount it
+      with &man.mount.msdosfs.8;.  One can also install and use
+      <package>emulators/mtools</package> from the Ports
+      Collection.</para>
   </sect1>
 
-  <sect1 xml:id="backup-strategies">
-    <info><title>Backup Strategies</title>
-      <authorgroup>
-	<author><personname><firstname>Lowell</firstname><surname>Gilbert</surname></personname><contrib>Original work by </contrib></author>
-      </authorgroup>
-      
-    </info>
-
-    
-
-    <para>The first requirement in devising a backup plan is to make sure that
-      all of the following problems are covered:</para>
-
-    <itemizedlist>
-      <listitem>
-	<para>Disk failure</para>
-      </listitem>
-      <listitem>
-	<para>Accidental file deletion</para>
-      </listitem>
-      <listitem>
-	<para>Random file corruption</para>
-      </listitem>
-      <listitem>
-	<para>Complete machine destruction (e.g. fire), including destruction
-	  of any on-site backups.</para>
-      </listitem>
-    </itemizedlist>
+  <sect1 xml:id="backup-basics">
+    <title>Backup Basics</title>
 
-    <para>It is perfectly possible that some systems will be best served by
-      having each of these problems covered by a completely different
-      technique.  Except for strictly personal systems with very low-value
-      data, it is unlikely that one technique would cover all of them.</para>
+<!--
+    <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Lowell</firstname>
+	    <surname>Gilbert</surname>
+	  </personname>
+	  <contrib>Original work by </contrib>
+	</author>
+      </authorgroup>
+      -->
 
-    <para>Some of the techniques in the toolbox are:</para>
+    <para>Implementing a backup plan is essential in order to have the
+      ability to recover from disk failure, accidental file deletion,
+      random file corruption, or complete machine destruction,
+      including destruction of on-site backups.</para>
+
+    <para>The backup type and schedule will vary, depending upon the
+      importance of the data, the granularity needed for file
+      restores, and the amount of acceptable downtime.  Some possible
+      backup techniques include:</para>
 
     <itemizedlist>
       <listitem>
-	<para>Archives of the whole system, backed up onto permanent media
-	  offsite.  This actually provides protection against all of the
-	  possible problems listed above, but is slow and inconvenient to
-	  restore from.  You can keep copies of the backups onsite and/or
-	  online, but there will still be inconveniences in restoring files,
-	  especially for non-privileged users.</para>
+	<para>Archives of the whole system, backed up onto permanent,
+	  off-site media.  This provides protection against all of the
+	  problems listed above, but is slow and inconvenient to
+	  restore from, especially for non-privileged users.</para>
       </listitem>
 
       <listitem>
-	<para>Filesystem snapshots.  This is really only helpful in the
-	  accidental file deletion scenario, but it can be
-	  <emphasis>very</emphasis> helpful in that case, and is quick and
-	  easy to deal with.</para>
+	<para>File system snapshots, which are useful for restoring
+	  deleted files or previous versions of files.</para>
       </listitem>
 
       <listitem>
-	<para>Copies of whole filesystems and/or disks (e.g. periodic rsync of
-	  the whole machine).  This is generally most useful in networks with
-	  unique requirements.  For general protection against disk failure,
-	  it is usually inferior to <acronym>RAID</acronym>.  For restoring
-	  accidentally deleted files, it can be comparable to
-	  <acronym>UFS</acronym> snapshots, but that depends on your
-	  preferences.</para>
+	<para>Copies of whole file systems or disks which are
+	  sychronized with another system on the network using a
+	  scheduled <package>net/rsync</package>.</para>
       </listitem>
 
       <listitem>
-	<para><acronym>RAID</acronym>.  Minimizes or avoids downtime when a
-	  disk fails.  At the expense of having to deal with disk failures
-	  more often (because you have more disks), albeit at a much lower
-	  urgency.</para>
-      </listitem>
-
-      <listitem>
-	<para>Checking fingerprints of files.  The &man.mtree.8; utility is
-	  very useful for this.  Although it is not a backup technique, it
-	  helps guarantee that you will notice when you need to resort to your
-	  backups.  This is particularly important for offline backups, and
-	  should be checked periodically.</para>
+	<para>Hardware or software <acronym>RAID</acronym>, which
+	  minimizes or avoids downtime when a disk fails.</para>
       </listitem>
     </itemizedlist>
 
-    <para>It is quite easy to come up with even more techniques, many of them
-      variations on the ones listed above.  Specialized requirements will
-      usually lead to specialized techniques (for example, backing up a live
-      database usually requires a method particular to the database software
-      as an intermediate step).  The important thing is to know what dangers
-      you want to protect against, and how you will handle each.</para>
-  </sect1>
+    <para>Typically, a mix of backup techniques is used.  For
+      example, one could create a schedule to automate a weekly, full
+      system backup that is stored off-site and to supplement this
+      backup with hourly ZFS snapshots.  In addition, one could make a
+      manual backup of individual directories or files before making
+      file edits or deletions.</para>
 
-  <sect1 xml:id="backup-basics">
-    <title>Backup Basics</title>
-
-    <para>The three major backup programs are
-	&man.dump.8;,
-	&man.tar.1;,
-      and
-	&man.cpio.1;.</para>
+    <para>This section describes some of the utilities which can be
+      used to create and manage backups on a &os; system.</para>
 
     <sect2>
-      <title>Dump and Restore</title>
+      <title>File System Backups</title>
+
       <indexterm>
-        <primary>backup software</primary>
+	<primary>backup software</primary>
 	<secondary>dump / restore</secondary>
       </indexterm>
-      <indexterm><primary><command>dump</command></primary></indexterm>
-      <indexterm><primary><command>restore</command></primary></indexterm>
+      <indexterm>
+	<primary><command>dump</command></primary>
+      </indexterm>
+      <indexterm>
+	<primary><command>restore</command></primary>
+      </indexterm>
+
+      <para>The traditional &unix; programs for backing up a file
+	system are &man.dump.8;, which creates the backup, and
+	&man.restore.8;, which restores the backup.  These utilities
+	work at the disk block level, below the abstractions of the
+	files, links, and directories that are created by file
+	systems.  Unlike other backup software,
+	<command>dump</command> backs up an entire file system and is
+	unable to backup only part of a file system or a directory
+	tree that spans multiple file systems.  Instead of writing
+	files and directories, <command>dump</command> writes the raw
+	data blocks that comprise files and directories.</para>
 
-      <para>The traditional &unix; backup programs are
-	<command>dump</command> and <command>restore</command>.  They
-	operate on the drive as a collection of disk blocks, below the
-	abstractions of files, links and directories that are created by
-	the file systems. <command>dump</command> backs up an entire
-	file system on a device.  It is unable to backup only part of a
-	file system or a directory tree that spans more than one
-	file system.  <command>dump</command> does not write files and
-	directories to tape, but rather writes the raw data blocks that
-	comprise files and directories.</para>
-
-      <note><para>If you use <command>dump</command> on your root directory, you
-        would not back up <filename>/home</filename>,
-        <filename>/usr</filename> or many other directories since
-        these are typically mount points for other file systems or
-        symbolic links into those file systems.</para></note>
-
-      <para><command>dump</command> has quirks that remain from its early days in
-	Version 6 of AT&amp;T UNIX (circa 1975).  The default
-	parameters are suitable for 9-track tapes (6250 bpi), not the
-	high-density media available today (up to 62,182 ftpi).  These
-	defaults must be overridden on the command line to utilize the
-	capacity of current tape drives.</para>
-
-      <indexterm><primary><filename>.rhosts</filename></primary></indexterm>
-      <para>It is also possible to backup data across the network to a
-        tape drive attached to another computer with <command>rdump</command> and
-        <command>rrestore</command>.  Both programs rely upon &man.rcmd.3; and
-        &man.ruserok.3; to access the remote tape drive.  Therefore,
-	the user performing the backup must be listed in the
-	<filename>.rhosts</filename> file on the remote computer.  The
-        arguments to <command>rdump</command> and <command>rrestore</command> must be suitable
-        to use on the remote computer.  When
-        <command>rdump</command>ing from a FreeBSD computer to an
-        Exabyte tape drive connected to a Sun called
-        <systemitem>komodo</systemitem>, use:</para>
-
-      <screen>&prompt.root; <userinput>/sbin/rdump 0dsbfu 54000 13000 126 komodo:/dev/nsa8 /dev/da0a 2&gt;&amp;1</userinput></screen>
-
-      <para>Beware: there are security implications to
-        allowing <filename>.rhosts</filename> authentication.  Evaluate your
-        situation carefully.</para>
-
-      <para>It is also possible to use <command>dump</command> and
-        <command>restore</command> in a more secure fashion over
-        <command>ssh</command>.</para>
+      <note>
+	<para>If <command>dump</command> is used on the root
+	  directory, it will not back up <filename>/home</filename>,
+	  <filename>/usr</filename> or many other directories since
+	  these are typically mount points for other file systems or
+	  symbolic links into those file systems.</para>
+      </note>
+
+      <para>When used to restore data, <command>restore</command>
+	stores temporary files in <filename>/tmp/</filename> by
+	default.  When using a recovery disk with a small
+	<filename>/tmp</filename>, set <envar>TMPDIR</envar> to a
+	directory with more free space in order for the restore to
+	succeed.</para>
+
+      <para>When using <command>dump</command>, be aware that some
+	quirks remain from its early days in Version 6 of
+	AT&amp;T &unix;,circa 1975.  The default parameters assume a
+	backup to a 9-track tape, rather than to another type of media
+	or to the high-density tapes available today.  These defaults
+	must be overridden on the command line.</para>
+
+      <indexterm>
+	<primary><filename>.rhosts</filename></primary>
+      </indexterm>
+      <para>It is possible to backup a file system across the network
+	to a another system or to a tape drive attached to another
+	computer.  While the &man.rdump.8; and &man.rrestore.8;
+	utilities can be used for this purpose, they are not
+	considered to be secure.</para>
+
+      <para>Instead, one can use <command>dump</command> and
+	<command>restore</command> in a more secure fashion over an
+	<acronym>SSH</acronym> connection.  This example creates a
+	full, compressed backup of <filename>/usr</filename> and sends
+	the backup file to the specified host over a
+	<acronym>SSH</acronym> connection.</para>
 
       <example>
-	<title>Using <command>dump</command> over <application>ssh</application></title>
+	<title>Using <command>dump</command> over
+	  <application>ssh</application></title>
 
 	<screen>&prompt.root; <userinput>/sbin/dump -0uan -f - /usr | gzip -2 | ssh -c blowfish \
           targetuser@targetmachine.example.com dd of=/mybigfiles/dump-usr-l0.gz</userinput></screen>
-
       </example>
 
-      <para>Or using <command>dump</command>'s built-in method,
-        setting the environment variable <envar>RSH</envar>:</para>
+      <para>This example sets <envar>RSH</envar> in order to write the
+	backup to a tape drive on a remote system over a
+	<acronym>SSH</acronym> connection:</para>
 
       <example>
-	<title>Using <command>dump</command> over <application>ssh</application> with <envar>RSH</envar> set</title>
-
-	<screen>&prompt.root; <userinput>RSH=/usr/bin/ssh /sbin/dump -0uan -f targetuser@targetmachine.example.com:/dev/sa0 /usr</userinput></screen>
+	<title>Using <command>dump</command> over
+	  <application>ssh</application> with <envar>RSH</envar>
+	  Set</title>
 
+	<screen>&prompt.root; <userinput>env RSH=/usr/bin/ssh /sbin/dump -0uan -f targetuser@targetmachine.example.com:/dev/sa0 /usr</userinput></screen>
       </example>
-
     </sect2>
 
     <sect2>
-      <title><command>tar</command></title>
+      <title>Directory Backups</title>
+
       <indexterm>
-        <primary>backup software</primary>
-        <secondary><command>tar</command></secondary>
+	<primary>backup software</primary>
+	<secondary><command>tar</command></secondary>
       </indexterm>
 
-      <para>&man.tar.1; also dates back to Version 6 of AT&amp;T UNIX
-	(circa 1975).  <command>tar</command> operates in cooperation
-	with the file system; it writes files and
-	directories to tape. <command>tar</command> does not support the
-	full range of options that are available from &man.cpio.1;, but
-	it does not require the unusual command
-	pipeline that <command>cpio</command> uses.</para>
+      <para>Several built-in utilities are available for backing up
+	and restoring specified files and directories as
+	needed.</para>
 
-      <indexterm><primary><command>tar</command></primary></indexterm>
+      <para>A good choice for making a backup of all of the files in a
+	directory is &man.tar.1;.  This utility dates back to Version
+	6 of AT&amp;T &unix; and by default assumes a recursive backup
+	to a local tape  device.  Switches can be used to instead
+	specify the name of a backup file.</para>
 
-      <para>On FreeBSD 5.3 and later, both GNU <command>tar</command>
-        and the default <command>bsdtar</command> are available.  The
-        GNU version can be invoked with <command>gtar</command>.  It
-        supports remote devices using the same syntax as
-        <command>rdump</command>.  To <command>tar</command> to an
-        Exabyte tape drive connected to a Sun called
-        <systemitem>komodo</systemitem>, use:</para>
+      <indexterm><primary><command>tar</command></primary></indexterm>
 
-      <screen>&prompt.root; <userinput>/usr/bin/gtar cf komodo:/dev/nsa8 . 2&gt;&amp;1</userinput></screen>
+      <para>This example creates a compressed backup of the current
+	directory and saves it to
+	<filename>/tmp/mybackup.tgz</filename>.  When creating a
+	backup file, make sure that the backup is not saved to the
+	same directory that is being backed up.</para>
 
-      <para>The same could be accomplished with
-	<command>bsdtar</command> by using a pipeline and
-	<command>rsh</command> to send the data to a remote tape
-	drive.</para>
+      <example>
+	<title>Backing Up the Current Directory with
+	  <command>tar</command></title>
 
-      <screen>&prompt.root; <userinput>tar cf - . | rsh hostname dd of=tape-device obs=20b</userinput></screen>
+      <screen>&prompt.root; <userinput>tar czvf <replaceable>/tmp/mybackup.tgz</replaceable> . </userinput></screen>
+      </example>
 
-      <para>If you are worried about the security of backing up over a
-	network you should use the <command>ssh</command> command
-	instead of <command>rsh</command>.</para>
-    </sect2>
+      <para>To restore the entire backup, <command>cd</command> into
+	the directory to restore into and specify the name of the
+	backup.  Note that this will overwrite any newer versions of
+	files in the restore directory.  When in doubt, restore to a
+	temporary directory or specify the name of the file within the
+	backup to restore.</para>
 
-    <sect2>
-      <title><command>cpio</command></title>
-      <indexterm>
-        <primary>backup software</primary>
-        <secondary><command>cpio</command></secondary>
-      </indexterm>
+      <example>
+	<title>Restoring Up the Current Directory with
+	  <command>tar</command></title>
 
-      <para>&man.cpio.1; is the original &unix; file interchange tape
-	program for magnetic media.  <command>cpio</command> has options
-	(among many others) to perform byte-swapping, write a number of
-	different archive formats, and pipe the data to other programs.
-	This last feature makes <command>cpio</command> an excellent
-	choice for installation media.  <command>cpio</command> does not
-	know how to walk the directory tree and a list of files must be
-	provided through <filename>stdin</filename>.</para>
-      <indexterm><primary><command>cpio</command></primary></indexterm>
+      <screen>&prompt.root; <userinput>tar xzvf <replaceable>/tmp/mybackup.tgz</replaceable></userinput></screen>
+      </example>
 
-      <para><command>cpio</command> does not support backups across
-	the network.  You can use a pipeline and <command>rsh</command>
-	to send the data to a remote tape drive.</para>
+      <para>There are dozens of available switches which are described
+	in &man.tar.1;.  This utility also supports the use of exclude
+	patterns to specify which files should not be included when
+	backing up the specified directory or restoring files from a
+	backup.</para>
+
+      <indexterm>
+	<primary>backup software</primary>
+	<secondary><command>cpio</command></secondary>
+      </indexterm>
+
+      <para>To create a backup using a specified list of files and
+	directories, &man.cpio.1; is a good choice.  Unlike
+	<command>tar</command>, <command>cpio</command> does not know
+	how to walk the directory tree and it must be provided the
+	list of files to backup.</para>
+
+      <para>For example, a list of files can be created using
+	<command>ls</command> or <command>find</command>.  This
+	example creates a recursive listing of the current directory
+	which is then piped to  <command>cpio</command> in order to
+	create an output backup file named
+	<filename>/tmp/mybackup.cpio</filename>.</para>
 
-      <screen>&prompt.root; <userinput>for f in directory_list; do</userinput>
-<userinput>find $f &gt;&gt; backup.list</userinput>
-<userinput>done</userinput>
-&prompt.root; <userinput>cpio -v -o --format=newc &lt; backup.list | ssh user@host "cat &gt; backup_device"</userinput></screen>
+      <example>
+	<title>Using<command>ls</command> and <command>cpio</command>
+	  to Make a Recursive Backup of the Current Directory</title>
 
-      <para>Where <replaceable>directory_list</replaceable> is the list of
-	directories you want to back up,
-	<replaceable>user</replaceable>@<replaceable>host</replaceable> is the
-	user/hostname combination that will be performing the backups, and
-	<replaceable>backup_device</replaceable> is where the backups should
-	be written to (e.g., <filename>/dev/nsa0</filename>).</para>
-    </sect2>
+      <screen>&prompt.root; <userinput>ls -R | cpio -ovF <replaceable>/tmp/mybackup.cpio</replaceable></userinput></screen>
+      </example>
 
-    <sect2>
-      <title><command>pax</command></title>
       <indexterm>
-        <primary>backup software</primary>
-        <secondary><command>pax</command></secondary>
+	<primary>backup software</primary>
+	<secondary><command>pax</command></secondary>
       </indexterm>
       <indexterm><primary><command>pax</command></primary></indexterm>
       <indexterm><primary>POSIX</primary></indexterm>
       <indexterm><primary>IEEE</primary></indexterm>
 
-      <para>&man.pax.1; is IEEE/&posix;'s answer to
-	<command>tar</command> and <command>cpio</command>.  Over the
-	years the various versions of <command>tar</command> and
-	<command>cpio</command> have gotten slightly incompatible.  So
-	rather than fight it out to fully standardize them, &posix;
-	created a new archive utility. <command>pax</command> attempts
-	to read and write many of the various <command>cpio</command>
-	and <command>tar</command> formats, plus new formats of its own.
-	Its command set more resembles <command>cpio</command> than
-	<command>tar</command>.</para>
-    </sect2>
-
-    <sect2 xml:id="backups-programs-amanda">
-      <title><application>Amanda</application></title>
-      <indexterm>
-        <primary>backup software</primary>
-        <secondary><application>Amanda</application></secondary>
-      </indexterm>
-      <indexterm><primary><application>Amanda</application></primary></indexterm>
-
-      <!-- Remove link until <port> tag is available -->
-      <para><application>Amanda</application> (Advanced Maryland
-        Network Disk Archiver) is a client/server backup system,
-        rather than a single program.  An <application>Amanda</application> server will backup to
-        a single tape drive any number of computers that have <application>Amanda</application>
-        clients and a network connection to the <application>Amanda</application> server.  A
-        common problem at sites with a number of large disks is
-        that the length of time required to backup to data directly to tape
-        exceeds the amount of time available for the task.  <application>Amanda</application>
-        solves this problem.  <application>Amanda</application> can use a <quote>holding disk</quote> to
-        backup several file systems at the same time.  <application>Amanda</application> creates
-        <quote>archive sets</quote>: a group of tapes used over a period of time to
-        create full backups of all the file systems listed in <application>Amanda</application>'s
-        configuration file.  The <quote>archive set</quote> also contains nightly
-        incremental (or differential) backups of all the file systems.
-        Restoring a damaged file system requires the most recent full
-        backup and the incremental backups.</para>
-
-      <para>The configuration file provides fine control of backups and the
-	network traffic that <application>Amanda</application> generates.  <application>Amanda</application> will use any of the
-	above backup programs to write the data to tape.  <application>Amanda</application> is available
-	as either a port or a package, it is not installed by default.</para>
-      </sect2>
-
-    <sect2>
-      <title>Do Nothing</title>
-
-      <para><quote>Do nothing</quote> is not a computer program, but it is the
-	most widely used backup strategy.  There are no initial costs.  There
-	is no backup schedule to follow.  Just say no.  If something happens
-	to your data, grin and bear it!</para>
-
-      <para>If your time and your data is worth little to nothing, then
-	<quote>Do nothing</quote> is the most suitable backup program for your
-	computer.  But beware, &unix; is a useful tool, you may find that within
-	six months you have a collection of files that are valuable to
-	you.</para>
-
-      <para><quote>Do nothing</quote> is the correct backup method for
-	<filename>/usr/obj</filename> and other directory trees that can be
-	exactly recreated by your computer.  An example is the files that
-	comprise the HTML or &postscript; version of this Handbook.
-	These document formats have been created from SGML input
-	files.  Creating backups of the HTML or &postscript; files is
-	not necessary.  The SGML files are backed up regularly.</para>
-    </sect2>
-
-    <sect2>
-      <title>Which Backup Program Is Best?</title>
-      <indexterm>
-        <primary>LISA</primary>
-      </indexterm>
-
-      <para>&man.dump.8; <emphasis>Period.</emphasis> Elizabeth D. Zwicky
-	torture tested all the backup programs discussed here.  The clear
-	choice for preserving all your data and all the peculiarities of &unix;
-	file systems is <command>dump</command>.  Elizabeth created file systems containing
-	a large variety of unusual conditions (and some not so unusual ones)
-	and tested each program by doing a backup and restore of those
-	file systems.  The peculiarities included: files with holes, files with
-	holes and a block of nulls, files with funny characters in their
-	names, unreadable and unwritable files, devices, files that change
-	size during the backup, files that are created/deleted during the
-	backup and more.  She presented the results at LISA V in Oct. 1991.
-	See <link xlink:href="http://berdmann.dyndns.org/zwicky/testdump.doc.html">torture-testing
-	  Backup and Archive Programs</link>.</para>
-    </sect2>
-
-    <sect2>
-      <title>Emergency Restore Procedure</title>
-
-      <sect3>
-	<title>Before the Disaster</title>
-
-	<para>There are only four steps that you need to perform in
-	  preparation for any disaster that may occur.</para>
-	<indexterm>
-    <primary><command>bsdlabel</command></primary>
-  </indexterm>
-
-	<para>First, print the bsdlabel from each of your disks
-	  (e.g. <command>bsdlabel da0 | lpr</command>), your file system table
-	  (<filename>/etc/fstab</filename>) and all boot messages,
-	  two copies of
-	  each.</para>
-
-	<indexterm><primary>fix-it floppies</primary></indexterm>
-	<para>Second, determine that the boot and fix-it floppies
-	  (<filename>boot.flp</filename> and <filename>fixit.flp</filename>)
-	  have all your devices.  The easiest way to check is to reboot your
-	  machine with the boot floppy in the floppy drive and check the boot
-	  messages.  If all your devices are listed and functional, skip on to
-	  step three.</para>
-
-	<para>Otherwise, you have to create two custom bootable
-	  floppies which have a kernel that can mount all of your disks
-	  and access your tape drive.  These floppies must contain:
-	  <command>fdisk</command>, <command>bsdlabel</command>,
-	  <command>newfs</command>, <command>mount</command>, and
-	  whichever backup program you use.  These programs must be
-	  statically linked.  If you use <command>dump</command>, the
-	  floppy must contain <command>restore</command>.</para>
-
-	<para>Third, create backup tapes regularly.  Any changes that you make
-	  after your last backup may be irretrievably lost.  Write-protect the
-	  backup tapes.</para>
-
-	<para>Fourth, test the floppies (either <filename>boot.flp</filename>
-	  and <filename>fixit.flp</filename> or the two custom bootable
-	  floppies you made in step two.) and backup tapes.  Make notes of the
-	  procedure.  Store these notes with the bootable floppy, the
-	  printouts and the backup tapes.  You will be so distraught when
-	  restoring that the notes may prevent you from destroying your backup
-	  tapes (How? In place of <command>tar xvf /dev/sa0</command>, you
-	  might accidentally type <command>tar cvf /dev/sa0</command> and
-	  over-write your backup tape).</para>
-
-	<para>For an added measure of security, make bootable floppies and two
-	  backup tapes each time.  Store one of each at a remote location.  A
-	  remote location is NOT the basement of the same office building.  A
-	  number of firms in the World Trade Center learned this lesson the
-	  hard way.  A remote location should be physically separated from
-	  your computers and disk drives by a significant distance.</para>
-
-	<example>
-	  <title>A Script for Creating a Bootable Floppy</title>
-
-	<programlisting><![CDATA[#!/bin/sh
-#
-# create a restore floppy
-#
-# format the floppy
-#
-PATH=/bin:/sbin:/usr/sbin:/usr/bin
-
-fdformat -q fd0
-if [ $? -ne 0 ]
-then
-	 echo "Bad floppy, please use a new one"
-	 exit 1
-fi
-
-# place boot blocks on the floppy
-#
-bsdlabel -w -B /dev/fd0c fd1440
-
-#
-# newfs the one and only partition
-#
-newfs -t 2 -u 18 -l 1 -c 40 -i 5120 -m 5 -o space /dev/fd0a
-
-#
-# mount the new floppy
-#
-mount /dev/fd0a /mnt
-
-#
-# create required directories
-#
-mkdir /mnt/dev
-mkdir /mnt/bin
-mkdir /mnt/sbin
-mkdir /mnt/etc
-mkdir /mnt/root
-mkdir /mnt/mnt			# for the root partition
-mkdir /mnt/tmp
-mkdir /mnt/var
-
-#
-# populate the directories
-#
-if [ ! -x /sys/compile/MINI/kernel ]
-then
-	 cat &lt;&lt; EOM
-The MINI kernel does not exist, please create one.
-Here is an example config file:
-#
-# MINI - A kernel to get FreeBSD onto a disk.
-#
-machine         "i386"
-cpu             "I486_CPU"
-ident           MINI
-maxusers        5
-
-options         INET                    # needed for _tcp _icmpstat _ipstat
-                                        #            _udpstat _tcpstat _udb
-options         FFS                     #Berkeley Fast File System
-options         FAT_CURSOR              #block cursor in syscons or pccons
-options         SCSI_DELAY=15           #Be pessimistic about Joe SCSI device
-options         NCONS=2                 #1 virtual consoles
-options         USERCONFIG              #Allow user configuration with -c XXX
+      <para>A backup utility which tries to bridge the features
+	provided by <command>tar</command> and <command>cpio</command>
+	is &man.pax.1;.  Over the years, the various versions of
+	<command>tar</command> and <command>cpio</command> became
+	slightly incompatible.  &posix; created <command>pax</command>
+	which attempts to read and write many of the various
+	<command>cpio</command> and <command>tar</command> formats,
+	plus new formats of its own.</para>
 
-config          kernel	root on da0 swap on da0 and da1 dumps on da0
+      <para>The <command>pax</command> equivalent to the previous
+	examples would be:</para>
 
-device          isa0
-device          pci0
+      <example>
+	<title>Backing Up the Current Directory with
+	  <command>pax</command></title>
 
-device          fdc0	at isa? port "IO_FD1" bio irq 6 drq 2 vector fdintr
-device          fd0	at fdc0 drive 0
+      <screen>&prompt.root; <userinput>pax -wf <replaceable>/tmp/mybackup.pax</replaceable> .</userinput></screen>
+      </example>
+    </sect2>
 
-device          ncr0
+    <sect2 xml:id="backups-tapebackups">
+      <title>Using Data Tapes for Backups</title>
 
-device          scbus0
+      <indexterm><primary>tape media</primary></indexterm>
 
-device          sc0	at isa? port "IO_KBD" tty irq 1 vector scintr
-device          npx0	at isa? port "IO_NPX" irq 13 vector npxintr
+      <para>While tape technology has continued to evolve, modern
+	backup systems tend to combine off-site backups with local
+	removable media.  &os; supports any tape drive that uses
+	<acronym>SCSI</acronym>, such as <acronym>LTO</acronym> or
+	<acronym>DAT</acronym>.  There is limited support for
+	<acronym>SATA</acronym> and <acronym>USB</acronym> tape
+	drives.</para>
 
-device          da0
-device          da1
-device          da2
+      <para>For <acronym>SCSI</acronym> tape devices, &os; uses the
+	&man.sa.4; driver and the <filename>/dev/sa0</filename>,
+	<filename>/dev/nsa0</filename>, and
+	<filename>/dev/esa0</filename> devices.  The physical device
+	name is <filename>/dev/sa0</filename>.  When
+	<filename>/dev/nsa0</filename> is used, the backup application
+	will not rewind the tape after writing a file, which allows
+	writing more than one file to a tape.  Using
+	<filename>/dev/esa0</filename> ejects the tape after the
+	device is closed.</para>
+
+      <para>In &os;, <command>mt</command> is used to control
+	operations of the tape drive, such as seeking through files on
+	a tape or writing tape control marks to the tape.  For
+	example, the first three files on a tape can be preserved by
+	skipping past them before writing a new file:</para>
+
+      <screen>&prompt.root; <userinput>mt -f /dev/nsa0 fsf 3</userinput></screen>
+
+      <para>This utility supports many operations.  Refer to
+	&man.mt.1; for details.</para>
+
+      <para>To write a single file to tape using
+	<command>tar</command>, specify the name of the tape device
+	and the file to backup:</para>
+
+      <screen>&prompt.root; <userinput>tar cvf /dev/sa0 <replaceable>file</replaceable></userinput></screen>
+
+      <para>To recover files from a <command>tar</command> archive
+	on tape into the current directory:</para>
+
+      <screen>&prompt.root; <userinput>tar xvf /dev/sa0</userinput></screen>
+
+      <para>To backup a <acronym>UFS</acronym> file system, use
+	<command>dump</command>.  This examples backs up
+	<filename>/usr</filename> without rewinding the tape when
+	finished:</para>
+
+      <screen>&prompt.root; <userinput>dump -0aL -b64 -f /dev/nsa0 /usr</userinput></screen>
+
+      <para>To interactively restore files from a
+	<command>dump</command> file on tape into the current
+	directory:</para>
 
-device          sa0
+      <screen>&prompt.root; <userinput>restore -i -f /dev/nsa0</userinput></screen>
+    </sect2>
 
-pseudo-device   loop            # required by INET
-pseudo-device   gzip            # Exec gzipped a.out's
-EOM
-	 exit 1
-fi
+    <sect2 xml:id="backups-programs-amanda">
+      <title>Third-Party Backup Utilities</title>
 
-cp -f /sys/compile/MINI/kernel /mnt
+      <indexterm>
+	<primary>backup software</primary>
+      </indexterm>
 
-gzip -c -best /sbin/init &gt; /mnt/sbin/init
-gzip -c -best /sbin/fsck &gt; /mnt/sbin/fsck
-gzip -c -best /sbin/mount &gt; /mnt/sbin/mount
-gzip -c -best /sbin/halt &gt; /mnt/sbin/halt
-gzip -c -best /sbin/restore &gt; /mnt/sbin/restore
+      <para>The &os; Ports Collection provides many third-party
+	utilities which can be used to schedule the creation of
+	backups, simplify tape backup, and make backups easier and
+	more convenient.  Many of these applications are client/server
+	based and can be used to automate the backups of a single
+	system or all of the computers in a network.</para>
 
-gzip -c -best /bin/sh &gt; /mnt/bin/sh
-gzip -c -best /bin/sync &gt; /mnt/bin/sync
+      <para>Popular utilities include
+	<application>Amanda</application>,
+	<application>Bacula</application>,
+	<application>rsync</application>, and
+	<application>duplicity</application>.</para>
+    </sect2>
 
-cp /root/.profile /mnt/root
+    <sect2>
+      <title>Emergency Recovery</title>
 
-cp -f /dev/MAKEDEV /mnt/dev
-chmod 755 /mnt/dev/MAKEDEV
+      <para>In addition to regular backups, it is recommended to
+	perform the following steps as part of an emergency
+	preparedness plan.</para>
 
-chmod 500 /mnt/sbin/init
-chmod 555 /mnt/sbin/fsck /mnt/sbin/mount /mnt/sbin/halt
-chmod 555 /mnt/bin/sh /mnt/bin/sync
-chmod 6555 /mnt/sbin/restore
+      <indexterm>
+	<primary><command>bsdlabel</command></primary></indexterm>
 
-#
-# create the devices nodes
-#
-cd /mnt/dev
-./MAKEDEV std
-./MAKEDEV da0
-./MAKEDEV da1
-./MAKEDEV da2
-./MAKEDEV sa0
-./MAKEDEV pty0
-cd /
+      <para>Create a print copy of the output of the following
+	commands:</para>
 
-#
-# create minimum file system table
-#
-cat &gt; /mnt/etc/fstab &lt;&lt;EOM
-/dev/fd0a    /    ufs    rw  1  1
-EOM
+      <itemizedlist>
+	<listitem>
+	  <para><command>gpart show</command></para>
+	</listitem>
 
-#
-# create minimum passwd file
-#
-cat &gt; /mnt/etc/passwd &lt;&lt;EOM
-root:*:0:0:Charlie &:/root:/bin/sh
-EOM
-
-cat &gt; /mnt/etc/master.passwd &lt;&lt;EOM
-root::0:0::0:0:Charlie &:/root:/bin/sh
-EOM
-
-chmod 600 /mnt/etc/master.passwd
-chmod 644 /mnt/etc/passwd
-/usr/sbin/pwd_mkdb -d/mnt/etc /mnt/etc/master.passwd
+	<listitem>
+	  <para><command>more /etc/fstab</command></para>
+	</listitem>
 
-#
-# umount the floppy and inform the user
-#
-/sbin/umount /mnt
-echo "The floppy has been unmounted and is now ready."]]></programlisting>
+	<listitem>
+	  <para><command>dmesg</command></para>
+	</listitem>
+      </itemizedlist>
 
-        </example>
+      <indexterm><primary>livefs
+	  <acronym>CD</acronym></primary></indexterm>
 
-      </sect3>
+      <para>Store this printout and a copy of the installation media
+	in a secure location.  Should an emergency restore be
+	needed, boot into the installation media and select
+	<literal>Live CD</literal> to access a rescue shell.  This
+	rescue mode can be used to view the current state of the
+	system, and if needed, to  reformat disks and restore data
+	from backups.</para>
 
-      <sect3>
-	<title>After the Disaster</title>
+      <note>
+	<para>The installation media for
+	  &os;/&arch.i386;&nbsp;&rel2.current;-RELEASE does not
+	  include a rescue shell.  For this version, instead
+	  download and burn a Livefs <acronym>CD</acronym> image from
+	  <uri
+	    xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/&arch.i386;/ISO-IMAGES/&rel2.current;/&os;-&rel2.current;-RELEASE-&arch.i386;-livefs.iso">ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/&arch.i386;/ISO-IMAGES/&rel2.current;/&os;-&rel2.current;-RELEASE-&arch.i386;-livefs.iso</uri>.</para>
+      </note>
 
-	<para>The key question is: did your hardware survive?  You have been
-	  doing regular backups so there is no need to worry about the
-	  software.</para>
-
-	<para>If the hardware has been damaged, the parts should be replaced
-	  before attempting to use the computer.</para>
-
-	<para>If your hardware is okay, check your floppies.  If you are using
-	  a custom boot floppy, boot single-user (type <literal>-s</literal>
-	  at the <prompt>boot:</prompt> prompt).  Skip the following
-	  paragraph.</para>
-
-	<para>If you are using the <filename>boot.flp</filename> and
-	  <filename>fixit.flp</filename> floppies, keep reading.  Insert the
-	  <filename>boot.flp</filename> floppy in the first floppy drive and
-	  boot the computer.  The original install menu will be displayed on
-	  the screen.  Select the <literal>Fixit--Repair mode with CDROM or
-	    floppy.</literal> option.  Insert the
-	  <filename>fixit.flp</filename> when prompted.
-	  <command>restore</command> and the other programs that you need are
-	  located in <filename>/mnt2/rescue</filename>
-	  (<filename>/mnt2/stand</filename> for
-	  &os; versions older than 5.2).</para>
-
-	<para>Recover each file system separately.</para>
-
-	<indexterm>
-    <primary><command>mount</command></primary>
-  </indexterm>
-	<indexterm><primary>root partition</primary></indexterm>
-	<indexterm>
-    <primary><command>bsdlabel</command></primary>
-  </indexterm>
-	<indexterm>
-    <primary><command>newfs</command></primary>
-  </indexterm>
-	<para>Try to <command>mount</command> (e.g. <command>mount /dev/da0a
-	    /mnt</command>)  the root partition of your first disk.  If the
-	  bsdlabel was damaged, use <command>bsdlabel</command> to re-partition and
-	  label the disk to match the label that you printed and saved.  Use
-	    <command>newfs</command> to re-create the file systems.  Re-mount the root
-	  partition of the floppy read-write (<command>mount -u -o rw
-	    /mnt</command>).  Use your backup program and backup tapes to
-	  recover the data for this file system (e.g. <command>restore vrf
-	    /dev/sa0</command>).  Unmount the file system (e.g. <command>umount
-	    /mnt</command>). Repeat for each file system that was
-	  damaged.</para>
-
-	<para>Once your system is running, backup your data onto new tapes.
-	  Whatever caused the crash or data loss may strike again.  Another
-	  hour spent now may save you from further distress later.</para>
-      </sect3>
+      <para>Next, test the rescue shell and the backups.  Make notes
+	of the procedure.  Store these notes with the media, the
+	printouts, and the backups.  These notes may prevent the
+	inadvertent destruction of the backups while under the stress
+	of performing an emergency recovery.</para>
+
+      <para>For an added measure of security, store the latest backup
+	at a remote location which is physically separated from the
+	computers and disk drives by a significant distance.</para>
     </sect2>
   </sect1>
 
   <sect1 xml:id="disks-virtual">
-    <info><title>Network, Memory, and File-Backed File Systems</title>
+    <info>
+      <title>Memory Disks</title>
+
       <authorgroup>
-	<author><personname><firstname>Marc</firstname><surname>Fonvieille</surname></personname><contrib>Reorganized and enhanced by </contrib></author>
+	<author>
+	  <personname>
+	    <firstname>Marc</firstname>
+	    <surname>Fonvieille</surname>
+	  </personname>
+	  <contrib>Reorganized and enhanced by </contrib>
+	</author>
       </authorgroup>
     </info>
-    
-    <indexterm><primary>virtual disks</primary></indexterm>
-    <indexterm>
-      <primary>disks</primary>
-      <secondary>virtual</secondary>
-    </indexterm>
 
-    <para>Aside from the disks you physically insert into your computer:
-      floppies, CDs, hard drives, and so forth; other forms of disks
-      are understood by FreeBSD - the <firstterm>virtual
-      disks</firstterm>.</para>
+    <para>In addition to physical disks, &os; also supports the
+      creation and use of memory disks.  One possible use for a
+      memory disk is to access the contents of an
+      <acronym>ISO</acronym> file system without the overhead of first
+      burning it to a <acronym>CD</acronym> or <acronym>DVD</acronym>,
+      then mounting the <acronym>CD/DVD</acronym> media.</para>
+
+    <para>In &os;, the  &man.md.4; driver is used to provide support
+      for memory disks.  The <filename>GENERIC</filename> kernel
+      includes this driver.  When using a custom kernel configuration
+      file, ensure it includes this line:</para>
 
-    <indexterm><primary>NFS</primary></indexterm>
-    <indexterm><primary>Coda</primary></indexterm>
-    <indexterm>
-      <primary>disks</primary>
-      <secondary>memory</secondary>
-    </indexterm>
-    <para>These include network file systems such as the <link linkend="network-nfs">Network File System</link> and Coda, memory-based
-      file systems and
-      file-backed file systems.</para>
-
-    <para>According to the FreeBSD version you run, you will have to use
-      different tools for creation and use of file-backed and
-      memory-based file systems.</para>
-
-    <note>
-      <para>Use &man.devfs.5; to allocate device nodes transparently for the
-	user.</para>
-    </note>
+    <programlisting>device md</programlisting>
 
     <sect2 xml:id="disks-mdconfig">
-      <title>File-Backed File System</title>
+      <title>Attaching and Detaching Existing Images</title>
+
       <indexterm>
-        <primary>disks</primary>
-        <secondary>file-backed</secondary>
+	<primary>disks</primary>
+	<secondary>memory</secondary>
       </indexterm>
 
-      <para>The utility &man.mdconfig.8; is used to configure and enable
-	memory disks, &man.md.4;, under FreeBSD.  To use
-	&man.mdconfig.8;, you have to load &man.md.4; module or to add
-	the support in your kernel configuration file:</para>
-
-      <programlisting>device md</programlisting>
+      <para>To mount an existing file system image, use
+	<command>mdconfig</command> to specify the name of the
+	<acronym>ISO</acronym> file and a free unit number.  Then,
+	refer to that unit number to mount it on an existing mount
+	point.  Once mounted, the files in the <acronym>ISO</acronym>
+	will appear in the mount point.  This example attaches
+	<replaceable>diskimage.iso</replaceable> to the memory device
+	<filename>/dev/md0</filename> then mounts that memory device
+	on <filename>/mnt</filename>:</para>
 
-      <para>The &man.mdconfig.8; command supports three kinds of
-	memory backed virtual disks: memory disks allocated with
-	&man.malloc.9;, memory disks using a file or swap space as
-	backing.  One possible use is the mounting of floppy
-	or CD images kept in files.</para>
+      <screen>&prompt.root; <userinput>mdconfig -f <replaceable>diskimage.iso</replaceable> -u <replaceable>0</replaceable></userinput>
+&prompt.root; <userinput>mount /dev/md<replaceable>0</replaceable> <replaceable>/mnt</replaceable></userinput></screen>
 
-      <para>To mount an existing file system image:</para>
-
-      <example>
-	<title>Using <command>mdconfig</command> to Mount an Existing File System
-	  Image</title>
+      <para>If a unit number is not specified with
+	<option>-u</option>, <command>mdconfig</command> will
+	automatically allocate an unused memory device and output
+	the name of the allocated unit, such as
+	<filename>md4</filename>.  Refer to &man.mdconfig.8; for more
+	details about this command and its options.</para>
 
-	<screen>&prompt.root; <userinput>mdconfig -a -t vnode -f diskimage -u 0</userinput>
-&prompt.root; <userinput>mount /dev/md0 /mnt</userinput></screen>
-      </example>
-
-      <para>To create a new file system image with &man.mdconfig.8;:</para>
-
-      <example>
-	<title>Creating a New File-Backed Disk with <command>mdconfig</command></title>
-
-	<screen>&prompt.root; <userinput>dd if=/dev/zero of=newimage bs=1k count=5k</userinput>
-5120+0 records in
-5120+0 records out
-&prompt.root; <userinput>mdconfig -a -t vnode -f newimage -u 0</userinput>
-&prompt.root; <userinput>bsdlabel -w md0 auto</userinput>
-&prompt.root; <userinput>newfs md0a</userinput>
-/dev/md0a: 5.0MB (10224 sectors) block size 16384, fragment size 2048
-        using 4 cylinder groups of 1.25MB, 80 blks, 192 inodes.
-super-block backups (for fsck -b #) at:
- 160, 2720, 5280, 7840
-&prompt.root; <userinput>mount /dev/md0a /mnt</userinput>
-&prompt.root; <userinput>df /mnt</userinput>
-Filesystem 1K-blocks Used Avail Capacity  Mounted on
-/dev/md0a       4710    4  4330     0%    /mnt</screen>
-      </example>
-
-      <para>If you do not specify the unit number with the
-	<option>-u</option> option, &man.mdconfig.8; will use the
-	&man.md.4; automatic allocation to select an unused device.
-	The name of the allocated unit will be output on stdout like
-	<filename>md4</filename>.  For more details about
-	&man.mdconfig.8;, please refer to the manual page.</para>
-
-      <para>The utility &man.mdconfig.8; is very useful, however it
-	asks many command lines to create a file-backed file system.
-	FreeBSD also comes with a tool called &man.mdmfs.8;,
-	this program configures a &man.md.4; disk using
-	&man.mdconfig.8;, puts a UFS file system on it using
-	&man.newfs.8;, and mounts it using &man.mount.8;.  For example,
-	if you want to create and mount the same file system image as
-	above, simply type the following:</para>
-
-      <example>
-	<title>Configure and Mount a File-Backed Disk with <command>mdmfs</command></title>
-	<screen>&prompt.root; <userinput>dd if=/dev/zero of=newimage bs=1k count=5k</userinput>
-5120+0 records in
-5120+0 records out
-&prompt.root; <userinput>mdmfs -F newimage -s 5m md0 /mnt</userinput>
-&prompt.root; <userinput>df /mnt</userinput>
-Filesystem 1K-blocks Used Avail Capacity  Mounted on
-/dev/md0        4718    4  4338     0%    /mnt</screen>
-      </example>
-
-      <para>If you use the option <option>md</option> without unit
-	number, &man.mdmfs.8; will use &man.md.4; auto-unit feature to
-	automatically select an unused device.  For more details
-	about &man.mdmfs.8;, please refer to the manual page.</para>
-
-    </sect2>
-
-    <sect2 xml:id="disks-md-freebsd5">
-      <title>Memory-Based File System</title>
       <indexterm>
-        <primary>disks</primary>
-        <secondary>memory file system</secondary>
+	<primary>disks</primary>
+	<secondary>detaching a memory disk</secondary>
       </indexterm>
 
-      <para>For a
-	memory-based file system the <quote>swap backing</quote>
-	should normally be used.  Using swap backing does not mean
-	that the memory disk will be swapped out to disk by default,
-	but merely that the memory disk will be allocated from a
-	memory pool which can be swapped out to disk if needed.  It is
-	also possible to create memory-based disk which are
-	&man.malloc.9; backed, but using malloc backed memory disks,
-	especially large ones, can result in a system panic if the
-	kernel runs out of memory.</para>
-
-      <example>
-	<title>Creating a New Memory-Based Disk with
-	  <command>mdconfig</command></title>
-
-	<screen>&prompt.root; <userinput>mdconfig -a -t malloc -s 5m -u 1</userinput>
-&prompt.root; <userinput>newfs -U md1</userinput>
-/dev/md1: 5.0MB (10240 sectors) block size 16384, fragment size 2048
-	using 4 cylinder groups of 1.27MB, 81 blks, 256 inodes.
-	with soft updates
-super-block backups (for fsck -b #) at:
- 32, 2624, 5216, 7808
-&prompt.root; <userinput>mount /dev/md1 /mnt</userinput>
-&prompt.root; <userinput>df /mnt</userinput>
-Filesystem 1K-blocks Used Avail Capacity  Mounted on
-/dev/md1        4846    2  4458     0%    /mnt</screen>
-      </example>
+      <para>When a memory disk is no longer in use, its resources
+	should be released back to the system.  First, unmount the
+	file system, then use <command>mdconfig</command> to detach
+	the disk from the system and release its resources.  To
+	continue this example:</para>
 
-      <example>
-	<title>Creating a New Memory-Based Disk with
-	  <command>mdmfs</command></title>
-	<screen>&prompt.root; <userinput>mdmfs -M -s 5m md2 /mnt</userinput>
-&prompt.root; <userinput>df /mnt</userinput>
-Filesystem 1K-blocks Used Avail Capacity  Mounted on
-/dev/md2        4846    2  4458     0%    /mnt</screen>
-      </example>
+      <screen>&prompt.root; <userinput>umount /mnt</userinput>
+&prompt.root; <userinput>mdconfig -d -u <replaceable>0</replaceable></userinput></screen>
 
-      <para>Instead of using a &man.malloc.9; backed file system, it is
-	possible to use swap, for that just replace
-	<option>malloc</option> with <option>swap</option> in the
-	command line of &man.mdconfig.8;.  The &man.mdmfs.8; utility
-	by default (without <option>-M</option>) creates a swap-based
-	disk.  For more details, please refer to &man.mdconfig.8;
-	and &man.mdmfs.8; manual pages.</para>
+      <para>To determine if any memory disks are still attached to the
+	system, type <command>mdconfig -l</command>.</para>
     </sect2>
 
-    <sect2>
-      <title>Detaching a Memory Disk from the System</title>
+    <sect2 xml:id="disks-md-freebsd5">
+      <title>Creating a File- or Memory-Backed Memory Disk</title>
+
       <indexterm>
-        <primary>disks</primary>
-        <secondary>detaching a memory disk</secondary>
+	<primary>disks</primary>
+	<secondary>memory file system</secondary>
       </indexterm>
+      <para>&os; also supports memory disks where the storage to use
+	is allocated from either a hard disk or an area of memory.
+	The first method is commonly referred to as a file-backed file
+	system and the second method as a memory-backed file system.
+	Both types can be created using
+	<command>mdconfig</command>.</para>
+
+      <para>To create a new memory-backed file system, specify a type
+	of <literal>swap</literal> and the size of the memory disk to
+	create.  Then, format the memory disk with a file system and
+	mount as usual.  This example creates a 5M memory disk on unit
+	<literal>1</literal>.  That memory disk is then formatted with
+	the <acronym>UFS</acronym> file system before it is
+	mounted:</para>
 
-      <para>When a memory-based or file-based file system
-	is not used, you should release all resources to the system.
-	The first thing to do is to unmount the file system, then use
-	&man.mdconfig.8; to detach the disk from the system and release
-	the resources.</para>
+      <screen>&prompt.root; <userinput>mdconfig -a -t swap -s <replaceable>5</replaceable>m -u <replaceable>1</replaceable></userinput>
+&prompt.root; <userinput>newfs -U md<replaceable>1</replaceable></userinput>
+/dev/md1: 5.0MB (10240 sectors) block size 16384, fragment size 2048
+        using 4 cylinder groups of 1.27MB, 81 blks, 192 inodes.
+        with soft updates
+super-block backups (for fsck -b #) at:
+ 160, 2752, 5344, 7936
+&prompt.root; <userinput>mount /dev/md<replaceable>1</replaceable> <replaceable>/mnt</replaceable></userinput>
+&prompt.root; <userinput>df <replaceable>/mnt</replaceable></userinput>
+Filesystem 1K-blocks Used Avail Capacity  Mounted on
+/dev/md1        4718    4  4338     0%    /mnt</screen>
 
-      <para>For example to detach and free all resources used by
-	<filename>/dev/md4</filename>:</para>
+      <para>To create a new file-backed memory disk, first allocate an
+	area of disk to use.  This example creates an empty 5K file
+	named <filename>newimage</filename>:</para>
 
-      <screen>&prompt.root; <userinput>mdconfig -d -u 4</userinput></screen>
+      <screen>&prompt.root; <userinput>dd if=/dev/zero of=<replaceable>newimage</replaceable> bs=1k count=<replaceable>5</replaceable>k</userinput>
+5120+0 records in
+5120+0 records out</screen>
 
-      <para>It is possible to list information about configured
-	&man.md.4; devices in using the command <command>mdconfig
-	-l</command>.</para>
+      <para>Next, attach that file to a memory disk, label the memory
+	disk and format it with the <acronym>UFS</acronym> file
+	system, mount the memory disk, and verify the size of the
+	file-backed disk:</para>
+
+      <screen>&prompt.root; <userinput>mdconfig -f <replaceable>newimage</replaceable> -u <replaceable>0</replaceable></userinput>
+&prompt.root; <userinput>bsdlabel -w md<replaceable>0</replaceable> auto</userinput>
+&prompt.root; <userinput>newfs md<replaceable>0</replaceable>a</userinput>
+/dev/md0a: 5.0MB (10224 sectors) block size 16384, fragment size 2048
+        using 4 cylinder groups of 1.25MB, 80 blks, 192 inodes.
+super-block backups (for fsck -b #) at:
+ 160, 2720, 5280, 7840
+&prompt.root; <userinput>mount /dev/md<replaceable>0</replaceable>a <replaceable>/mnt</replaceable></userinput>
+&prompt.root; <userinput>df <replaceable>/mnt</replaceable></userinput>
+Filesystem 1K-blocks Used Avail Capacity  Mounted on
+/dev/md0a       4710    4  4330     0%    /mnt</screen>
 
+      <para>It takes several commands to create a file- or
+	memory-backed file system using <command>mdconfig</command>.
+	&os; also comes with <command>mdmfs</command> which
+	automatically configures a memory disk, formats it with the
+	<acronym>UFS</acronym> file system, and mounts it.  For
+	example, after creating <replaceable>newimage</replaceable>
+	with <command>dd</command>, this one command is equivalent to
+	running the <command>bsdlabel</command>,
+	<command>newfs</command>, and <command>mount</command>
+	commands shown above:</para>
+
+      <screen>&prompt.root; <userinput>mdmfs -F <replaceable>newimage</replaceable> -s <replaceable>5</replaceable>m md<replaceable>0</replaceable> <replaceable>/mnt</replaceable></userinput></screen>
+
+      <para>To instead create a new memory-based memory disk with
+	<command>mdmfs</command>, use this one command:</para>
+
+      <screen>&prompt.root; <userinput>mdmfs -s <replaceable>5</replaceable>m md<replaceable>1</replaceable> <replaceable>/mnt</replaceable></userinput></screen>
+
+      <para>If the unit number is not specified,
+	<command>mdmfs</command> will automatically select an unused
+	memory device.  For more details about
+	<command>mdmfs</command>, refer to &man.mdmfs.8;.</para>
     </sect2>
   </sect1>
 
   <sect1 xml:id="snapshots">
-    <info><title>File System Snapshots</title>
+    <info>
+      <title>File System Snapshots</title>
+
       <authorgroup>
-	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed by </contrib></author>
+	<author>
+	  <personname>
+	    <firstname>Tom</firstname>
+	    <surname>Rhodes</surname>
+	  </personname>
+	  <contrib>Contributed by </contrib>
+	</author>
       </authorgroup>
-      
     </info>
 
-    
-
     <indexterm>
       <primary>file systems</primary>
       <secondary>snapshots</secondary>
     </indexterm>
 
-      <para>FreeBSD offers a feature in conjunction with
-	<link linkend="soft-updates">Soft Updates</link>: File system snapshots.</para>
+    <para>&os; offers a feature in conjunction with
+      <link linkend="soft-updates">Soft Updates</link>: file system
+      snapshots.</para>
+
+    <para>UFS snapshots allow a user to create images of specified
+      file systems, and treat them as a file.  Snapshot files must be
+      created in the file system that the action is performed on, and
+      a user may create no more than 20 snapshots per file system.
+      Active snapshots are recorded in the superblock so they are
+      persistent across unmount and remount operations along with
+      system reboots.  When a snapshot is no longer required, it can
+      be removed using &man.rm.1;.  While snapshots may be removed in
+      any order, all the used space may not be acquired because
+      another snapshot will possibly claim some of the released
+      blocks.</para>
 
-      <para>Snapshots allow a user to create images of specified file
-	systems, and treat them as a file.
-	Snapshot files must be created in the file system that the
-	action is performed on, and a user may create no more than 20
-	snapshots per file system.  Active snapshots are recorded
-	in the superblock so they are persistent across unmount and
-	remount operations along with system reboots.  When a snapshot
-	is no longer required, it can be removed with the standard &man.rm.1;
-	command.  Snapshots may be removed in any order,
-	however all the used space may not be acquired because another snapshot will
-	possibly claim some of the released blocks.</para>
-
-      <para>The un-alterable <option>snapshot</option> file flag is set
+    <para>The un-alterable <option>snapshot</option> file flag is set
       by &man.mksnap.ffs.8; after initial creation of a snapshot file.
-	The &man.unlink.1; command makes an exception for snapshot files
-	since it allows them to be removed.</para>
+      &man.unlink.1; makes an exception for snapshot files since it
+      allows them to be removed.</para>
 
-      <para>Snapshots are created with the &man.mount.8; command.  To place
-	a snapshot of <filename>/var</filename> in the file
-	<filename>/var/snapshot/snap</filename> use the following
-	command:</para>
+    <para>Snapshots are created using &man.mount.8;.  To place a
+      snapshot of <filename>/var</filename> in the
+      file <filename>/var/snapshot/snap</filename>, use the following
+      command:</para>
 
-<screen>&prompt.root; <userinput>mount -u -o snapshot /var/snapshot/snap /var</userinput></screen>
+    <screen>&prompt.root; <userinput>mount -u -o snapshot /var/snapshot/snap /var</userinput></screen>
 
-      <para>Alternatively, you can use &man.mksnap.ffs.8; to create
-	a snapshot:</para>
-<screen>&prompt.root; <userinput>mksnap_ffs /var /var/snapshot/snap</userinput></screen>
-
-      <para>One can find snapshot files on a file system (e.g. <filename>/var</filename>)
-        by using the &man.find.1; command:</para>
-<screen>&prompt.root; <userinput>find /var -flags snapshot</userinput></screen>
+    <para>Alternatively, use &man.mksnap.ffs.8; to create the
+      snapshot:</para>
 
-      <para>Once a snapshot has been created, it has several
-	uses:</para>
+    <screen>&prompt.root; <userinput>mksnap_ffs /var /var/snapshot/snap</userinput></screen>
 
-      <itemizedlist>
-	<listitem>
-	  <para>Some administrators will use a snapshot file for backup purposes,
-	    because the snapshot can be transfered to CDs or tape.</para>
-	</listitem>
+    <para>One can find snapshot files on a file system, such as
+      <filename>/var</filename>, using
+      &man.find.1;:</para>
 
-	<listitem>
-	  <para>File integrity, &man.fsck.8; may be ran on the snapshot.
-	    Assuming that the file system was clean when it was mounted, you
-	    should always get a clean (and unchanging) result.
-	    This is essentially what the
-	    background &man.fsck.8; process does.</para>
-	</listitem>
+    <screen>&prompt.root; <userinput>find /var -flags snapshot</userinput></screen>
 
-	<listitem>
-	  <para>Run the &man.dump.8; utility on the snapshot.
-	    A dump will be returned that is consistent with the
-	    file system and the timestamp of the snapshot.  &man.dump.8;
-	    can also take a snapshot, create a dump image and then
-	    remove the snapshot in one command using the
-	    <option>-L</option> flag.</para>
-	</listitem>
+    <para>Once a snapshot has been created, it has several
+      uses:</para>
 
-	<listitem>
-	  <para>&man.mount.8; the snapshot as a frozen image of the file system.
-	    To &man.mount.8; the snapshot
-	    <filename>/var/snapshot/snap</filename> run:</para>
+    <itemizedlist>
+      <listitem>
+	<para>Some administrators will use a snapshot file for backup
+	  purposes, because the snapshot can be transferred to
+	  <acronym>CD</acronym>s or tape.</para>
+      </listitem>
 
-<screen>&prompt.root; <userinput>mdconfig -a -t vnode -f /var/snapshot/snap -u 4</userinput>
-&prompt.root; <userinput>mount -r /dev/md4 /mnt</userinput></screen>
+      <listitem>
+	<para>The file system integrity checker, &man.fsck.8;, may be
+	  run on the snapshot.  Assuming that the file system was
+	  clean when it was mounted, this should always provide a
+	  clean and unchanging result.</para>
+      </listitem>
 
-	</listitem>
-      </itemizedlist>
+      <listitem>
+	<para>Running &man.dump.8; on the snapshot will produce a dump
+	  file that is consistent with the file system and the
+	  timestamp of the snapshot.  &man.dump.8; can also take a
+	  snapshot, create a dump image, and then remove the snapshot
+	  in one command by using <option>-L</option>.</para>
+      </listitem>
+
+      <listitem>
+	<para>The snapshot can be mounted as a frozen image of the
+	  file system.  To &man.mount.8; the snapshot
+	  <filename>/var/snapshot/snap</filename> run:</para>
+
+	<screen>&prompt.root; <userinput>mdconfig -a -t vnode -o readonly -f /var/snapshot/snap -u 4</userinput>
+&prompt.root; <userinput>mount -r /dev/md4 /mnt</userinput></screen>
+      </listitem>
+    </itemizedlist>
 
-      <para>You can now walk the hierarchy of your frozen <filename>/var</filename>
-	file system mounted at <filename>/mnt</filename>.  Everything will
-	initially be in the same state it was during the snapshot creation time.
-	The only exception is that any earlier snapshots will appear
-	as zero length files.  When the use of a snapshot has delimited,
-	it can be unmounted with:</para>
+    <para>The frozen <filename>/var</filename> is now available
+      through <filename>/mnt</filename>.  Everything will initially be
+      in the same state it was during the snapshot creation time.  The
+      only exception is that any earlier snapshots will appear as zero
+      length files.  To unmount the snapshot, use:</para>
 
-<screen>&prompt.root; <userinput>umount /mnt</userinput>
+    <screen>&prompt.root; <userinput>umount /mnt</userinput>
 &prompt.root; <userinput>mdconfig -d -u 4</userinput></screen>
 
-      <para>For more information about <option>softupdates</option> and
-	file system snapshots, including technical papers, you can visit
-	Marshall Kirk McKusick's website at
-	<uri xlink:href="http://www.mckusick.com/">http://www.mckusick.com/</uri>.</para>
+    <para>For more information about <option>softupdates</option> and
+      file system snapshots, including technical papers, visit
+      Marshall Kirk McKusick's website at <uri
+	xlink:href="http://www.mckusick.com/">http://www.mckusick.com/</uri>.</para>
   </sect1>
 
   <sect1 xml:id="quotas">
@@ -3181,92 +2440,109 @@
     </sect2>
   </sect1>
 
-
   <sect1 xml:id="disks-encrypting">
-    <info><title>Encrypting Disk Partitions</title>
+    <info>
+      <title>Encrypting Disk Partitions</title>
+
       <authorgroup>
-	<author><personname><firstname>Lucky</firstname><surname>Green</surname></personname><contrib>Contributed by </contrib><affiliation>
-	    <address><email>shamrock@cypherpunks.to</email></address>
-	  </affiliation></author>
+	<author>
+	  <personname>
+	    <firstname>Lucky</firstname>
+	    <surname>Green</surname>
+	  </personname>
+	  <contrib>Contributed by </contrib>
+	  <affiliation>
+	    <address>
+	      <email>shamrock@cypherpunks.to</email>
+	    </address>
+	  </affiliation>
+	</author>
       </authorgroup>
-      
     </info>
 
-    
     <indexterm>
       <primary>disks</primary>
-      <secondary>encrypting</secondary></indexterm>
+      <secondary>encrypting</secondary>
+    </indexterm>
 
-    <para>FreeBSD offers excellent online protections against
-      unauthorized data access.  File permissions and Mandatory
-      Access Control (MAC) (see <xref linkend="mac"/>) help prevent
-      unauthorized third-parties from accessing data while the operating
-      system is active and the computer is powered up. However,
-      the permissions enforced by the operating system are irrelevant if an
-      attacker has physical access to a computer and can simply move
-      the computer's hard drive to another system to copy and analyze
-      the sensitive data.</para>
-
-    <para>Regardless of how an attacker may have come into possession of
-      a hard drive or powered-down computer, both <application>GEOM
-      Based Disk Encryption (gbde)</application> and
-      <command>geli</command> cryptographic subsystems in &os; are able
-      to protect the data on the computer's file systems against even
-      highly-motivated attackers with significant resources. Unlike
-      cumbersome encryption methods that encrypt only individual files,
-      <command>gbde</command> and <command>geli</command> transparently
-      encrypt entire file systems. No cleartext ever touches the hard
+    <para>&os; offers excellent online protections against
+      unauthorized data access.  File permissions and <link
+	linkend="mac">Mandatory Access Control</link> (MAC) help
+      prevent unauthorized users from accessing data while the
+      operating system is active and the computer is powered up.
+      However, the permissions enforced by the operating system are
+      irrelevant if an attacker has physical access to a computer and
+      can move the computer's hard drive to another system to copy and
+      analyze the data.</para>
+
+    <para>Regardless of how an attacker may have come into possession
+      of a hard drive or powered-down computer, the
+      <acronym>GEOM</acronym>-based cryptographic subsystems built
+      into &os; are able to protect the data on the computer's file
+      systems against even highly-motivated attackers with significant
+      resources.  Unlike encryption methods that encrypt individual
+      files, the built-in <command>gbde</command> and
+      <command>geli</command> utilities can be used to transparently
+      encrypt entire file systems.  No cleartext ever touches the hard
       drive's platter.</para>
 
-    <sect2>
-      <title>Disk Encryption with <application>gbde</application></title>
-
-      <procedure>
-	<step>
-	  <title>Become <systemitem class="username">root</systemitem></title>
-
-	  <para>Configuring <application>gbde</application> requires
-	    super-user privileges.</para>
-
-	  <screen>&prompt.user; <userinput>su -</userinput>
-Password:</screen>
-	</step>
-
-	<step>
-	  <title>Add &man.gbde.4; Support to the Kernel Configuration File</title>
-
-	  <para>Add the following line to the kernel configuration
-	    file:</para>
+    <para>This chapter demonstrates how to create an encrypted file
+      system on &os;.  It first demonstrates the process using
+      <command>gbde</command> and then demonstrates the same example
+      using <command>geli</command>.</para>
+
+    <sect2>
+      <title>Disk Encryption with
+	<application>gbde</application></title>
+
+      <para>The objective of the &man.gbde.4; facility is to provide a
+	formidable challenge for an attacker to gain access to the
+	contents of a <emphasis>cold</emphasis> storage device.
+	However, if the computer is compromised while up and running
+	and the storage device is actively attached, or the attacker
+	has access to a valid passphrase, it offers no protection to
+	the contents of the storage device.  Thus, it is important to
+	provide physical security while the system is running and to
+	protect the passphrase used by the encryption
+	mechanism.</para>
+
+      <para>This facility provides several barriers to protect the
+	data stored in each disk sector.  It encrypts the contents of
+	a disk sector using 128-bit <acronym>AES</acronym> in
+	<acronym>CBC</acronym> mode.  Each sector on the disk is
+	encrypted with a different <acronym>AES</acronym> key.  For
+	more information on the cryptographic design, including how
+	the sector keys are derived from the user-supplied passphrase,
+	refer to &man.gbde.4;.</para>
 
-	  <para><literal>options GEOM_BDE</literal></para>
+      <para>&os; provides a kernel module for
+	<application>gbde</application> which can be loaded with this
+	command:</para>
 
-	  <para>Rebuild the kernel as described in <xref linkend="kernelconfig"/>.</para>
+      <screen>&prompt.root; <userinput>kldload geom_bde</userinput></screen>
 
-	  <para>Reboot into the new kernel.</para>
-	</step>
-      </procedure>
+      <para>If using a custom kernel configuration file, ensure it
+	contains this line:</para>
 
-    <sect3>
-      <title>Preparing the Encrypted Hard Drive</title>
+      <para><literal>options GEOM_BDE</literal></para>
 
-      <para>The following example assumes that you are adding a new hard
-	drive to your system that will hold a single encrypted partition.
-	This partition will be mounted as <filename>/private</filename>.
-	<application>gbde</application> can also be used to encrypt
-	<filename>/home</filename> and <filename>/var/mail</filename>, but
-	this requires more complex instructions which exceed the scope of
-	this introduction.</para>
+      <para>The following example demonstrates adding a new hard drive
+	to a system that will hold a single encrypted partition that
+	will be mounted as <filename>/private</filename>.</para>
 
       <procedure>
+	<title>Encrypting a Partition with
+	  <application>gbde</application></title>
+
 	<step>
 	  <title>Add the New Hard Drive</title>
 
-	  <para>Install the new drive to the system as explained in <xref linkend="disks-adding"/>. For the purposes of this example,
-	    a new hard drive partition has been added as
-	    <filename>/dev/ad4s1c</filename>. The
-	    <filename>/dev/ad0s1*</filename>
-	    devices represent existing standard FreeBSD partitions on
-	    the example system.</para>
+	  <para>Install the new drive to the system as explained in
+	    <xref linkend="disks-adding"/>.  For the purposes of this
+	    example, a new hard drive partition has been added as
+	    <filename>/dev/ad4s1c</filename> and
+	    <filename>/dev/ad0s1<replaceable>*</replaceable></filename>
+	    represents the existing standard &os; partitions.</para>
 
 	  <screen>&prompt.root; <userinput>ls /dev/ad*</userinput>
 /dev/ad0        /dev/ad0s1b     /dev/ad0s1e     /dev/ad4s1
@@ -3275,81 +2551,78 @@
 	</step>
 
 	<step>
-	  <title>Create a Directory to Hold gbde Lock Files</title>
+	  <title>Create a Directory to Hold <command>gbde</command>
+	    Lock Files</title>
 
 	  <screen>&prompt.root; <userinput>mkdir /etc/gbde</userinput></screen>
 
-	  <para>The <application>gbde</application> lock file contains
-	    information that <application>gbde</application> requires to
-	    access encrypted partitions. Without access to the lock file,
-	    <application>gbde</application> will not be able to decrypt
-	    the data contained in the encrypted partition without
-	    significant manual intervention which is not supported by the
-	    software. Each encrypted partition uses a separate lock
-	    file.</para>
+	  <para>The <application>gbde</application> lock file
+	    contains information that <application>gbde</application>
+	    requires to access encrypted partitions.  Without access
+	    to the lock file, <application>gbde</application> will not
+	    be able to decrypt the data contained in the encrypted
+	    partition without significant manual intervention which is
+	    not supported by the software.  Each encrypted partition
+	    uses a separate lock file.</para>
 	</step>
 
 	<step>
-	  <title>Initialize the gbde Partition</title>
+	  <title>Initialize the <command>gbde</command>
+	    Partition</title>
 
 	  <para>A <application>gbde</application> partition must be
-	    initialized before it can be used. This initialization needs to
-	    be performed only once:</para>
-
-	  <screen>&prompt.root; <userinput>gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c</userinput></screen>
-
-	  <para>&man.gbde.8; will open your editor, permitting you to set
-	    various configuration options in a template. For use with UFS1
-	    or UFS2, set the sector_size to 2048:</para>
+	    initialized before it can be used.  This initialization
+	    needs to be performed only once.  This command will open
+	    the default editor, in order to set various configuration
+	    options in a template.  For use with the
+	    <acronym>UFS</acronym> file system, set the sector_size to
+	    2048:</para>
 
-	  <programlisting>$<!-- This is not the space you are looking
-for-->FreeBSD: src/sbin/gbde/template.txt,v 1.1 2002/10/20 11:16:13 phk Exp $
+	  <screen>&prompt.root; <userinput>gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock</userinput># &dollar;FreeBSD: src/sbin/gbde/template.txt,v 1.1.36.1 2009/08/03 08:13:06 kensmith Exp $
 #
 # Sector size is the smallest unit of data which can be read or written.
 # Making it too small decreases performance and decreases available space.
 # Making it too large may prevent filesystems from working.  512 is the
 # minimum and always safe.  For UFS, use the fragment size
 #
-sector_size     =       2048
-[...]
-</programlisting>
-
-	  <para>&man.gbde.8; will ask you twice to type the passphrase that
-	    should be used to secure the data. The passphrase must be the
-	    same both times. <application>gbde</application>'s ability to
-	    protect your data depends entirely on the quality of the
-	    passphrase that you choose.
-	  <footnote>
-          <para>For tips on how to select a secure passphrase that is easy
-	    to remember, see the <link xlink:href="http://world.std.com/~reinhold/diceware.html">Diceware
-	    Passphrase</link> website.</para></footnote></para>
-
-	  <para>The <command>gbde init</command> command creates a lock
-	    file for your <application>gbde</application> partition that in
-	    this example is stored as
-	    <filename>/etc/gbde/ad4s1c</filename>.</para>
+sector_size	=	2048
+[...]</screen>
+
+	  <para>Once the edit is saved, the user will be asked twice
+	    to type the passphrase used to secure the data.  The
+	    passphrase must be the same both times.  The ability of
+	    <application>gbde</application> to protect data depends
+	    entirely on the quality of the passphrase.  For tips on
+	    how to select a secure passphrase that is easy to
+	    remember, see <link
+	      xlink:href="http://world.std.com/~reinhold/diceware.html">http://world.std.com/~reinhold/diceware.htm</link>.</para>
+
+	  <para>This initialization creates a lock file for the
+	    <application>gbde</application> partition.  In this
+	    example, it is stored as
+	    <filename>/etc/gbde/ad4s1c.lock</filename>.  Lock files
+	    must end in <quote>.lock</quote> in order to be correctly
+	    detected by the <filename>/etc/rc.d/gbde</filename> start
+	    up script.</para>
 
 	  <caution>
-	    <para><application>gbde</application> lock files
-	      <emphasis>must</emphasis> be backed up together with the
-	      contents of any encrypted partitions. While deleting a lock
-	      file alone cannot prevent a determined attacker from
-	      decrypting a <application>gbde</application> partition,
-	      without the lock file, the legitimate owner will be unable
-	      to access the data on the encrypted partition without a
-	      significant amount of work that is totally unsupported by
-	      &man.gbde.8; and its designer.</para>
+	    <para>Lock files <emphasis>must</emphasis> be backed up
+	      together with the contents of any encrypted partitions.
+	      Without the lock file, the legitimate owner will be
+	      unable to access the data on the encrypted
+	      partition.</para>
 	  </caution>
 	</step>
 
 	<step>
-	  <title>Attach the Encrypted Partition to the Kernel</title>
+	  <title>Attach the Encrypted Partition to the
+	    Kernel</title>
 
-	  <screen>&prompt.root; <userinput>gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c</userinput></screen>
+	  <screen>&prompt.root; <userinput>gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c.lock</userinput></screen>
 
-	  <para> You will be asked to provide the passphrase that you
-	    selected during the initialization of the encrypted partition.
-	    The new encrypted device will show up in
+	  <para>This command will prompt to input the passphrase that
+	    was selected during the initialization of the encrypted
+	    partition.  The new encrypted device will appear in
 	    <filename>/dev</filename> as
 	    <filename>/dev/device_name.bde</filename>:</para>
 
@@ -3360,43 +2633,36 @@
 	</step>
 
 	<step>
-	  <title>Create a File System on the Encrypted Device</title>
+	  <title>Create a File System on the Encrypted
+	    Device</title>
 
-	  <para>Once the encrypted device has been attached to the kernel,
-	    you can create a file system on the device. To create a file
-	    system on the encrypted device, use &man.newfs.8;. Since it is
-	    much faster to initialize a new UFS2 file system than it is to
-	    initialize the old UFS1 file system, using &man.newfs.8; with
-	    the <option>-O2</option> option is recommended.</para>
-
-	  <screen>&prompt.root; <userinput>newfs -U -O2 /dev/ad4s1c.bde</userinput></screen>
-
-	  <note>
-	    <para>The &man.newfs.8; command must be performed on an
-	      attached <application>gbde</application> partition which
-	      is identified by a
-	      <filename>*.bde</filename>
-	      extension to the device name.</para>
-	  </note>
+	  <para>Once the encrypted device has been attached to the
+	    kernel, a file system can be created on the device.  This
+	    example creates a <acronym>UFS</acronym> file system with
+	    soft updates enabled.  Be sure to specify the partition
+	    which has a
+	    <filename><replaceable>*</replaceable>.bde</filename>
+	    extension:</para>
+
+	  <screen>&prompt.root; <userinput>newfs -U /dev/ad4s1c.bde</userinput></screen>
 	</step>
 
 	<step>
 	  <title>Mount the Encrypted Partition</title>
 
-	  <para>Create a mount point for the encrypted file system.</para>
-
-	  <screen>&prompt.root; <userinput>mkdir /private</userinput></screen>
+	  <para>Create a mount point and mount the encrypted file
+	    system:</para>
 
-	  <para>Mount the encrypted file system.</para>
-
-	  <screen>&prompt.root; <userinput>mount /dev/ad4s1c.bde /private</userinput></screen>
+	  <screen>&prompt.root; <userinput>mkdir /private</userinput>
+&prompt.root; <userinput>mount /dev/ad4s1c.bde /private</userinput></screen>
 	</step>
 
 	<step>
-	  <title>Verify That the Encrypted File System is Available</title>
+	  <title>Verify That the Encrypted File System is
+	    Available</title>
 
-	  <para>The encrypted file system should now be visible to
-	    &man.df.1; and be available for use.</para>
+	  <para>The encrypted file system should now be visible and
+	    available for use:</para>
 
 	  <screen>&prompt.user; <userinput>df -H</userinput>
 Filesystem        Size   Used  Avail Capacity  Mounted on
@@ -3408,251 +2674,195 @@
 /dev/ad4s1c.bde   150G   4.1K   138G     0%    /private</screen>
 	</step>
       </procedure>
-    </sect3>
-
-    <sect3>
-      <title>Mounting Existing Encrypted File Systems</title>
 
       <para>After each boot, any encrypted file systems must be
-	re-attached to the kernel, checked for errors, and mounted, before
-	the file systems can be used. The required commands must be
-	executed as user <systemitem class="username">root</systemitem>.</para>
-
-      <procedure>
-	<step>
-	  <title>Attach the gbde Partition to the Kernel</title>
-
-	  <screen>&prompt.root; <userinput>gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c</userinput></screen>
-
-	  <para>You will be asked to provide the passphrase that you
-	    selected during initialization of the encrypted
-	    <application>gbde</application> partition.</para>
-	</step>
-
-	<step>
-	  <title>Check the File System for Errors</title>
-
-	  <para>Since encrypted file systems cannot yet be listed in
-	    <filename>/etc/fstab</filename> for automatic mounting, the
-	    file systems must be checked for errors by running &man.fsck.8;
-	    manually before mounting.</para>
-
-	  <screen>&prompt.root; <userinput>fsck -p -t ffs /dev/ad4s1c.bde</userinput></screen>
-	</step>
-
-	<step>
-	  <title>Mount the Encrypted File System</title>
-
-	  <screen>&prompt.root; <userinput>mount /dev/ad4s1c.bde /private</userinput></screen>
-
-	  <para>The encrypted file system is now available for use.</para>
-	</step>
-      </procedure>
-
-      <sect4>
-	<title>Automatically Mounting Encrypted Partitions</title>
+	manually re-attached to the kernel, checked for errors, and
+	mounted, before the file systems can be used.  To configure
+	these steps, add the following lines to
+	<filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>gbde_autoattach_all="YES"
+gbde_devices="<replaceable>ad4s1c</replaceable>"
+gbde_lockdir="/etc/gbde"</programlisting>
+
+      <para>This requires that the passphrase be entered at the
+	console at boot time.  After typing the correct passphrase,
+	the encrypted partition will be mounted automatically.
+	Additional <application>gbde</application> boot options are
+	available and listed in &man.rc.conf.5;.</para>
 
-	<para>It is possible to create a script to automatically attach,
-	  check, and mount an encrypted partition, but for security reasons
-	  the script should not contain the &man.gbde.8; password. Instead,
-	  it is recommended that such scripts be run manually while
-	  providing the password via the console or &man.ssh.1;.</para>
-
-	<para>As of &os; 5.2-RELEASE, there is a new <filename>rc.d</filename> script
-	  provided.  Arguments for this script can be passed via
-	  &man.rc.conf.5;, for example:</para>
-
-	<screen>gbde_autoattach_all="YES"
-gbde_devices="ad4s1c"</screen>
-
-	<para>This will require that the <application>gbde</application>
-	  passphrase be entered at boot time.  After typing the correct
-	  passphrase, the <application>gbde</application> encrypted
-	  partition will be mounted automatically.  This can be very
-	  useful when using <application>gbde</application> on
-	  notebooks.</para>
-      </sect4>
-    </sect3>
-
-      <sect3>
-	<title>Cryptographic Protections Employed by gbde</title>
-
-	<para>&man.gbde.8; encrypts the sector payload using 128-bit AES in
-	  CBC mode.  Each sector on the disk is encrypted with a different
-	  AES key. For more information on <application>gbde</application>'s
-	  cryptographic design, including how the sector keys are derived
-	  from the user-supplied passphrase, see &man.gbde.4;.</para>
-      </sect3>
-
-      <sect3>
-	<title>Compatibility Issues</title>
-
-	<para>&man.sysinstall.8; is incompatible with
-	  <application>gbde</application>-encrypted devices. All
+<!--
+What about bsdinstall?
+-->
+      <note>
+	<para><application>sysinstall</application> is incompatible
+	  with <application>gbde</application>-encrypted devices.  All
 	  <filename>*.bde</filename> devices must be detached from the
-	  kernel before starting &man.sysinstall.8; or it will crash during
-	  its initial probing for devices. To detach the encrypted device
-	  used in our example, use the following command:</para>
-	<screen>&prompt.root; <userinput>gbde detach /dev/ad4s1c</userinput></screen>
-
-      <para>Also note that, as &man.vinum.4; does not use the
-	&man.geom.4; subsystem, you cannot use
-	<application>gbde</application> with
-	<application>vinum</application> volumes.</para>
-      </sect3>
+	  kernel before starting <application>sysinstall</application>
+	  or it will crash during its initial probing for devices.  To
+	  detach the encrypted device used in the example, use the
+	  following command:</para>
 
+	<screen>&prompt.root; <userinput>gbde detach /dev/<replaceable>ad4s1c</replaceable></userinput></screen>
+      </note>
     </sect2>
 
-    <sect2>
-      <info><title>Disk Encryption with <command>geli</command></title>
+    <sect2 xml:id="disks-encrypting-geli">
+      <info>
+	<title>Disk Encryption with <command>geli</command></title>
+
 	<authorgroup>
-	  <author><personname><firstname>Daniel</firstname><surname>Gerzo</surname></personname><contrib>Contributed by </contrib></author>
+	  <author>
+	    <personname>
+	      <firstname>Daniel</firstname>
+	      <surname>Gerzo</surname>
+	    </personname>
+	    <contrib>Contributed by </contrib>
+	  </author>
 	</authorgroup>
-	
       </info>
 
-      
-
-      <para>A new cryptographic GEOM class is available as of &os; 6.0 -
-	<command>geli</command>.  It is currently being developed by
-	&a.pjd;.  <command>Geli</command> is different to
-	<command>gbde</command>; it offers different features and uses
-	a different scheme for doing cryptographic work.</para>
-
-      <para>The most important features of &man.geli.8; are:</para>
+      <para>An alternative cryptographic <acronym>GEOM</acronym> class
+	is available using <command>geli</command>.  This control
+	utility adds some features and uses a different scheme for
+	doing cryptographic work.  It provides the following
+	features:</para>
 
       <itemizedlist>
 	<listitem>
-	  <para>Utilizes the &man.crypto.9; framework &mdash; when
-	    cryptographic hardware is available, <command>geli</command>
-	    will use it automatically.</para>
+	  <para>Utilizes the &man.crypto.9; framework and
+	    automatically uses cryptographic hardware when it is
+	    available.</para>
 	</listitem>
+
 	<listitem>
-	  <para>Supports multiple cryptographic algorithms (currently
-	     AES, Blowfish, and 3DES).</para>
+	  <para>Supports multiple cryptographic algorithms such as
+	    <acronym>AES</acronym>, Blowfish, and
+	    <acronym>3DES</acronym>.</para>
 	</listitem>
+
 	<listitem>
 	  <para>Allows the root partition to be encrypted.  The
-	    passphrase used to access the encrypted root partition will
-	    be requested during the system boot.</para>
+	    passphrase used to access the encrypted root partition
+	    will be requested during system boot.</para>
 	</listitem>
+
 	<listitem>
-	  <para>Allows the use of two independent keys (e.g. a
-	    <quote>key</quote> and a <quote>company key</quote>).</para>
+	  <para>Allows the use of two independent keys.</para>
 	</listitem>
+
 	<listitem>
-	  <para><command>geli</command> is fast - performs simple
-	    sector-to-sector encryption.</para>
+	  <para>It is fast as it performs simple sector-to-sector
+	    encryption.</para>
 	</listitem>
+
 	<listitem>
-	  <para>Allows backup and restore of Master Keys.  When a user
-	    has to destroy his keys, it will be possible to get access
-	    to the data again by restoring keys from the backup.</para>
+	  <para>Allows backup and restore of master keys.  If a user
+	    destroys their keys, it is still possible to get access to
+	    the data by restoring keys from the backup.</para>
 	</listitem>
+
 	<listitem>
-	  <para>Allows to attach a disk with a random, one-time key
-	    &mdash; useful for swap partitions and temporary file
+	  <para>Allows a disk to attach with a random, one-time key
+	    which is useful for swap partitions and temporary file
 	    systems.</para>
 	</listitem>
       </itemizedlist>
 
-      <para>More <command>geli</command> features can be found in the
-	&man.geli.8; manual page.</para>
+      <para>More features and usage examples can be found in
+	&man.geli.8;.</para>
 
-      <para>The next steps will describe how to enable support for
-	<command>geli</command> in the &os; kernel and will explain how
-	to create a new <command>geli</command> encryption provider.  At
-	the end it will be demonstrated how to create an encrypted swap
-	partition using features provided by <command>geli</command>.</para>
-
-      <para>In order to use <command>geli</command>, you must be running
-	&os; 6.0-RELEASE or later.  Super-user privileges will be
-	required since modifications to the kernel are necessary.</para>
+      <para>The following example describes how to generate a key file
+	which will be used as part of the master key for the encrypted
+	provider mounted under <filename>/private</filename>.  The key
+	file will provide some random data used to encrypt the master
+	key.  The master key will also be protected by a passphrase.
+	The provider's sector size will be 4kB.  The example describes
+	how to attach to the <command>geli</command> provider, create
+	a file system on it, mount it, work with it, and finally, how
+	to detach it.</para>
 
       <procedure>
+	<title>Encrypting a Partition with
+	  <command>geli</command></title>
+
 	<step>
-	  <title>Adding <command>geli</command> Support to the Kernel
-	    Configuration File</title>
+	  <title>Load <command>geli</command> Support</title>
 
-	  <para>Add the following lines to the kernel configuration
-	    file:</para>
+	  <para>Support for <command>geli</command> is available as a
+	    loadable kernel module.  To configure the system to
+	    automatically load the module at boot time, add the
+	    following line to
+	    <filename>/boot/loader.conf</filename>:</para>
 
-	  <screen>options GEOM_ELI
-device crypto</screen>
+	  <programlisting>geom_eli_load="YES"</programlisting>
 
-	  <para>Rebuild the kernel as described in <xref linkend="kernelconfig"/>.</para>
+	  <para>To load the kernel module now:</para>
 
-	  <para>Alternatively, the <command>geli</command> module can
-	    be loaded at boot time.  Add the following line to the
-	    <filename>/boot/loader.conf</filename>:</para>
+	  <screen>&prompt.root; <userinput>kldload geom_eli</userinput></screen>
 
-	  <para><literal>geom_eli_load="YES"</literal></para>
+	  <para>For a custom kernel, ensure the kernel configuration
+	    file contains these lines:</para>
 
-	  <para>&man.geli.8; should now be supported by the kernel.</para>
+	  <programlisting>options GEOM_ELI
+device crypto</programlisting>
 	</step>
 
 	<step>
-	  <title>Generating the Master Key</title>
+	  <title>Generate the Master Key</title>
 
-	  <para>The following example will describe how to generate a
-	    key file, which will be used as part of the Master Key for
-	    the encrypted provider mounted under
-	    <filename>/private</filename>.  The key
-	    file will provide some random data used to encrypt the
-	    Master Key.  The Master Key will be protected by a
-	    passphrase as well.  Provider's sector size will be 4kB big.
-	    Furthermore, the discussion will describe how to attach the
-	    <command>geli</command> provider, create a file system on
-	    it, how to mount it, how to work with it, and finally how to
-	    detach it.</para>
-
-	  <para>It is recommended to use a bigger sector size (like 4kB) for
-	    better performance.</para>
-
-	  <para>The Master Key will be protected with a passphrase and
-	    the data source for key file will be
-	    <filename>/dev/random</filename>.  The sector size of
-	    <filename>/dev/da2.eli</filename>, which we call provider,
-	    will be 4kB.</para>
+	  <para>The following commands generate a master key
+	    (<filename>/root/da2.key</filename>) that is protected
+	    with a passphrase.  The data source for the key file is
+	    <filename>/dev/random</filename> and the sector size of
+	    the provider (<filename>/dev/da2.eli</filename>) is 4kB as
+	    a bigger sector size provides better performance:</para>
 
 	  <screen>&prompt.root; <userinput>dd if=/dev/random of=/root/da2.key bs=64 count=1</userinput>
 &prompt.root; <userinput>geli init -s 4096 -K /root/da2.key /dev/da2</userinput>
 Enter new passphrase:
 Reenter new passphrase:</screen>
 
-	  <para>It is not mandatory that both a passphrase and a key
-	    file are used; either method of securing the Master Key can
-	    be used in isolation.</para>
-
-	  <para>If key file is given as <quote>-</quote>, standard
-	    input will be used.  This example shows how more than one
-	    key file can be used.</para>
+	  <para>It is not mandatory to use both a passphrase and a key
+	    file as either method of securing the master key can be
+	    used in isolation.</para>
+
+	  <para>If the key file is given as <quote>-</quote>, standard
+	    input will be used.  For example, this command generates
+	    three key files:</para>
 
 	  <screen>&prompt.root; <userinput>cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2</userinput></screen>
 	</step>
 
 	<step>
-	  <title>Attaching the Provider with the generated Key</title>
+	  <title>Attach the Provider with the Generated Key</title>
+
+	  <para>To attach the provider, specify the key file, the name
+	    of the disk, and the passphrase:</para>
 
 	  <screen>&prompt.root; <userinput>geli attach -k /root/da2.key /dev/da2</userinput>
 Enter passphrase:</screen>
 
-	  <para>The new plaintext device will be named
-	    <filename>/dev/da2.eli</filename>.</para>
+	  <para>This creates a new device with an
+	    <filename>.eli</filename> extension:</para>
 
 	  <screen>&prompt.root; <userinput>ls /dev/da2*</userinput>
 /dev/da2  /dev/da2.eli</screen>
 	</step>
 
 	<step>
-	  <title>Creating the new File System</title>
+	  <title>Create the New File System</title>
+
+	  <para>Next, format the device with the
+	    <acronym>UFS</acronym> file system and mount it on an
+	    existing mount point:</para>
 
 	  <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/da2.eli bs=1m</userinput>
 &prompt.root; <userinput>newfs /dev/da2.eli</userinput>
-&prompt.root; <userinput>mount /dev/da2.eli /private</userinput></screen>
+&prompt.root; <userinput>mount /dev/da2.eli <replaceable>/private</replaceable></userinput></screen>
 
-	<para>The encrypted file system should be visible to &man.df.1;
-	  and be available for use now.</para>
+	  <para>The encrypted file system should now be available for
+	    use:</para>
 
 	  <screen>&prompt.root; <userinput>df -H</userinput>
 Filesystem     Size   Used  Avail Capacity  Mounted on
@@ -3662,188 +2872,767 @@
 /dev/ad0s1d    989M   1.5M   909M     0%    /tmp
 /dev/ad0s1e    3.9G   1.3G   2.3G    35%    /var
 /dev/da2.eli   150G   4.1K   138G     0%    /private</screen>
-
-	</step>
-
-	<step>
-	  <title>Unmounting and Detaching the Provider</title>
-
-	  <para>Once the work on the encrypted partition is done, and
-	    the <filename>/private</filename> partition
-	    is no longer needed, it is prudent to consider unmounting
-	    and detaching the <command>geli</command> encrypted
-	    partition from the kernel.</para>
-
-	  <screen>&prompt.root; <userinput>umount /private</userinput>
-&prompt.root; <userinput>geli detach da2.eli</userinput></screen>
 	</step>
       </procedure>
 
-      <para>More information about the use of &man.geli.8; can be
-        found in the manual page.</para>
-
-      <sect3>
-	<title>Encrypting a Swap Partition</title>
-
-	<para>The following example demonstrates how to create a
-	  <command>geli</command> encrypted swap partition.</para>
-
-	<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/ad0s1b bs=1m</userinput>
-&prompt.root; <userinput>geli onetime -d -a 3des ad0s1b</userinput>
-&prompt.root; <userinput>swapon /dev/ad0s1b.eli</userinput></screen>
-      </sect3>
+      <para>Once the work on the encrypted partition is done, and the
+	<filename>/private</filename> partition is no longer needed,
+	it is prudent to put the device into cold storage by
+	unmounting and detaching the <command>geli</command> encrypted
+	partition from the kernel:</para>
 
-      <sect3>
-	<title>Using the <filename>geli</filename> <filename>rc.d</filename> Script</title>
+      <screen>&prompt.root; <userinput>umount /private</userinput>
+&prompt.root; <userinput>geli detach da2.eli</userinput></screen>
 
-	<para><command>geli</command> comes with a <filename>rc.d</filename> script which
-	  can be used to simplify the usage of <command>geli</command>.
-	  An example of configuring <command>geli</command> through
-	  &man.rc.conf.5; follows:</para>
-
-	<screen>geli_devices="da2"
-geli_da2_flags="-p -k /root/da2.key"</screen>
-
-	<para>This will configure <filename>/dev/da2</filename> as a
-	  <command>geli</command> provider of which the Master Key file
-	  is located in <filename>/root/da2.key</filename>, and
-	  <command>geli</command> will not use a passphrase when
-	  attaching the provider (note that this can only be used if -P
-	  was given during the <command>geli</command> init phase).  The
-	  system will detach the <command>geli</command> provider from
-	  the kernel before the system shuts down.</para>
-
-	<para>More information about configuring <filename>rc.d</filename> is provided in the
-	  <link linkend="configtuning-rcd">rc.d</link> section of the
-	  Handbook.</para>
-      </sect3>
+      <para>A <filename>rc.d</filename> script is provided to
+	simplify the mounting of <command>geli</command>-encrypted
+	devices at boot time.  For this example, add these lines to
+	<filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>geli_devices="<replaceable>da2</replaceable>"
+geli_da2_flags="-p -k /root/<replaceable>da2.key</replaceable>"</programlisting>
+
+      <para>This configures <filename>/dev/da2</filename> as a
+	<command>geli</command> provider with a master key of
+	<filename>/root/da2.key</filename>.  The system will
+	automatically detach the provider from the kernel before the
+	system shuts down.  During the startup process, the script
+	will prompt for the passphrase before attaching the provider.
+	Other kernel messages might be shown before and after the
+	password prompt.  If the boot process seems to stall, look
+	carefully for the password prompt among the other messages.
+	Once the correct passphrase is entered, the provider is
+	attached.  The file system is then mounted, typically by an
+	entry in <filename>/etc/fstab</filename>.  Refer to <xref
+	  linkend="mount-unmount"/> for instructions on how to
+	configure a file system to mount at boot time.</para>
     </sect2>
   </sect1>
 
-
   <sect1 xml:id="swap-encrypting">
-    <info><title>Encrypting Swap Space</title>
+    <info>
+      <title>Encrypting Swap</title>
+
       <authorgroup>
-	<author><personname><firstname>Christian</firstname><surname>Br&uuml;ffer</surname></personname><contrib>Written by </contrib></author>
+	<author>
+	  <personname>
+	    <firstname>Christian</firstname>
+	    <surname>Br&uuml;ffer</surname>
+	  </personname>
+	  <contrib>Written by </contrib>
+	</author>
       </authorgroup>
     </info>
 
-    
     <indexterm>
       <primary>swap</primary>
       <secondary>encrypting</secondary>
     </indexterm>
 
-    <para>Swap encryption in &os; is easy to configure and has been
-      available since &os; 5.3-RELEASE.  Depending on which version
-      of &os; is being used, different options are available
-      and configuration can vary slightly.  From &os; 6.0-RELEASE onwards,
-      the &man.gbde.8; or &man.geli.8; encryption systems can be used
-      for swap encryption.  With earlier versions, only &man.gbde.8; is
-      available.  Both systems use the <filename>encswap</filename>
-      <link linkend="configtuning-rcd">rc.d</link> script.</para>
-
-    <para>The previous section, <link linkend="disks-encrypting">Encrypting
-      Disk Partitions</link>, includes a short discussion on the different
-      encryption systems.</para>
-
-    <sect2>
-      <title>Why should Swap be Encrypted?</title>
-
-      <para>Like the encryption of disk partitions, encryption of swap space
-	is done to protect sensitive information.  Imagine an application
-	that e.g. deals with passwords.  As long as these passwords stay in
-	physical memory, all is well.  However, if the operating system starts
-	swapping out memory pages to free space for other applications, the
-	passwords may be written to the disk platters unencrypted and easy to
-	retrieve for an adversary.  Encrypting swap space can be a solution for
-	this scenario.</para>
-    </sect2>
+    <para>Like the encryption of disk partitions, encryption of swap
+      space is used to protect sensitive information.  Consider an
+      application that deals with passwords.  As long as these
+      passwords stay in physical memory, they are not written to disk
+      and will be cleared after a reboot.  However, if &os; starts
+      swapping out memory pages to free space, the passwords may be
+      written to the disk unencrypted.  Encrypting swap space can be a
+      solution for this scenario.</para>
+
+    <para>This section demonstrates how to configure an encrypted
+      swap partition using &man.gbde.8; or &man.geli.8; encryption.
+      It assumes a <acronym>UFS</acronym> file system where
+      <filename>/dev/ad0s1b</filename> is the swap partition.</para>
+
+    <sect2>
+      <title>Configuring Encrypted Swap</title>
+
+      <para>Swap partitions are not encrypted by default and should be
+	cleared of any sensitive data before continuing.  To overwrite
+	the current swap partition with random garbage, execute the
+	following command:</para>
 
-    <sect2>
-      <title>Preparation</title>
+      <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/<replaceable>ad0s1b</replaceable> bs=1m</userinput></screen>
 
-      <note>
-	<para>For the remainder of this section, <filename>ad0s1b</filename>
-	  will be the swap partition.</para>
-      </note>
+      <para>To encrypt the swap partition using &man.gbde.8;, add the
+	<literal>.bde</literal> suffix to the swap line in
+	<filename>/etc/fstab</filename>:</para>
+
+      <programlisting># Device		Mountpoint	FStype	Options		Dump	Pass#
+/dev/ad0s1b.bde		none		swap	sw		0	0</programlisting>
 
-      <para>Up to this point the swap has been unencrypted.  It is possible that
-	there are already passwords or other sensitive data on the disk platters
-	in cleartext.  To rectify this, the data on the swap partition should be
-	overwritten with random garbage:</para>
+      <para>To instead encrypt the swap partition using &man.geli.8;,
+	use the
+	<literal>.eli</literal> suffix:</para>
 
-      <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/ad0s1b bs=1m</userinput></screen>
+      <programlisting># Device		Mountpoint	FStype	Options		Dump	Pass#
+/dev/ad0s1b.eli		none		swap	sw		0	0</programlisting>
+
+      <para>By default, &man.geli.8; uses the <acronym>AES</acronym>
+	algorithm with a key length of 128 bit.  These defaults can be
+	altered by using <literal>geli_swap_flags</literal> in
+	<filename>/etc/rc.conf</filename>.  The following flags
+	configure encryption using the Blowfish algorithm with a key
+	length of 128 bits and a sectorsize of 4 kilobytes, and sets
+	<quote>detach on last close</quote>:</para>
+
+      <programlisting>geli_swap_flags="-e blowfish -l 128 -s 4096 -d"</programlisting>
+
+      <para>Refer to the description of <literal>onetime</literal> in
+	&man.geli.8; for a list of possible options.</para>
     </sect2>
 
     <sect2>
-      <title>Swap Encryption with &man.gbde.8;</title>
+      <title>Encrypted Swap Verification</title>
+
+      <para>Once the system has rebooted, proper operation of the
+	encrypted swap can be verified using
+	<command>swapinfo</command>.</para>
 
-      <para>If &os; 6.0-RELEASE or newer is being used, the
-	<literal>.bde</literal> suffix should be added to the device in the
-	respective <filename>/etc/fstab</filename> swap line:</para>
+      <para>If &man.gbde.8; is being used:</para>
 
-      <screen>
-# Device                Mountpoint      FStype  Options         Dump    Pass#
-/dev/ad0s1b.bde         none            swap    sw              0       0
-      </screen>
+      <screen>&prompt.user; <userinput>swapinfo</userinput>
+Device          1K-blocks     Used    Avail Capacity
+/dev/ad0s1b.bde    542720        0   542720     0%</screen>
 
-      <para>For systems prior to &os; 6.0-RELEASE, the following line
-	in <filename>/etc/rc.conf</filename> is also needed:</para>
+      <para>If &man.geli.8; is being used:</para>
 
-      <programlisting>gbde_swap_enable="YES"</programlisting>
+      <screen>&prompt.user; <userinput>swapinfo</userinput>
+Device          1K-blocks     Used    Avail Capacity
+/dev/ad0s1b.eli    542720        0   542720     0%</screen>
     </sect2>
+  </sect1>
 
-    <sect2>
-      <title>Swap Encryption with &man.geli.8;</title>
+  <sect1 xml:id="disks-hast">
+    <info>
+      <title>Highly Available Storage
+	(<acronym>HAST</acronym>)</title>
+
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Daniel</firstname>
+	    <surname>Gerzo</surname>
+	  </personname>
+	  <contrib>Contributed by </contrib>
+	</author>
+      </authorgroup>
+
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Freddie</firstname>
+	    <surname>Cash</surname>
+	  </personname>
+	  <contrib>With inputs from </contrib>
+	</author>
+
+	<author>
+	  <personname>
+	    <firstname>Pawel Jakub</firstname>
+	    <surname>Dawidek</surname>
+	  </personname>
+	</author>
+
+	<author>
+	  <personname>
+	    <firstname>Michael W.</firstname>
+	    <surname>Lucas</surname>
+	  </personname>
+	</author>
+
+	<author>
+	  <personname>
+	    <firstname>Viktor</firstname>
+	    <surname>Petersson</surname>
+	  </personname>
+	</author>
+      </authorgroup>
+    </info>
+
+    <indexterm>
+      <primary>HAST</primary>
+      <secondary>high availability</secondary>
+    </indexterm>
+
+    <para>High availability is one of the main requirements in
+      serious business applications and highly-available storage is a
+      key component in such environments.  In &os;, the Highly
+      Available STorage (<acronym>HAST</acronym>) framework allows
+      transparent storage of the same data across several physically
+      separated machines connected by a <acronym>TCP/IP</acronym>
+      network.  <acronym>HAST</acronym> can be understood as a
+      network-based RAID1 (mirror), and is similar to the DRBD&reg;
+      storage system used in the GNU/&linux; platform.  In combination
+      with other high-availability features of &os; like
+      <acronym>CARP</acronym>, <acronym>HAST</acronym> makes it
+      possible to build a highly-available storage cluster that is
+      resistant to hardware failures.</para>
+
+    <para>The following are the main features of
+      <acronym>HAST</acronym>:</para>
+
+    <itemizedlist>
+      <listitem>
+	<para>Can be used to mask <acronym>I/O</acronym> errors on
+	  local hard drives.</para>
+      </listitem>
+
+      <listitem>
+	<para>File system agnostic as it works with any file system
+	  supported by &os;.</para>
+      </listitem>
+
+      <listitem>
+	<para>Efficient and quick resynchronization as only the blocks
+	  that were modified during the downtime of a node are
+	  synchronized.</para>
+      </listitem>
+
+      <!--
+      <listitem>
+	<para>Has several synchronization modes to allow for fast
+	  failover.</para>
+      </listitem>
+      -->
+
+      <listitem>
+	<para>Can be used in an already deployed environment to add
+	  additional redundancy.</para>
+      </listitem>
+
+      <listitem>
+	<para>Together with <acronym>CARP</acronym>,
+	  <application>Heartbeat</application>, or other tools, it can
+	  be used to build a robust and durable storage system.</para>
+      </listitem>
+    </itemizedlist>
 
-      <para>Alternatively, the procedure for using &man.geli.8; for swap
-	encryption is similar to that of using &man.gbde.8;.  The
-	<literal>.eli</literal> suffix should be added to the device in the
-	respective <filename>/etc/fstab</filename> swap line:</para>
+    <para>After reading this section, you will know:</para>
 
-      <screen>
-# Device                Mountpoint      FStype  Options         Dump    Pass#
-/dev/ad0s1b.eli         none            swap    sw              0       0
-      </screen>
+    <itemizedlist>
+      <listitem>
+	<para>What <acronym>HAST</acronym> is, how it works, and
+	  which features it provides.</para>
+      </listitem>
+
+      <listitem>
+	<para>How to set up and use <acronym>HAST</acronym> on
+	  &os;.</para>
+      </listitem>
+
+      <listitem>
+	<para>How to integrate <acronym>CARP</acronym> and
+	  &man.devd.8; to build a robust storage system.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Before reading this section, you should:</para>
+
+    <itemizedlist>
+      <listitem>
+	<para>Understand &unix; and &os; basics (<xref
+	    linkend="basics"/>).</para>
+      </listitem>
+
+      <listitem>
+	<para>Know how to configure network
+	  interfaces and other core &os; subsystems (<xref
+	    linkend="config-tuning"/>).</para>
+      </listitem>
+
+      <listitem>
+	<para>Have a good understanding of &os;
+	  networking (<xref
+	    linkend="network-communication"/>).</para>
+      </listitem>
+    </itemizedlist>
 
-      <para>&man.geli.8; uses the <acronym>AES</acronym> algorithm with
-	a key length of 256 bit by default.</para>
+    <para>The <acronym>HAST</acronym> project was sponsored by The
+      &os; Foundation with support from <link
+	xlink:href="http://www.omc.net/">http://www.omc.net/</link>
+      and <link
+	xlink:href="http://www.transip.nl/">http://www.transip.nl/</link>.</para>
+
+    <sect2>
+      <title>HAST Operation</title>
+
+      <para><acronym>HAST</acronym> provides synchronous block-level
+	replication between two physical machines: the
+	<emphasis>primary</emphasis>, also known as the
+	<emphasis>master</emphasis> node, and the
+	<emphasis>secondary</emphasis>, or <emphasis>slave</emphasis>
+	node.  These two machines together are referred to as a
+	cluster.</para>
+
+      <para>Since <acronym>HAST</acronym> works in a primary-secondary
+	configuration, it allows only one of the cluster nodes to be
+	active at any given time.  The primary node, also called
+	<emphasis>active</emphasis>, is the one which will handle all
+	the <acronym>I/O</acronym> requests to
+	<acronym>HAST</acronym>-managed devices.  The secondary node
+	is automatically synchronized from the primary node.</para>
+
+      <para>The physical components of the <acronym>HAST</acronym>
+	system are the local disk on primary node, and the disk on the
+	remote, secondary node.</para>
+
+      <para><acronym>HAST</acronym> operates synchronously on a block
+	level, making it transparent to file systems and applications.
+	<acronym>HAST</acronym> provides regular GEOM providers in
+	<filename>/dev/hast/</filename> for use by other tools or
+	applications.  There is no difference between using
+	<acronym>HAST</acronym>-provided devices and raw disks or
+	partitions.</para>
+
+      <para>Each write, delete, or flush operation is sent to both the
+	local disk and to the remote disk over
+	<acronym>TCP/IP</acronym>.  Each read operation is served from
+	the local disk, unless the local disk is not up-to-date or an
+	<acronym>I/O</acronym> error occurs.  In such cases, the read
+	operation is sent to the secondary node.</para>
+
+      <para><acronym>HAST</acronym> tries to provide fast failure
+	recovery.  For this reason, it is important to reduce
+	synchronization time after a node's outage.  To provide fast
+	synchronization, <acronym>HAST</acronym> manages an on-disk
+	bitmap of dirty extents and only synchronizes those during a
+	regular synchronization, with an exception of the initial
+	sync.</para>
+
+      <para>There are many ways to handle synchronization.
+	<acronym>HAST</acronym> implements several replication modes
+	to handle different synchronization methods:</para>
 
-      <para>Optionally, these defaults can be altered using the
-	<literal>geli_swap_flags</literal> option in
-	<filename>/etc/rc.conf</filename>.  The following line tells the
-	<filename>encswap</filename> rc.d script to create &man.geli.8; swap
-	partitions using the Blowfish algorithm with a key length of 128 bit,
-	a sectorsize of 4 kilobytes and the <quote>detach on last close</quote>
-	option set:</para>
+      <itemizedlist>
+	<listitem>
+	  <para><emphasis>memsync</emphasis>: This mode reports a
+	    write operation as completed when the local write
+	    operation is finished and when the remote node
+	    acknowledges data arrival, but before actually storing the
+	    data.  The data on the remote node will be stored directly
+	    after sending the acknowledgement.  This mode is intended
+	    to reduce latency, but still provides good
+	    reliability.</para>
+	</listitem>
 
-      <programlisting>geli_swap_flags="-a blowfish -l 128 -s 4096 -d"</programlisting>
+	<listitem>
+	  <para><emphasis>fullsync</emphasis>: This mode reports a
+	    write operation as completed when both the local write and
+	    the remote write complete.  This is the safest and the
+	    slowest replication mode.  This mode is the
+	    default.</para>
+	</listitem>
 
-      <para>Please refer to the description of the <command>onetime</command> command
-	in the &man.geli.8; manual page for a list of possible options.</para>
+	<listitem>
+	  <para><emphasis>async</emphasis>: This mode reports a write
+	    operation as completed when the local write completes.
+	    This is the fastest and the most dangerous replication
+	    mode.  It should only be used when replicating to a
+	    distant node where latency is too high for other
+	    modes.</para>
+	</listitem>
+      </itemizedlist>
     </sect2>
 
     <sect2>
-      <title>Verifying that it Works</title>
+      <title>HAST Configuration</title>
 
-      <para>Once the system has been rebooted, proper operation of the
-	encrypted swap can be verified using the
-	<command>swapinfo</command> command.</para>
+      <para>The <acronym>HAST</acronym> framework consists of several
+	components:</para>
 
-      <para>If &man.gbde.8; is being used:</para>
+      <itemizedlist>
+	<listitem>
+	  <para>The &man.hastd.8; daemon which provides data
+	    synchronization.  When this daemon is started, it will
+	    automatically load <varname>geom_gate.ko</varname>.</para>
+	</listitem>
 
-      <screen>&prompt.user; <userinput>swapinfo</userinput>
-Device          1K-blocks     Used    Avail Capacity
-/dev/ad0s1b.bde    542720        0   542720     0%
-      </screen>
+	<listitem>
+	  <para>The userland management utility,
+	    &man.hastctl.8;.</para>
+	</listitem>
 
-      <para>If &man.geli.8; is being used:</para>
+	<listitem>
+	  <para>The &man.hast.conf.5; configuration file.  This file
+	    must exist before starting
+	    <application>hastd</application>.</para>
+	</listitem>
+      </itemizedlist>
 
-      <screen>&prompt.user; <userinput>swapinfo</userinput>
-Device          1K-blocks     Used    Avail Capacity
-/dev/ad0s1b.eli    542720        0   542720     0%
-      </screen>
+      <para>Users who prefer to statically build
+	<literal>GEOM_GATE</literal> support into the kernel should
+	add this line to the custom kernel configuration file, then
+	rebuild the kernel using the instructions in <xref
+	  linkend="kernelconfig"/>:</para>
+
+      <programlisting>options	GEOM_GATE</programlisting>
+
+      <para>The following example describes how to configure two nodes
+	in master-slave/primary-secondary operation using
+	<acronym>HAST</acronym> to replicate the data between the two.
+	The nodes will be called <literal>hasta</literal>, with an
+	<acronym>IP</acronym> address of
+	<literal>172.16.0.1</literal>, and <literal>hastb</literal>,
+	with an <acronym>IP</acronym> address of
+	<literal>172.16.0.2</literal>.  Both nodes will have a
+	dedicated hard drive <filename>/dev/ad6</filename> of the same
+	size for <acronym>HAST</acronym> operation.  The
+	<acronym>HAST</acronym> pool, sometimes referred to as a
+	resource or the <acronym>GEOM</acronym> provider in <filename
+	  class="directory">/dev/hast/</filename>, will be called
+	<literal>test</literal>.</para>
+
+      <para>Configuration of <acronym>HAST</acronym> is done using
+	<filename>/etc/hast.conf</filename>.  This file should be
+	identical on both nodes.  The simplest configuration
+	is:</para>
+
+      <programlisting>resource <replaceable>test</replaceable> {
+	on <replaceable>hasta</replaceable> {
+		local <replaceable>/dev/ad6</replaceable>
+		remote <replaceable>172.16.0.2</replaceable>
+	}
+	on <replaceable>hastb</replaceable> {
+		local <replaceable>/dev/ad6</replaceable>
+		remote <replaceable>172.16.0.1</replaceable>
+	}
+}</programlisting>
+
+      <para>For more advanced configuration, refer to
+	&man.hast.conf.5;.</para>
+
+      <tip>
+	<para>It is also possible to use host names in the
+	  <literal>remote</literal> statements if the hosts are
+	  resolvable and defined either in
+	  <filename>/etc/hosts</filename> or in the local
+	  <acronym>DNS</acronym>.</para>
+      </tip>
+
+      <para>Once the configuration exists on both nodes, the
+	<acronym>HAST</acronym> pool can be created.  Run these
+	commands on both nodes to place the initial metadata onto the
+	local disk and to start &man.hastd.8;:</para>
+
+      <screen>&prompt.root; <userinput>hastctl create <replaceable>test</replaceable></userinput>
+&prompt.root; <userinput>service hastd onestart</userinput></screen>
+
+      <note>
+	<para>It is <emphasis>not</emphasis> possible to use
+	  <acronym>GEOM</acronym>
+	  providers with an existing file system or to convert an
+	  existing storage to a <acronym>HAST</acronym>-managed pool.
+	  This procedure needs to store some metadata on the provider
+	  and there will not be enough required space available on an
+	  existing provider.</para>
+      </note>
+
+      <para>A HAST node's <literal>primary</literal> or
+	<literal>secondary</literal> role is selected by an
+	administrator, or software like
+	<application>Heartbeat</application>, using &man.hastctl.8;.
+	On the primary node, <literal>hasta</literal>, issue this
+	command:</para>
+
+      <screen>&prompt.root; <userinput>hastctl role primary <replaceable>test</replaceable></userinput></screen>
+
+      <para>Run this command on the secondary node,
+	<literal>hastb</literal>:</para>
+
+      <screen>&prompt.root; <userinput>hastctl role secondary <replaceable>test</replaceable></userinput></screen>
+
+      <para>Verify the result by running <command>hastctl</command> on
+	each node:</para>
+
+      <screen>&prompt.root; <userinput>hastctl status <replaceable>test</replaceable></userinput></screen>
+
+      <para>Check the <literal>status</literal> line in the output.
+	If it says <literal>degraded</literal>, something is wrong
+	with the configuration file.  It should say
+	<literal>complete</literal> on each node, meaning that the
+	synchronization between the nodes has started.  The
+	synchronization completes when <command>hastctl
+	  status</command> reports 0 bytes of <literal>dirty</literal>
+	extents.</para>
+
+      <para>The next step is to create a file system on the
+	<acronym>GEOM</acronym> provider and mount it.  This must be
+	done on the <literal>primary</literal> node.  Creating the
+	file system can take a few minutes, depending on the size of
+	the hard drive.  This example creates a <acronym>UFS</acronym>
+	file system on <filename>/dev/hast/test</filename>:</para>
+
+      <screen>&prompt.root; <userinput>newfs -U /dev/hast/<replaceable>test</replaceable></userinput>
+&prompt.root; <userinput>mkdir /hast/<replaceable>test</replaceable></userinput>
+&prompt.root; <userinput>mount /dev/hast/<replaceable>test</replaceable> <replaceable>/hast/test</replaceable></userinput></screen>
+
+      <para>Once the <acronym>HAST</acronym> framework is configured
+	properly, the final step is to make sure that
+	<acronym>HAST</acronym> is started automatically during
+	system boot.  Add this line to
+	<filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>hastd_enable="YES"</programlisting>
+
+      <sect3>
+	<title>Failover Configuration</title>
+
+	<para>The goal of this example is to build a robust storage
+	  system which is resistant to the failure of any given node.
+	  If the primary node fails, the secondary node is there to
+	  take over seamlessly, check and mount the file system, and
+	  continue to work without missing a single bit of
+	  data.</para>
+
+	<para>To accomplish this task, the Common Address Redundancy
+	  Protocol (<acronym>CARP</acronym>) is used to provide for
+	  automatic failover at the <acronym>IP</acronym> layer.
+	  <acronym>CARP</acronym> allows multiple hosts on the same
+	  network segment to share an <acronym>IP</acronym> address.
+	  Set up <acronym>CARP</acronym> on both nodes of the cluster
+	  according to the documentation available in <xref
+	    linkend="carp"/>.  In this example, each node will have
+	  its own management <acronym>IP</acronym> address and a
+	  shared <acronym>IP</acronym> address of
+	  <replaceable>172.16.0.254</replaceable>.  The primary
+	  <acronym>HAST</acronym> node of the cluster must be the
+	  master <acronym>CARP</acronym> node.</para>
+
+	<para>The <acronym>HAST</acronym> pool created in the previous
+	  section is now ready to be exported to the other hosts on
+	  the network.  This can be accomplished by exporting it
+	  through <acronym>NFS</acronym> or
+	  <application>Samba</application>, using the shared
+	  <acronym>IP</acronym> address
+	  <replaceable>172.16.0.254</replaceable>.  The only problem
+	  which remains unresolved is an automatic failover should the
+	  primary node fail.</para>
+
+	<para>In the event of <acronym>CARP</acronym> interfaces going
+	  up or down, the &os; operating system generates a
+	  &man.devd.8; event, making it possible to watch for state
+	  changes on the <acronym>CARP</acronym> interfaces.  A state
+	  change on the <acronym>CARP</acronym> interface is an
+	  indication that one of the nodes failed or came back online.
+	  These state change events make it possible to run a script
+	  which will automatically handle the HAST failover.</para>
+
+	<para>To catch state changes on the
+	  <acronym>CARP</acronym> interfaces, add this configuration
+	  to <filename>/etc/devd.conf</filename> on each node:</para>
+
+	<programlisting>notify 30 {
+	match "system" "IFNET";
+	match "subsystem" "carp0";
+	match "type" "LINK_UP";
+	action "/usr/local/sbin/carp-hast-switch master";
+};
+
+notify 30 {
+	match "system" "IFNET";
+	match "subsystem" "carp0";
+	match "type" "LINK_DOWN";
+	action "/usr/local/sbin/carp-hast-switch slave";
+};</programlisting>
+
+	<note>
+	  <para>If the systems are running &os;&nbsp;10 or higher,
+	    replace <filename>carp0</filename> with the name of the
+	    <acronym>CARP</acronym>-configured interface.</para>
+	</note>
+
+	<para>Restart &man.devd.8; on both nodes to put the new
+	  configuration into effect:</para>
+
+	<screen>&prompt.root; <userinput>service devd restart</userinput></screen>
+
+	<para>When the specified interface state changes by going up
+	  or down , the system generates a notification, allowing the
+	  &man.devd.8; subsystem to run the specified automatic
+	  failover script,
+	  <filename>/usr/local/sbin/carp-hast-switch</filename>.
+	  For further clarification about this configuration, refer to
+	  &man.devd.conf.5;.</para>
+
+	<para>Here is an example of an automated failover
+	  script:</para>
+
+	<programlisting>#!/bin/sh
+
+# Original script by Freddie Cash &lt;fjwcash@gmail.com&gt;
+# Modified by Michael W. Lucas &lt;mwlucas@BlackHelicopters.org&gt;
+# and Viktor Petersson &lt;vpetersson@wireload.net&gt;
+
+# The names of the HAST resources, as listed in /etc/hast.conf
+resources="<replaceable>test</replaceable>"
+
+# delay in mounting HAST resource after becoming master
+# make your best guess
+delay=3
+
+# logging
+log="local0.debug"
+name="carp-hast"
+
+# end of user configurable stuff
+
+case "$1" in
+	master)
+		logger -p $log -t $name "Switching to primary provider for ${resources}."
+		sleep ${delay}
+
+		# Wait for any "hastd secondary" processes to stop
+		for disk in ${resources}; do
+			while $( pgrep -lf "hastd: ${disk} \(secondary\)" &gt; /dev/null 2&gt;&amp;1 ); do
+				sleep 1
+			done
+
+			# Switch role for each disk
+			hastctl role primary ${disk}
+			if [ $? -ne 0 ]; then
+				logger -p $log -t $name "Unable to change role to primary for resource ${disk}."
+				exit 1
+			fi
+		done
+
+		# Wait for the /dev/hast/* devices to appear
+		for disk in ${resources}; do
+			for I in $( jot 60 ); do
+				[ -c "/dev/hast/${disk}" ] &amp;&amp; break
+				sleep 0.5
+			done
+
+			if [ ! -c "/dev/hast/${disk}" ]; then
+				logger -p $log -t $name "GEOM provider /dev/hast/${disk} did not appear."
+				exit 1
+			fi
+		done
+
+		logger -p $log -t $name "Role for HAST resources ${resources} switched to primary."
+
+
+		logger -p $log -t $name "Mounting disks."
+		for disk in ${resources}; do
+			mkdir -p /hast/${disk}
+			fsck -p -y -t ufs /dev/hast/${disk}
+			mount /dev/hast/${disk} /hast/${disk}
+		done
+
+	;;
+
+	slave)
+		logger -p $log -t $name "Switching to secondary provider for ${resources}."
+
+		# Switch roles for the HAST resources
+		for disk in ${resources}; do
+			if ! mount | grep -q "^/dev/hast/${disk} on "
+			then
+			else
+				umount -f /hast/${disk}
+			fi
+			sleep $delay
+			hastctl role secondary ${disk} 2&gt;&amp;1
+			if [ $? -ne 0 ]; then
+				logger -p $log -t $name "Unable to switch role to secondary for resource ${disk}."
+				exit 1
+			fi
+			logger -p $log -t $name "Role switched to secondary for resource ${disk}."
+		done
+	;;
+esac</programlisting>
+
+	<para>In a nutshell, the script takes these actions when a
+	  node becomes master:</para>
+
+	<itemizedlist>
+	  <listitem>
+	    <para>Promotes the <acronym>HAST</acronym> pool to
+	      primary on the other node.</para>
+	  </listitem>
+
+	  <listitem>
+	    <para>Checks the file system under the
+	      <acronym>HAST</acronym> pool.</para>
+	  </listitem>
+
+	  <listitem>
+	    <para>Mounts the pool.</para>
+	  </listitem>
+	</itemizedlist>
+
+	<para>When a node becomes secondary:</para>
+
+	<itemizedlist>
+	  <listitem>
+	    <para>Unmounts the <acronym>HAST</acronym> pool.</para>
+	  </listitem>
+
+	  <listitem>
+	    <para>Degrades the <acronym>HAST</acronym> pool to
+	      secondary.</para>
+	  </listitem>
+	</itemizedlist>
+
+	<caution>
+	  <para>This is just an example script which serves as a proof
+	    of concept.  It does not handle all the possible scenarios
+	    and can be extended or altered in any way, for example, to
+	    start or stop required services.</para>
+	</caution>
+
+	<tip>
+	  <para>For this example, a standard <acronym>UFS</acronym>
+	    file system was used.  To reduce the time needed for
+	    recovery, a journal-enabled <acronym>UFS</acronym> or
+	    <acronym>ZFS</acronym> file system can be used
+	    instead.</para>
+	</tip>
+
+	<para>More detailed information with additional examples can
+	  be found at <link
+	    xlink:href="http://wiki.FreeBSD.org/HAST">http://wiki.FreeBSD.org/HAST</link>.</para>
+      </sect3>
+    </sect2>
+
+    <sect2>
+      <title>Troubleshooting</title>
+
+      <para><acronym>HAST</acronym> should generally work without
+	issues.  However, as with any other software product, there
+	may be times when it does not work as supposed.  The sources
+	of the problems may be different, but the rule of thumb is to
+	ensure that the time is synchronized between the nodes of the
+	cluster.</para>
+
+      <para>When troubleshooting <acronym>HAST</acronym>, the
+	debugging level of &man.hastd.8; should be increased by
+	starting <command>hastd</command> with <literal>-d</literal>.
+	This argument may be specified multiple times to further
+	increase the debugging level.  Consider also using
+	<literal>-F</literal>, which starts <command>hastd</command>
+	in the foreground.</para>
+
+      <sect3 xml:id="disks-hast-sb">
+	<title>Recovering from the Split-brain Condition</title>
+
+	<para><firstterm>Split-brain</firstterm> occurs when the nodes
+	  of the cluster are unable to communicate with each other,
+	  and both are configured as primary.  This is a dangerous
+	  condition because it allows both nodes to make incompatible
+	  changes to the data.  This problem must be corrected
+	  manually by the system administrator.</para>
+
+	<para>The administrator must decide which node has more
+	  important changes or merge them manually.  Then, let
+	  <acronym>HAST</acronym> perform full synchronization of the
+	  node which has the broken data.  To do this, issue these
+	  commands on the node which needs to be
+	  resynchronized:</para>
+
+	<screen>&prompt.root; <userinput>hastctl role init <replaceable>test</replaceable></userinput>
+&prompt.root; <userinput>hastctl create <replaceable>test</replaceable></userinput>
+&prompt.root; <userinput>hastctl role secondary <replaceable>test</replaceable></userinput></screen>
+      </sect3>
     </sect2>
   </sect1>
 </chapter>
Index: zh_TW.UTF-8/books/handbook/dtrace/Makefile
===================================================================
--- /dev/null
+++ zh_TW.UTF-8/books/handbook/dtrace/Makefile
@@ -0,0 +1,15 @@
+#
+# Build the Handbook with just the content from this chapter.
+#
+# $FreeBSD: head/en_US.ISO8859-1/books/handbook/dtrace/Makefile 39631 2012-10-01 09:53:01Z gabor $
+#
+
+CHAPTERS= 	dtrace/chapter.xml
+
+VPATH=		..
+
+MASTERDOC=	${.CURDIR}/../${DOC}.${DOCBOOKSUFFIX}
+
+DOC_PREFIX?= 	${.CURDIR}/../../../..
+
+.include "../Makefile"
Index: zh_TW.UTF-8/books/handbook/eresources/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/eresources/chapter.xml
+++ zh_TW.UTF-8/books/handbook/eresources/chapter.xml
@@ -1,12 +1,16 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      The FreeBSD Documentation Project
+     The FreeBSD Traditional Chinese Project
 
      $FreeBSD$
      Take translation from Kang-min Liu <gugod@gugod.org>
-     Original revision:  1.175
+     Original revision: r46084
 -->
-<appendix xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="eresources">
+<appendix xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="eresources">
+
   <title>網際網路上的資源</title>
 
   <para>進展飛快的 FreeBSD 使得現有的印刷、平面媒體跟不上它的最新進度！
@@ -112,11 +116,6 @@
 	    </row>
 
 	    <row>
-	      <entry>&a.policy.name;</entry>
-	      <entry>FreeBSD Core team 的 policy 方針討論區。這裡文章不多，且只限 core team 才可發言。</entry>
-	    </row>
-
-	    <row>
 	      <entry>&a.questions.name;</entry>
 	      <entry>使用問題及技術支援</entry>
 	    </row>
@@ -194,16 +193,6 @@
 	    </row>
 
 	    <row>
-	      <entry>&a.audit.name;</entry>
-	      <entry>Source code 的稽核(audit)計劃</entry>
-	    </row>
-
-	    <row>
-	      <entry>&a.binup.name;</entry>
-	      <entry>研發 binary 的升級方式</entry>
-	    </row>
-
-	    <row>
 	      <entry>&a.bluetooth.name;</entry>
 	      <entry>在 FreeBSD 中使用藍芽(&bluetooth;)技術</entry>
 	    </row>
@@ -214,11 +203,6 @@
 	    </row>
 
 	    <row>
-	      <entry>&a.cvsweb.name;</entry>
-	      <entry>CVSweb 的維護</entry>
-	    </row>
-
-	    <row>
 	      <entry>&a.database.name;</entry>
 	      <entry>討論各式資料庫在 FreeBSD 的研發、運用</entry>
 	    </row>
@@ -314,11 +298,6 @@
 	    </row>
 
 	    <row>
-	      <entry>&a.libh.name;</entry>
-	      <entry>新世代的安裝、打包套件機制</entry>
-	    </row>
-
-	    <row>
 	      <entry>&a.mips.name;</entry>
 	      <entry>移植 FreeBSD 到 &mips;</entry>
 	    </row>
@@ -349,12 +328,6 @@
 	    </row>
 
 	    <row>
-	      <entry>&a.openoffice.name;</entry>
-	      <entry>移植 <application>OpenOffice.org</application> 及
-		<application>&staroffice;</application> 到 FreeBSD</entry>
-	    </row>
-
-	    <row>
 	      <entry>&a.performance.name;</entry>
 	      <entry>在高效能/負荷環境下的效能調校(tuning)議題</entry>
 	    </row>
@@ -727,44 +700,6 @@
 	</varlistentry>
 
 	<varlistentry>
-	  <term>&a.audit.name;</term>
-
-	  <listitem>
-	    <para><emphasis>Source code audit project</emphasis></para>
-
-	    <para>This is the mailing list for the FreeBSD source code
-	      audit project.  Although this was originally intended for
-	      security-related changes, its charter has been expanded to
-	      review any code changes.</para>
-
-	    <para>This list is very heavy on patches, and is probably of no
-	      interest to the average FreeBSD user.  Security discussions
-	      not related to a particular code change are held on
-	      freebsd-security.  Conversely, all developers are encouraged
-	      to send their patches here for review, especially if they
-	      touch a part of the system where a bug may adversely affect
-	      the integrity of the system.</para>
-
-<!-- I can't actually find a charter for this, but there's this email: http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=223347+225804+/usr/local/www/db/text/2000/cvs-all/20001210.cvs-all -->
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term>&a.binup.name;</term>
-
-	  <listitem>
-	    <para><emphasis>FreeBSD Binary Update Project</emphasis></para>
-
-	    <para>This list exists to provide discussion for the binary
-	      update system, or <application>binup</application>.
-	      Design issues, implementation details,
-	      patches, bug reports, status reports, feature requests, commit
-	      logs, and all other things related to
-	      <application>binup</application> are fair game.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
 	  <term>&a.bluetooth.name;</term>
 
 	  <listitem>
@@ -854,17 +789,6 @@
 	</varlistentry>
 
 	<varlistentry>
-	  <term>&a.cvsweb.name;</term>
-
-	  <listitem>
-	    <para><emphasis>FreeBSD CVSweb Project</emphasis></para>
-
-	    <para>Technical discussions about use, development and maintenance
-	      of FreeBSD-CVSweb.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
 	  <term>&a.doc.name;</term>
 
 	  <listitem>
@@ -1129,18 +1053,6 @@
 	</varlistentry>
 
 	<varlistentry>
-	  <term>&a.openoffice.name;</term>
-
-	  <listitem>
-	    <para><emphasis>OpenOffice.org</emphasis></para>
-
-	    <para>Discussions concerning the porting and maintenance
-	      of <application>OpenOffice.org</application> and
-	      <application>&staroffice;</application>.</para>
-	   </listitem>
-	</varlistentry>
-
-	<varlistentry>
 	  <term>&a.performance.name;</term>
 
 	  <listitem>
@@ -1195,17 +1107,6 @@
 	</varlistentry>
 
 	<varlistentry>
-	  <term>&a.policy.name;</term>
-
-	  <listitem>
-	    <para><emphasis>Core team policy decisions</emphasis></para>
-
-	    <para>This is a low volume, read-only mailing list for FreeBSD
-	      Core Team Policy decisions.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
 	  <term>&a.ports.name;</term>
 
 	  <listitem>
Index: zh_TW.UTF-8/books/handbook/filesystems/Makefile
===================================================================
--- /dev/null
+++ zh_TW.UTF-8/books/handbook/filesystems/Makefile
@@ -0,0 +1,15 @@
+#
+# Build the Handbook with just the content from this chapter.
+#
+# $FreeBSD: head/en_US.ISO8859-1/books/handbook/filesystems/Makefile 39631 2012-10-01 09:53:01Z gabor $
+#
+
+CHAPTERS= 	filesystems/chapter.xml
+
+VPATH=		..
+
+MASTERDOC=	${.CURDIR}/../${DOC}.${DOCBOOKSUFFIX}
+
+DOC_PREFIX?= 	${.CURDIR}/../../../..
+
+.include "../Makefile"
Index: zh_TW.UTF-8/books/handbook/geom/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/geom/chapter.xml
+++ zh_TW.UTF-8/books/handbook/geom/chapter.xml
@@ -1,20 +1,31 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      The FreeBSD Documentation Project
-	  $FreeBSD$
-	  Original revision: 1.21
+     The FreeBSD Traditional Chinese Project
+
+     $FreeBSD$
+     Original revision: r46061
 
 -->
-<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="GEOM">
-  <info><title>GEOM: Modular Disk Transformation Framework</title>
+<chapter xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="geom">
+
+  <info>
+    <title>GEOM: Modular Disk Transformation Framework</title>
+
     <authorgroup>
-      <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author>
+      <author>
+	<personname>
+	  <firstname>Tom</firstname>
+	  <surname>Rhodes</surname>
+	</personname>
+	<contrib>Written by </contrib>
+      </author>
     </authorgroup>
   </info>
 
-  
-
-  <sect1 xml:id="GEOM-synopsis">
+  <sect1 xml:id="geom-synopsis">
     <title>概述</title>
 
     <indexterm>
@@ -69,25 +80,27 @@
     </itemizedlist>
   </sect1>
 
-  <sect1 xml:id="GEOM-intro">
-    <title>GEOM 導論</title>
-
-	<para>GEOM 透過 privoder(即 <filename>/dev/</filename>
-	下的特殊裝置檔案) 來操控 classes(如 Master Boot Records、
-	<acronym>BSD</acronym> labels 等) 。GEOM 支援多種軟體
-	<acronym>RAID</acronym> 配置，透過 GEOM 存取時，
-	作業系統和應用程式不會意識到 GEOM 存在。</para>
-  </sect1>
-
-  <sect1 xml:id="GEOM-striping">
-  <info><title>RAID0 - 分散連結(striping)</title>
-    <authorgroup>
-      <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author>
-      <author><personname><firstname>Murray</firstname><surname>Stokely</surname></personname></author>
-    </authorgroup>
-  </info>
-
-    
+  <sect1 xml:id="geom-striping">
+    <info>
+      <title>RAID0 - 分散連結(striping)</title>
+
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Tom</firstname>
+	    <surname>Rhodes</surname>
+	  </personname>
+	  <contrib>Written by </contrib>
+	</author>
+
+	<author>
+	  <personname>
+	    <firstname>Murray</firstname>
+	    <surname>Stokely</surname>
+	  </personname>
+	</author>
+      </authorgroup>
+    </info>
 
     <indexterm>
       <primary>GEOM</primary>
@@ -189,7 +202,7 @@
 
   </sect1>
 
-  <sect1 xml:id="GEOM-mirror">
+  <sect1 xml:id="geom-mirror">
     <title>RAID1 - 鏡射(Mirroring)</title>
 
     <indexterm>
@@ -353,4 +366,855 @@
       </sect3>
     </sect2>
   </sect1>
+
+  <sect1 xml:id="geom-raid3">
+    <info>
+
+      <title><acronym>RAID</acronym>3 - Byte-level Striping with
+	Dedicated Parity</title>
+
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Mark</firstname>
+	    <surname>Gladman</surname>
+	  </personname>
+	  <contrib>Written by </contrib>
+	</author>
+
+	<author>
+	  <personname>
+	    <firstname>Daniel</firstname>
+	    <surname>Gerzo</surname>
+	  </personname>
+	</author>
+      </authorgroup>
+
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Tom</firstname>
+	    <surname>Rhodes</surname>
+	  </personname>
+	  <contrib>Based on documentation by </contrib>
+	</author>
+
+	<author>
+	  <personname>
+	    <firstname>Murray</firstname>
+	    <surname>Stokely</surname>
+	  </personname>
+	</author>
+      </authorgroup>
+    </info>
+
+    <indexterm>
+      <primary><acronym>GEOM</acronym></primary>
+    </indexterm>
+    <indexterm>
+      <primary>RAID3</primary>
+    </indexterm>
+
+    <para><acronym>RAID</acronym>3 is a method used to combine several
+      disk drives into a single volume with a dedicated parity disk.
+      In a <acronym>RAID</acronym>3 system, data is split up into a
+      number of bytes that are written across all the drives in the
+      array except for one disk which acts as a dedicated parity disk.
+      This means that disk reads from a <acronym>RAID</acronym>3
+      implementation access all disks in the array.  Performance can
+      be enhanced by using multiple disk controllers.  The
+      <acronym>RAID</acronym>3 array provides a fault tolerance of 1
+      drive, while providing a capacity of 1 - 1/n times the total
+      capacity of all drives in the array, where n is the number of
+      hard drives in the array.  Such a configuration is mostly
+      suitable for storing data of larger sizes such as multimedia
+      files.</para>
+
+    <para>At least 3 physical hard drives are required to build a
+      <acronym>RAID</acronym>3 array.  Each disk must be of the same
+      size, since <acronym>I/O</acronym> requests are interleaved to
+      read or write to multiple disks in parallel.  Also, due to the
+      nature of <acronym>RAID</acronym>3, the number of drives must be
+      equal to 3, 5, 9, 17, and so on, or 2^n + 1.</para>
+
+    <para>This section demonstrates how to create a software
+      <acronym>RAID</acronym>3 on a &os; system.</para>
+
+    <note>
+      <para>While it is theoretically possible to boot from a
+	<acronym>RAID</acronym>3 array on &os;, that configuration is
+	uncommon and is not advised.</para>
+    </note>
+
+    <sect2>
+      <title>Creating a Dedicated <acronym>RAID</acronym>3
+	Array</title>
+
+      <para>In &os;, support for <acronym>RAID</acronym>3 is
+	implemented by the &man.graid3.8; <acronym>GEOM</acronym>
+	class.  Creating a dedicated <acronym>RAID</acronym>3 array on
+	&os; requires the following steps.</para>
+
+      <procedure>
+	<step>
+	  <para>First, load the <filename>geom_raid3.ko</filename>
+	    kernel module by issuing one of the following
+	    commands:</para>
+
+	  <screen>&prompt.root; <userinput>graid3 load</userinput></screen>
+
+	  <para>or:</para>
+
+	  <screen>&prompt.root; <userinput>kldload geom_raid3</userinput></screen>
+	</step>
+
+	<step>
+	  <para>Ensure that a suitable mount point exists.  This
+	    command creates a new directory to use as the mount
+	    point:</para>
+
+	  <screen>&prompt.root; <userinput>mkdir <replaceable>/multimedia</replaceable></userinput></screen>
+	</step>
+
+	<step>
+	  <para>Determine the device names for the disks which will be
+	    added to the array, and create the new
+	    <acronym>RAID</acronym>3 device.  The final device listed
+	    will act as the dedicated parity disk.  This example uses
+	    three unpartitioned <acronym>ATA</acronym> drives:
+	    <filename><replaceable>ada1</replaceable></filename> and
+	    <filename><replaceable>ada2</replaceable></filename> for
+	    data, and
+	    <filename><replaceable>ada3</replaceable></filename> for
+	    parity.</para>
+
+	  <screen>&prompt.root; <userinput>graid3 label -v gr0 /dev/ada1 /dev/ada2 /dev/ada3</userinput>
+Metadata value stored on /dev/ada1.
+Metadata value stored on /dev/ada2.
+Metadata value stored on /dev/ada3.
+Done.</screen>
+	</step>
+
+	<step>
+	  <para>Partition the newly created <filename>gr0</filename>
+	    device and put a <acronym>UFS</acronym> file system on
+	    it:</para>
+
+	  <screen>&prompt.root; <userinput>gpart create -s GPT /dev/raid3/gr0</userinput>
+&prompt.root; <userinput>gpart add -t freebsd-ufs /dev/raid3/gr0</userinput>
+&prompt.root; <userinput>newfs -j /dev/raid3/gr0p1</userinput></screen>
+
+	  <para>Many numbers will glide across the screen, and after a
+	    bit of time, the process will be complete.  The volume has
+	    been created and is ready to be mounted:</para>
+
+	  <screen>&prompt.root; <userinput>mount /dev/raid3/gr0p1 /multimedia/</userinput></screen>
+
+	  <para>The <acronym>RAID</acronym>3 array is now ready to
+	    use.</para>
+	</step>
+      </procedure>
+
+      <para>Additional configuration is needed to retain this setup
+	across system reboots.</para>
+
+      <procedure>
+	<step>
+	  <para>The <filename>geom_raid3.ko</filename> module must be
+	    loaded before the array can be mounted.  To automatically
+	    load the kernel module during system initialization, add
+	    the following line to
+	    <filename>/boot/loader.conf</filename>:</para>
+
+	  <programlisting>geom_raid3_load="YES"</programlisting>
+	</step>
+
+	<step>
+	  <para>The following volume information must be added to
+	    <filename>/etc/fstab</filename> in order to
+	    automatically mount the array's file system during the
+	    system boot process:</para>
+
+	  <programlisting>/dev/raid3/gr0p1	/multimedia	ufs	rw	2	2</programlisting>
+	</step>
+      </procedure>
+    </sect2>
+  </sect1>
+
+  <sect1 xml:id="geom-graid">
+    <info>
+      <title>Software <acronym>RAID</acronym> Devices</title>
+
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Warren</firstname>
+	    <surname>Block</surname>
+	  </personname>
+	  <contrib>Originally contributed by </contrib>
+	</author>
+      </authorgroup>
+    </info>
+
+    <indexterm>
+      <primary><acronym>GEOM</acronym></primary>
+    </indexterm>
+    <indexterm>
+      <primary>Software RAID Devices</primary>
+      <secondary>Hardware-assisted RAID</secondary>
+    </indexterm>
+
+    <para>Some motherboards and expansion cards add some simple
+      hardware, usually just a <acronym>ROM</acronym>, that allows the
+      computer to boot from a <acronym>RAID</acronym> array.  After
+      booting, access to the <acronym>RAID</acronym> array is handled
+      by software running on the computer's main processor.  This
+      <quote>hardware-assisted software
+	<acronym>RAID</acronym></quote> gives <acronym>RAID</acronym>
+      arrays that are not dependent on any particular operating
+      system, and which are functional even before an operating system
+      is loaded.</para>
+
+    <para>Several levels of <acronym>RAID</acronym> are supported,
+      depending on the hardware in use.  See &man.graid.8; for a
+      complete list.</para>
+
+    <para>&man.graid.8; requires the <filename>geom_raid.ko</filename>
+      kernel module, which is included in the
+      <filename>GENERIC</filename> kernel starting with &os;&nbsp;9.1.
+      If needed, it can be loaded manually with
+      <command>graid load</command>.</para>
+
+    <sect2 xml:id="geom-graid-creating">
+      <title>Creating an Array</title>
+
+      <para>Software <acronym>RAID</acronym> devices often have a menu
+	that can be entered by pressing special keys when the computer
+	is booting.  The menu can be used to create and delete
+	<acronym>RAID</acronym> arrays.  &man.graid.8; can also create
+	arrays directly from the command line.</para>
+
+      <para><command>graid label</command> is used to create a new
+	array.  The motherboard used for this example has an Intel
+	software <acronym>RAID</acronym> chipset, so the Intel
+	metadata format is specified.  The new array is given a label
+	of <filename>gm0</filename>, it is a mirror
+	(<acronym>RAID1</acronym>), and uses drives
+	<filename>ada0</filename> and
+	<filename>ada1</filename>.</para>
+
+      <caution>
+	<para>Some space on the drives will be overwritten when they
+	  are made into a new array.  Back up existing data
+	  first!</para>
+      </caution>
+
+      <screen>&prompt.root; <userinput>graid label Intel gm0 RAID1 ada0 ada1</userinput>
+GEOM_RAID: Intel-a29ea104: Array Intel-a29ea104 created.
+GEOM_RAID: Intel-a29ea104: Disk ada0 state changed from NONE to ACTIVE.
+GEOM_RAID: Intel-a29ea104: Subdisk gm0:0-ada0 state changed from NONE to ACTIVE.
+GEOM_RAID: Intel-a29ea104: Disk ada1 state changed from NONE to ACTIVE.
+GEOM_RAID: Intel-a29ea104: Subdisk gm0:1-ada1 state changed from NONE to ACTIVE.
+GEOM_RAID: Intel-a29ea104: Array started.
+GEOM_RAID: Intel-a29ea104: Volume gm0 state changed from STARTING to OPTIMAL.
+Intel-a29ea104 created
+GEOM_RAID: Intel-a29ea104: Provider raid/r0 for volume gm0 created.</screen>
+
+      <para>A status check shows the new mirror is ready for
+	use:</para>
+
+      <screen>&prompt.root; <userinput>graid status</userinput>
+   Name   Status  Components
+raid/r0  OPTIMAL  ada0 (ACTIVE (ACTIVE))
+                  ada1 (ACTIVE (ACTIVE))</screen>
+
+      <para>The array device appears in
+	<filename>/dev/raid/</filename>.  The first array is called
+	<filename>r0</filename>.  Additional arrays, if present, will
+	be <filename>r1</filename>, <filename>r2</filename>, and so
+	on.</para>
+
+      <para>The <acronym>BIOS</acronym> menu on some of these devices
+	can create arrays with special characters in their names.  To
+	avoid problems with those special characters, arrays are given
+	simple numbered names like <filename>r0</filename>.  To show
+	the actual labels, like <filename>gm0</filename> in the
+	example above, use &man.sysctl.8;:</para>
+
+      <screen>&prompt.root; <userinput>sysctl kern.geom.raid.name_format=1</userinput></screen>
+    </sect2>
+
+    <sect2 xml:id="geom-graid-volumes">
+      <title>Multiple Volumes</title>
+
+      <para>Some software <acronym>RAID</acronym> devices support
+	more than one <emphasis>volume</emphasis> on an array.
+	Volumes work like partitions, allowing space on the physical
+	drives to be split and used in different ways.  For example,
+	Intel software <acronym>RAID</acronym> devices support two
+	volumes.  This example creates a 40&nbsp;G mirror for safely
+	storing the operating system, followed by a 20&nbsp;G
+	<acronym>RAID0</acronym> (stripe) volume for fast temporary
+	storage:</para>
+
+      <screen>&prompt.root; <userinput>graid label -S 40G Intel gm0 RAID1 ada0 ada1</userinput>
+&prompt.root; <userinput>graid add -S 20G gm0 RAID0</userinput></screen>
+
+      <para>Volumes appear as additional
+	<filename>r<replaceable>X</replaceable></filename> entries
+	in <filename>/dev/raid/</filename>.  An array with two volumes
+	will show <filename>r0</filename> and
+	<filename>r1</filename>.</para>
+
+      <para>See &man.graid.8; for the number of volumes supported by
+	different software <acronym>RAID</acronym> devices.</para>
+    </sect2>
+
+    <sect2 xml:id="geom-graid-converting">
+      <title>Converting a Single Drive to a Mirror</title>
+
+      <para>Under certain specific conditions, it is possible to
+	convert an existing single drive to a &man.graid.8; array
+	without reformatting.  To avoid data loss during the
+	conversion, the existing drive must meet these minimum
+	requirements:</para>
+
+      <itemizedlist>
+	<listitem>
+	  <para>The drive must be partitioned with the
+	    <acronym>MBR</acronym> partitioning scheme.
+	    <acronym>GPT</acronym> or other partitioning schemes with
+	    metadata at the end of the drive will be overwritten and
+	    corrupted by the &man.graid.8; metadata.</para>
+	</listitem>
+
+	<listitem>
+	  <para>There must be enough unpartitioned and unused space at
+	    the end of the drive to hold the &man.graid.8; metadata.
+	    This metadata varies in size, but the largest occupies
+	    64&nbsp;M, so at least that much free space is
+	    recommended.</para>
+	</listitem>
+      </itemizedlist>
+
+      <para>If the drive meets these requirements, start by making a
+	full backup.  Then create a single-drive mirror with that
+	drive:</para>
+
+      <screen>&prompt.root; <userinput>graid label Intel gm0 RAID1 ada0 NONE</userinput></screen>
+
+      <para>&man.graid.8; metadata was written to the end of the drive
+	in the unused space.  A second drive can now be inserted into
+	the mirror:</para>
+
+      <screen>&prompt.root; <userinput>graid insert raid/r0 ada1</userinput></screen>
+
+      <para>Data from the original drive will immediately begin to be
+	copied to the second drive.  The mirror will operate in
+	degraded status until the copy is complete.</para>
+    </sect2>
+
+    <sect2 xml:id="geom-graid-inserting">
+      <title>Inserting New Drives into the Array</title>
+
+      <para>Drives can be inserted into an array as replacements for
+	drives that have failed or are missing.  If there are no
+	failed or missing drives, the new drive becomes a spare.  For
+	example, inserting a new drive into a working two-drive mirror
+	results in a two-drive mirror with one spare drive, not a
+	three-drive mirror.</para>
+
+      <para>In the example mirror array, data immediately begins to be
+	copied to the newly-inserted drive.  Any existing information
+	on the new drive will be overwritten.</para>
+
+      <screen>&prompt.root; <userinput>graid insert raid/r0 ada1</userinput>
+GEOM_RAID: Intel-a29ea104: Disk ada1 state changed from NONE to ACTIVE.
+GEOM_RAID: Intel-a29ea104: Subdisk gm0:1-ada1 state changed from NONE to NEW.
+GEOM_RAID: Intel-a29ea104: Subdisk gm0:1-ada1 state changed from NEW to REBUILD.
+GEOM_RAID: Intel-a29ea104: Subdisk gm0:1-ada1 rebuild start at 0.</screen>
+    </sect2>
+
+    <sect2 xml:id="geom-graid-removing">
+      <title>Removing Drives from the Array</title>
+
+      <para>Individual drives can be permanently removed from a
+	from an array and their metadata erased:</para>
+
+      <screen>&prompt.root; <userinput>graid remove raid/r0 ada1</userinput>
+GEOM_RAID: Intel-a29ea104: Disk ada1 state changed from ACTIVE to OFFLINE.
+GEOM_RAID: Intel-a29ea104: Subdisk gm0:1-[unknown] state changed from ACTIVE to NONE.
+GEOM_RAID: Intel-a29ea104: Volume gm0 state changed from OPTIMAL to DEGRADED.</screen>
+    </sect2>
+
+    <sect2 xml:id="geom-graid-stopping">
+      <title>Stopping the Array</title>
+
+      <para>An array can be stopped without removing metadata from the
+	drives.  The array will be restarted when the system is
+	booted.</para>
+
+      <screen>&prompt.root; <userinput>graid stop raid/r0</userinput></screen>
+    </sect2>
+
+    <sect2 xml:id="geom-graid-status">
+      <title>Checking Array Status</title>
+
+      <para>Array status can be checked at any time.  After a drive
+	was added to the mirror in the example above, data is being
+	copied from the original drive to the new drive:</para>
+
+      <screen>&prompt.root; <userinput>graid status</userinput>
+   Name    Status  Components
+raid/r0  DEGRADED  ada0 (ACTIVE (ACTIVE))
+                   ada1 (ACTIVE (REBUILD 28%))</screen>
+
+      <para>Some types of arrays, like <literal>RAID0</literal> or
+	<literal>CONCAT</literal>, may not be shown in the status
+	report if disks have failed.  To see these partially-failed
+	arrays, add <option>-ga</option>:</para>
+
+      <screen>&prompt.root; <userinput>graid status -ga</userinput>
+          Name  Status  Components
+Intel-e2d07d9a  BROKEN  ada6 (ACTIVE (ACTIVE))</screen>
+    </sect2>
+
+    <sect2 xml:id="geom-graid-deleting">
+      <title>Deleting Arrays</title>
+
+      <para>Arrays are destroyed by deleting all of the volumes from
+	them.  When the last volume present is deleted, the array is
+	stopped and metadata is removed from the drives:</para>
+
+      <screen>&prompt.root; <userinput>graid delete raid/r0</userinput></screen>
+    </sect2>
+
+    <sect2 xml:id="geom-graid-unexpected">
+      <title>Deleting Unexpected Arrays</title>
+
+      <para>Drives may unexpectedly contain &man.graid.8; metadata,
+	either from previous use or manufacturer testing.
+	&man.graid.8; will detect these drives and create an array,
+	interfering with access to the individual drive.  To remove
+	the unwanted metadata:</para>
+
+      <procedure>
+	<step>
+	  <para>Boot the system.  At the boot menu, select
+	    <literal>2</literal> for the loader prompt.  Enter:</para>
+
+	  <screen>OK <userinput>set kern.geom.raid.enable=0</userinput>
+OK <userinput>boot</userinput></screen>
+
+	  <para>The system will boot with &man.graid.8;
+	    disabled.</para>
+	</step>
+
+	<step>
+	  <para>Back up all data on the affected drive.</para>
+	</step>
+
+	<step>
+	  <para>As a workaround, &man.graid.8; array detection
+	    can be disabled by adding</para>
+
+	  <programlisting>kern.geom.raid.enable=0</programlisting>
+
+	  <para>to <filename>/boot/loader.conf</filename>.</para>
+
+	  <para>To permanently remove the &man.graid.8; metadata
+	    from the affected drive, boot a &os; installation
+	    <acronym>CD-ROM</acronym> or memory stick, and select
+	    <literal>Shell</literal>.  Use <command>status</command>
+	    to find the name of the array, typically
+	    <literal>raid/r0</literal>:</para>
+
+	  <screen>&prompt.root; <userinput>graid status</userinput>
+   Name   Status  Components
+raid/r0  OPTIMAL  ada0 (ACTIVE (ACTIVE))
+                  ada1 (ACTIVE (ACTIVE))</screen>
+
+	  <para>Delete the volume by name:</para>
+
+	  <screen>&prompt.root; <userinput>graid delete raid/r0</userinput></screen>
+
+	  <para>If there is more than one volume shown, repeat the
+	    process for each volume.  After the last array has been
+	    deleted, the volume will be destroyed.</para>
+
+	  <para>Reboot and verify data, restoring from backup if
+	    necessary.  After the metadata has been removed, the
+	    <literal>kern.geom.raid.enable=0</literal> entry in
+	    <filename>/boot/loader.conf</filename> can also be
+	    removed.</para>
+	</step>
+      </procedure>
+    </sect2>
+  </sect1>
+
+  <sect1 xml:id="geom-ggate">
+    <title><acronym>GEOM</acronym> Gate Network</title>
+
+    <para><acronym>GEOM</acronym> provides a simple mechanism for
+      providing remote access to devices such as disks,
+      <acronym>CD</acronym>s, and file systems through the use of the
+      <acronym>GEOM</acronym> Gate network daemon,
+      <application>ggated</application>.  The system with the device
+      runs the server daemon which handles requests made by clients
+      using <application>ggatec</application>.  The devices should not
+      contain any sensitive data as the connection between the client
+      and the server is not encrypted.</para>
+
+    <para>Similar to <acronym>NFS</acronym>, which is discussed in
+      <xref linkend="network-nfs"/>, <application>ggated</application>
+      is configured using an exports file.  This file specifies which
+      systems are permitted to access the exported resources and what
+      level of access they are offered.  For example, to give the
+      client <systemitem class="ipaddress">192.168.1.5</systemitem>
+      read and write access to the fourth slice on the first
+      <acronym>SCSI</acronym> disk, create
+      <filename>/etc/gg.exports</filename> with this line:</para>
+
+    <programlisting>192.168.1.5 RW /dev/da0s4d</programlisting>
+
+    <para>Before exporting the device, ensure it is not currently
+      mounted.  Then, start <application>ggated</application>:</para>
+
+    <screen>&prompt.root; <userinput>ggated</userinput></screen>
+
+    <para>Several options are available for specifying an alternate
+      listening port or changing the default location of the exports
+      file.  Refer to &man.ggated.8; for details.</para>
+
+    <para>To access the exported device on the client machine, first
+      use <command>ggatec</command> to specify the
+      <acronym>IP</acronym> address of the server and the device name
+      of the exported device.  If successful, this command will
+      display a <literal>ggate</literal> device name to mount.  Mount
+      that specified device name on a free mount point.  This example
+      connects to the <filename>/dev/da0s4d</filename> partition on
+      <literal>192.168.1.1</literal>, then mounts
+      <filename>/dev/ggate0</filename> on
+      <filename>/mnt</filename>:</para>
+
+    <screen>&prompt.root; <userinput>ggatec create -o rw 192.168.1.1 /dev/da0s4d</userinput>
+ggate0
+&prompt.root; <userinput>mount /dev/ggate0 /mnt</userinput></screen>
+
+    <para>The device on the server may now be accessed through
+      <filename>/mnt</filename> on the client.  For more details about
+      <command>ggatec</command> and a few usage examples, refer to
+      &man.ggatec.8;.</para>
+
+    <note>
+      <para>The mount will fail if the device is currently mounted on
+	either the server or any other client on the network.  If
+	simultaneous access is needed to network resources, use
+	<acronym>NFS</acronym> instead.</para>
+    </note>
+
+    <para>When the device is no longer needed, unmount it with
+      <command>umount</command> so that the resource is available to
+      other clients.</para>
+  </sect1>
+
+  <sect1 xml:id="geom-glabel">
+    <title>Labeling Disk Devices</title>
+
+    <indexterm>
+      <primary><acronym>GEOM</acronym></primary>
+    </indexterm>
+    <indexterm>
+      <primary>Disk Labels</primary>
+    </indexterm>
+
+    <para>During system initialization, the &os; kernel creates
+      device nodes as devices are found.  This method of probing for
+      devices raises some issues.  For instance, what if a new disk
+      device is added via <acronym>USB</acronym>?  It is likely that
+      a flash device may be handed the device name of
+      <filename>da0</filename> and the original
+      <filename>da0</filename> shifted to
+      <filename>da1</filename>.  This will cause issues mounting
+      file systems if they are listed in
+      <filename>/etc/fstab</filename> which may also prevent the
+      system from booting.</para>
+
+    <para>One solution is to chain <acronym>SCSI</acronym> devices
+      in order so a new device added to the <acronym>SCSI</acronym>
+      card will be issued unused device numbers.  But what about
+      <acronym>USB</acronym> devices which may replace the primary
+      <acronym>SCSI</acronym> disk?  This happens because
+      <acronym>USB</acronym> devices are usually probed before the
+      <acronym>SCSI</acronym> card.  One solution is to only insert
+      these devices after the system has been booted.  Another method
+      is to use only a single <acronym>ATA</acronym> drive and never
+      list the <acronym>SCSI</acronym> devices in
+      <filename>/etc/fstab</filename>.</para>
+
+    <para>A better solution is to use <command>glabel</command> to
+      label the disk devices and use the labels in
+      <filename>/etc/fstab</filename>.  Because
+      <command>glabel</command> stores the label in the last sector of
+      a given provider, the label will remain persistent across
+      reboots.  By using this label as a device, the file system may
+      always be mounted regardless of what device node it is accessed
+      through.</para>
+
+    <note>
+      <para><command>glabel</command> can create both transient and
+	permanent labels.  Only permanent labels are consistent across
+	reboots.  Refer to &man.glabel.8; for more information on the
+	differences between labels.</para>
+    </note>
+
+    <sect2>
+      <title>Label Types and Examples</title>
+
+      <para>Permanent labels can be a generic or a file system label.
+	Permanent file system labels can be created with
+	&man.tunefs.8; or &man.newfs.8;.  These types of labels are
+	created in a sub-directory of <filename>/dev</filename>, and
+	will be named according to the file system type.  For example,
+	<acronym>UFS</acronym>2 file system labels will be created in
+	<filename>/dev/ufs</filename>.  Generic permanent labels can
+	be created with <command>glabel label</command>.  These are
+	not file system specific and will be created in
+	<filename>/dev/label</filename>.</para>
+
+      <para>Temporary labels are destroyed at the next reboot.  These
+	labels are created in <filename>/dev/label</filename> and are
+	suited to experimentation.  A temporary label can be created
+	using <command>glabel create</command>.</para>
+
+<!-- XXXTR: How do you create a file system label without running newfs
+	    or when there is no newfs (e.g.: cd9660)? -->
+
+      <para>To create a permanent label for a
+	<acronym>UFS</acronym>2 file system without destroying any
+	data, issue the following command:</para>
+
+      <screen>&prompt.root; <userinput>tunefs -L <replaceable>home</replaceable> <replaceable>/dev/da3</replaceable></userinput></screen>
+
+      <warning>
+	<para>If the file system is full, this may cause data
+	  corruption.</para>
+      </warning>
+
+      <para>A label should now exist in <filename>/dev/ufs</filename>
+	which may be added to <filename>/etc/fstab</filename>:</para>
+
+      <programlisting>/dev/ufs/home		/home            ufs     rw              2      2</programlisting>
+
+      <note>
+	<para>The file system must not be mounted while attempting
+	  to run <command>tunefs</command>.</para>
+      </note>
+
+      <para>Now the file system may be mounted:</para>
+
+      <screen>&prompt.root; <userinput>mount /home</userinput></screen>
+
+      <para>From this point on, so long as the
+	<filename>geom_label.ko</filename> kernel module is loaded at
+	boot with <filename>/boot/loader.conf</filename> or the
+	<literal>GEOM_LABEL</literal> kernel option is present,
+	the device node may change without any ill effect on the
+	system.</para>
+
+      <para>File systems may also be created with a default label
+	by using the <option>-L</option> flag with
+	<command>newfs</command>.  Refer to &man.newfs.8; for
+	more information.</para>
+
+      <para>The following command can be used to destroy the
+	label:</para>
+
+      <screen>&prompt.root; <userinput>glabel destroy home</userinput></screen>
+
+      <para>The following example shows how to label the partitions of
+	a boot disk.</para>
+
+      <example>
+	<title>Labeling Partitions on the Boot Disk</title>
+
+	<para>By permanently labeling the partitions on the boot disk,
+	  the system should be able to continue to boot normally, even
+	  if the disk is moved to another controller or transferred to
+	  a different system.  For this example, it is assumed that a
+	  single <acronym>ATA</acronym> disk is used, which is
+	  currently recognized by the system as
+	  <filename>ad0</filename>.  It is also assumed that the
+	  standard &os; partition scheme is used, with
+	  <filename>/</filename>,
+	  <filename>/var</filename>,
+	  <filename>/usr</filename> and
+	  <filename>/tmp</filename>, as
+	  well as a swap partition.</para>
+
+	<para>Reboot the system, and at the &man.loader.8; prompt,
+	  press <keycap>4</keycap> to boot into single user mode.
+	  Then enter the following commands:</para>
+
+	<screen>&prompt.root; <userinput>glabel label rootfs /dev/ad0s1a</userinput>
+GEOM_LABEL: Label for provider /dev/ad0s1a is label/rootfs
+&prompt.root; <userinput>glabel label var /dev/ad0s1d</userinput>
+GEOM_LABEL: Label for provider /dev/ad0s1d is label/var
+&prompt.root; <userinput>glabel label usr /dev/ad0s1f</userinput>
+GEOM_LABEL: Label for provider /dev/ad0s1f is label/usr
+&prompt.root; <userinput>glabel label tmp /dev/ad0s1e</userinput>
+GEOM_LABEL: Label for provider /dev/ad0s1e is label/tmp
+&prompt.root; <userinput>glabel label swap /dev/ad0s1b</userinput>
+GEOM_LABEL: Label for provider /dev/ad0s1b is label/swap
+&prompt.root; <userinput>exit</userinput></screen>
+
+	<para>The system will continue with multi-user boot.  After
+	  the boot completes, edit <filename>/etc/fstab</filename> and
+	  replace the conventional device names, with their respective
+	  labels.  The final <filename>/etc/fstab</filename> will
+	  look like this:</para>
+
+	<programlisting># Device                Mountpoint      FStype  Options         Dump    Pass#
+/dev/label/swap         none            swap    sw              0       0
+/dev/label/rootfs       /               ufs     rw              1       1
+/dev/label/tmp          /tmp            ufs     rw              2       2
+/dev/label/usr          /usr            ufs     rw              2       2
+/dev/label/var          /var            ufs     rw              2       2</programlisting>
+
+	<para>The system can now be rebooted.  If everything went
+	  well, it will come up normally and <command>mount</command>
+	  will show:</para>
+
+	<screen>&prompt.root; <userinput>mount</userinput>
+/dev/label/rootfs on / (ufs, local)
+devfs on /dev (devfs, local)
+/dev/label/tmp on /tmp (ufs, local, soft-updates)
+/dev/label/usr on /usr (ufs, local, soft-updates)
+/dev/label/var on /var (ufs, local, soft-updates)</screen>
+      </example>
+
+      <para>Starting with &os;&nbsp;7.2, the &man.glabel.8; class
+	supports a new label type for <acronym>UFS</acronym> file
+	systems, based on the unique file system id,
+	<literal>ufsid</literal>.  These labels may be found in
+	<filename>/dev/ufsid</filename> and are
+	created automatically during system startup.  It is possible
+	to use <literal>ufsid</literal> labels to mount partitions
+	using <filename>/etc/fstab</filename>.  Use <command>glabel
+	  status</command> to receive a list of file systems and their
+	corresponding <literal>ufsid</literal> labels:</para>
+
+      <screen>&prompt.user; <userinput>glabel status</userinput>
+                  Name  Status  Components
+ufsid/486b6fc38d330916     N/A  ad4s1d
+ufsid/486b6fc16926168e     N/A  ad4s1f</screen>
+
+      <para>In the above example, <filename>ad4s1d</filename>
+	represents <filename>/var</filename>,
+	while <filename>ad4s1f</filename> represents
+	<filename>/usr</filename>.
+	Using the <literal>ufsid</literal> values shown, these
+	partitions may now be mounted with the following entries in
+	<filename>/etc/fstab</filename>:</para>
+
+      <programlisting>/dev/ufsid/486b6fc38d330916        /var        ufs        rw        2      2
+/dev/ufsid/486b6fc16926168e        /usr        ufs        rw        2      2</programlisting>
+
+      <para>Any partitions with <literal>ufsid</literal> labels can be
+	mounted in this way, eliminating the need to manually create
+	permanent labels, while still enjoying the benefits of device
+	name independent mounting.</para>
+    </sect2>
+  </sect1>
+
+  <sect1 xml:id="geom-gjournal">
+    <title>UFS Journaling Through <acronym>GEOM</acronym></title>
+
+    <indexterm>
+      <primary><acronym>GEOM</acronym></primary>
+    </indexterm>
+    <indexterm>
+      <primary>Journaling</primary>
+    </indexterm>
+
+    <para>Beginning with &os;&nbsp;7.0, support for journals on
+      <acronym>UFS</acronym> file systems is available.  The
+      implementation is provided through the <acronym>GEOM</acronym>
+      subsystem and is configured using <command>gjournal</command>.
+      Unlike other file system journaling implementations, the
+      <command>gjournal</command> method is block based and not
+      implemented as part of the file system.  It is a
+      <acronym>GEOM</acronym> extension.</para>
+
+    <para>Journaling stores a log of file system transactions, such as
+      changes that make up a complete disk write operation, before
+      meta-data and file writes are committed to the disk.  This
+      transaction log can later be replayed to redo file system
+      transactions, preventing file system inconsistencies.</para>
+
+    <para>This method provides another mechanism to protect against
+      data loss and inconsistencies of the file system.  Unlike Soft
+      Updates, which tracks and enforces meta-data updates, and
+      snapshots, which create an image of the file system, a log is
+      stored in disk space specifically for this task.  For better
+      performance, the journal may be stored on another disk.  In this
+      configuration, the journal provider or storage device should be
+      listed after the device to enable journaling on.</para>
+
+    <para>The <filename>GENERIC</filename> kernel provides support for
+      <command>gjournal</command>.  To automatically load the
+      <filename>geom_journal.ko</filename> kernel module at boot time,
+      add the following line to
+      <filename>/boot/loader.conf</filename>:</para>
+
+    <programlisting>geom_journal_load="YES"</programlisting>
+
+    <para>If a custom kernel is used, ensure the following line is in
+      the kernel configuration file:</para>
+
+    <programlisting>options	GEOM_JOURNAL</programlisting>
+
+    <para>Once the module is loaded, a journal can be created on a new
+      file system using the following steps.  In this example,
+      <filename>da4</filename> is a new <acronym>SCSI</acronym>
+      disk:</para>
+
+    <screen>&prompt.root; <userinput>gjournal load</userinput>
+&prompt.root; <userinput>gjournal label /dev/<replaceable>da4</replaceable></userinput></screen>
+
+    <para>This will load the module and create a
+      <filename>/dev/da4.journal</filename> device node on
+      <filename>/dev/da4</filename>.</para>
+
+    <para>A <acronym>UFS</acronym> file system may now be created on
+      the journaled device, then mounted on an existing mount
+      point:</para>
+
+    <screen>&prompt.root; <userinput>newfs -O 2 -J /dev/<replaceable>da4</replaceable>.journal</userinput>
+&prompt.root; <userinput>mount /dev/<replaceable>da4</replaceable>.journal <replaceable>/mnt</replaceable></userinput></screen>
+
+    <note>
+      <para>In the case of several slices, a journal will be created
+	for each individual slice.  For instance, if
+	<filename>ad4s1</filename> and <filename>ad4s2</filename> are
+	both slices, then <command>gjournal</command> will create
+	<filename>ad4s1.journal</filename> and
+	<filename>ad4s2.journal</filename>.</para>
+    </note>
+
+    <para>Journaling may also be enabled on current file systems by
+      using <command>tunefs</command>.  However,
+      <emphasis>always</emphasis> make a backup before attempting to
+      alter an existing file system.  In most cases,
+      <command>gjournal</command> will fail if it is unable to create
+      the journal, but this does not protect against data loss
+      incurred as a result of misusing <command>tunefs</command>.
+      Refer to &man.gjournal.8; and &man.tunefs.8; for more
+      information about these commands.</para>
+
+    <para>It is possible to journal the boot disk of a &os; system.
+      Refer to the article
+      Implementing UFS Journaling on a Desktop PC for detailed
+      instructions.</para>
+  </sect1>
 </chapter>
Index: zh_TW.UTF-8/books/handbook/install/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/install/chapter.xml
+++ zh_TW.UTF-8/books/handbook/install/chapter.xml
@@ -1,26 +1,29 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      The FreeBSD Documentation Project
+     The FreeBSD Traditional Chinese Project
 
      $FreeBSD$
-     Original revision: 1.381
+     Original revision: r46052
 -->
-<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="install">
-  <info><title>安裝 FreeBSD</title>
+<chapter xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="install">
+  <info>
+    <title>安裝 FreeBSD</title>
+
     <authorgroup>
-      <author><personname><firstname>Jim</firstname><surname>Mock</surname></personname><contrib>Restructured, reorganized, and parts
-	  rewritten by </contrib></author>
+      <author><personname><firstname>Jim</firstname><surname>Mock</surname></personname><contrib>Restructured,
+	  reorganized, and parts rewritten by </contrib></author>
     </authorgroup>
 
     <authorgroup>
-      <author><personname><firstname>Randy</firstname><surname>Pratt</surname></personname><contrib>The sysinstall walkthrough, screenshots, and general
-	  copy by </contrib></author>
+      <author><personname><firstname>Randy</firstname><surname>Pratt</surname></personname><contrib>The
+	  sysinstall walkthrough, screenshots, and general copy by
+	  </contrib></author>
     </authorgroup>
-    
   </info>
 
-  
-
   <sect1 xml:id="install-synopsis">
     <title>概述</title>
 
@@ -84,7 +87,7 @@
 	Information</link> 找相關的 Installation Notes 說明。
 	接下來的章節會有相關說明整理。
 	根據安裝 &os; 的方式不同，可能會需要軟碟機或光碟機，
-	或某些情況則是要網路卡。  這些部份會在 <xref linkend="install-floppies"/> 有介紹。</para>
+	或某些情況則是要網路卡。  這些部份會在 <xref linkend="install-boot-media"/> 有介紹。</para>
 
       <sect3>
 	<title>&os;/&arch.i386; 及 &os;/&arch.pc98; 架構</title>
@@ -412,52 +415,6 @@
 	  </listitem>
 	</orderedlist>
       </example>
-
-      </sect3>
-
-      <sect3>
-	<title>Alpha 架構的磁碟配置模式</title>
-
-	<para>在 Alpha 上，您必須使用一整顆硬碟給 FreeBSD，
-	  沒有辦法在同顆硬碟上跟其他作業系統共存。  依不同型號的 Alpha
-	  機器，您的硬碟可以是 SCSI 或 IDE 硬碟，
-	  只要您的機器可以從這些硬碟開機就可以。</para>
-
-	<para>按照 Digital / Compaq 使用手冊的編排風格，
-	  所有 SRM 輸入的部分都用大寫表示。  注意：SRM 大小寫有別。</para>
-
-	<para>要得知您磁碟的名稱以及型號，可以在 SRM console 提示下使用
-	  <literal>SHOW DEVICE</literal> 命令：</para>
-
-	<screen>&gt;&gt;&gt;<userinput>SHOW DEVICE</userinput>
-dka0.0.0.4.0               DKA0           TOSHIBA CD-ROM XM-57  3476
-dkc0.0.0.1009.0            DKC0                       RZ1BB-BS  0658
-dkc100.1.0.1009.0          DKC100             SEAGATE ST34501W  0015
-dva0.0.0.0.1               DVA0
-ewa0.0.0.3.0               EWA0              00-00-F8-75-6D-01
-pkc0.7.0.1009.0            PKC0                  SCSI Bus ID 7  5.27
-pqa0.0.0.4.0               PQA0                       PCI EIDE
-pqb0.0.1.4.0               PQB0                       PCI EIDE</screen>
-
-	<para>例子中機器為 Digital Personal Workstation 433au，
-	  並且顯示出此機器有連接三個磁碟機。  第一個是 CDROM，叫做
-	  <filename>DKA0</filename> ；另外兩個是磁碟機， 分別叫做：
-	  <filename>DKC0</filename> 及 <filename>DKC100</filename>。
-	  </para>
-
-	<para>磁碟機的名稱中有 <filename>DKx</filename>
-	  字樣的是 SCSI 硬碟。例如： <filename>DKA100</filename>
-	  表示是 SCSI 硬碟，其 SCSI ID 為 1， 位在第一個 SCSI 匯流排(A)；
-	  而 <filename>DKC300</filename> 表示是 SCSI 硬碟，
-	  其 SCSI ID 為 3，位於第三個 SCSI 匯流排(C)。
-	  裝置名稱 <filename>PKx</filename> 則為 SCSI 控制卡。
-	  由上述 <literal>SHOW DEVICE</literal> 的結果看來，
-	  SCSI 光碟機也被視為是 SCSI 硬碟的一種。</para>
-
-	<para>若為 IDE 硬碟的話，名稱會有 <filename>DQx</filename> 字樣，
-	  而 <filename>PQx</filename> 則表示相對應的 IDE 磁碟控制器。
-	  </para>
-
       </sect3>
     </sect2>
 
@@ -583,58 +540,176 @@
 	</listitem>
       </itemizedlist>
 
-      <para>若已經有 FreeBSD 的 CD 或 DVD，但機器不支援從光碟開機的話，
-	那麼請直接進下一節 (<xref linkend="install-floppies"/>)。</para>
+      <para>若已經有 FreeBSD 的 CD 或 DVD，
+	那麼請直接進下一節 (<xref linkend="install-boot-media"/>)。</para>
 
       <para>若沒有 FreeBSD 安裝片的話，那麼請先看 <xref linkend="install-diff-media"/> 這裡會介紹如何準備所需要的安裝片，
-	照該節步驟弄好後，就可以繼續下一步 <xref linkend="install-start"/>。
+	照該節步驟弄好後，就可以繼續下一步 <xref linkend="install-boot-media"/>。
 	</para>
     </sect2>
 
-    <sect2 xml:id="install-floppies">
-      <title>準備好開機磁片</title>
+    <sect2 xml:id="install-boot-media">
+      <title>Prepare the Boot Media</title>
 
-      <para>FreeBSD 安裝流程是要從電腦開機後，進入 FreeBSD 安裝畫面 ——
-	而不是在其他作業系統上執行程式。
-      	一般來講，電腦都是用裝在硬碟上的作業系統來開機，
-	也可以用開機磁片來開機；
-      	此外，現在大多數電腦都可以從光碟開機。</para>
+      <para>The &os; installation process is started by booting the
+	computer into the &os; installer.  It is not a program that
+	can be run within another operating system.  The computer
+	normally boots using the operating system installed on the
+	hard disk, but it can also be configured to boot from a CDROM
+	or from a USB disk.</para>
 
       <tip>
-	<para>如果您有 FreeBSD 的 CDROM 或 DVD(無論是用買現成的或是自己燒錄的)，
-	  且您的電腦可支援由光碟開機，(通常在 BIOS 中會有
-	  <quote>Boot Order</quote> 或類似選項)，那麼您就可以跳過此小節。
-	  因為 FreeBSD CDROM 或 DVD 都可以用來開機。</para>
+	<para>If installing from a CD/DVD to a computer whose BIOS
+	  supports booting from the CD/DVD, skip this section.  The
+	  &os; CD/DVD images are bootable and can be used to install
+	  &os; without any other special preparation.</para>
       </tip>
 
-      <para>請按照下面步驟，以製作開機片：</para>
+      <para>To create a bootable memory stick, follow these
+	steps:</para>
 
       <procedure>
 	<step>
-	  <title>取得開機片的映像檔(images)</title>
+	  <title>Acquire the Memory Stick Image</title>
 
-	  <para>開機磁片用的映像檔(images)通常會放在光碟片上的
-	    <filename>floppies/</filename> 目錄內，
-	    另外也可以從像是下面 FTP 站的 floppies 目錄下載：
-	   <literal>ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/&lt;arch&gt;/&lt;version&gt;-RELEASE/floppies/</literal>
-	   。請將『arch』、『version』替換為打算安裝的電腦架構、OS 版本。
-	   例如：想裝的是 &os;/&arch.i386;&nbsp;&rel.current;-RELEASE
-	   ，那麼可以到 <uri xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/&rel.current;-RELEASE/floppies/">ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/&rel.current;-RELEASE/floppies/</uri> 下載。</para>
-
-	  <para>映像檔(images)的附檔名都是 <filename>.flp</filename>。而
-	    <filename>floppies/</filename> 目錄內包含一些不同用途的映像檔
-	    (images)，這取決於您要裝的 FreeBSD 版本、需求、硬體配備為何。
-	    通常要 4 個映像檔，也就是： <filename>boot.flp</filename>、
-	    <filename>kern1.flp</filename>、<filename>kern2.flp</filename>、
-	    <filename>kern3.flp</filename>。  若有疑問的話，請翻閱同一目錄下的
-	    <filename>README.TXT</filename> 文件檔，以瞭解相關最新注意事項。
-	    </para>
+	  <para>Memory stick images for
+	    &os;&nbsp;8.<replaceable>X</replaceable> can be downloaded
+	    from the <filename
+	      class="directory">ISO-IMAGES/</filename> directory at
+	    <literal>ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/<replaceable>arch</replaceable>/ISO-IMAGES/<replaceable>version</replaceable>/&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-memstick.img</literal>.
+	    Replace <replaceable>arch</replaceable> and
+	    <replaceable>version</replaceable> with the architecture
+	    and the version number to install.  For example, the
+	    memory stick images for
+	    &os;/&arch.i386;&nbsp;&rel2.current;-RELEASE are
+	    available from <uri
+	      xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/&arch.i386;/ISO-IMAGES/&rel2.current;/&os;-&rel2.current;-RELEASE-&arch.i386;-memstick.img">ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/&arch.i386;/ISO-IMAGES/&rel2.current;/&os;-&rel2.current;-RELEASE-&arch.i386;-memstick.img</uri>.</para>
+
+	  <tip>
+	    <para>A different directory path is used for
+	      &os;&nbsp;9.0-RELEASE and later versions.  How to
+	      download and install
+	      &os;&nbsp;9.<replaceable>X</replaceable>
+	      is covered in <xref linkend="bsdinstall"/>.</para>
+	  </tip>
+
+	  <para>The memory stick image has a <filename>.img</filename>
+	    extension.  The <filename>ISO-IMAGES/</filename> directory
+	    contains a number of different images and the one to
+	    use depends on the version of &os; and the type of media
+	    supported by the hardware being installed to.</para>
 
 	  <important>
-	    <para>在使用 FTP 下載時，必須使用 <emphasis>binary 模式</emphasis>
-	      進行傳輸。  有些瀏覽器預設是以 <emphasis>text</emphasis> (或
-	      <emphasis>ASCII</emphasis>) 模式來傳輸資料，
-	      所以這些錯誤傳輸模式下載的映像檔所做成的磁片，會無法使用。</para>
+	    <para>Before proceeding, <emphasis>back up</emphasis> the
+	      data on the USB stick, as this procedure will
+	      <emphasis>erase</emphasis> it.</para>
+	  </important>
+	</step>
+
+	<step>
+	  <title>Write the Image File to the Memory Stick</title>
+
+	  <procedure>
+	    <title>Using &os; to Write the Image</title>
+
+	    <warning>
+	      <para>The example below lists
+		<filename>/dev/da0</filename> as the target device
+		where the image will be written.  Be very careful that
+		you have the correct device as the output target, or
+		you may destroy your existing data.</para>
+	    </warning>
+
+	    <step>
+	      <title>Writing the Image with &man.dd.1;</title>
+
+	      <para>The <filename>.img</filename> file is
+		<emphasis>not</emphasis> a regular file that can just
+		be copied to the memory stick.  It is an image of the
+		complete contents of the disk.  This means that
+		&man.dd.1; must be used to write the image directly to
+		the disk:</para>
+
+	      <screen>&prompt.root; <userinput>dd if=&os;-&rel2.current;-RELEASE-&arch.i386;-memstick.img of=/dev/<replaceable>da0</replaceable> bs=64k</userinput></screen>
+
+	      <para>If an <computeroutput>Operation not
+		  permitted</computeroutput> error is displayed, make
+		certain that the target device is not in use, mounted,
+		or being automounted by another program.  Then try
+		again.</para>
+	    </step>
+	  </procedure>
+
+	  <procedure>
+	    <title>Using &windows; to Write the Image</title>
+
+	    <warning>
+	      <para>Make sure to use the correct drive letter as the
+		output target, as this command will overwrite and
+		destroy any existing data on the specified
+		device.</para>
+	    </warning>
+
+	    <step>
+	      <title>Obtaining <application>Image Writer for
+		  Windows</application></title>
+
+	      <para><application>Image Writer for
+		  Windows</application> is a free application that can
+		correctly write an image file to a memory stick.
+		Download it from <uri
+		  xlink:href="https://launchpad.net/win32-image-writer/">https://launchpad.net/win32-image-writer/</uri>
+		and extract it into a folder.</para>
+	    </step>
+
+	    <step>
+	      <title>Writing the Image with Image Writer</title>
+
+	      <para>Double-click the
+		<application>Win32DiskImager</application> icon to
+		start the program.  Verify that the drive letter shown
+		under <computeroutput>Device</computeroutput> is the
+		drive with the memory stick.  Click the folder icon
+		and select the image to be written to the memory
+		stick.  Click <guibutton>Save</guibutton> to accept
+		the image file name.  Verify that everything is
+		correct, and that no folders on the memory stick are
+		open in other windows.  Finally, click
+		<guibutton>Write</guibutton> to write the image file
+		to the drive.</para>
+	    </step>
+	  </procedure>
+	</step>
+      </procedure>
+
+      <para>To create the boot floppy images for a &os;/&arch.pc98;
+	installation, follow these steps:</para>
+
+      <procedure>
+	<step>
+	  <title>Acquire the Boot Floppy Images</title>
+
+	  <para>The &os;/&arch.pc98; boot disks can be downloaded from
+	    the floppies directory,
+	    <literal>ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/pc98/<replaceable>version</replaceable>-RELEASE/floppies/</literal>.
+	    Replace <replaceable>version</replaceable> with the
+	    version number to install.</para>
+
+	  <para>The floppy images have a <filename>.flp</filename>
+	    extension.  <filename
+	      class="directory">floppies/</filename> contains a number
+	    of different images.  Download
+	    <filename>boot.flp</filename> as well as the number of
+	    files associated with the type of installation, such as
+	    <literal>kern.small*</literal> or
+	    <literal>kern*</literal>.</para>
+
+	  <important>
+	    <para>The FTP program must use <emphasis>binary
+		mode</emphasis> to download these disk images.  Some
+	      web browsers use <emphasis>text</emphasis> or
+	      <emphasis>ASCII</emphasis> mode, which will be apparent
+	      if the disks are not bootable.</para>
 	  </important>
 	</step>
 
@@ -760,7 +835,7 @@
 
 	<step>
 	  <para>若要用磁片安裝，請把在
-	    <xref linkend="install-floppies"/>一節中製作好的
+	    <xref linkend="install-boot-media"/>一節中製作好的
 	    <filename>boot.flp</filename> 那張安裝磁片放到第一台軟碟機中。
 	    </para>
 
@@ -855,59 +930,6 @@
       </procedure>
 
       </sect3>
-      <sect3>
-        <title>Alpha 平台的開機流程</title>
-
-	<indexterm><primary>Alpha</primary></indexterm>
-
-      <procedure>
-	<step>
-	  <para>在一開始，電腦電源開關是關閉的。</para>
-	</step>
-
-	<step>
-	  <para>打開電腦電源開關，然後等開機畫面出現。</para>
-        </step>
-
-	<step>
-	  <para>若要用磁片安裝，請把在
-	    <xref linkend="install-floppies"/>一節中製作好的
-	    <filename>boot.flp</filename> 那張安裝磁片放到第一台軟碟機中。
-	    然後，打下列指令來從磁片開機
-	    (請把下列軟碟機代號改為你電腦的軟碟機代號)：</para>
-
-	  <screen>&gt;&gt;&gt;<userinput>BOOT DVA0 -FLAGS '' -FILE ''</userinput></screen>
-
-	  <para>若要用光碟安裝，請把做好的安裝片放入光碟機，
-	    然後打下列指令來從光碟開機
-	    (請把下列光碟機代號改為你電腦的光碟機代號)：</para>
-
-          <screen>&gt;&gt;&gt;<userinput>BOOT DKA0 -FLAGS '' -FILE ''</userinput></screen>
-	</step>
-
-	<step>
-	  <para>接著 FreeBSD 開機片就會開始了。若是由軟碟開機的話，
-	    這時會看到以下訊息：</para>
-
-	  <screen>Insert disk labelled "Kernel floppy 1" and press any key...</screen>
-
-	  <para>請照指示，拿走 <filename>boot.flp</filename> 片，改放
-	    <filename>kern1.flp</filename> 片，
-	    然後按 <keycap>Enter</keycap>。</para>
-	</step>
-
-	<step>
-	  <para>無論從軟碟或光碟開機，您都會看到下面這段訊息：</para>
-
-	  <screen>Hit [Enter] to boot immediately, or any other key for command prompt.
-Booting [kernel] in 9 seconds... _</screen>
-
-	  <para>您可以等待 10 秒，或是按 <keycap>Enter</keycap> 鍵。
-	    接下來就會進入kernel configuration 選單。</para>
-	</step>
-      </procedure>
-
-      </sect3>
 
       <sect3>
 	<title>&sparc64; 平台的開機流程</title>
@@ -2346,7 +2368,7 @@
 
       <para>These services can be enabled after installation by editing
 	<filename>/etc/inetd.conf</filename> with your favorite text editor.
-	See <xref linkend="network-inetd-overview"/> for more information.</para>
+	See <xref linkend="network-inetd-conf"/> for more information.</para>
 
       <para>Select &gui.yes; if you wish to
 	configure these services during install.  An additional
@@ -3969,7 +3991,7 @@
         serial console.  A serial console is basically using another
         machine to act as the main display and keyboard for a
         system.  To do this, just follow the steps to create
-        installation floppies, explained in <xref linkend="install-floppies"/>.</para>
+        installation floppies, explained in <xref linkend="install-boot-media"/>.</para>
 
       <para>To modify these floppies to boot into a serial console, follow
 	these steps:</para>
@@ -4106,112 +4128,156 @@
     </itemizedlist>
 
     <sect2 xml:id="install-cdrom">
-      <title>Creating an Installation CDROM</title>
+      <title>Creating an Installation ISO</title>
 
-      <para>As part of each release, the FreeBSD project makes available at least two
-	CDROM images (<quote>ISO images</quote>) per supported architecture.  These images can be written
-	(<quote>burned</quote>) to CDs if you have a CD writer, and then used
-	to install FreeBSD.  If you have a CD writer, and bandwidth is cheap,
-	then this is the easiest way to install FreeBSD.</para>
+      <para>As part of each release, the &os; Project provides ISO
+	images for each supported architecture.  These images can be
+	written (<quote>burned</quote>) to CD or DVD media using a
+	burning application, and then used to install &os;.  If a
+	CD/DVD writer is available, this is the easiest way to install
+	&os;.</para>
 
       <procedure>
 	<step>
 	  <title>Download the Correct ISO Images</title>
 
-	  <para>The ISO images for each release can be downloaded from <filename>ftp://ftp.FreeBSD.org/pub/FreeBSD/ISO-IMAGES-arch/version</filename> or the closest mirror.
-	    Substitute <replaceable>arch</replaceable> and
+	  <para>The ISO images for each release can be downloaded from
+	    <filename>ftp://ftp.FreeBSD.org/pub/FreeBSD/ISO-IMAGES-<replaceable>arch</replaceable>/<replaceable>version</replaceable></filename>
+	    or the closest mirror.  Substitute
+	    <replaceable>arch</replaceable> and
 	    <replaceable>version</replaceable> as appropriate.</para>
 
-	  <para>That directory will normally contain the following images:</para>
+	  <para>An image directory normally contains the following
+	    images:</para>
 
 	  <table frame="none">
-	    <title>FreeBSD 5.<replaceable>X</replaceable> and 6.<replaceable>X</replaceable>
-	    ISO Image Names and Meanings</title>
+	    <title>&os;
+	      ISO Image Names and Meanings</title>
 
 	    <tgroup cols="2">
 	      <thead>
 		<row>
-		  <entry>檔名</entry>
+		  <entry>Filename</entry>
 
-		  <entry>內容</entry>
+		  <entry>Contents</entry>
 		</row>
 	      </thead>
 
 	      <tbody>
 		<row>
-		  <entry><filename>版本-RELEASE-架構-bootonly.iso</filename></entry>
+		  <entry><filename>&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-bootonly.iso</filename></entry>
+
+		  <entry>This CD image starts the installation process
+		    by booting from a CD-ROM drive but it does not
+		    contain the support for installing &os; from the
+		    CD itself.  Perform a network based install, such
+		    as from an FTP server, after booting from this
+		    CD.</entry>
+		</row>
+
+		<row>
+		  <entry><filename>&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-dvd1.iso.gz</filename></entry>
+
+		  <entry>This DVD image contains everything necessary
+		    to install the base &os; operating system, a
+		    collection of pre-built packages, and the
+		    documentation.  It also supports booting into a
+		    <quote>livefs</quote> based rescue mode.</entry>
+		</row>
+
+		<row>
+		  <entry><filename>&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-memstick.img</filename></entry>
 
-		  <entry>Everything you need to boot into a FreeBSD
-		    kernel and start the installation interface.
-		    The installable files have to be pulled over FTP
-		    or some other supported source.</entry>
+		  <entry>This image can be written to a USB memory
+		    stick in order to install machines capable of
+		    booting from USB drives.  It also supports booting
+		    into a <quote>livefs</quote> based rescue mode.
+		    The only included package is the documentation
+		    package.</entry>
 		</row>
 
 		<row>
-		  <entry><filename>版本-RELEASE-架構-disc1.iso</filename></entry>
+		  <entry><filename>&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-disc1.iso</filename></entry>
 
-		  <entry>Everything you need to install &os; and a
-		    <quote>live filesystem</quote>, which is used in
-		    conjunction with the <quote>Repair</quote> facility
-		    in <application>sysinstall</application>.</entry>
+		  <entry>This image can be written to a USB memory
+		    stick in order to install machines capable of
+		    booting from USB drives.  Similar to the
+		    <filename>bootonly.iso</filename> image, it does
+		    not contain the distribution sets on the medium
+		    itself, but does support network-based
+		    installations (for example, via ftp).</entry>
 		</row>
 
 		<row>
-		  <entry><filename>版本-RELEASE-架構-disc2.iso</filename></entry>
+		  <entry><filename>&os;-version-RELEASE-arch-disc1.iso</filename></entry>
 
-		  <entry>&os; 文件(&os; 6.2 之前的)，以及許多 third-party
-		    packages。</entry>
+		  <entry>This CD image contains the base &os;
+		    operating system and the documentation package but
+		    no other packages.</entry>
 		</row>
 
 		<row>
-		  <entry><filename>版本-RELEASE-架構-docs.iso</filename></entry>
+		  <entry><filename>&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-disc2.iso</filename></entry>
 
-		  <entry>&os; 文件(&os; 6.2 及之後)。</entry>
+		  <entry>A CD image with as many third-party packages
+		    as would fit on the disc.  This image is not
+		    available for
+		    &os;&nbsp;9.<replaceable>X</replaceable>.</entry>
+		</row>
+
+		<row>
+		  <entry><filename>&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-disc3.iso</filename></entry>
+
+		  <entry>Another CD image with as many third-party
+		    packages as would fit on the disc.  This image is
+		    not available for
+		    &os;&nbsp;9.<replaceable>X</replaceable>.</entry>
+		</row>
+
+		<row>
+		  <entry><filename>&os;-<replaceable>version</replaceable>-RELEASE-<replaceable>arch</replaceable>-livefs.iso</filename></entry>
+
+		  <entry>This CD image contains support for booting
+		    into a <quote>livefs</quote> based rescue mode but
+		    does not support doing an install from the CD
+		    itself.</entry>
 		</row>
 	      </tbody>
 	    </tgroup>
 	  </table>
 
-	  <para>You <emphasis>must</emphasis> download one of either the bootonly
-	    ISO image (if available), or the image of disc one.  Do not download
-	    both of them, since the disc one image contains everything that the
-	    bootonly ISO image contains.</para>
-
-	  <para>Use the bootonly ISO if Internet access is cheap for you.  It will
-	    let you install &os;, and you can then install third-party
-	    packages by downloading them using the ports/packages system (see
-	    <xref linkend="ports"/>) as
-	    necessary.</para>
-
-	  <para>Use the image of disc one if you want to install a &os;
-	    release and want
-	    a reasonable selection of third-party packages on the disc
-	    as well.</para>
+	  <para>When performing a CD installation, download either
+	    the <literal>bootonly</literal> ISO image or
+	    <literal>disc1</literal>.  Do not download both, since
+	    <literal>disc1</literal> contains everything that the
+	    <literal>bootonly</literal> ISO image contains.</para>
+
+	  <para>Use the <literal>bootonly</literal> ISO to perform a
+	    network install over the Internet.  Additional software
+	    can be installed as needed using the Ports Collection as
+	    described in <xref linkend="ports"/>.</para>
 
-	  <para>The additional disc images are useful, but not essential,
-	    especially if you have high-speed access to the Internet.</para>
+	  <para>Use <literal>dvd1</literal> to install &os; and a
+	    selection of third-party packages from the disc.</para>
 	</step>
 
 	<step>
-	  <title>Write the CDs</title>
+	  <title>Burn the Media</title>
 
-	  <para>You must then write the CD images to disc.  If you will be
-	    doing this on another FreeBSD system then see
-	    <xref linkend="creating-cds"/> for more information (in
-	    particular, <xref linkend="burncd"/> and
-	    <xref linkend="cdrecord"/>).</para>
-
-	  <para>If you will be doing this on another platform then you will
-	    need to use whatever utilities exist to control your CD writer on
-	    that platform.  The images provided are in the standard ISO format,
-	    which many CD writing applications support.</para>
+	  <para>Next, write the downloaded image(s) to disc.  If using
+	    another &os; system, refer to
+	    <xref linkend="cdrecord"/> for instructions.</para>
+
+	  <para>If using another platform, use any burning utility
+	    that exists for that platform.  The images are in the
+	    standard ISO format which most CD writing applications
+	    support.</para>
 	</step>
       </procedure>
 
-      <note><para>If you are interested in building a customized
-        release of FreeBSD, please see the <link xlink:href="&url.articles.releng;">Release Engineering
-        Article</link>.</para></note>
-
+      <note><para>To build a customized release of &os;, refer to the
+	<link xlink:href="&url.articles.releng;">Release Engineering
+	  Article</link>.</para></note>
     </sect2>
 
     <sect2 xml:id="install-ftp">
Index: zh_TW.UTF-8/books/handbook/jails/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/jails/chapter.xml
+++ zh_TW.UTF-8/books/handbook/jails/chapter.xml
@@ -524,8 +524,8 @@
 	  <link xlink:href="&url.books.handbook;/makeworld.html">相關章節</link>。
 	  當更新完成之後，就要進行 buildworld 程序，此外還要裝 <package>sysutils/cpdup</package> 套件。
 	  我們將用 &man.portsnap.8; 來下載 &os; Ports Collection，
-	  在 Handbook 中對 <link xlink:href="&url.books.handbook;/portsnap.html">Portsnap 章節</link>
-	  中有相關介紹，初學者可以看看。</para>
+	  在 Handbook 中 <xref linkend="ports-using-portsnap-method"/>
+	  有相關介紹，初學者可以看看。</para>
 
 	<procedure>
 	  <step>
Index: zh_TW.UTF-8/books/handbook/kernelconfig/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/kernelconfig/chapter.xml
+++ zh_TW.UTF-8/books/handbook/kernelconfig/chapter.xml
@@ -242,7 +242,7 @@
 	一旦真的砍了之後，你可能幾秒之後才會醒悟到：
 	你同時也砍掉自己改的 kernel 設定檔。
 	此外，也不要直接修改 <filename>GENERIC</filename>，因為下次你
-	<link linkend="cutting-edge">更新 source tree</link>時，
+	更新 source tree 時，
 	它會被新版覆蓋，而相關修改也將隨之而逝。</para>
 
       <para>你也可考慮把 kernel 設定檔改放到其他地方，然後再到
@@ -275,7 +275,7 @@
       會循序漸進地介紹。</para>
 
     <note>
-      <para>若有從 &os; 計劃去 <link linkend="cutting-edge">更新你的 source tree</link> 的話，
+      <para>若有從 &os; 計劃去更新你的 source tree 的話，
         則切記在進行任何升級之前，務必要察看
 	<filename>/usr/src/UPDATING</filename>。
 	這檔會介紹在更新過程中的重大議題或要注意的事項。
Index: zh_TW.UTF-8/books/handbook/mirrors/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/mirrors/chapter.xml
+++ zh_TW.UTF-8/books/handbook/mirrors/chapter.xml
@@ -1,3147 +1,882 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      The FreeBSD Documentation Project
+     The FreeBSD Traditional Chinese Project
 
      $FreeBSD$
-     Original revision: 1.420
+     Original revision: r46052
 -->
-<appendix xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="mirrors">
-  <title>取得 FreeBSD 的方式</title>
+<appendix xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="mirrors">
+  <title>取得 &os; 的方式</title>
 
   <sect1 xml:id="mirrors-cdrom">
-    <title>CDROM 及 DVD 發行商</title>
+    <title><acronym>CD</acronym> 及
+      <acronym>DVD</acronym> 合集</title>
 
-    <sect2>
-      <title>盒裝產品的零售處：</title>
-
-      <para>FreeBSD 盒裝產品(含 FreeBSD 光碟及其他一些軟體、書面文件)的零售業者：</para>
-
-      <itemizedlist>
-	<listitem>
-	  <address>
-	    CompUSA
-	    WWW: <otheraddr xlink:href="http://www.compusa.com/">http://www.compusa.com/</otheraddr>
-	  </address>
-	</listitem>
-
-	<listitem>
-	  <address>
-	    Frys Electronics
-	    WWW: <otheraddr xlink:href="http://www.frys.com/">http://www.frys.com/</otheraddr>
-	  </address>
-	</listitem>
-      </itemizedlist>
-    </sect2>
-
-    <sect2>
-      <title>CD 及 DVD 合集</title>
-
-      <para>FreeBSD 光碟(CD 及 DVD)的網路零售業者：</para>
+    <para>&os; <acronym>CD</acronym> 及 <acronym>DVD</acronym> 合集
+      可以從這些網路零售商取得：</para>
 
     <itemizedlist>
       <listitem>
-        <address>
-	  BSD Mall by Daemon News
-	  <street>PO Box 161</street>
-	  <city>Nauvoo</city>, <state>IL</state> <postcode>62354</postcode>
-	  <country>USA</country>
-	  Phone: <phone>+1 866 273-6255</phone>
-	  Fax: <fax>+1 217 453-9956</fax>
-	  Email: <email>sales@bsdmall.com</email>
-	  WWW: <otheraddr xlink:href="http://www.bsdmall.com/freebsd1.html">http://www.bsdmall.com/freebsd1.html</otheraddr>
-        </address>
-      </listitem>
-
-      <listitem>
-        <address>
-	  BSD-Systems
-	  Email: <email>info@bsd-systems.co.uk</email>
-	  WWW: <otheraddr xlink:href="http://www.bsd-systems.co.uk">http://www.bsd-systems.co.uk</otheraddr>
-        </address>
-      </listitem>
-
-      <listitem>
-        <address>
-	  FreeBSD Mall, Inc.
-	  <street>3623 Sanford Street</street>
-	  <city>Concord</city>, <state>CA</state>  <postcode>94520-1405</postcode>
+	<address>&os; Mall, Inc.
+	  <street>2420 Sand Creek Rd C-1 #347</street>
+	  <city>Brentwood</city>, <state>CA</state>
+	  <postcode>94513</postcode>
 	  <country>USA</country>
-	  Phone: <phone>+1 925 674-0783</phone>
+	  Phone: <phone>+1 925 240-6652</phone>
 	  Fax: <fax>+1 925 674-0821</fax>
 	  Email: <email>info@freebsdmall.com</email>
-	  WWW: <otheraddr xlink:href="http://www.freebsdmall.com/">http://www.freebsdmall.com/</otheraddr>
-        </address>
-      </listitem>
-
-      <listitem>
-	<address>
-	  Hinner EDV
-	  <street>St. Augustinus-Str. 10</street>
-	  <postcode>D-81825</postcode> <city>M&uuml;nchen</city>
-	  <country>Germany</country>
-	  Phone: <phone>(089) 428 419</phone>
-	  WWW: <otheraddr xlink:href="http://www.hinner.de/linux/freebsd.html">http://www.hinner.de/linux/freebsd.html</otheraddr>
-        </address>
-      </listitem>
-
-      <listitem>
-	<address>
-	  Ikarios
-	  <street>22-24 rue Voltaire</street>
-	  <postcode>92000</postcode> <city>Nanterre</city>
-	  <country>France</country>
-	  WWW: <otheraddr xlink:href="http://ikarios.com/form/#freebsd">http://ikarios.com/form/#freebsd</otheraddr>
-        </address>
-      </listitem>
-
-      <listitem>
-	<address>
-	  JMC Software
-	  <country>Ireland</country>
-	  Phone: <phone>353 1 6291282</phone>
-	  WWW: <otheraddr xlink:href="http://www.thelinuxmall.com">http://www.thelinuxmall.com</otheraddr>
-	</address>
-      </listitem>
-
-      <listitem>
-	<address>
-	  Linux CD Mall
-	  <street>Private Bag MBE N348</street>
-	  <city>Auckland 1030</city>
-	  <country>New Zealand</country>
-	  Phone: <phone>+64 21 866529</phone>
-	  WWW: <otheraddr xlink:href="http://www.linuxcdmall.co.nz/">http://www.linuxcdmall.co.nz/</otheraddr>
+	  WWW: <otheraddr
+	    xlink:href="http://www.freebsdmall.com/">http://www.freebsdmall.com/</otheraddr>
 	</address>
       </listitem>
 
       <listitem>
-	<address>
-	  The Linux Emporium
-	  <street>Hilliard House, Lester Way</street>
-	  <city>Wallingford</city>
-	  <postcode>OX10 9TA</postcode>
-	  <country>United Kingdom</country>
-	  Phone: <phone>+44 1491 837010</phone>
-	  Fax: <fax>+44 1491 837016</fax>
-	  WWW: <otheraddr xlink:href="http://www.linuxemporium.co.uk/products/freebsd/">http://www.linuxemporium.co.uk/products/freebsd/</otheraddr>
-        </address>
-      </listitem>
-
-      <listitem>
-	<address>
-	  Linux+ DVD Magazine
-	  <street>Lewartowskiego 6</street>
-	  <city>Warsaw</city>
-	  <postcode>00-190</postcode>
-	  <country>Poland</country>
-	  Phone: <phone>+48 22 860 18 18</phone>
-	  Email: <email>editors@lpmagazine.org</email>
-	  WWW: <otheraddr xlink:href="http://www.lpmagazine.org/">http://www.lpmagazine.org/</otheraddr>
+	<address>Getlinux
+	  <street>78 Rue de la Croix Rochopt</street>
+	  <city>&Eacute;pinay-sous-S&eacute;nart</city>
+	  <postcode>91860</postcode>
+	  <country>France</country>
+	  Email: <email>contact@getlinux.fr</email>
+	  WWW: <otheraddr
+	    xlink:href="http://www.getlinux.fr">http://www.getlinux.fr/</otheraddr>
 	</address>
       </listitem>
 
       <listitem>
-	<address>
-	  Linux System Labs Australia
-	  <street>21 Ray Drive</street>
-	  <city>Balwyn North</city>
-	  <postcode>VIC - 3104</postcode>
-	  <country>Australia</country>
-	  Phone: <phone>+61 3 9857 5918</phone>
-	  Fax: <fax>+61 3 9857 8974</fax>
-	  WWW: <otheraddr xlink:href="http://www.lsl.com.au">http://www.lsl.com.au</otheraddr>
-        </address>
-      </listitem>
-
-      <listitem>
-	<address>
-	  LinuxCenter.Ru
-	  <street>Galernaya Street, 55</street>
-	  <city>Saint-Petersburg</city>
-	  <postcode>190000</postcode>
-	  <country>Russia</country>
-	  Phone: <phone>+7-812-3125208</phone>
-	  Email: <email>info@linuxcenter.ru</email>
-	  WWW: <otheraddr xlink:href="http://linuxcenter.ru/freebsd">http://linuxcenter.ru/freebsd</otheraddr>
+	<address>Dr. Hinner EDV
+	  <street>Kochelseestr. 11</street>
+	  <postcode>D-81371</postcode> <city>M&uuml;nchen</city>
+	  <country>Germany</country>
+	  Phone: <phone>(0177) 428 419 0</phone>
+	  Email: <email>infow@hinner.de</email>
+	  WWW: <otheraddr
+	    xlink:href="http://www.hinner.de/linux/freebsd.html">http://www.hinner.de/linux/freebsd.html</otheraddr>
 	</address>
       </listitem>
 
-    </itemizedlist>
-    </sect2>
-
-    <sect2>
-      <title>經銷商(Distributors)</title>
-
-      <para>若你是區域經銷商，並想代理經銷 FreeBSD 光碟產品的話，請與下列的代理商聯繫：</para>
-
-      <itemizedlist>
-	<listitem>
-	  <address>
-	    Cylogistics
-	    <street>809B Cuesta Dr., #2149</street>
-	    <city>Mountain View</city>, <state>CA</state> <postcode>94040</postcode>
-	    <country>USA</country>
-	    Phone: <phone>+1 650 694-4949</phone>
-	    Fax: <fax>+1 650 694-4953</fax>
-	    Email: <email>sales@cylogistics.com</email>
-	    WWW: <otheraddr xlink:href="http://www.cylogistics.com/">http://www.cylogistics.com/</otheraddr>
-	  </address>
-	</listitem>
-
-        <listitem>
-	  <address>
-	    Ingram Micro
-	    <street>1600 E. St. Andrew Place</street>
-	    <city>Santa Ana</city>, <state>CA</state>  <postcode>92705-4926</postcode>
-	    <country>USA</country>
-	    Phone: <phone>1 (800) 456-8000</phone>
-	    WWW: <otheraddr xlink:href="http://www.ingrammicro.com/">http://www.ingrammicro.com/</otheraddr>
-          </address>
-        </listitem>
-
-	<listitem>
-	  <address>
-	    Kudzu, LLC
-	    <street>7375 Washington Ave. S.</street>
-	    <city>Edina</city>, <state>MN</state> <postcode>55439</postcode>
-	    <country>USA</country>
-	    Phone: <phone>+1 952 947-0822</phone>
-	    Fax: <fax>+1 952 947-0876</fax>
-	    Email: <email>sales@kudzuenterprises.com</email>
-	  </address>
-	</listitem>
-
+<!--
+This site is just showing the Apache test page.
 	<listitem>
 	  <address>
-	    LinuxCenter.Ru
-	    <street>Galernaya Street, 55</street>
-	    <city>Saint-Petersburg</city>
-	    <postcode>190000</postcode>
-	    <country>Russia</country>
-	    Phone: <phone>+7-812-3125208</phone>
-	    Email: <email>info@linuxcenter.ru</email>
-	    WWW: <otheraddr xlink:href="http://linuxcenter.ru/freebsd">http://linuxcenter.ru/freebsd</otheraddr>
+	    Linux Distro UK
+	    <street>42 Wharfedale Road</street>
+	    <city>Margate</city>
+	    <postcode>CT9 2TB</postcode>
+	    <country>United Kingdom</country>
+	    WWW: <otheraddr
+	      xlink:href="https://linux-distro.co.uk/">https://linux-distro.co.uk/</otheraddr>
 	  </address>
 	</listitem>
 
+This site doesn't have any products newer than 8.1 which is now EOL'd
 	<listitem>
-	  <address>
-	    Navarre Corp
-	    <street>7400 49th Ave South</street>
-	    <city>New Hope</city>, <state>MN</state> <postcode>55428</postcode>
-	    <country>USA</country>
-	    Phone: <phone>+1 763 535-8333</phone>
-	    Fax: <fax>+1 763 535-0341</fax>
-	    WWW: <otheraddr xlink:href="http://www.navarre.com/">http://www.navarre.com/</otheraddr>
+	  <address>The Linux Emporium
+	    <street>The Techno Centre, Puma Way</street>
+	    <city>Parkside</city>
+	    <postcode>CV1 2TT</postcode>
+	    <country>United Kingdom</country>
+	    Phone: <phone>+44 (0)247 615 8121</phone>
+	    Fax: <fax>+44 1491 837016</fax>
+	    WWW: <otheraddr
+	      xlink:href="http://www.linuxemporium.co.uk/products/bsd/">http://www.linuxemporium.co.uk/products/bsd/</otheraddr>
 	  </address>
 	</listitem>
-      </itemizedlist>
-    </sect2>
-  </sect1>
-
-  <sect1 xml:id="mirrors-ftp">
-    <title>FTP 站</title>
-
-    <para>The official sources for FreeBSD are available via anonymous FTP
-      from a worldwide set of mirror sites.  The site
-      <uri xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/">ftp://ftp.FreeBSD.org/pub/FreeBSD/</uri> is well
-      connected and allows a large number of connections to it, but
-      you are probably better off finding a <quote>closer</quote>
-      mirror site (especially if you decide to set up some sort of
-      mirror site).</para>
-
-    <para>The <link xlink:href="http://mirrorlist.FreeBSD.org/">FreeBSD mirror
-	sites database</link> is more accurate than the mirror listing in the
-      Handbook, as it gets its information from the DNS rather than relying on
-      static lists of hosts.</para>
-
-    <para>Additionally, FreeBSD is available via anonymous FTP from the
-      following mirror sites.  If you choose to obtain FreeBSD via anonymous
-      FTP, please try to use a site near you.  The mirror sites listed as
-      <quote>Primary Mirror Sites</quote> typically have the entire FreeBSD archive (all
-      the currently available versions for each of the architectures) but
-      you will probably have faster download times from a site that is
-      in your country or region.  The regional sites carry the most recent
-      versions for the most popular architecture(s) but might not carry
-      the entire FreeBSD archive.  All sites provide access via anonymous
-      FTP but some sites also provide access via other methods.  The access
-      methods available for each site are provided in parentheses
-      after the hostname.</para>
-
-    &chap.mirrors.ftp.index.inc;
-
-    &chap.mirrors.lastmod.inc;
-
-    &chap.mirrors.ftp.inc;
-  </sect1>
-
-    <sect1 xml:id="anoncvs">
-      <title>Anonymous CVS</title>
-
-      <sect2 xml:id="anoncvs-intro">
-	<title>anoncvs 簡介</title>
-
-	<indexterm>
-	  <primary>CVS</primary>
-	  <secondary>anonymous</secondary>
-	</indexterm>
-
-	<para>Anonymous CVS (or, as it is otherwise known,
-	  <emphasis>anoncvs</emphasis>) is a feature provided by the CVS
-	  utilities bundled with FreeBSD for synchronizing with a remote
-	  CVS repository.  Among other things, it allows users of FreeBSD
-	  to perform, with no special privileges, read-only CVS operations
-	  against one of the FreeBSD project's official anoncvs servers.
-	  To use it, one simply sets the <envar>CVSROOT</envar>
-	  environment variable to point at the appropriate anoncvs server,
-	  provides the well-known password <quote>anoncvs</quote> with the
-	  <command>cvs login</command> command, and then uses the
-	  &man.cvs.1; command to access it like any local
-	  repository.</para>
-
-	<note>
-	  <para>The <command>cvs login</command> command, stores the passwords
-	    that are used for authenticating to the CVS server in a file
-	    called <filename>.cvspass</filename> in your
-	    <envar>HOME</envar> directory.  If this file does not exist,
-	    you might get an error when trying to use <command>cvs
-	    login</command> for the first time.  Just make an empty
-	    <filename>.cvspass</filename> file, and retry to login.</para>
-	</note>
-
-	<para>While it can also be said that the <link linkend="cvsup">CVSup</link> and <emphasis>anoncvs</emphasis>
-	  services both perform essentially the same function, there are
-	  various trade-offs which can influence the user's choice of
-	  synchronization methods.  In a nutshell,
-	  <application>CVSup</application> is much more efficient in its
-	  usage of network resources and is by far the most technically
-	  sophisticated of the two, but at a price.  To use
-	  <application>CVSup</application>, a special client must first be
-	  installed and configured before any bits can be grabbed, and
-	  then only in the fairly large chunks which
-	  <application>CVSup</application> calls
-	  <emphasis>collections</emphasis>.</para>
-
-	<para><application>Anoncvs</application>, by contrast, can be used
-	  to examine anything from an individual file to a specific
-	  program (like <command>ls</command> or <command>grep</command>)
-	  by referencing the CVS module name.  Of course,
-	  <application>anoncvs</application> is also only good for
-	  read-only operations on the CVS repository, so if it is your
-	  intention to support local development in one repository shared
-	  with the FreeBSD project bits then
-	  <application>CVSup</application> is really your only
-	  option.</para>
-      </sect2>
-
-      <sect2 xml:id="anoncvs-usage">
-	<title>Using Anonymous CVS</title>
-
-	<para>Configuring &man.cvs.1; to use an Anonymous CVS repository
-	  is a simple matter of setting the <envar>CVSROOT</envar>
-	  environment variable to point to one of the FreeBSD project's
-	  <emphasis>anoncvs</emphasis> servers.  At the time of this
-	  writing, the following servers are available:</para>
-
-	<itemizedlist>
-	  <listitem>
-	    <para><emphasis>Austria(奧地利)</emphasis>:
-	      :pserver:anoncvs@anoncvs.at.FreeBSD.org:/home/ncvs
-	      (Use <command>cvs login</command> and enter any
-	      password when prompted.)</para>
-	  </listitem>
-	  <listitem>
-	    <para><emphasis>France(法國)</emphasis>:
-	      :pserver:anoncvs@anoncvs.fr.FreeBSD.org:/home/ncvs
-	      (pserver (password <quote>anoncvs</quote>), ssh (no password))
-	    </para>
-	  </listitem>
-	  <listitem>
-	    <para><emphasis>Germany(德國)</emphasis>:
-	      :pserver:anoncvs@anoncvs.de.FreeBSD.org:/home/ncvs
-	      (Use <command>cvs login</command> and enter the password
-	      <quote>anoncvs</quote> when prompted.)</para>
-	  </listitem>
-	  <listitem>
-	    <para><emphasis>Germany(德國)</emphasis>:
-	      :pserver:anoncvs@anoncvs2.de.FreeBSD.org:/home/ncvs
-	      (rsh, pserver, ssh, ssh/2022)
-	      </para>
-	  </listitem>
-	  <listitem>
-	    <para><emphasis>Japan(日本)</emphasis>:
-	      :pserver:anoncvs@anoncvs.jp.FreeBSD.org:/home/ncvs
-	      (Use <command>cvs login</command> and enter the password
-	      <quote>anoncvs</quote> when prompted.)</para>
-	  </listitem>
-	  <listitem>
-	    <para><emphasis>USA(美國)</emphasis>:
-	      freebsdanoncvs@anoncvs.FreeBSD.org:/home/ncvs
-	      (ssh only - no password)</para>
-
-	    <programlisting>SSH HostKey: 1024 a1:e7:46:de:fb:56:ef:05:bc:73:aa:91:09:da:f7:f4 root@sanmateo.ecn.purdue.edu
-SSH2 HostKey: 1024 52:02:38:1a:2f:a8:71:d3:f5:83:93:8d:aa:00:6f:65 ssh_host_dsa_key.pub</programlisting>
-
-	  </listitem>
-	  <listitem>
-	    <para><emphasis>USA(美國)</emphasis>:
-	      anoncvs@anoncvs1.FreeBSD.org:/home/ncvs (ssh only - no
-	      password)</para>
-
-	    <programlisting>SSH HostKey: 1024 8b:c4:6f:9a:7e:65:8a:eb:50:50:29:7c:a1:47:03:bc root@ender.liquidneon.com
-SSH2 HostKey: 2048 4d:59:19:7b:ea:9b:76:0b:ca:ee:da:26:e2:3a:83:b8 ssh_host_dsa_key.pub</programlisting>
-
-	  </listitem>
-	</itemizedlist>
-
-	<para>Since CVS allows one to <quote>check out</quote> virtually
-	  any version of the FreeBSD sources that ever existed (or, in
-	  some cases, will exist), you need to be
-	  familiar with the revision (<option>-r</option>) flag to
-	  &man.cvs.1; and what some of the permissible values for it in
-	  the FreeBSD Project repository are.</para>
-
-	<para>There are two kinds of tags, revision tags and branch tags.
-	  A revision tag refers to a specific revision.  Its meaning stays
-	  the same from day to day.  A branch tag, on the other hand,
-	  refers to the latest revision on a given line of development, at
-	  any given time.  Because a branch tag does not refer to a
-	  specific revision, it may mean something different tomorrow than
-	  it means today.</para>
-
-	<para><xref linkend="cvs-tags"/> contains revision tags that users
- 	  might be interested
-	  in.  Again, none of these are valid for the Ports Collection
-	  since the Ports Collection does not have multiple
-	  revisions.</para>
-
-	<para>When you specify a branch tag, you normally receive the
-	  latest versions of the files on that line of development.  If
-	  you wish to receive some past version, you can do so by
-	  specifying a date with the <option>-D date</option> flag.
-	  See the &man.cvs.1; manual page for more details.</para>
-      </sect2>
-
-      <sect2>
-	<title>Examples</title>
-
-	<para>While it really is recommended that you read the manual page
-	  for &man.cvs.1; thoroughly before doing anything, here are some
-	  quick examples which essentially show how to use Anonymous
-	  CVS:</para>
-
-	<example>
-	  <title>Checking Out Something from -CURRENT (&man.ls.1;):</title>
-
-	  <screen>&prompt.user; <userinput>setenv CVSROOT :pserver:anoncvs@anoncvs.jp.FreeBSD.org:/home/ncvs</userinput>
-&prompt.user; <userinput>cvs login</userinput>
-<emphasis>At the prompt, enter the password</emphasis> <quote>anoncvs</quote>.
-&prompt.user; <userinput>cvs co ls</userinput>
-	  </screen>
-	</example>
-
-	<example>
-	  <title>Using SSH to check out the <filename>src/</filename>
-	    tree:</title>
-	  <screen>&prompt.user; <userinput>cvs -d freebsdanoncvs@anoncvs.FreeBSD.org:/home/ncvs co src</userinput>
-The authenticity of host 'anoncvs.freebsd.org (128.46.156.46)' can't be established.
-DSA key fingerprint is 52:02:38:1a:2f:a8:71:d3:f5:83:93:8d:aa:00:6f:65.
-Are you sure you want to continue connecting (yes/no)? <userinput>yes</userinput>
-Warning: Permanently added 'anoncvs.freebsd.org' (DSA) to the list of known hosts.</screen>
-	</example>
-
-	<example>
-	  <title>Checking Out the Version of &man.ls.1; in the 6-STABLE
-	    Branch:</title>
-
-	  <screen>&prompt.user; <userinput>setenv CVSROOT :pserver:anoncvs@anoncvs.jp.FreeBSD.org:/home/ncvs</userinput>
-&prompt.user; <userinput>cvs login</userinput>
-<emphasis>At the prompt, enter the password</emphasis> <quote>anoncvs</quote>.
-&prompt.user; <userinput>cvs co -rRELENG_6 ls</userinput>
-	  </screen>
-	</example>
-
-	<example>
-	  <title>Creating a List of Changes (as Unified Diffs) to &man.ls.1;</title>
-
-	  <screen>&prompt.user; <userinput>setenv CVSROOT :pserver:anoncvs@anoncvs.jp.FreeBSD.org:/home/ncvs</userinput>
-&prompt.user; <userinput>cvs login</userinput>
-<emphasis>At the prompt, enter the password</emphasis> <quote>anoncvs</quote>.
-&prompt.user; <userinput>cvs rdiff -u -rRELENG_5_3_0_RELEASE -rRELENG_5_4_0_RELEASE ls</userinput>
-	  </screen>
-	</example>
-
-	<example>
-	  <title>Finding Out What Other Module Names Can Be Used:</title>
-
-	  <screen>&prompt.user; <userinput>setenv CVSROOT :pserver:anoncvs@anoncvs.jp.FreeBSD.org:/home/ncvs</userinput>
-&prompt.user; <userinput>cvs login</userinput>
-<emphasis>At the prompt, enter the password</emphasis> <quote>anoncvs</quote>.
-&prompt.user; <userinput>cvs co modules</userinput>
-&prompt.user; <userinput>more modules/modules</userinput>
-	  </screen>
-	</example>
-      </sect2>
-
-      <sect2>
-	<title>Other Resources</title>
-
-	<para>The following additional resources may be helpful in learning
-	  CVS:</para>
-
-	<itemizedlist>
-	  <listitem>
-	    <para><link xlink:href="http://www.csc.calpoly.edu/~dbutler/tutorials/winter96/cvs/">CVS Tutorial</link> from Cal Poly.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para><link xlink:href="http://ximbiot.com/cvs/wiki/">CVS Home</link>,
-	      the CVS development and support community.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para><link xlink:href="http://www.FreeBSD.org/cgi/cvsweb.cgi">CVSweb</link> is
-	      the FreeBSD Project web interface for CVS.</para>
-	  </listitem>
-	</itemizedlist>
-      </sect2>
-    </sect1>
-
-
-  <sect1 xml:id="ctm">
-    <title>Using CTM</title>
-
-      <indexterm>
-	<primary>CTM</primary>
-      </indexterm>
-
-      <para><application>CTM</application> is a method for keeping a
-	remote directory tree in sync with a central one.  It has been
-	developed for usage with FreeBSD's source trees, though other
-	people may find it useful for other purposes as time goes by.
-	Little, if any, documentation currently exists at this time on the
-	process of creating deltas, so contact the &a.ctm-users.name; mailing list for more
-	information and if you wish to use <application>CTM</application>
-	for other things.</para>
-
-      <sect2>
-	<title>Why Should I Use <application>CTM</application>?</title>
-
-	<para><application>CTM</application> will give you a local copy of
-	  the FreeBSD source trees.  There are a number of
-	  <quote>flavors</quote> of the tree available.  Whether you wish
-	  to track the entire CVS tree or just one of the branches,
-	  <application>CTM</application> can provide you the information.
-	  If you are an active developer on FreeBSD, but have lousy or
-	  non-existent TCP/IP connectivity, or simply wish to have the
-	  changes automatically sent to you,
-	  <application>CTM</application> was made for you.  You will need
-	  to obtain up to three deltas per day for the most  active
-	  branches.  However, you should consider having them sent by
-	  automatic email.  The sizes of the updates are always kept as
-	  small as possible.  This is typically less than 5K, with an
-	  occasional (one in ten) being 10-50K and every now and then a
-	  large 100K+ or more coming around.</para>
-
-	<para>You will also need to make yourself aware of the various
-	  caveats related to working directly from the development sources
-	  rather than a pre-packaged release.  This is particularly true
-	  if you choose the <quote>current</quote> sources.  It is
-	  recommended that you read <link linkend="current">Staying
-	  current with FreeBSD</link>.</para>
-      </sect2>
-
-      <sect2>
-	<title>What Do I Need to Use
-	  <application>CTM</application>?</title>
-
-	<para>You will need two things: The <application>CTM</application>
-	  program, and the initial deltas to feed it (to get up to
-	  <quote>current</quote> levels).</para>
-
-	<para>The <application>CTM</application> program has been part of
-	  FreeBSD ever since version 2.0 was released, and lives in
-	  <filename>/usr/src/usr.sbin/ctm</filename> if you have a copy
-	  of the source available.</para>
-
-	<para>The <quote>deltas</quote> you feed
-	  <application>CTM</application> can be had two ways, FTP or
-	  email.  If you have general FTP access to the Internet then the
-	  following FTP sites support access to
-	  <application>CTM</application>:</para>
-
-	<para><uri xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CTM/">ftp://ftp.FreeBSD.org/pub/FreeBSD/CTM/</uri></para>
-
-	<para>or see section <link linkend="mirrors-ctm">mirrors</link>.</para>
-
-	<para>FTP the relevant directory and fetch the
-	  <filename>README</filename> file, starting from there.</para>
-
-	<para>If you wish to get your deltas via email:</para>
-
-	<para>Subscribe to one of the
-	  <application>CTM</application> distribution lists.
-	  &a.ctm-cvs-cur.name; supports the entire CVS tree.
-	  &a.ctm-src-cur.name; supports the head of the development
-	  branch.  &a.ctm-src-4.name; supports the 4.X release
-	  branch, etc..  (If you do not know how to subscribe yourself
-	  to a list, click on the list name above or go to
-	  &a.mailman.lists.link; and click on the list that you
-	  wish to subscribe to.  The list page should contain all of
-	  the necessary subscription instructions.)</para>
-
-	<para>When you begin receiving your <application>CTM</application>
-	  updates in the mail, you may use the
-	  <command>ctm_rmail</command> program to unpack and apply them.
-	  You can actually use the <command>ctm_rmail</command> program
-	  directly from a entry in <filename>/etc/aliases</filename> if
-	  you want to have the process run in a fully automated fashion.
-	  Check the <command>ctm_rmail</command> manual page for more
-	  details.</para>
-
-	<note>
-	  <para>No matter what method you use to get the
-	    <application>CTM</application> deltas, you should subscribe to
-	    the &a.ctm-announce.name; mailing list.  In
-	    the future, this will be the only place where announcements
-	    concerning the operations of the
-	    <application>CTM</application> system will be posted.  Click
-	    on the list name above and follow the instructions
-	    to subscribe to the
-	    list.</para>
-	</note>
-      </sect2>
-
-      <sect2>
-	<title>Using <application>CTM</application> for the First
-	  Time</title>
-
-	<para>Before you can start using <application>CTM</application>
-	  deltas, you will need to get to a starting point for the deltas
-	  produced subsequently to it.</para>
-
-	<para>First you should determine what you already have.  Everyone
-	  can start from an <quote>empty</quote> directory.  You must use
-	  an initial <quote>Empty</quote> delta to start off your
-	  <application>CTM</application> supported tree.  At some point it
-	  is intended that one of these <quote>started</quote> deltas be
-	  distributed on the CD for your convenience, however, this does
-	  not currently happen.</para>
-
-	<para>Since the trees are many tens of megabytes, you should
-	  prefer to start from something already at hand.  If you have a
-	  -RELEASE CD, you can copy or extract an initial source from it.
-	  This will save a significant transfer of data.</para>
-
-	<para>You can recognize these <quote>starter</quote> deltas by the
-	  <literal>X</literal> appended to the number
-	  (<filename>src-cur.3210XEmpty.gz</filename> for instance).  The
-	  designation following the <literal>X</literal> corresponds to
-	  the origin of your initial <quote>seed</quote>.
-	  <filename>Empty</filename> is an empty directory.  As a rule a
-	  base transition from <literal>Empty</literal> is produced
-	  every 100 deltas.  By the way, they are large! 70 to 80
-	  Megabytes of <command>gzip</command>'d data is common for the
-	  <filename>XEmpty</filename> deltas.</para>
-
-	<para>Once you have picked a base delta to start from, you will also
-	  need all deltas with higher numbers following it.</para>
-      </sect2>
-
-      <sect2>
-	<title>Using <application>CTM</application> in Your Daily
-	  Life</title>
-
-	<para>To apply the deltas, simply say:</para>
-
-	<screen>&prompt.root; <userinput>cd /where/ever/you/want/the/stuff</userinput>
-&prompt.root; <userinput>ctm -v -v /where/you/store/your/deltas/src-xxx.*</userinput></screen>
-
-	<para><application>CTM</application> understands deltas which have
-	  been put through <command>gzip</command>, so you do not need to
-	  <command>gunzip</command> them first, this saves disk space.</para>
-
-	<para>Unless it feels very secure about the entire process,
-	  <application>CTM</application> will not touch your tree.  To
-	  verify a delta you can also use the <option>-c</option> flag and
-	  <application>CTM</application> will not actually touch your
-	  tree; it will merely verify the integrity of the delta and see
-	  if it would apply cleanly to your current tree.</para>
-
-	<para>There are other options to <application>CTM</application>
-	  as well, see the manual pages or look in the sources for more
-	  information.</para>
-
-	<para>That is really all there is to it.  Every time you get a new
-	  delta, just run it through <application>CTM</application> to
-	  keep your sources up to date.</para>
-
-	<para>Do not remove the deltas if they are hard to download again.
-	  You just might want to keep them around in case something bad
-	  happens.  Even if you only have floppy disks, consider using
-	  <command>fdwrite</command> to make a copy.</para>
-      </sect2>
-
-      <sect2>
-	<title>Keeping Your Local Changes</title>
-
-	<para>As a developer one would like to experiment with and change
-	  files in the source tree.  <application>CTM</application>
-	  supports local modifications in a limited way: before checking
-	  for the presence of a file <filename>foo</filename>, it first
-	  looks for <filename>foo.ctm</filename>.  If this file exists,
-	  <application>CTM</application> will operate on it instead of
-	  <filename>foo</filename>.</para>
-
-	<para>This behavior gives us a simple way to maintain local
-	  changes:  simply copy the files you plan to modify to the
-	  corresponding file names with a <filename>.ctm</filename>
-	  suffix.  Then you can freely hack  the code, while <application>CTM</application> keeps the
-	  <filename>.ctm</filename> file up-to-date.</para>
-      </sect2>
-
-      <sect2>
-	<title>Other Interesting <application>CTM</application> Options</title>
-
-	<sect3>
-	  <title>Finding Out Exactly What Would Be Touched by an
-	    Update</title>
-
-	  <para>You can determine the list of changes that
-	    <application>CTM</application> will make on your source
-	    repository using the <option>-l</option> option to
-	    <application>CTM</application>.</para>
-
-	  <para>This is useful if you would like to keep logs of the
-	    changes, pre- or post- process the modified files in any
-	    manner, or just are feeling a tad paranoid.</para>
-	</sect3>
-
-	<sect3>
-	  <title>Making Backups Before Updating</title>
-
-	  <para>Sometimes you may want to backup all the files that would
-	    be changed by a <application>CTM</application> update.</para>
-
-	  <para>Specifying the <option>-B backup-file</option> option
-	    causes <application>CTM</application> to backup all files that
-	    would be touched by a given <application>CTM</application>
-	    delta to <filename>backup-file</filename>.</para>
-	</sect3>
-
-	<sect3>
-	  <title>Restricting the Files Touched by an Update</title>
-
-	  <para>Sometimes you would be interested in restricting the scope
-	    of a given <application>CTM</application> update, or may be
-	    interested in extracting just a few files from a sequence of
-	    deltas.</para>
-
-	  <para>You can control the list of files that
-	    <application>CTM</application> would operate on by specifying
-	    filtering regular expressions using the <option>-e</option>
-	    and <option>-x</option> options.</para>
-
-	  <para>For example, to extract an up-to-date copy of
-	    <filename>lib/libc/Makefile</filename> from your collection of
-	    saved <application>CTM</application> deltas, run the commands:</para>
-
-	  <screen>&prompt.root; <userinput>cd /where/ever/you/want/to/extract/it/</userinput>
-&prompt.root; <userinput>ctm -e '^lib/libc/Makefile' ~ctm/src-xxx.*</userinput></screen>
-
-	  <para>For every file specified in a
-	    <application>CTM</application> delta, the <option>-e</option>
-	    and <option>-x</option> options are applied in the order given
-	    on the command line.  The file is processed by
-	    <application>CTM</application> only if it is marked as
-	    eligible after all the <option>-e</option> and
-	    <option>-x</option> options are applied to it.</para>
-	</sect3>
-      </sect2>
-
-      <sect2>
-	<title>Future Plans for <application>CTM</application></title>
-
-	<para>Tons of them:</para>
-
-	<itemizedlist>
-	  <listitem>
-	    <para>Use some kind of authentication into the <application>CTM</application> system, so
-	      as to allow detection of spoofed <application>CTM</application> updates.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Clean up the options to <application>CTM</application>,
-	      they became confusing and counter intuitive.</para>
-	  </listitem>
-	</itemizedlist>
-      </sect2>
-
-      <sect2>
-	<title>Miscellaneous Stuff</title>
-
-	<para>There is a sequence of deltas for the
-	  <literal>ports</literal> collection too, but interest has not
-	  been all that high yet.</para>
-      </sect2>
-
-    <sect2 xml:id="mirrors-ctm">
-      <title>CTM Mirrors</title>
-
-    <para><link linkend="ctm">CTM</link>/FreeBSD is available via anonymous
-      FTP from the following mirror sites.  If you choose to obtain <application>CTM</application> via
-      anonymous FTP, please try to use a site near you.</para>
-
-    <para>In case of problems, please contact the &a.ctm-users.name;
-      mailing list.</para>
-
-    <variablelist>
-      <varlistentry>
-	<term>California, Bay Area, official source</term>
-
-	<listitem>
-	  <itemizedlist>
-	    <listitem>
-	      <para><uri xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/development/CTM/">ftp://ftp.FreeBSD.org/pub/FreeBSD/development/CTM/</uri></para>
-	    </listitem>
-	  </itemizedlist>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>South Africa, backup server for old deltas</term>
-
-	<listitem>
-	  <itemizedlist>
-	    <listitem>
-	      <para><uri xlink:href="ftp://ftp.za.FreeBSD.org/pub/FreeBSD/CTM/">ftp://ftp.za.FreeBSD.org/pub/FreeBSD/CTM/</uri></para>
-	    </listitem>
-	  </itemizedlist>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>Taiwan/R.O.C.(台灣/中華民國)</term>
-
-	<listitem>
-	  <itemizedlist>
-	    <listitem>
-	      <para><uri xlink:href="ftp://ctm.tw.FreeBSD.org/pub/FreeBSD/development/CTM/">ftp://ctm.tw.FreeBSD.org/pub/FreeBSD/development/CTM/</uri></para>
-	    </listitem>
-
-	    <listitem>
-	      <para><uri xlink:href="ftp://ctm2.tw.FreeBSD.org/pub/FreeBSD/development/CTM/">ftp://ctm2.tw.FreeBSD.org/pub/FreeBSD/development/CTM/</uri></para>
-	    </listitem>
-
-	    <listitem>
-	      <para><uri xlink:href="ftp://ctm3.tw.FreeBSD.org/pub/FreeBSD/development/CTM/">ftp://ctm3.tw.FreeBSD.org/pub/FreeBSD/development/CTM/</uri></para>
-	    </listitem>
-	  </itemizedlist>
-	</listitem>
-      </varlistentry>
-    </variablelist>
-
-    <para>If you did not find a mirror near to you or the mirror is
-      incomplete, try to use a search engine such as
-      <link xlink:href="http://www.alltheweb.com/">alltheweb</link>.</para>
-  </sect2></sect1>
-
-  <sect1 xml:id="cvsup">
-    <title>Using CVSup</title>
-
-    <sect2 xml:id="cvsup-intro">
-      <title>CVSup 簡介</title>
-
-      <para><application>CVSup</application> is a software package for
-	distributing and updating source trees from a master CVS
-	repository on a remote server host.  The FreeBSD sources are
-	maintained in a CVS repository on a central development machine
-	in California.  With <application>CVSup</application>, FreeBSD
-	users can easily keep their own source trees up to date.</para>
-
-      <para><application>CVSup</application> uses the so-called
-	<emphasis>pull</emphasis> model of updating.  Under the pull
-	model, each client asks the server for updates, if and when they
-	are wanted.  The server waits passively for update requests from
-	its clients.  Thus all updates are instigated by the client.
-	The server never sends unsolicited updates.  Users must either
-	run the <application>CVSup</application> client manually to get
-	an update, or they must set up a <command>cron</command> job to
-	run it automatically on a regular basis.</para>
-
-      <para>The term <application>CVSup</application>, capitalized just
-	so, refers to the entire software package.  Its main components
-	are the client <command>cvsup</command> which runs on each
-	user's machine, and the server <command>cvsupd</command> which
-	runs at each of the FreeBSD mirror sites.</para>
-
-      <para>As you read the FreeBSD documentation and mailing lists, you
-	may see references to <application>sup</application>.
-	<application>Sup</application> was the predecessor of
-	<application>CVSup</application>, and it served a similar
-	purpose.  <application>CVSup</application> is used much in the
-	same way as sup and, in fact, uses configuration files which are
-	backward-compatible with <command>sup</command>'s.
-	<application>Sup</application> is no longer used in the FreeBSD
-	project, because <application>CVSup</application> is both faster
-	and more flexible.</para>
-    </sect2>
-
-    <sect2 xml:id="cvsup-install">
-      <title>Installation</title>
-
-      <para>The easiest way to install <application>CVSup</application>
-	is to use the precompiled <package>net/cvsup</package> package
-	from the FreeBSD <link linkend="ports">packages collection</link>.
-	If you prefer to build <application>CVSup</application> from
-	source, you can use the <package>net/cvsup</package>
-	port instead.  But be forewarned: the
-	<package>net/cvsup</package> port depends on the Modula-3
-	system, which takes a substantial amount of time and
-	disk space to download and build.</para>
-
-	<note>
-	  <para>If you are going to be using
-	  <application>CVSup</application> on a machine which will not have
-	  <application>&xfree86;</application> or <application>&xorg;</application> installed, such as a server, be
-	  sure to use the port which does not include the
-	  <application>CVSup</application> <acronym>GUI</acronym>,
-	  <package>net/cvsup-without-gui</package>.</para>
-	</note>
-    </sect2>
-
-    <sect2 xml:id="cvsup-config">
-      <title>CVSup Configuration</title>
-
-      <para><application>CVSup</application>'s operation is controlled
-	by a configuration file called the <filename>supfile</filename>.
-	There are some sample <filename>supfiles</filename> in the
-	directory <link xlink:href="file://localhost/usr/share/examples/cvsup/"><filename>/usr/share/examples/cvsup/</filename></link>.</para>
-
-      <para>The information in a <filename>supfile</filename> answers
-	the following questions for <application>CVSup</application>:</para>
-
-      <itemizedlist>
-	<listitem>
-	  <para><link linkend="cvsup-config-files">Which files do you
-	      want to receive?</link></para>
-	</listitem>
-
-	<listitem>
-	  <para><link linkend="cvsup-config-vers">Which versions of them
-	      do you want?</link></para>
-	</listitem>
-
-	<listitem>
-	  <para><link linkend="cvsup-config-where">Where do you want to
-	      get them from?</link></para>
-	</listitem>
-
-	<listitem>
-	  <para><link linkend="cvsup-config-dest">Where do you want to
-	      put them on your own machine?</link></para>
-	</listitem>
-
-	<listitem>
-	  <para><link linkend="cvsup-config-status">Where do you want to
-	      put your status files?</link></para>
-	</listitem>
-      </itemizedlist>
-
-      <para>In the following sections, we will construct a typical
-	<filename>supfile</filename> by answering each of these
-	questions in turn.  First, we describe the overall structure of
-	a <filename>supfile</filename>.</para>
-
-      <para>A <filename>supfile</filename> is a text file.  Comments
-	begin with <literal>#</literal> and extend to the end of the
-	line.  Lines that are blank and lines that contain only
-	comments are ignored.</para>
-
-      <para>Each remaining line describes a set of files that the user
-	wishes to receive.  The line begins with the name of a
-	<quote>collection</quote>, a logical grouping of files defined by
-	the server. The name of the collection tells the server which
-	files you want.  After the collection name come zero or more
-	fields, separated by white space.  These fields answer the
-	questions listed above.  There are two types of fields: flag
-	fields and value fields.  A flag field consists of a keyword
-	standing alone, e.g., <literal>delete</literal> or
-	<literal>compress</literal>.  A value field also begins with a
-	keyword, but the keyword is followed without intervening white
-	space by <literal>=</literal> and a second word.  For example,
-	<literal>release=cvs</literal> is a value field.</para>
-
-      <para>A <filename>supfile</filename> typically specifies more than
-	one collection to receive.  One way to structure a
-	<filename>supfile</filename> is to specify all of the relevant
-	fields explicitly for each collection.  However, that tends to
-	make the <filename>supfile</filename> lines quite long, and it
-	is inconvenient because most fields are the same for all of the
-	collections in a <filename>supfile</filename>.
-	<application>CVSup</application> provides a defaulting mechanism
-	to avoid these problems.  Lines beginning with the special
-	pseudo-collection name <literal>*default</literal> can be used
-	to set flags and values which will be used as defaults for the
-	subsequent collections in the <filename>supfile</filename>.  A
-	default value can be overridden for an individual collection, by
-	specifying a different value with the collection itself.
-	Defaults can also be changed or augmented in mid-supfile by
-	additional <literal>*default</literal> lines.</para>
-
-      <para>With this background, we will now proceed to construct a
-	<filename>supfile</filename> for receiving and updating the main
-	source tree of <link linkend="current">FreeBSD-CURRENT</link>.</para>
-
-      <itemizedlist>
-	<listitem>
-	  <para><anchor xml:id="cvsup-config-files"/>Which files do you want
-	    to receive?</para>
-
-	  <para>The files available via <application>CVSup</application>
-	    are organized into named groups called
-	    <quote>collections</quote>.  The collections that are
-	    available are described in the <link linkend="cvsup-collec">following section</link>.  In this
-	    example, we
-	    wish to receive the entire main source tree for the FreeBSD
-	    system.  There is a single large collection
-	    <literal>src-all</literal> which will give us all of that.
-	    As a first step toward constructing our
-	    <filename>supfile</filename>, we
-	    simply list the collections, one per line (in this case,
-	    only one line):</para>
-
-	  <programlisting>src-all</programlisting>
-	</listitem>
-
-	<listitem>
-	  <para><anchor xml:id="cvsup-config-vers"/>Which version(s) of them
-	    do you want?</para>
-
-	  <para>With <application>CVSup</application>, you can receive
-	    virtually any version of the sources that ever existed.
-	    That is possible because the
-	    <application>cvsupd</application> server works directly from
-	    the CVS repository, which contains all of the versions.  You
-	    specify which one of them you want using the
-	    <literal>tag=</literal> and <option>date=</option> value
-	    fields.</para>
-
-	  <warning>
-	    <para>Be very careful to specify any <literal>tag=</literal>
-	      fields correctly.  Some tags are valid only for certain
-	      collections of files.  If you specify an incorrect or
-	      misspelled tag, <application>CVSup</application>
-	      will delete files which you probably
-	      do not want deleted.  In particular, use <emphasis>only
-	      </emphasis> <literal>tag=.</literal> for the
-	      <literal>ports-*</literal> collections.</para>
-	  </warning>
-
-	  <para>The <literal>tag=</literal> field names a symbolic tag
-	    in the repository.  There are two kinds of tags, revision
-	    tags and branch tags.  A revision tag refers to a specific
-	    revision.  Its meaning stays the same from day to day.  A
-	    branch tag, on the other hand, refers to the latest revision
-	    on a given line of development, at any given time.  Because
-	    a branch tag does not refer to a specific revision, it may
-	    mean something different tomorrow than it means
-	    today.</para>
-
-	  <para><xref linkend="cvs-tags"/> contains branch tags that
-	    users might be interested in.  When specifying a tag in
-	    <application>CVSup</application>'s configuration file, it
-	    must be preceded with <literal>tag=</literal>
-	    (<literal>RELENG_4</literal> will become
-	    <literal>tag=RELENG_4</literal>).
-	    Keep in mind that only the <literal>tag=.</literal> is
-	    relevant for the Ports Collection.</para>
-
-	  <warning>
-	    <para>Be very careful to type the tag name exactly as shown.
-	      <application>CVSup</application> cannot distinguish
-	      between valid and invalid tags.  If you misspell the tag,
-	      <application>CVSup</application> will behave as though you
-	      had specified a valid tag which happens to refer to no
-	      files at all.  It will delete your existing sources in
-	      that case.</para>
-	  </warning>
-
-	  <para>When you specify a branch tag, you normally receive the
-	    latest versions of the files on that line of development.
-	    If you wish to receive some past version, you can do so by
-	    specifying a date with the <option>date=</option> value
-	    field. The &man.cvsup.1; manual page explains how to do
-	    that.</para>
-
-	  <para>For our example, we wish to receive FreeBSD-CURRENT.  We
-	    add this line at the beginning of our
-	    <filename>supfile</filename>:</para>
-
-	  <programlisting>*default tag=.</programlisting>
-
-	  <para>There is an important special case that comes into play
-	    if you specify neither a <literal>tag=</literal> field nor a
-	    <literal>date=</literal> field.  In that case, you receive
-	    the actual RCS files directly from the server's CVS
-	    repository, rather than receiving a particular version.
-	    Developers generally prefer this mode of operation.  By
-	    maintaining a copy of the repository itself on their
-	    systems, they gain the ability to browse the revision
-	    histories and examine past versions of files.  This gain is
-	    achieved at a large cost in terms of disk space,
-	    however.</para>
-	</listitem>
-
-	<listitem>
-	  <para><anchor xml:id="cvsup-config-where"/>Where do you want to get
-	    them from?</para>
-
-	  <para>We use the <literal>host=</literal> field to tell
-	    <command>cvsup</command> where to obtain its updates.  Any
-	    of the <link linkend="cvsup-mirrors">CVSup mirror
-	      sites</link> will do, though you should try to select one
-	    that is close to you in cyberspace.  In this example we will
-	    use a fictional FreeBSD distribution site,
-	    <systemitem class="fqdomainname">cvsup99.FreeBSD.org</systemitem>:</para>
-
-	  <programlisting>*default host=cvsup99.FreeBSD.org</programlisting>
-
-	  <para>You will need to change the host to one that actually
-	    exists before running <application>CVSup</application>.
-	    On any particular run of
-	    <command>cvsup</command>, you can override the host  setting
-	    on the command line, with <option>-h
-	      <replaceable>hostname</replaceable></option>.</para>
-	</listitem>
-
-	<listitem>
-	  <para><anchor xml:id="cvsup-config-dest"/>Where do you want to put
-	    them on your own machine?</para>
-
-	  <para>The <literal>prefix=</literal> field tells
-	    <command>cvsup</command> where to put the files it receives.
-	    In this example, we will put the source files directly into
-	    our main source tree, <filename>/usr/src</filename>.  The
-	    <filename>src</filename> directory is already implicit in
-	    the collections we have chosen to receive, so this is the
-	    correct specification:</para>
-
-	  <programlisting>*default prefix=/usr</programlisting>
-	</listitem>
-
-	<listitem>
-	  <para><anchor xml:id="cvsup-config-status"/>Where should
-	    <command>cvsup</command> maintain its status files?</para>
-
-	  <para>The <application>CVSup</application> client maintains
-	    certain status files in what
-	    is called the <quote>base</quote> directory.  These files
-	    help <application>CVSup</application> to work more
-	    efficiently, by keeping track of which updates you have
-	    already received.  We will use the standard base directory,
-	    <filename>/var/db</filename>:</para>
-
-	  <programlisting>*default base=/var/db</programlisting>
-
-	  <para>If your base directory does not already exist, now would
-	    be a good time to create it.  The <command>cvsup</command>
-	    client will refuse to run if the base directory does not
-	    exist.</para>
-	</listitem>
-
-	<listitem>
-	  <para>Miscellaneous <filename>supfile</filename>
-	    settings:</para>
-
-	  <para>There is one more line of boiler plate that normally
-	    needs to be present in the
-	    <filename>supfile</filename>:</para>
-
-	  <programlisting>*default release=cvs delete use-rel-suffix compress</programlisting>
-
-	  <para><literal>release=cvs</literal> indicates that the server
-	    should get its information out of the main FreeBSD CVS
-	    repository.  This is virtually always the case, but there
-	    are other possibilities which are beyond the scope of this
-	    discussion.</para>
-
-	  <para><literal>delete</literal> gives
-	    <application>CVSup</application> permission to delete files.
-	    You should always specify this, so that
-	    <application>CVSup</application> can keep your source tree
-	    fully up-to-date.  <application>CVSup</application> is
-	    careful to delete only those files for which it is
-	    responsible.  Any extra files you happen to have will be
-	    left strictly alone.</para>
-
-	  <para><literal>use-rel-suffix</literal> is ... arcane.  If you
-	    really want to know about it, see the &man.cvsup.1; manual
-	    page.  Otherwise, just specify it and do not worry about
-	    it.</para>
-
-	  <para><literal>compress</literal> enables the use of
-	    gzip-style compression on the communication channel.  If
-	    your network link is T1 speed or faster, you probably should
-	    not use compression.  Otherwise, it helps
-	    substantially.</para>
-	</listitem>
-
-	<listitem>
-	  <para>Putting it all together:</para>
-
-	  <para>Here is the entire <filename>supfile</filename> for our
-	    example:</para>
-
-	  <programlisting>*default tag=.
-*default host=cvsup99.FreeBSD.org
-*default prefix=/usr
-*default base=/var/db
-*default release=cvs delete use-rel-suffix compress
-
-src-all</programlisting>
-	</listitem>
-      </itemizedlist>
-      <sect3 xml:id="cvsup-refuse-file">
-       <title>The <filename>refuse</filename> File</title>
-
-       <para>As mentioned above, <application>CVSup</application> uses
-       a <emphasis>pull method</emphasis>. Basically, this means that
-       you connect to the <application>CVSup</application> server, and
-       it says, <quote>Here is what you can download from
-       me...</quote>, and your client responds <quote>OK, I will take
-       this, this, this, and this.</quote> In the default
-       configuration, the <application>CVSup</application> client will
-       take every file associated with the collection and tag you
-       chose in the configuration file. However, this is not always
-       what you want, especially if you are synching the <filename>doc</filename>, <filename>ports</filename>, or
-       <filename>www</filename> trees &mdash; most people cannot read four or five
-       languages, and therefore they do not need to download the
-       language-specific files. If you are
-       <application>CVSup</application>ing the Ports Collection, you
-       can get around this by specifying each collection individually
-       (e.g., <emphasis>ports-astrology</emphasis>,
-       <emphasis>ports-biology</emphasis>, etc instead of simply
-       saying <emphasis>ports-all</emphasis>). However, since the <filename>doc</filename>
-       and <filename>www</filename> trees do not have language-specific collections, you
-       must use one of <application>CVSup</application>'s many nifty
-       features: the <filename>refuse</filename> file.</para>
-
-       <para>The <filename>refuse</filename> file essentially tells
-       <application>CVSup</application> that it should not take every
-       single file from a collection; in other words, it tells the
-       client to <emphasis>refuse</emphasis> certain files from the
-       server. The <filename>refuse</filename> file can be found (or, if you do not yet
-       have one, should be placed) in
-       <filename>base/sup/</filename>.
-       <replaceable>base</replaceable> is defined in your <filename>supfile</filename>;
-       our defined <replaceable>base</replaceable> is
-       <filename>/var/db</filename>,
-       which means that by default the <filename>refuse</filename> file is
-       <filename>/var/db/sup/refuse</filename>.</para>
-
-       <para>The <filename>refuse</filename> file has a very simple format; it simply
-       contains the names of files or directories that you do not wish
-       to download.  For example, if you cannot speak any languages other
-       than English and some German, and you do not feel the need to read
-       the German translation of documentation, you can put the following in your
-       <filename>refuse</filename> file:</para>
-
-       <screen>doc/bn_*
-doc/da_*
-doc/de_*
-doc/el_*
-doc/es_*
-doc/fr_*
-doc/it_*
-doc/ja_*
-doc/nl_*
-doc/no_*
-doc/pl_*
-doc/pt_*
-doc/ru_*
-doc/sr_*
-doc/tr_*
-doc/zh_*</screen>
-
-       <para>and so forth for the other languages (you can find the
-       full list by browsing the <link xlink:href="http://www.FreeBSD.org/cgi/cvsweb.cgi/">FreeBSD
-       CVS repository</link>).</para>
-
-       <para>With this very useful feature, those users who are on
-       slow links or pay by the minute for their Internet connection
-       will be able to save valuable time as they will no longer need
-       to download files that they will never use. For more
-       information on <filename>refuse</filename> files and other neat
-       features of <application>CVSup</application>, please view its
-       manual page.</para>
-      </sect3>
-    </sect2>
-
-    <sect2>
-      <title>Running <application>CVSup</application></title>
-
-      <para>You are now ready to try an update.  The command line for
-	doing this is quite simple:</para>
-
-      <screen>&prompt.root; <userinput>cvsup supfile</userinput></screen>
-
-      <para>where <filename>supfile</filename>
-	is of course the name of the <filename>supfile</filename> you have just created.
-	Assuming you are running under X11, <command>cvsup</command>
-	will display a GUI window with some buttons to do the usual
-	things.  Press the <guibutton>go</guibutton> button, and watch it
-	run.</para>
-
-      <para>Since you are updating your actual
-	<filename>/usr/src</filename> tree in this example, you will
-	need to run the program as <systemitem class="username">root</systemitem> so that
-	<command>cvsup</command> has the permissions it needs to update
-	your files.  Having just created your configuration file, and
-	having never used this program before, that might
-	understandably make you nervous. There is an easy way to do a
-	trial run without touching your precious files.  Just create an
-	empty directory somewhere convenient, and name it as an extra
-	argument on the command line:</para>
-
-      <screen>&prompt.root; <userinput>mkdir /var/tmp/dest</userinput>
-&prompt.root; <userinput>cvsup supfile /var/tmp/dest</userinput></screen>
-
-      <para>The directory you specify will be used as the destination
-	directory for all file updates.
-	<application>CVSup</application> will examine your usual files
-	in <filename>/usr/src</filename>, but it will not modify or
-	delete any of them.  Any file updates will instead land in
-	<filename>/var/tmp/dest/usr/src</filename>.
-	<application>CVSup</application> will also leave its base
-	directory status files untouched when run this way.  The new
-	versions of those files will be written into the specified
-	directory.  As long as you have read access to
-	<filename>/usr/src</filename>, you do not even need to be
-	<systemitem class="username">root</systemitem> to perform this kind of trial run.</para>
-
-      <para>If you are not running X11 or if you just do not like GUIs,
-	you should add a couple of options to the command line when you
-	run <command>cvsup</command>:</para>
-
-      <screen>&prompt.root; <userinput>cvsup -g -L 2 supfile</userinput></screen>
-
-      <para>The <option>-g</option> tells
-	<application>CVSup</application> not to use its GUI.  This is
-	automatic if you are not running X11, but otherwise you have to
-	specify it.</para>
-
-      <para>The <option>-L 2</option> tells
-	<application>CVSup</application> to print out the
-	details of all the file updates it is doing.  There are three
-	levels of verbosity, from <option>-L 0</option> to
-	<option>-L 2</option>.  The default is 0, which means total
-	silence except for error messages.</para>
-
-      <para>There are plenty of other options available.  For a brief
-	list of them, type <command>cvsup -H</command>.  For more
-	detailed descriptions, see the manual page.</para>
-
-      <para>Once you are satisfied with the way updates are working, you
-	can arrange for regular runs of <application>CVSup</application>
-	using &man.cron.8;.
-	Obviously, you should not let <application>CVSup</application>
-	use its GUI when running it from &man.cron.8;.</para>
-    </sect2>
-
-    <sect2 xml:id="cvsup-collec">
-      <title><application>CVSup</application> File Collections</title>
-
-      <para>The file collections available via
-	<application>CVSup</application> are organized hierarchically.
-	There are a few large collections, and they are divided into
-	smaller sub-collections.  Receiving a large collection is
-	equivalent to receiving each of its sub-collections.  The
-	hierarchical relationships among collections are reflected by
-	the use of indentation in the list below.</para>
-
-      <para>The most commonly used collections are
-	<literal>src-all</literal>, and
-	<literal>ports-all</literal>.  The other collections are used
-	only by small groups of people for specialized purposes, and
-	some mirror sites may not carry all of them.</para>
+-->
 
-      <variablelist>
-	<varlistentry>
-	  <term><literal>cvs-all release=cvs</literal></term>
-
-	  <listitem>
-	    <para>The main FreeBSD CVS repository, including the
-	      cryptography code.</para>
-
-	    <variablelist>
-	      <varlistentry>
-		<term><literal>distrib release=cvs</literal></term>
-
-		<listitem>
-		  <para>Files related to the distribution and mirroring
-		    of FreeBSD.</para>
-		</listitem>
-	      </varlistentry>
-
-	      <varlistentry>
-		<term><literal>doc-all release=cvs</literal></term>
-		<listitem>
-		  <para>Sources for the FreeBSD Handbook and other
-		    documentation.  This does not include files for
-		    the FreeBSD web site.</para>
-		</listitem>
-	      </varlistentry>
-
-	      <varlistentry>
-		<term><literal>ports-all release=cvs</literal></term>
-
-		<listitem>
-		  <para>The FreeBSD Ports Collection.</para>
-
-		  <important xml:id="cvsup-collec-pbase-warn">
-		    <para>If you do not want to update the whole of
-		      <literal>ports-all</literal> (the whole ports tree),
-		      but use one of the subcollections listed below,
-		      make sure that you <emphasis>always</emphasis> update
-		      the <literal>ports-base</literal> subcollection!
-		      Whenever something changes in the ports build
-		      infrastructure represented by
-		      <literal>ports-base</literal>, it is virtually certain
-		      that those changes will be used by <quote>real</quote>
-		      ports real soon.  Thus, if you only update the
-		      <quote>real</quote> ports and they use some of the new
-		      features, there is a very high chance that their build
-		      will fail with some mysterious error message.  The
-		      <emphasis>very first</emphasis> thing to do in this
-		      case is to make sure that your
-		      <literal>ports-base</literal> subcollection is up to
-		      date.</para>
-		  </important>
-
-		  <important xml:id="cvsup-collec-index-warn">
-		    <para>If you are going to be building your own local
-		      copy of <filename>ports/INDEX</filename>, you
-		      <emphasis>must</emphasis> accept
-		      <literal>ports-all</literal> (the whole ports tree).
-		      Building <filename>ports/INDEX</filename> with
-		      a partial tree is not supported.  See the
-		      <link xlink:href="&url.books.faq;/applications.html#MAKE-INDEX">
-		      FAQ</link>.</para>
-		  </important>
-
-		  <variablelist>
-		    <varlistentry>
-		      <term><literal>ports-accessibility
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Software to help disabled users.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-arabic
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Arabic language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-archivers
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Archiving tools.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-astro
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Astronomical ports.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-audio
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Sound support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-base
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>The Ports Collection build infrastructure -
-			  various files located in the
-			  <filename>Mk/</filename> and
-			  <filename>Tools/</filename> subdirectories of
-			  <filename>/usr/ports</filename>.</para>
-
-			<note>
-			  <para>Please see the <link linkend="cvsup-collec-pbase-warn">important
-			    warning above</link>: you should
-			    <emphasis>always</emphasis> update this
-			    subcollection, whenever you update any part of
-			    the FreeBSD Ports Collection!</para>
-			</note>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-benchmarks
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Benchmarks.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-biology
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Biology.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-cad
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Computer aided design tools.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-chinese
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Chinese language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-comms
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Communication software.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-converters
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>character code converters.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-databases
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Databases.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-deskutils
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Things that used to be on the desktop
-			  before computers were invented.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-devel
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Development utilities.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-dns
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>DNS related software.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-editors
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Editors.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-emulators
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Emulators for other operating
-			  systems.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-finance
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Monetary, financial and related applications.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-ftp
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>FTP client and server utilities.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-games
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Games.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-german
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>German language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-graphics
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Graphics utilities.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-hebrew
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Hebrew language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-hungarian
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Hungarian language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-irc
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Internet Relay Chat utilities.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-japanese
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Japanese language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-java
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>&java; utilities.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-korean
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Korean language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-lang
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Programming languages.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-mail
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Mail software.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-math
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Numerical computation software.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-mbone
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>MBone applications.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-misc
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Miscellaneous utilities.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-multimedia
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Multimedia software.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-net
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Networking software.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-net-im
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Instant messaging software.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-net-mgmt
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Network management software.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-net-p2p
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Peer to peer networking.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-news
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>USENET news software.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-palm
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Software support for <trademark class="trade">Palm</trademark>
-			  series.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-polish
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Polish language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-portuguese
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Portuguese language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-print
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Printing software.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-russian
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Russian language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-science
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Science.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-security
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Security utilities.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-shells
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Command line shells.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-sysutils
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>System utilities.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-textproc
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>text processing utilities (does not
-			  include desktop publishing).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-ukrainian
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Ukrainian language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-vietnamese
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Vietnamese language support.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-www
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Software related to the World Wide
-			  Web.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-x11
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Ports to support the X window
-			  system.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-x11-clocks
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>X11 clocks.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-x11-fm
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>X11 file managers.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-x11-fonts
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>X11 fonts and font utilities.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-x11-toolkits
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>X11 toolkits.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-x11-servers
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>X11 servers.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-x11-themes
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>X11 themes.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>ports-x11-wm
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>X11 window managers.</para>
-		      </listitem>
-		    </varlistentry>
-		  </variablelist>
-		</listitem>
-	      </varlistentry>
-
-	      <varlistentry>
-		<term><literal>projects-all release=cvs</literal></term>
-		<listitem>
-		  <para>Sources for the FreeBSD projects repository.</para>
-		</listitem>
-	      </varlistentry>
-
-	      <varlistentry>
-		<term><literal>src-all release=cvs</literal></term>
-
-		<listitem>
-		  <para>The main FreeBSD sources, including the
-		    cryptography code.</para>
-
-		  <variablelist>
-		    <varlistentry>
-		      <term><literal>src-base
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Miscellaneous files at the top of
-			  <filename>/usr/src</filename>.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-bin
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>User utilities that may be needed in
-			  single-user mode
-			  (<filename>/usr/src/bin</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-contrib
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Utilities and libraries from outside the
-			  FreeBSD project, used relatively unmodified
-			  (<filename>/usr/src/contrib</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-crypto release=cvs</literal></term>
-
-		      <listitem>
-			<para>Cryptography utilities and libraries from
-			  outside the FreeBSD project, used relatively
-			  unmodified
-			  (<filename>/usr/src/crypto</filename>).</para>
-			  </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-eBones release=cvs</literal></term>
-
-		      <listitem>
-			<para>Kerberos and DES
-			  (<filename>/usr/src/eBones</filename>).  Not
-			  used in current releases of FreeBSD.</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-etc
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>System configuration files
-			  (<filename>/usr/src/etc</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-games
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Games
-			  (<filename>/usr/src/games</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-gnu
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Utilities covered by the GNU Public
-			  License (<filename>/usr/src/gnu</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-include
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Header files
-			  (<filename>/usr/src/include</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-kerberos5
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Kerberos5 security package
-			  (<filename>/usr/src/kerberos5</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-kerberosIV
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>KerberosIV security package
-			  (<filename>/usr/src/kerberosIV</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-lib
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Libraries
-			  (<filename>/usr/src/lib</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-libexec
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>System programs normally executed by other
-			  programs
-			  (<filename>/usr/src/libexec</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-release
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Files required to produce a FreeBSD
-			  release
-			  (<filename>/usr/src/release</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-sbin release=cvs</literal></term>
-
-		      <listitem>
-			<para>System utilities for single-user mode
-			  (<filename>/usr/src/sbin</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-secure
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Cryptographic libraries and commands
-			  (<filename>/usr/src/secure</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-share
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Files that can be shared across multiple
-			  systems
-			  (<filename>/usr/src/share</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-sys
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>The kernel
-			  (<filename>/usr/src/sys</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-sys-crypto
-			release=cvs</literal></term>
-
-		      <listitem>
-			<para>Kernel cryptography code
-			  (<filename>/usr/src/sys/crypto</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-tools
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>Various tools for the maintenance of
-			  FreeBSD
-			  (<filename>/usr/src/tools</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-usrbin
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>User utilities
-			  (<filename>/usr/src/usr.bin</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-
-		    <varlistentry>
-		      <term><literal>src-usrsbin
-			  release=cvs</literal></term>
-
-		      <listitem>
-			<para>System utilities
-			  (<filename>/usr/src/usr.sbin</filename>).</para>
-		      </listitem>
-		    </varlistentry>
-		  </variablelist>
-		</listitem>
-	      </varlistentry>
-
-	      <varlistentry>
-		<term><literal>www release=cvs</literal></term>
-
-		<listitem>
-		  <para>The sources for the FreeBSD WWW site.</para>
-		</listitem>
-	      </varlistentry>
-	    </variablelist>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><literal>distrib release=self</literal></term>
-
-	  <listitem>
-	    <para>The <application>CVSup</application> server's own
-	      configuration files.  Used by <application>CVSup</application>
-	      mirror sites.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><literal>gnats release=current</literal></term>
-
-	  <listitem>
-	    <para>The GNATS bug-tracking database.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><literal>mail-archive release=current</literal></term>
-
-	  <listitem>
-	    <para>FreeBSD mailing list archive.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><literal>www release=current</literal></term>
-
-	  <listitem>
-	    <para>The pre-processed FreeBSD WWW site files (not the
-	      source files).  Used by WWW mirror sites.</para>
-	  </listitem>
-	</varlistentry>
-      </variablelist>
-    </sect2>
-
-    <sect2>
-      <title>For More Information</title>
-
-      <para>For the <application>CVSup</application> FAQ and other
-	information about <application>CVSup</application>, see
-	<link xlink:href="http://www.polstra.com/projects/freeware/CVSup/">The
-	  CVSup Home Page</link>.</para>
-
-      <para>Most FreeBSD-related discussion of
-	<application>CVSup</application> takes place on the
-	&a.hackers;.  New versions of the software are announced there,
-	as well as on the &a.announce;.</para>
-
-      <para>Questions and bug reports should be addressed to the author
-	of the program at <email>cvsup-bugs@polstra.com</email>.</para>
-    </sect2>
-
-    <sect2 xml:id="cvsup-mirrors">
-    <title>CVSup Sites</title>
-
-    <para><link linkend="cvsup">CVSup</link> servers for FreeBSD are running
-      at the following sites:</para>
-
-    &chap.mirrors.cvsup.index.inc;
-
-    &chap.mirrors.lastmod.inc;
-
-    &chap.mirrors.cvsup.inc;
-    </sect2>
-  </sect1>
-
-  <sect1 xml:id="portsnap">
-    <title>Using Portsnap</title>
-
-    <sect2 xml:id="portsnap-intro">
-      <title>Portsnap 簡介</title>
-
-      <para><application>Portsnap</application> is a system for securely
-	distributing the &os; ports tree.  Approximately once an hour,
-	a <quote>snapshot</quote> of the ports tree is generated,
-	repackaged, and cryptographically signed.  The resulting files
-	are then distributed via HTTP.</para>
-
-      <para>Like <application>CVSup</application>,
-	<application>Portsnap</application> uses a
-	<emphasis>pull</emphasis> model of updating: The packaged and
-	signed ports trees are placed on a web server which waits
-	passively for clients to request files.  Users must either run
-	&man.portsnap.8; manually to download updates
-	or set up a &man.cron.8; job to download updates
-	automatically on a regular basis.</para>
-
-      <para>For technical reasons, <application>Portsnap</application>
-	does not update the <quote>live</quote> ports tree in
-	<filename>/usr/ports/</filename> directly; instead, it works
-	via a compressed copy of the ports tree stored in
-	<filename>/var/db/portsnap/</filename> by default.  This
-	compressed copy is then used to update the live ports tree.</para>
-
-      <note>
-	<para>If <application>Portsnap</application> is installed from
-	the &os; Ports Collection, then the default location for its
-	compressed snapshot will be <filename>/usr/local/portsnap/</filename>
-	instead of <filename>/var/db/portsnap/</filename>.</para>
-      </note>
-    </sect2>
-
-    <sect2 xml:id="portsnap-install">
-      <title>Installation</title>
-
-      <para>On &os; 6.0 and more recent versions,
-	<application>Portsnap</application> is contained in the &os;
-	base system.  On older versions of &os;, it can be installed
-	using the <package>sysutils/portsnap</package>
-	port.</para>
-    </sect2>
-
-    <sect2 xml:id="portsnap-config">
-      <title>Portsnap Configuration</title>
-
-      <para><application>Portsnap</application>'s operation is controlled
-	by the <filename>/etc/portsnap.conf</filename> configuration
-	file.  For most users, the default configuration file will
-	suffice; for more details, consult the &man.portsnap.conf.5;
-	manual page.</para>
-
-      <note>
-	<para>If <application>Portsnap</application> is installed from
-	  the &os; Ports Collection, it will use the configuration file
-	  <filename>/usr/local/etc/portsnap.conf</filename> instead of
-	  <filename>/etc/portsnap.conf</filename>.  This configuration
-	  file is not created when the port is installed, but a sample
-	  configuration file is distributed; to copy it into place, run
-	  the following command:</para>
-
-	<screen>&prompt.root; <userinput>cd /usr/local/etc &amp;&amp; cp portsnap.conf.sample portsnap.conf</userinput></screen>
-      </note>
-    </sect2>
-
-    <sect2>
-      <title>Running <application>Portsnap</application> for the First
-	Time</title>
-
-      <para>The first time &man.portsnap.8; is run,
-	it will need to download a compressed snapshot of the entire
-	ports tree into <filename>/var/db/portsnap/</filename> (or
-	<filename>/usr/local/portsnap/</filename> if
-	<application>Portsnap</application> was installed from the
-	Ports Collection).  For the beginning of 2006 this is approximately a 41&nbsp;MB
-	download.</para>
-
-      <screen>&prompt.root; <userinput>portsnap fetch</userinput></screen>
-
-      <para>Once the compressed snapshot has been downloaded, a
-	<quote>live</quote> copy of the ports tree can be extracted into
-	<filename>/usr/ports/</filename>.  This is necessary even if a
-	ports tree has already been created in that directory (e.g., by
-	using <application>CVSup</application>), since it establishes a
-	baseline from which <command>portsnap</command> can
-	determine which parts of the ports tree need to be updated
-	later.</para>
-
-      <screen>&prompt.root; <userinput>portsnap extract</userinput></screen>
-
-      <note>
-	<para>In the default installation
-	  <filename>/usr/ports</filename> is not
-	  created.  If you run &os;&nbsp;6.0-RELEASE, it should be created before
-	  <command>portsnap</command> is used.  On more recent
-	  versions of &os; or <application>Portsnap</application>,
-	  this operation will be done automatically at first use
-	  of the <command>portsnap</command> command.</para>
-      </note>
-    </sect2>
-
-    <sect2>
-      <title>Updating the Ports Tree</title>
-
-      <para>After an initial compressed snapshot of the ports tree has
-	been downloaded and extracted into <filename>/usr/ports/</filename>,
-	updating the ports tree consists of two steps:
-	<emphasis>fetch</emphasis>ing updates to the compressed
-	snapshot, and using them to <emphasis>update</emphasis> the
-	live ports tree.  These two steps can be specified to
-	<command>portsnap</command> as a single command:</para>
-
-      <screen>&prompt.root; <userinput>portsnap fetch update</userinput></screen>
-
-      <note>
-	<para>Some older versions of <command>portsnap</command>
-	  do not support this syntax; if it fails, try instead the
-	  following:</para>
-
-        <screen>&prompt.root; <userinput>portsnap fetch</userinput>
-&prompt.root; <userinput>portsnap update</userinput></screen>
-      </note>
-    </sect2>
-
-    <sect2>
-      <title>Running Portsnap from cron</title>
-
-      <para>In order to avoid problems with <quote>flash crowds</quote>
-	accessing the <application>Portsnap</application> servers,
-	<command>portsnap fetch</command> will not run from
-	a &man.cron.8; job.  Instead, a special
-	<command>portsnap cron</command> command exists, which
-	waits for a random duration up to 3600 seconds before fetching
-	updates.</para>
-
-      <para>In addition, it is strongly recommended that
-	<command>portsnap update</command> not be run from a
-	<command>cron</command> job, since it is liable to cause
-	major problems if it happens to run at the same time as a port
-	is being built or installed.  However, it is safe to update
-	the ports' <filename>INDEX</filename> files, and this can be done by passing the
-	<option>-I</option> flag to
-	<command>portsnap</command>.  (Obviously, if
-	<command>portsnap -I update</command> is run from
-	<command>cron</command>, then it will be necessary to run
-	<command>portsnap update</command> without the <option>-I</option>
-	flag at a later time in order to update the rest of the tree.)</para>
-
-      <para>Adding the following line to <filename>/etc/crontab</filename>
-	will cause <command>portsnap</command> to update its
-	compressed snapshot and the <filename>INDEX</filename> files in
-	<filename>/usr/ports/</filename>, and will send an email if any
-	installed ports are out of date:</para>
-
-      <programlisting>0 3 * * * root portsnap -I cron update &amp;&amp; pkg_version -vIL=</programlisting>
-
-      <note>
-	<para>If the system clock is not set to the local time zone,
-	  please replace <literal>3</literal> with a random
-	  value between 0 and 23, in order to spread the load on the
-	  <application>Portsnap</application> servers more evenly.</para>
-      </note>
-      <note>
-	<para>Some older versions of <command>portsnap</command>
-	  do not support listing multiple commands (e.g., <literal>cron update</literal>)
-	  in the same invocation of <command>portsnap</command>.  If
-	  the line above fails, try replacing
-	  <command>portsnap -I cron update</command> with
-	  <command>portsnap cron &amp;&amp; portsnap -I update</command>.</para>
-      </note>
-    </sect2>
-  </sect1>
-
-  <sect1 xml:id="cvs-tags">
-    <title>CVS Tags</title>
-
-    <para>When obtaining or updating sources using
-      <application>cvs</application> or
-      <application>CVSup</application>, a revision tag must be specified.
-      A revision tag refers to either a particular line of &os;
-      development, or a specific point in time.  The first type are called
-      <quote>branch tags</quote>, and the second type are called
-      <quote>release tags</quote>.</para>
-
-    <sect2>
-      <title>Branch Tags</title>
-
-      <para>All of these, with the exception of <literal>HEAD</literal> (which
-	is always a valid tag), only apply to the <filename>src/</filename>
-	tree.  The <filename>ports/</filename>, <filename>doc/</filename>, and
-	<filename>www/</filename> trees are not branched.</para>
-
-    <variablelist>
-      <varlistentry>
-	<term>HEAD</term>
-
-	<listitem>
-	  <para>Symbolic name for the main line, or FreeBSD-CURRENT.
-	    Also the default when no revision is specified.</para>
-
-	  <para>In <application>CVSup</application>, this tag is represented
-	    by a <literal>.</literal> (not punctuation, but a literal
-	    <literal>.</literal> character).</para>
-
-	  <note>
-	    <para>In CVS, this is the default when no revision tag is
-	      specified.  It is usually <emphasis>not</emphasis>
-	      a good idea to checkout or update to CURRENT sources
-	      on a STABLE machine, unless that is your intent.</para>
-	  </note>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_6</term>
-
-	<listitem>
-	  <para>The line of development for FreeBSD-6.X, also known
-	    as FreeBSD 6-STABLE</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_6_1</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-6.1, used only for
-	    security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_6_0</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-6.0, used only for
-	    security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_5</term>
-
-	<listitem>
-	  <para>The line of development for FreeBSD-5.X, also known
-	    as FreeBSD 5-STABLE.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_5_5</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-5.5, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_5_4</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-5.4, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_5_3</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-5.3, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_5_2</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-5.2 and FreeBSD-5.2.1, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_5_1</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-5.1, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_5_0</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-5.0, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4</term>
-
-	<listitem>
-	  <para>The line of development for FreeBSD-4.X, also known
-	    as FreeBSD 4-STABLE.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4_11</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-4.11, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4_10</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-4.10, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4_9</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-4.9, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4_8</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-4.8, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4_7</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-4.7, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4_6</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-4.6 and FreeBSD-4.6.2,
-            used only for security advisories and other
-            critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4_5</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-4.5, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4_4</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-4.4, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4_3</term>
-
-	<listitem>
-	  <para>The release branch for FreeBSD-4.3, used only
-	    for security advisories and other critical fixes.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_3</term>
-
-	<listitem>
-	  <para>The line of development for FreeBSD-3.X, also known
-	    as 3.X-STABLE.</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_2_2</term>
-
-	<listitem>
-	  <para>The line of development for FreeBSD-2.2.X, also known
-	    as 2.2-STABLE.  This branch is mostly obsolete.</para>
-	</listitem>
-      </varlistentry>
-    </variablelist>
-    </sect2>
-
-    <sect2>
-      <title>Release Tags</title>
-
-      <para>These tags refer to a specific point in time when a particular
-	version	of &os; was released.  The release engineering process is
-	documented in more detail by the
-	<link xlink:href="&url.base;/releng/">Release Engineering
-	  Information</link> and
-        <link xlink:href="&url.articles.releng;/release-proc.html">Release
-	  Process</link> documents.
-	The <filename>src</filename> tree uses tag names that
-	start with <literal>RELENG_</literal> tags.
-	The <filename>ports</filename> and
-	<filename>doc</filename> trees use tags whose names
-	begin with <literal>RELEASE</literal> tags.
-	Finally, the <filename>www</filename> tree is not
-	tagged with any special name for releases.</para>
-
-    <variablelist>
-      <varlistentry>
-	<term>RELENG_6_1_0_RELEASE</term>
-
-	<listitem>
-	  <para>FreeBSD 6.1</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_6_0_0_RELEASE</term>
-
-	<listitem>
-	  <para>FreeBSD 6.0</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_5_5_0_RELEASE</term>
-
-	<listitem>
-	  <para>FreeBSD 5.5</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_5_4_0_RELEASE</term>
-
-	<listitem>
-	  <para>FreeBSD 5.4</para>
-	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4_11_0_RELEASE</term>
+      <listitem>
+	<address>Linux Center
+	  <street>Galernaya Street, 55</street>
+	  <city>Saint-Petersburg</city>
+	  <postcode>190000</postcode>
+	  <country>Russia</country>
+	  Phone: <phone>+7-812-309-06-86</phone>
+	  Email: <email>info@linuxcenter.ru</email>
+	  WWW: <otheraddr
+	    xlink:href="http://linuxcenter.ru/shop/freebsd">http://linuxcenter.ru/shop/freebsd</otheraddr>
+	</address>
+      </listitem>
+    </itemizedlist>
+  </sect1>
 
-	<listitem>
-	  <para>FreeBSD 4.11</para>
-	</listitem>
-      </varlistentry>
+  <sect1 xml:id="mirrors-ftp">
+    <title><acronym>FTP</acronym> 站</title>
 
-      <varlistentry>
-	<term>RELENG_5_3_0_RELEASE</term>
+    <para>The official sources for &os; are available via anonymous
+      <acronym>FTP</acronym> from a worldwide set of mirror sites.
+      The site <uri
+	xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/">ftp://ftp.FreeBSD.org/pub/FreeBSD/</uri>
+      is well connected and allows a large number of connections to
+      it, but you are probably better off finding a
+      <quote>closer</quote> mirror site (especially if you decide to
+      set up some sort of mirror site).</para>
+
+    <para>Additionally, &os; is available via anonymous
+      <acronym>FTP</acronym> from the following mirror sites.  If you
+      choose to obtain &os; via anonymous <acronym>FTP</acronym>,
+      please try to use a site near you.  The mirror sites listed as
+      <quote>Primary Mirror Sites</quote> typically have the entire
+      &os; archive (all the currently available versions for each of
+      the architectures) but you will probably have faster download
+      times from a site that is in your country or region.  The
+      regional sites carry the most recent versions for the most
+      popular architecture(s) but might not carry the entire &os;
+      archive.  All sites provide access via anonymous
+      <acronym>FTP</acronym> but some sites also provide access via
+      other methods.  The access methods available for each site are
+      provided in parentheses after the hostname.</para>
 
-	<listitem>
-	  <para>FreeBSD 5.3</para>
-	</listitem>
-      </varlistentry>
+    &chap.mirrors.ftp.index.inc;
 
-      <varlistentry>
-	<term>RELENG_4_10_0_RELEASE</term>
+    &chap.mirrors.lastmod.inc;
 
-	<listitem>
-	  <para>FreeBSD 4.10</para>
-	</listitem>
-      </varlistentry>
+    &chap.mirrors.ftp.inc;
+  </sect1>
 
-      <varlistentry>
-	<term>RELENG_5_2_1_RELEASE</term>
+  <sect1 xml:id="ctm">
+    <title>Using CTM</title>
 
-	<listitem>
-	  <para>FreeBSD 5.2.1</para>
-	</listitem>
-      </varlistentry>
+    <indexterm>
+      <primary>CTM</primary>
+    </indexterm>
+
+    <para><application>CTM</application> is a method for keeping a
+      remote directory tree in sync with a central one.  It is built
+      into &os; and can be used to synchronize a system with &os;'s
+      source repositories.  It supports synchronization of an entire
+      repository or just a specified set of branches.</para>
+
+    <para><application>CTM</application> is specifically designed for
+      use on lousy or non-existent TCP/IP connections and provides
+      the ability for changes to be automatically sent by email.  It
+      requires the user to obtain up to three deltas per day for the
+      most active branches.  Update sizes are always kept as small as
+      possible and are typically less than 5K.  About one in very ten
+      updates is 10-50K in size, and there will occasionally be an
+      update larger than 100K+.</para>
+
+    <para>When using <application>CTM</application> to track &os;
+      development, refer to the caveats related to working directly
+      from the development sources rather than a pre-packaged release.
+      These are discussed in <link linkend="current-stable">Tracking
+	a Development Branch</link>.</para>
+
+    <para>Little documentation exists on the process of creating
+      deltas or using <application>CTM</application> for other
+      purposes.  Contact the &a.ctm-users.name; mailing list for
+      answers to questions on using
+      <application>CTM</application>.</para>
 
-      <varlistentry>
-	<term>RELENG_5_2_0_RELEASE</term>
+    <sect2 xml:id="mirrors-ctm">
+      <title>Getting Deltas</title>
 
-	<listitem>
-	  <para>FreeBSD 5.2</para>
-	</listitem>
-      </varlistentry>
+      <para>The <quote>deltas</quote> used by
+	<application>CTM</application> can be obtained either through
+	anonymous <acronym>FTP</acronym> or email.</para>
+
+      <para><acronym>FTP</acronym> deltas can be obtained from the
+	following mirror sites.  When using anonymous
+	<acronym>FTP</acronym> to obtain
+	<application>CTM</application> deltas, select a mirror that is
+	geographically nearby.  In case of problems, contact the
+	&a.ctm-users.name; mailing list.</para>
 
-      <varlistentry>
-	<term>RELENG_4_9_0_RELEASE</term>
+      <variablelist>
+	<varlistentry>
+	  <term>California, Bay Area, official source</term>
 
-	<listitem>
-	  <para>FreeBSD 4.9</para>
-	</listitem>
-      </varlistentry>
+	  <listitem>
+	    <itemizedlist>
+	      <listitem>
+		<para><uri
+		  xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/development/CTM/">ftp://ftp.FreeBSD.org/pub/FreeBSD/development/CTM/</uri></para>
+	      </listitem>
+	      <listitem>
+		<para><uri
+		  xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CTM/">ftp://ftp.FreeBSD.org/pub/FreeBSD/CTM/</uri></para>
+	      </listitem>
+	    </itemizedlist>
+	  </listitem>
+	</varlistentry>
 
-      <varlistentry>
-	<term>RELENG_5_1_0_RELEASE</term>
+	<varlistentry>
+	  <term>South Africa, backup server for old deltas</term>
 
-	<listitem>
-	  <para>FreeBSD 5.1</para>
-	</listitem>
-      </varlistentry>
+	  <listitem>
+	    <itemizedlist>
+	      <listitem>
+		<para><uri
+		  xlink:href="ftp://ftp.za.FreeBSD.org/pub/FreeBSD/CTM/">ftp://ftp.za.FreeBSD.org/pub/FreeBSD/CTM/</uri></para>
+	      </listitem>
+	    </itemizedlist>
+	  </listitem>
+	</varlistentry>
 
-      <varlistentry>
-	<term>RELENG_4_8_0_RELEASE</term>
+	<varlistentry>
+	  <term>Taiwan/R.O.C.</term>
 
-	<listitem>
-	  <para>FreeBSD 4.8</para>
-	</listitem>
-      </varlistentry>
+	  <listitem>
+	    <itemizedlist>
+	      <listitem>
+		<para><uri
+		  xlink:href="ftp://ctm.tw.FreeBSD.org/pub/FreeBSD/development/CTM/">ftp://ctm.tw.FreeBSD.org/pub/FreeBSD/development/CTM/</uri></para>
+	      </listitem>
+
+	      <listitem>
+		<para><uri
+		  xlink:href="ftp://ctm2.tw.FreeBSD.org/pub/FreeBSD/development/CTM/">ftp://ctm2.tw.FreeBSD.org/pub/FreeBSD/development/CTM/</uri></para>
+	      </listitem>
+
+	      <listitem>
+		<para><uri
+		  xlink:href="ftp://ctm3.tw.FreeBSD.org/pub/FreeBSD/development/CTM/">ftp://ctm3.tw.FreeBSD.org/pub/FreeBSD/development/CTM/</uri></para>
+	      </listitem>
+	    </itemizedlist>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
 
-      <varlistentry>
-	<term>RELENG_5_0_0_RELEASE</term>
+      <para>To instead receive deltas through email, subscribe to one
+	of the <literal>ctm-src</literal> distribution lists available
+	from <uri
+	  xlink:href="http://lists.freebsd.org/mailman/listinfo">http://lists.freebsd.org/mailman/listinfo</uri>.
+	For example, &a.ctm-src-cur.name; supports the head
+	development branch and  &a.ctm-src-9.name; supports the 9.X
+	release branch.</para>
+
+      <para>As <application>CTM</application> updates arrive through
+	email, use <command>ctm_rmail</command> to unpack and apply
+	them.  This command can be run directly from an entry in
+	<filename>/etc/aliases</filename> in order to automate this
+	process.  Refer to &man.ctm.rmail.1; for more details.</para>
 
-	<listitem>
-	  <para>FreeBSD 5.0</para>
-	</listitem>
-      </varlistentry>
+      <note>
+	<para>Regardless of the method which is used to get deltas,
+	  <application>CTM</application> users should subscribe
+	  to the &a.ctm-announce.name; mailing list as this is the
+	  only mechanism by which <application>CTM</application>
+	  announcements are posted.</para>
+      </note>
+    </sect2>
 
-      <varlistentry>
-	<term>RELENG_4_7_0_RELEASE</term>
+    <sect2>
+      <title><application>CTM</application> Usage</title>
 
-	<listitem>
-	  <para>FreeBSD 4.7</para>
-	</listitem>
-      </varlistentry>
+      <para>Before <application>CTM</application> deltas can be used
+	for the first time, a starting point must be produced.</para>
 
-      <varlistentry>
-	<term>RELENG_4_6_2_RELEASE</term>
+      <para>One method is to apply a <quote>starter</quote> delta to
+	an empty directory.  A  starter delta can be recognized by the
+	<filename>XEmpty</filename> in its name, such as
+	<filename>src-cur.3210XEmpty.gz</filename>.  The designation
+	following the <literal>X</literal> corresponds to the origin
+	of the initial <quote>seed</quote>, where
+	<filename>Empty</filename> is an empty directory.  As a rule,
+	a base transition from <literal>Empty</literal> is produced
+	every 100 deltas.  Be aware that starter deltas are large and
+	70 to 80 Megabytes of <command>gzip</command>'d data is common
+	for the <filename>XEmpty</filename> deltas.</para>
+
+      <para>Another method is to copy or extract an initial source
+	from  a RELEASE media as this can  save a significant transfer
+	of data from the Internet.</para>
+
+      <para>Once a base delta has been created, apply all deltas with
+	higher numbers.  To apply the deltas:</para>
+
+      <screen>&prompt.root; <userinput>cd /directory/to/store/the/stuff</userinput>
+&prompt.root; <userinput>ctm -v -v /directory/which/stores/the/deltas/src-xxx.*</userinput></screen>
+
+      <para>Multiple deltas can be applied with a single command as
+	they will be processed one at a time and any deltas that are
+	already applied will be ignored.
+	<application>CTM</application> understands
+	<command>gzip</command> compressed deltas, which saves disk
+	space.</para>
+
+      <para>To verify a delta without applying it, include
+	<option>-c</option> in the command line.
+	<application>CTM</application> will not actually modify the
+	local tree but will instead verify the integrity of the delta
+	to see if it would apply cleanly.  Refer to &man.ctm.1; for
+	more information about available options and an overview of
+	the process <application>CTM</application> uses when applying
+	deltas.</para>
+
+      <para>To keep the local source tree up-to-date, every time a
+	new delta becomes available, apply it through
+	<application>CTM</application>.</para>
+
+      <para>Once applied, it is recommended to not delete the deltas
+	if it is a burden to download them again.  This way, a local
+	copy is available in case it is needed for future disaster
+	recovery.</para>
+    </sect2>
 
-	<listitem>
-	  <para>FreeBSD 4.6.2</para>
-	</listitem>
-      </varlistentry>
+    <sect2>
+      <title>Keeping Local Changes</title>
 
-      <varlistentry>
-	<term>RELENG_4_6_1_RELEASE</term>
+      <para>Developers often experiment with and
+	change files in their local source tree.
+	<application>CTM</application> supports local modifications in
+	a limited way: before checking for the presence of a file,
+	it first looks for a file with the same name and a
+	<filename>.ctm</filename> extension.  If this file exists,
+	<application>CTM</application> will operate on it instead of
+	the original filename.</para>
+
+      <para>This behavior provides a simple way to maintain local
+	changes.  Before modifying a file, make a copy with a
+	<filename>.ctm</filename> suffix.  Make any changes to the
+	original filename, knowing that
+	<application>CTM</application> will only apply updates to the
+	file with the <filename>.ctm</filename> suffix.</para>
+    </sect2>
 
-	<listitem>
-	  <para>FreeBSD 4.6.1</para>
-	</listitem>
-      </varlistentry>
+    <sect2>
+      <title>Other <application>CTM</application> Options</title>
 
-      <varlistentry>
-	<term>RELENG_4_6_0_RELEASE</term>
+      <variablelist>
+	<varlistentry>
+	  <term>Finding Out Exactly What Would Be Touched by an
+	    Update</term>
 
-	<listitem>
-	  <para>FreeBSD 4.6</para>
-	</listitem>
-      </varlistentry>
+	  <listitem>
+	    <para>To determine the list of changes that
+	      <application>CTM</application> will make to the local
+	      source repository, use <option>-l</option>.  This option
+	      is useful for creating logs of the changes or when
+	      performing pre- or post-processing on any of the
+	      modified files.</para>
+	  </listitem>
+	</varlistentry>
 
-      <varlistentry>
-	<term>RELENG_4_5_0_RELEASE</term>
+	<varlistentry>
+	  <term>Making Backups Before Updating</term>
 
-	<listitem>
-	  <para>FreeBSD 4.5</para>
-	</listitem>
-      </varlistentry>
+	  <listitem>
+	    <para>To backup all of the files that would be changed by
+	      a <application>CTM</application> update, specify
+	      <option>-B
+		<replaceable>backup-file</replaceable></option>.  This
+	      option tells <application>CTM</application> to backup
+	      all files touched by the applied
+	      <application>CTM</application> delta to
+	      <filename>backup-file</filename>.</para>
+	  </listitem>
+	</varlistentry>
 
-      <varlistentry>
-	<term>RELENG_4_4_0_RELEASE</term>
+	<varlistentry>
+	  <term>Restricting the Files Touched by an Update</term>
 
-	<listitem>
-	  <para>FreeBSD 4.4</para>
-	</listitem>
-      </varlistentry>
+	  <listitem>
+	    <para>To restrict the scope of a given
+	      <application>CTM</application> update, or to extract
+	      just a few files from a sequence of deltas, filtering
+	      regular expressions can be specified using
+	      <option>-e</option>, which specifies which files to
+	      process, or <option>-x</option>, which specifies which
+	      files to ignore.</para>
+
+	    <para>For example, to extract an up-to-date copy of
+	      <filename>lib/libc/Makefile</filename> from a collection
+	      of saved <application>CTM</application> deltas:</para>
+
+	    <screen>&prompt.root; <userinput>cd /directory/to/extract/to/</userinput>
+&prompt.root; <userinput>ctm -e '^lib/libc/Makefile' /directory/which/stores/the/deltas/src-xxx.*</userinput></screen>
+
+	    <para>For every file specified in a
+	      <application>CTM</application> delta,
+	      <option>-e</option> and <option>-x</option> are
+	      applied in the order given on the command line.  A file
+	      is processed by <application>CTM</application> only if
+	      it is marked as eligible after all <option>-e</option>
+	      and <option>-x</option> options are applied.</para>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
+    </sect2>
+<!--
+Comment out for now until these can be verified.
+    <sect2>
+      <title>Future Plans for <application>CTM</application></title>
 
-      <varlistentry>
-	<term>RELENG_4_3_0_RELEASE</term>
+      <para>Tons of them:</para>
 
+      <itemizedlist>
 	<listitem>
-	  <para>FreeBSD 4.3</para>
+	  <para>Use some kind of authentication into the
+	    <application>CTM</application> system, so as to allow
+	    detection of spoofed <application>CTM</application>
+	    updates.</para>
 	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_4_2_0_RELEASE</term>
 
 	<listitem>
-	  <para>FreeBSD 4.2</para>
+	  <para>Clean up the options to
+	    <application>CTM</application>, they became confusing and
+	    counter intuitive.</para>
 	</listitem>
-      </varlistentry>
+      </itemizedlist>
 
-      <varlistentry>
-	<term>RELENG_4_1_1_RELEASE</term>
+      <para>There is a sequence of deltas for the
+	<literal>ports</literal> collection too, but interest has not
+	been all that high yet.</para>
+    </sect2>
+    -->
+  </sect1>
 
-	<listitem>
-	  <para>FreeBSD 4.1.1</para>
-	</listitem>
-      </varlistentry>
+  <sect1 xml:id="svn">
+    <title>Using <application>Subversion</application></title>
 
-      <varlistentry>
-	<term>RELENG_4_1_0_RELEASE</term>
+    <indexterm>
+      <primary>Subversion</primary>
+    </indexterm>
+
+    <sect2 xml:id="svn-intro">
+      <title>Introduction</title>
+
+      <para>As of July 2012, &os; uses
+	<application>Subversion</application> as the primary version
+	control system for storing all of &os;'s source code,
+	documentation, and the Ports Collection.</para>
 
-	<listitem>
-	  <para>FreeBSD 4.1</para>
-	</listitem>
-      </varlistentry>
+      <note>
+	<para><application>Subversion</application> is generally a
+	  developer tool.  Most users should use
+	  <command>freebsd-update</command> (<xref
+	    linkend="updating-upgrading-freebsdupdate"/>) to update
+	  the &os; base system, and <command>portsnap</command> (<xref
+	    linkend="ports-using"/>) to update the &os; Ports
+	  Collection.</para>
+      </note>
 
-      <varlistentry>
-	<term>RELENG_4_0_0_RELEASE</term>
+      <para>This chapter demonstrates how to install
+	<application>Subversion</application> on a &os; system and
+	then use it to create a local copy of a &os; repository.  It
+	includes a list of the available &os;
+	<application>Subversion</application> mirrors and resources to
+	additional information on how to use
+	<application>Subversion</application>.</para>
+    </sect2>
 
-	<listitem>
-	  <para>FreeBSD 4.0</para>
-	</listitem>
-      </varlistentry>
+    <sect2 xml:id="svn-install">
+      <title>Installation</title>
 
-      <varlistentry>
-	<term>RELENG_3_5_0_RELEASE</term>
+      <para><application>Subversion</application> must be installed
+	before it can be used to check out the contents of any of the
+	repositories.  If a copy of the ports tree is already present,
+	one can install <application>Subversion</application> like
+	this:</para>
 
-	<listitem>
-	  <para>FreeBSD-3.5</para>
-	</listitem>
-      </varlistentry>
+      <screen>&prompt.root; <userinput>cd /usr/ports/devel/subversion</userinput>
+&prompt.root; <userinput>make install clean</userinput></screen>
 
-      <varlistentry>
-	<term>RELENG_3_4_0_RELEASE</term>
+      <para>If the ports tree is not available,
+	<application>Subversion</application> can be installed as a
+	package:</para>
 
-	<listitem>
-	  <para>FreeBSD-3.4</para>
-	</listitem>
-      </varlistentry>
+      <screen>&prompt.root; <userinput>pkg install devel/subversion</userinput></screen>
+    </sect2>
 
-      <varlistentry>
-	<term>RELENG_3_3_0_RELEASE</term>
+    <sect2 xml:id="svn-usage">
+      <title>Running <application>Subversion</application></title>
 
-	<listitem>
-	  <para>FreeBSD-3.3</para>
-	</listitem>
-      </varlistentry>
+      <para>The <command>svn</command> command is used to fetch a
+	clean copy of the sources into a local directory.  The files
+	in this directory are called a <emphasis>local working
+	  copy</emphasis>.</para>
 
-      <varlistentry>
-	<term>RELENG_3_2_0_RELEASE</term>
+      <warning>
+	<para><emphasis>Move or delete the local directory before
+	    using <command>checkout</command>.</emphasis></para>
 
-	<listitem>
-	  <para>FreeBSD-3.2</para>
-	</listitem>
-      </varlistentry>
+	<para>Checkout over an existing
+	  non-<command>svn</command> directory can cause conflicts
+	  between the existing files and those brought in from the
+	  repository.</para>
+      </warning>
 
-      <varlistentry>
-	<term>RELENG_3_1_0_RELEASE</term>
+      <para><application>Subversion</application> uses
+	<acronym>URL</acronym>s to designate a repository, taking the
+	form of <replaceable>protocol://hostname/path</replaceable>.
+	Mirrors may support different protocols as specified below.
+	The first component of the path is the &os; repository to
+	access.  There are three different repositories,
+	<literal>base</literal> for the &os; base system source code,
+	<literal>ports</literal> for the Ports Collection, and
+	<literal>doc</literal> for documentation.  For example, the
+	URL
+	<literal>svn://svn0.us-east.FreeBSD.org/ports/head/</literal>
+	specifies the main branch of the ports repository on the
+	<systemitem
+	  class="fqdomainname">svn0.us-east.FreeBSD.org</systemitem>
+	mirror, using the <literal>svn</literal> protocol.</para>
 
-	<listitem>
-	  <para>FreeBSD-3.1</para>
-	</listitem>
-      </varlistentry>
+      <para>A checkout from a given repository is performed with a
+	command like this:</para>
 
-      <varlistentry>
-	<term>RELENG_3_0_0_RELEASE</term>
+      <screen>&prompt.root; <userinput>svn checkout <replaceable>svn-mirror</replaceable>/<replaceable>repository</replaceable>/<replaceable>branch</replaceable> <replaceable>lwcdir</replaceable></userinput></screen>
+
+      <para>where:</para>
 
+      <itemizedlist>
 	<listitem>
-	  <para>FreeBSD-3.0</para>
+	  <para><replaceable>svn-mirror</replaceable> is a URL for one
+	    of the <link linkend="svn-mirrors">Subversion mirror
+	      sites</link>.</para>
 	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_2_2_8_RELEASE</term>
 
 	<listitem>
-	  <para>FreeBSD-2.2.8</para>
+	  <para><replaceable>repository</replaceable> is one of the
+	    Project repositories, i.e., <literal>base</literal>,
+	    <literal>ports</literal>, or
+	    <literal>doc</literal>.</para>
 	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_2_2_7_RELEASE</term>
 
 	<listitem>
-	  <para>FreeBSD-2.2.7</para>
+	  <para><replaceable>branch</replaceable> depends on the
+	    repository used.  <literal>ports</literal> and
+	    <literal>doc</literal> are mostly updated in the
+	    <literal>head</literal> branch, while
+	    <literal>base</literal> maintains the latest version of
+	    -CURRENT under <literal>head</literal> and the respective
+	    latest versions of the -STABLE branches under
+	    <literal>stable/8</literal> (for
+	    8.<replaceable>x</replaceable>),
+	    <literal>stable/9</literal>
+	    (9.<replaceable>x</replaceable>) and
+	    <literal>stable/10</literal>
+	    (10.<replaceable>x</replaceable>).</para>
 	</listitem>
-      </varlistentry>
-
-      <varlistentry>
-	<term>RELENG_2_2_6_RELEASE</term>
 
 	<listitem>
-	  <para>FreeBSD-2.2.6</para>
+	  <para><replaceable>lwcdir</replaceable> is the target
+	    directory where the contents of the specified branch
+	    should be placed.  This is usually
+	    <filename>/usr/ports</filename> for
+	    <literal>ports</literal>,
+	    <filename>/usr/src</filename> for
+	    <literal>base</literal>, and
+	    <filename>/usr/doc</filename> for
+	    <literal>doc</literal>.</para>
 	</listitem>
-      </varlistentry>
+      </itemizedlist>
 
-      <varlistentry>
-	<term>RELENG_2_2_5_RELEASE</term>
+      <para>This example checks out the Ports Collection from the
+	western US repository using the <acronym>HTTPS</acronym>
+	protocol, placing the local working copy in
+	<filename>/usr/ports</filename>.  If
+	<filename>/usr/ports</filename> is already
+	present but was not created by <command>svn</command>,
+	remember to rename or delete it before the checkout.</para>
+
+      <screen>&prompt.root; <userinput>svn checkout <replaceable>https://svn0.us-west.FreeBSD.org</replaceable>/ports/head /usr/ports</userinput></screen>
+
+      <para>Because the initial checkout has to download the full
+	branch of the remote repository, it can take a while.  Please
+	be patient.</para>
+
+      <para>After the initial checkout, the local working copy can be
+	updated by running:</para>
+
+      <screen>&prompt.root; <userinput>svn update <replaceable>lwcdir</replaceable></userinput></screen>
+
+      <para>To update
+	<filename>/usr/ports</filename> created in
+	the example above, use:</para>
+
+      <screen>&prompt.root; <userinput>svn update /usr/ports</userinput></screen>
+
+      <para>The update is much quicker than a checkout, only
+	transferring files that have changed.</para>
+
+      <para>An alternate way of updating the local working copy after
+	checkout is provided by the <filename>Makefile</filename> in
+	the <filename>/usr/ports</filename>,
+	<filename>/usr/src</filename>, and
+	<filename>/usr/doc</filename> directories.
+	Set <varname>SVN_UPDATE</varname> and use the
+	<buildtarget>update</buildtarget> target.  For example, to
+	update <filename>/usr/src</filename>:</para>
+
+      <screen>&prompt.root; <userinput>cd /usr/src</userinput>
+&prompt.root; <userinput>make update SVN_UPDATE=yes</userinput></screen>
+    </sect2>
+
+    <sect2 xml:id="svn-mirrors">
+      <title><application>Subversion</application> Mirror
+	Sites</title>
 
-	<listitem>
-	  <para>FreeBSD-2.2.5</para>
-	</listitem>
-      </varlistentry>
+      <indexterm>
+	<primary>Subversion Repository</primary>
+	<secondary>Mirror Sites</secondary>
+      </indexterm>
 
-      <varlistentry>
-	<term>RELENG_2_2_2_RELEASE</term>
+      <para>All mirrors carry all repositories.</para>
 
-	<listitem>
-	  <para>FreeBSD-2.2.2</para>
-	</listitem>
-      </varlistentry>
+      <para>The master &os; <application>Subversion</application>
+	server, <systemitem
+	  class="fqdomainname">svn.FreeBSD.org</systemitem>, is
+	publicly accessible, read-only.  That may change in the
+	future, so users are encouraged to use one of the official
+	mirrors.  To view the &os;
+	<application>Subversion</application> repositories through a
+	browser, use <link
+	  xlink:href="http://svnweb.FreeBSD.org/">http://svnweb.FreeBSD.org/</link>.</para>
 
-      <varlistentry>
-	<term>RELENG_2_2_1_RELEASE</term>
+      <note>
+	<para>The &os; <application>Subversion</application> mirror
+	  network is still in its early days, and will likely change.
+	  Do not count on this list of mirrors being static.  In
+	  particular, the <acronym>SSL</acronym> certificates of the
+	  servers will likely change at some point.</para>
+      </note>
 
-	<listitem>
-	  <para>FreeBSD-2.2.1</para>
-	</listitem>
-      </varlistentry>
+      <informaltable>
+	<tgroup cols="4">
+	  <colspec colwidth="3*"/>
+	  <colspec colwidth="1*"/>
+	  <colspec colwidth="2*"/>
+	  <colspec colwidth="10*"/>
+	  <thead>
+	    <row>
+	      <entry>Name</entry>
+
+	      <entry>Protocols</entry>
+
+	      <entry>Location</entry>
+
+	      <entry><acronym>SSL</acronym> Fingerprint</entry>
+	    </row>
+	  </thead>
+
+	  <tbody>
+	    <row>
+	      <entry><systemitem
+		class="fqdomainname">svn0.us-west.FreeBSD.org</systemitem></entry>
+
+	      <entry><literal>svn</literal>, <link
+		  xlink:href="http://svn0.us-west.FreeBSD.org/"><literal>http</literal></link>,
+		<link
+		  xlink:href="https://svn0.us-west.FreeBSD.org/"><literal>https</literal></link></entry>
+
+	      <entry>USA, California</entry>
+
+	      <entry>SHA1
+		<literal>1C:BD:85:95:11:9F:EB:75:A5:4B:C8:A3:FE:08:E4:02:73:06:1E:61</literal></entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem
+		  class="fqdomainname">svn0.us-east.FreeBSD.org</systemitem></entry>
+
+	      <entry><literal>svn</literal>, <link
+		  xlink:href="http://svn0.us-east.FreeBSD.org/"><literal>http</literal></link>,
+		<link
+		  xlink:href="https://svn0.us-east.FreeBSD.org/"><literal>https</literal></link>,
+		<literal>rsync</literal></entry>
+
+	      <entry>USA, New Jersey</entry>
+
+	      <entry>SHA1
+		<literal>1C:BD:85:95:11:9F:EB:75:A5:4B:C8:A3:FE:08:E4:02:73:06:1E:61</literal></entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem
+		  class="fqdomainname">svn0.eu.FreeBSD.org</systemitem></entry>
+
+	      <entry><literal>svn</literal>, <link
+		  xlink:href="http://svn0.eu.FreeBSD.org/"><literal>http</literal></link>,
+		<link
+		  xlink:href="https://svn0.eu.FreeBSD.org/"><literal>https</literal></link>,
+		<literal>rsync</literal></entry>
+
+	      <entry>Europe, UK</entry>
+
+	      <entry>SHA1
+		<literal>39:B0:53:35:CE:60:C7:BB:00:54:96:96:71:10:94:BB:CE:1C:07:A7</literal></entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem
+		  class="fqdomainname">svn0.ru.FreeBSD.org</systemitem></entry>
+
+	      <entry><literal>svn</literal>, <link
+		  xlink:href="http://svn0.ru.FreeBSD.org/"><literal>http</literal></link>,
+		<link
+		  xlink:href="https://svn0.ru.FreeBSD.org/"><literal>https</literal></link>,
+		<literal>rsync</literal></entry>
+
+	      <entry>Russia, Moscow</entry>
+
+	      <entry>SHA1
+		<literal>F6:44:AA:B9:03:89:0E:3E:8C:4D:4D:14:F0:27:E6:C7:C1:8B:17:C5</literal></entry>
+	    </row>
+	  </tbody>
+	</tgroup>
+      </informaltable>
+
+      <para><acronym>HTTPS</acronym> is the preferred protocol,
+	providing protection against another computer pretending to be
+	the &os; mirror (commonly known as a <quote>man in the
+	  middle</quote> attack) or otherwise trying to send bad
+	content to the end user.</para>
+
+      <para xml:id="svn-mirrors-fingerprint">On the first connection
+	to an <acronym>HTTPS</acronym> mirror, the user will be asked
+	to verify the server <emphasis>fingerprint</emphasis>:</para>
+
+      <screen>Error validating server certificate for 'https://svn0.us-west.freebsd.org:443':
+ - The certificate is not issued by a trusted authority. Use the
+   fingerprint to validate the certificate manually!
+ - The certificate hostname does not match.
+Certificate information:
+ - Hostname: svnmir.ysv.FreeBSD.org
+ - Valid: from Jul 29 22:01:21 2013 GMT until Dec 13 22:01:21 2040 GMT
+ - Issuer: clusteradm, FreeBSD.org, (null), CA, US (clusteradm@FreeBSD.org)
+ - Fingerprint: 1C:BD:85:95:11:9F:EB:75:A5:4B:C8:A3:FE:08:E4:02:73:06:1E:61
+(R)eject, accept (t)emporarily or accept (p)ermanently?</screen>
+
+      <para>Compare the fingerprint shown to those listed in the table
+	above.  If the fingerprint matches, the server security
+	certificate can be accepted temporarily or permanently.  A
+	temporary certificate will expire after a single session with
+	the server, and the verification step will be repeated on the
+	next connection.  Accepting the certificate permanently will
+	store the authentication credentials in
+	<filename>~/.subversion/auth/</filename> and the user will not
+	be asked to verify the fingerprint again until the certificate
+	expires.</para>
+
+      <para>If <literal>https</literal> cannot be used due to firewall
+	or other problems, <literal>svn</literal> is the next choice,
+	with slightly faster transfers.  When neither can be used, use
+	<literal>http</literal>.</para>
+    </sect2>
 
-      <varlistentry>
-	<term>RELENG_2_2_0_RELEASE</term>
+    <sect2>
+      <title>For More Information</title>
 
-	<listitem>
-	  <para>FreeBSD-2.2.0</para>
-	</listitem>
-      </varlistentry>
-    </variablelist>
+      <para>For other information about using
+	<application>Subversion</application>, please see the
+	<quote>Subversion Book</quote>, titled
+	<link xlink:href="http://svnbook.red-bean.com/">Version
+	  Control with Subversion</link>, or the <link
+	  xlink:href="http://subversion.apache.org/docs/">Subversion
+	  Documentation</link>.</para>
     </sect2>
   </sect1>
 
-  <sect1 xml:id="mirrors-afs">
-    <title>AFS Sites</title>
+  <sect1 xml:id="mirrors-rsync">
+    <title>Using <application>rsync</application></title>
 
-    <para>AFS servers for FreeBSD are running at the following sites:</para>
+    <para>The following sites make &os; available through the rsync
+      protocol.  The <application>rsync</application> utility works in
+      much the same way as the &man.rcp.1; command, but has more
+      options and uses the rsync remote-update protocol which
+      transfers only the differences between two sets of files, thus
+      greatly speeding up the synchronization over the network.  This
+      is most useful if you are a mirror site for the &os;
+      <acronym>FTP</acronym> server, or the CVS repository.  The
+      <application>rsync</application> suite is available for many
+      operating systems, on &os;, see the <package>net/rsync</package>
+      port or use the package.</para>
 
     <variablelist>
       <varlistentry>
-	<term>Sweden</term>
+	<term>Czech Republic</term>
 
 	<listitem>
-	  <para>The path to the files are:
-  	    <filename>/afs/stacken.kth.se/ftp/pub/FreeBSD/</filename></para>
+	  <para>rsync://ftp.cz.FreeBSD.org/</para>
 
-	  <programlisting>stacken.kth.se         # Stacken Computer Club, KTH, Sweden
-130.237.234.43         #hot.stacken.kth.se
-130.237.237.230        #fishburger.stacken.kth.se
-130.237.234.3          #milko.stacken.kth.se</programlisting>
+	  <para>Available collections:</para>
+	  <itemizedlist>
+	    <listitem>
+	      <para>ftp: A partial mirror of the &os;
+		<acronym>FTP</acronym> server.</para>
+	    </listitem>
 
-	  <para>Maintainer <email>ftp@stacken.kth.se</email></para>
+	    <listitem>
+	      <para>&os;: A full mirror of the &os;
+		<acronym>FTP</acronym> server.</para>
+	    </listitem>
+	  </itemizedlist>
 	</listitem>
       </varlistentry>
-    </variablelist>
-  </sect1>
 
-  <sect1 xml:id="mirrors-rsync">
-    <title>rsync Sites</title>
+      <varlistentry>
+	<term>Netherlands</term>
 
-    <para>The following sites make FreeBSD available through the rsync
-      protocol.  The <application>rsync</application> utility works in
-      much the same way as the &man.rcp.1; command,
-      but has more options and uses the rsync remote-update protocol
-      which transfers only the differences between two sets of files,
-      thus greatly speeding up the synchronization over the network.
-      This is most useful if you are a mirror site for the
-      FreeBSD FTP server, or the CVS repository.  The
-      <application>rsync</application> suite is available for many
-      operating systems, on FreeBSD, see the
-      <package>net/rsync</package>
-      port or use the package.</para>
+	<listitem>
+	  <para>rsync://ftp.nl.FreeBSD.org/</para>
+
+	  <para>Available collections:</para>
+	  <itemizedlist>
+	    <listitem>
+	      <para>&os;: A full mirror of the &os;
+		<acronym>FTP</acronym> server.</para>
+	    </listitem>
+	  </itemizedlist>
+	</listitem>
+      </varlistentry>
 
-    <variablelist>
       <varlistentry>
-	<term>Czech Republic</term>
+	<term>Russia</term>
 
 	<listitem>
-	  <para>rsync://ftp.cz.FreeBSD.org/</para>
+	  <para>rsync://ftp.mtu.ru/</para>
 
 	  <para>Available collections:</para>
+
 	  <itemizedlist>
-	    <listitem><para>ftp: A partial mirror of the FreeBSD FTP
-	      server.</para></listitem>
-	    <listitem><para>FreeBSD: A full mirror of the FreeBSD FTP
-	      server.</para></listitem>
+	    <listitem>
+	      <para>&os;: A full mirror of the &os;
+		<acronym>FTP</acronym> server.</para>
+	    </listitem>
+
+	    <listitem>
+	      <para>&os;-Archive: The mirror of &os; Archive
+		<acronym>FTP</acronym> server.</para>
+	    </listitem>
 	  </itemizedlist>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>Germany</term>
+	<term>Sweden</term>
 
 	<listitem>
-	  <para>rsync://grappa.unix-ag.uni-kl.de/</para>
+	  <para>rsync://ftp4.se.freebsd.org/</para>
 
 	  <para>Available collections:</para>
 	  <itemizedlist>
-	    <listitem><para>freebsd-cvs: The full FreeBSD CVS
-	      repository.</para></listitem>
+	    <listitem>
+	      <para>&os;: A full mirror of the &os;
+		<acronym>FTP</acronym> server.</para>
+	    </listitem>
 	  </itemizedlist>
-	  <para>This machine also mirrors the CVS repositories of the
-	    NetBSD and the OpenBSD projects, among others.</para>
 	</listitem>
       </varlistentry>
 
       <varlistentry>
-	<term>Netherlands</term>
+	<term>Taiwan</term>
 
 	<listitem>
-	  <para>rsync://ftp.nl.FreeBSD.org/</para>
+	  <para>rsync://ftp.tw.FreeBSD.org/</para>
+
+	  <para>rsync://ftp2.tw.FreeBSD.org/</para>
+
+	  <para>rsync://ftp6.tw.FreeBSD.org/</para>
 
 	  <para>Available collections:</para>
 	  <itemizedlist>
-	    <listitem><para>vol/4/freebsd-core: A full mirror of the
-	      FreeBSD FTP server.</para></listitem>
+	    <listitem>
+	      <para>&os;: A full mirror of the &os;
+		<acronym>FTP</acronym> server.</para>
+	    </listitem>
 	  </itemizedlist>
 	</listitem>
       </varlistentry>
@@ -3150,12 +885,14 @@
 	<term>United Kingdom</term>
 
 	<listitem>
-	  <para>rsync://rsync.mirror.ac.uk/</para>
+	  <para>rsync://rsync.mirrorservice.org/</para>
 
 	  <para>Available collections:</para>
 	  <itemizedlist>
-	    <listitem><para>ftp.FreeBSD.org: A full mirror of the
-	      FreeBSD FTP server.</para></listitem>
+	    <listitem>
+	      <para>ftp.freebsd.org: A full mirror of the &os;
+		<acronym>FTP</acronym> server.</para>
+	    </listitem>
 	  </itemizedlist>
 	</listitem>
       </varlistentry>
@@ -3166,22 +903,31 @@
 	<listitem>
 	  <para>rsync://ftp-master.FreeBSD.org/</para>
 
-	  <para>This server may only be used by FreeBSD primary mirror
+	  <para>This server may only be used by &os; primary mirror
 	    sites.</para>
+
 	  <para>Available collections:</para>
+
 	  <itemizedlist>
-	    <listitem><para>FreeBSD: The master archive of the FreeBSD
-	      FTP server.</para></listitem>
-	    <listitem><para>acl: The FreeBSD master ACL
-	      list.</para></listitem>
+	    <listitem>
+	      <para>&os;: The master archive of the &os;
+		<acronym>FTP</acronym> server.</para>
+	    </listitem>
+
+	    <listitem>
+	      <para>acl: The &os; master ACL list.</para>
+	    </listitem>
 	  </itemizedlist>
 
 	  <para>rsync://ftp13.FreeBSD.org/</para>
 
 	  <para>Available collections:</para>
+
 	  <itemizedlist>
-	    <listitem><para>FreeBSD: A full mirror of the FreeBSD FTP
-	      server.</para></listitem>
+	    <listitem>
+	      <para>&os;: A full mirror of the &os;
+		<acronym>FTP</acronym> server.</para>
+	    </listitem>
 	  </itemizedlist>
 	</listitem>
       </varlistentry>
Index: zh_TW.UTF-8/books/handbook/network-servers/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/network-servers/chapter.xml
+++ zh_TW.UTF-8/books/handbook/network-servers/chapter.xml
@@ -1,61 +1,79 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      The FreeBSD Documentation Project
+     The FreeBSD Traditional Chinese Project
 
      $FreeBSD$
-     Original revision: 1.75
+     Original revision: r46077
 -->
-<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="network-servers">
-  <info><title>Network Servers</title>
+<chapter xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="network-servers">
+  <!--
+  <chapterinfo>
     <authorgroup>
-      <author><personname><firstname>Murray</firstname><surname>Stokely</surname></personname><contrib>Reorganized by </contrib></author>
+      <author>
+	<firstname>Murray</firstname>
+	<surname>Stokely</surname>
+	<contrib>Reorganized by in July 2004</contrib>
+      </author>
     </authorgroup>
-    
-  </info>
+  </chapterinfo>
+  -->
 
-  
+  <title>網路伺服器</title>
 
   <sect1 xml:id="network-servers-synopsis">
     <title>概述</title>
 
-    <para>This chapter will cover some of the more frequently used
-      network services on &unix; systems.  We will cover how to
-      install, configure, test, and maintain many different types of
+    <para>This chapter covers some of the more frequently used network
+      services on &unix; systems.  This includes installing,
+      configuring, testing, and maintaining many different types of
       network services.  Example configuration files are included
-      throughout this chapter for you to benefit from.</para>
+      throughout this chapter for reference.</para>
 
-    <para>After reading this chapter, you will know:</para>
+    <para>By the end of this chapter, readers will know:</para>
 
     <itemizedlist>
-
       <listitem>
 	<para>How to manage the <application>inetd</application>
 	  daemon.</para>
       </listitem>
 
       <listitem>
-	<para>How to set up a network file system.</para>
+	<para>How to set up the Network File System
+	  (<acronym>NFS</acronym>).</para>
       </listitem>
 
       <listitem>
-	<para>How to set up a network information server for sharing
+	<para>How to set up the Network Information Server
+	  (<acronym>NIS</acronym>) for centralizing and sharing
 	  user accounts.</para>
       </listitem>
 
       <listitem>
-	<para>How to set up automatic network settings using DHCP.</para>
+	<para>How to set &os; up to act as an <acronym>LDAP</acronym>
+	  server or client</para>
+      </listitem>
+
+      <listitem>
+	<para>How to set up automatic network settings using
+	  <acronym>DHCP</acronym>.</para>
       </listitem>
 
       <listitem>
-	<para>How to set up a domain name server.</para>
+	<para>How to set up a Domain Name Server
+	  (<acronym>DNS</acronym>).</para>
       </listitem>
 
       <listitem>
-	<para>How to set up the <application>Apache</application> HTTP Server.</para>
+	<para>How to set up the <application>Apache</application>
+	  <acronym>HTTP</acronym> Server.</para>
       </listitem>
 
       <listitem>
-	<para>How to set up a File Transfer Protocol (FTP) Server.</para>
+	<para>How to set up a File Transfer Protocol
+	  (<acronym>FTP</acronym>) server.</para>
       </listitem>
 
       <listitem>
@@ -65,268 +83,150 @@
 
       <listitem>
 	<para>How to synchronize the time and date, and set up a
-	  time server, with the NTP protocol.</para>
+	  time server using the Network Time Protocol
+	  (<acronym>NTP</acronym>).</para>
       </listitem>
 
+      <listitem>
+	<para>How to set up <acronym>iSCSI</acronym>.</para>
+      </listitem>
     </itemizedlist>
 
-    <para>Before reading this chapter, you should:</para>
+    <para>This chapter assumes a basic knowledge of:</para>
 
     <itemizedlist>
       <listitem>
-	<para>Understand the basics of the
-	  <filename>/etc/rc</filename> scripts.</para>
+	<para><filename>/etc/rc</filename> scripts.</para>
       </listitem>
 
       <listitem>
-	<para>Be familiar with basic network terminology.</para>
+	<para>Network terminology.</para>
       </listitem>
 
       <listitem>
-      <para>Know how to install additional third-party
-        software (<xref linkend="ports"/>).</para>
+	<para>Installation of additional third-party
+	  software (<xref linkend="ports"/>).</para>
       </listitem>
-
     </itemizedlist>
   </sect1>
 
   <sect1 xml:id="network-inetd">
-    <info><title>The <application>inetd</application> <quote>Super-Server</quote></title>
+    <title>The <application>inetd</application>
+      Super-Server</title>
+
+    <!--
+    <sect1info>
       <authorgroup>
-        <author><personname><firstname>Chern</firstname><surname>Lee</surname></personname><contrib>Contributed by </contrib></author>
+	<author>
+	  <firstname>Chern</firstname>
+	  <surname>Lee</surname>
+	  <contrib>Contributed by </contrib>
+	</author>
       </authorgroup>
-    </info>
-
-    
-
-    <sect2 xml:id="network-inetd-overview">
-      <title>Overview</title>
-
-      <para>&man.inetd.8; is referred to as the <quote>Internet
-	Super-Server</quote> because it manages connections for
-	several services.  When a
-	connection is received by <application>inetd</application>, it
-	determines which program the connection is destined for, spawns
-	the particular process and delegates the socket to it (the program
-	is invoked with the service socket as its standard input, output
-	and error descriptors).  Running
-	one instance of <application>inetd</application> reduces the
-	overall system load as compared to running each daemon
-	individually in stand-alone mode.</para>
-
-      <para>Primarily, <application>inetd</application> is used to
-	spawn other daemons, but several trivial protocols are handled
-	directly, such as <application>chargen</application>,
-	<application>auth</application>, and
-	<application>daytime</application>.</para>
-
-      <para>This section will cover the basics in configuring
-	<application>inetd</application> through its command-line
-	options and its configuration file,
-	<filename>/etc/inetd.conf</filename>.</para>
-    </sect2>
-
-    <sect2 xml:id="network-inetd-settings">
-      <title>Settings</title>
-
-      <para><application>inetd</application> is initialized through
-	the <filename>/etc/rc.conf</filename> system.  The
-	<literal>inetd_enable</literal> option is set to
-	<literal>NO</literal> by default, but is often times turned on
-	by <application>sysinstall</application> with the medium
-	security profile.  Placing:
-	<programlisting>inetd_enable="YES"</programlisting> or
-	<programlisting>inetd_enable="NO"</programlisting> into
-	<filename>/etc/rc.conf</filename> can enable or disable
-	<application>inetd</application> starting at boot time.</para>
-
-      <para>Additionally, different command-line options can be passed
-	to <application>inetd</application> via the
-	<literal>inetd_flags</literal> option.</para>
-    </sect2>
-
-    <sect2 xml:id="network-inetd-cmdline">
-      <title>Command-Line Options</title>
-
-      <para><application>inetd</application> synopsis:</para>
-
-      <para><option>     inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname]
-           [-p filename] [-R rate] [configuration file]</option></para>
-
-      <variablelist>
-	<varlistentry>
-	  <term>-d</term>
-
-	  <listitem>
-	    <para>Turn on debugging.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term>-l</term>
-
-	  <listitem>
-	    <para>Turn on logging of successful connections.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term>-w</term>
-
-	  <listitem>
-	    <para>Turn on TCP Wrapping for external services (on by
-	      default).</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term>-W</term>
-
-	  <listitem>
-	    <para>Turn on TCP Wrapping for internal services which are
-	      built into <application>inetd</application> (on by
-	      default).</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term>-c maximum</term>
-
-	  <listitem>
-	    <para>Specify the default maximum number of simultaneous
-	      invocations of each service; the default is unlimited.
-	      May be overridden on a per-service basis with the
-	      <option>max-child</option> parameter.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term>-C rate</term>
-
-	  <listitem>
-	    <para>Specify the default maximum number of times a
-	      service can be invoked from a single IP address in one
-	      minute; the default is unlimited.  May be overridden on a
-	      per-service basis with the
-	      <option>max-connections-per-ip-per-minute</option>
-	      parameter.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term>-R rate</term>
-
-	  <listitem>
-	    <para>Specify the maximum number of times a service can be
-	      invoked in one minute; the default is 256.  A rate of 0
-	      allows an unlimited number of invocations.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term>-a</term>
-
-	  <listitem>
-	    <para>Specify one specific IP address to bind to.
-	      Alternatively, a hostname can be specified, in which case
-	      the IPv4 or IPv6 address which corresponds to that
-	      hostname is used.  Usually a hostname is specified when
-	      <application>inetd</application> is run inside a
-	      &man.jail.8;, in which case the hostname corresponds to
-	      the &man.jail.8; environment.</para>
-
-	    <para>When hostname specification is used and both IPv4
-	      and IPv6 bindings are desired, one entry with the
-	      appropriate protocol type for each binding is required
-	      for each service in
-	      <filename>/etc/inetd.conf</filename>.  For example, a
-	      TCP-based service would need two entries, one using
-	      <literal>tcp4</literal> for the protocol and the other
-	      using <literal>tcp6</literal>.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term>-p</term>
-
-	  <listitem>
-	    <para>Specify an alternate file in which to store the
-	      process ID.</para>
-	  </listitem>
-	</varlistentry>
-      </variablelist>
-
-      <para>These options can be passed to
-	<application>inetd</application> using the
-	<literal>inetd_flags</literal> option in
-	<filename>/etc/rc.conf</filename>.  By default,
-	<literal>inetd_flags</literal> is set to
-	<literal>-wW</literal>, which turns on TCP wrapping for
-	<application>inetd</application>'s internal and external
-	services.  For novice users, these parameters usually do not
-	need to be modified or even entered in
-	<filename>/etc/rc.conf</filename>.</para>
+      <authorgroup>
+	<author>
+	  <contrib>Updated by </contrib>
+	  <othername>The &os; Documentation Project</othername>
+	</author>
+      </authorgroup>
+    </sect1info>
+    -->
 
-      <note>
-	<para>An external service is a daemon outside of
-	  <application>inetd</application>, which is invoked when a
-	  connection is received for it.  On the other hand, an
-	  internal service is one that
-	  <application>inetd</application> has the facility of
-	  offering within itself.</para>
-      </note>
+    <para>The &man.inetd.8; daemon is sometimes referred to as a
+      Super-Server because it manages connections for many services.
+      Instead of starting multiple applications, only the
+      <application>inetd</application> service needs to be started.
+      When a connection is received for a service that is managed by
+      <application>inetd</application>, it determines which program
+      the connection is destined for, spawns a process for that
+      program, and delegates the program a socket.  Using
+      <application>inetd</application> for services that are not
+      heavily used can reduce system load, when compared to running
+      each daemon individually in stand-alone mode.</para>
+
+    <para>Primarily, <application>inetd</application> is used to
+      spawn other daemons, but several trivial protocols are handled
+      internally, such as <application>chargen</application>,
+      <application>auth</application>,
+      <application>time</application>,
+      <application>echo</application>,
+      <application>discard</application>, and
+      <application>daytime</application>.</para>
 
-    </sect2>
+    <para>This section covers the basics of configuring
+      <application>inetd</application>.</para>
 
     <sect2 xml:id="network-inetd-conf">
-      <title><filename>inetd.conf</filename></title>
+      <title>Configuration File</title>
 
       <para>Configuration of <application>inetd</application> is
-	controlled through the <filename>/etc/inetd.conf</filename>
-	file.</para>
+	done by editing <filename>/etc/inetd.conf</filename>.  Each
+	line of this configuration file represents an application
+	which can be started by <application>inetd</application>.  By
+	default, every line starts with a comment
+	(<literal>#</literal>), meaning that
+	<application>inetd</application> is not listening for any
+	applications.  To configure <application>inetd</application>
+	to listen for an application's connections, remove the
+	<literal>#</literal> at the beginning of the line for that
+	application.</para>
+
+      <para>After saving your edits, configure
+	<application>inetd</application> to start at system boot by
+	editing <filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>inetd_enable="YES"</programlisting>
+
+      <para>To start  <application>inetd</application> now, so that it
+	listens for the service you configured, type:</para>
+
+      <screen>&prompt.root; <userinput>service inetd start</userinput></screen>
+
+      <para>Once <application>inetd</application> is started, it needs
+	to be notified whenever a modification is made to
+	<filename>/etc/inetd.conf</filename>:</para>
+
+      <example xml:id="network-inetd-reread">
+	<title>Reloading the <application>inetd</application>
+	  Configuration File</title>
+
+	<screen>&prompt.root; <userinput>service inetd reload</userinput></screen>
+      </example>
 
-      <para>When a modification is made to
-	<filename>/etc/inetd.conf</filename>,
-	<application>inetd</application> can be forced to re-read its
-	configuration file by sending a HangUP signal to the
-	<application>inetd</application> process as shown:</para>
+      <para>Typically, the default entry for an application does not
+	need to be edited beyond removing the <literal>#</literal>.
+	In some situations, it may be appropriate to edit the default
+	entry.</para>
 
-      <example xml:id="network-inetd-hangup">
-	<title>Sending <application>inetd</application> a HangUP Signal</title>
+      <para>As an example, this is the default entry for &man.ftpd.8;
+	over IPv4:</para>
 
-	<screen>&prompt.root; <userinput>kill -HUP `cat /var/run/inetd.pid`</userinput></screen>
-      </example>
+      <programlisting>ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l</programlisting>
 
-      <para>Each line of the configuration file specifies an
-	individual daemon.  Comments in the file are preceded by a
-	<quote>#</quote>.  The format of
-	<filename>/etc/inetd.conf</filename> is as follows:</para>
+      <para>The seven columns in an entry are as follows:</para>
 
       <programlisting>service-name
 socket-type
 protocol
-{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
+{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
 user[:group][/login-class]
 server-program
 server-program-arguments</programlisting>
 
-      <para>An example entry for the <application>ftpd</application> daemon
-	using IPv4:</para>
-
-      <programlisting>ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l</programlisting>
+      <para>where:</para>
 
       <variablelist>
 	<varlistentry>
 	  <term>service-name</term>
 
 	  <listitem>
-	    <para>This is the service name of the particular daemon.
-	      It must correspond to a service listed in
+	    <para>The service name of the daemon to start.  It must
+	      correspond to a service listed in
 	      <filename>/etc/services</filename>.  This determines
-	      which port <application>inetd</application> must listen
-	      to.  If a new service is being created, it must be
-	      placed in <filename>/etc/services</filename>
-	      first.</para>
+	      which port <application>inetd</application> listens on
+	      for incoming connections to that service.  When using a
+	      custom service, it must first be added to
+	      <filename>/etc/services</filename>.</para>
 	  </listitem>
 	</varlistentry>
 
@@ -336,10 +236,10 @@
 	  <listitem>
 	    <para>Either <literal>stream</literal>,
 	      <literal>dgram</literal>, <literal>raw</literal>, or
-	      <literal>seqpacket</literal>.  <literal>stream</literal>
-	      must be used for connection-based, TCP daemons, while
-	      <literal>dgram</literal> is used for daemons utilizing
-	      the <acronym>UDP</acronym> transport protocol.</para>
+	      <literal>seqpacket</literal>.  Use
+	      <literal>stream</literal> for TCP connections and
+	      <literal>dgram</literal> for
+	      <acronym>UDP</acronym> services.</para>
 	  </listitem>
 	</varlistentry>
 
@@ -347,40 +247,47 @@
 	  <term>protocol</term>
 
 	  <listitem>
-	    <para>One of the following:</para>
+	    <para>Use one of the following protocol names:</para>
 
 	    <informaltable frame="none" pgwide="1">
 	      <tgroup cols="2">
 		<thead>
 		  <row>
-		    <entry>Protocol</entry>
+		    <entry>Protocol Name</entry>
 		    <entry>Explanation</entry>
 		  </row>
 		</thead>
+
 		<tbody>
 		  <row>
-		    <entry>tcp, tcp4</entry>
+		    <entry>tcp or tcp4</entry>
 		    <entry>TCP IPv4</entry>
 		  </row>
+
 		  <row>
-		    <entry>udp, udp4</entry>
-		    <entry>UDP IPv4</entry>
+		    <entry>udp or udp4</entry>
+		    <entry><acronym>UDP</acronym> IPv4</entry>
 		  </row>
+
 		  <row>
 		    <entry>tcp6</entry>
 		    <entry>TCP IPv6</entry>
 		  </row>
+
 		  <row>
 		    <entry>udp6</entry>
-		    <entry>UDP IPv6</entry>
+		    <entry><acronym>UDP</acronym> IPv6</entry>
 		  </row>
+
 		  <row>
 		    <entry>tcp46</entry>
-		    <entry>Both TCP IPv4 and v6</entry>
+		    <entry>Both TCP IPv4 and IPv6</entry>
 		  </row>
+
 		  <row>
 		    <entry>udp46</entry>
-		    <entry>Both UDP IPv4 and v6</entry>
+		    <entry>Both <acronym>UDP</acronym> IPv4 and
+		      IPv6</entry>
 		  </row>
 		</tbody>
 	      </tgroup>
@@ -389,61 +296,51 @@
 	</varlistentry>
 
 	<varlistentry>
-	  <term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]</term>
+	  <term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]</term>
 
 	  <listitem>
-	    <para><option>wait|nowait</option> indicates whether the
-	      daemon invoked from <application>inetd</application> is
-	      able to handle its own socket or not.
-	      <option>dgram</option> socket types must use the
-	      <option>wait</option> option, while stream socket
-	      daemons, which are usually multi-threaded, should use
-	      <option>nowait</option>.  <option>wait</option> usually
-	      hands off multiple sockets to a single daemon, while
-	      <option>nowait</option> spawns a child daemon for each
-	      new socket.</para>
+	    <para>In this field, <option>wait</option> or
+	      <option>nowait</option> must be specified.
+	      <option>max-child</option>,
+	      <option>max-connections-per-ip-per-minute</option> and
+	      <option>max-child-per-ip</option> are optional.</para>
+
+	    <para><option>wait|nowait</option> indicates whether or
+	      not the service is able to handle its own socket.
+	      <option>dgram</option> socket types must use
+	      <option>wait</option> while
+	      <option>stream</option> daemons, which are usually
+	      multi-threaded, should use <option>nowait</option>.
+	      <option>wait</option> usually hands off multiple sockets
+	      to a single daemon, while <option>nowait</option> spawns
+	      a child daemon for each new socket.</para>
 
 	    <para>The maximum number of child daemons
-	      <application>inetd</application> may spawn can be set
-	      using the <option>max-child</option> option.  If a limit
-	      of ten instances of a particular daemon is needed, a
-	      <literal>/10</literal> would be placed after
-	      <option>nowait</option>.</para>
-
-	    <para>In addition to <option>max-child</option>, another
-	      option limiting the maximum connections from a single
-	      place to a particular daemon can be enabled.
-	      <option>max-connections-per-ip-per-minute</option> does
-	      just this.  A value of ten here would limit any particular
-	      IP address connecting to a particular service to ten
-	      attempts per minute.  This is useful to prevent
-	      intentional or unintentional resource consumption and
-	      Denial of Service (DoS) attacks to a machine.</para>
+	      <application>inetd</application> may spawn is set by
+	      <option>max-child</option>.  For example, to limit ten
+	      instances of the daemon, place a <literal>/10</literal>
+	      after <option>nowait</option>.  Specifying
+	      <literal>/0</literal> allows an unlimited number of
+	      children.</para>
+
+	    <para><option>max-connections-per-ip-per-minute</option>
+	      limits the number of connections from any particular
+	      <acronym>IP</acronym> address per minute.  Once the
+	      limit  is reached, further connections from this IP
+	      address will be dropped until the end of the minute.
+	      For example, a value of <literal>/10</literal> would
+	      limit any particular <acronym>IP</acronym> address to
+	      ten connection attempts per minute.
+	      <option>max-child-per-ip</option> limits the number of
+	      child processes that can be started on behalf on any
+	      single <acronym>IP</acronym> address at any moment.
+	      These options can limit excessive resource consumption
+	      and help to prevent Denial of Service attacks.</para>
 
-	    <para>In this field, <option>wait</option> or
-	      <option>nowait</option> is mandatory.
-	      <option>max-child</option> and
-	      <option>max-connections-per-ip-per-minute</option> are
-	      optional.</para>
-
-	    <para>A stream-type multi-threaded daemon without any
-	      <option>max-child</option> or
-	      <option>max-connections-per-ip-per-minute</option> limits
-	      would simply be: <literal>nowait</literal>.</para>
-
-	    <para>The same daemon with a maximum limit of ten daemons
-	      would read: <literal>nowait/10</literal>.</para>
-
-	    <para>Additionally, the same setup with a limit of twenty
-	      connections per IP address per minute and a maximum
-	      total limit of ten child daemons would read:
-	      <literal>nowait/10/20</literal>.</para>
-
-	    <para>These options are all utilized by the default
-	      settings of the <application>fingerd</application> daemon,
-	      as seen here:</para>
+	    <para>An example can be seen in the default settings for
+	      &man.fingerd.8;:</para>
 
-	    <programlisting>finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s</programlisting>
+	    <programlisting>finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s</programlisting>
 	  </listitem>
 	</varlistentry>
 
@@ -451,12 +348,11 @@
 	  <term>user</term>
 
 	  <listitem>
-	    <para>This is the username that the particular daemon
-	      should run as.  Most commonly, daemons run as the
-	      <systemitem class="username">root</systemitem> user.  For security purposes, it is
-	      common to find some servers running as the
-	      <systemitem class="username">daemon</systemitem> user, or the least privileged
-	      <systemitem class="username">nobody</systemitem> user.</para>
+	    <para>The username the daemon
+	      will run as.  Daemons typically run as
+	      <systemitem class="username">root</systemitem>,
+	      <systemitem class="username">daemon</systemitem>, or
+	      <systemitem class="username">nobody</systemitem>.</para>
 	  </listitem>
 	</varlistentry>
 
@@ -464,11 +360,9 @@
 	  <term>server-program</term>
 
 	  <listitem>
-	    <para>The full path of the daemon to be executed when a
-	      connection is received.  If the daemon is a service
-	      provided by <application>inetd</application> internally,
-	      then <option>internal</option> should be
-	      used.</para>
+	    <para>The full path to the daemon.  If the daemon is a
+	      service provided by <application>inetd</application>
+	      internally, use <option>internal</option>.</para>
 	  </listitem>
 	</varlistentry>
 
@@ -476,150 +370,207 @@
 	  <term>server-program-arguments</term>
 
 	  <listitem>
-	    <para>This works in conjunction with
-	      <option>server-program</option> by specifying the
-	      arguments, starting with <literal>argv[0]</literal>,
-	      passed to the daemon on invocation.  If
-	      <command>mydaemon -d</command> is the command line,
-	      <literal>mydaemon -d</literal> would be the value of
-	      <option>server-program-arguments</option>.  Again, if
-	      the daemon is an internal service, use
-	      <option>internal</option> here.</para>
+	    <para>Used to specify any command arguments to be passed
+	      to the daemon on invocation.  If the daemon is an
+	      internal service, use
+	      <option>internal</option>.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
     </sect2>
 
-    <sect2 xml:id="network-inetd-security">
-      <title>Security</title>
+    <sect2 xml:id="network-inetd-cmdline">
+      <title>Command-Line Options</title>
 
-      <para>Depending on the security profile chosen at install, many
-	of <application>inetd</application>'s daemons may be enabled
-	by default.  If there is no apparent need for a particular
-	daemon, disable it!  Place a <quote>#</quote> in front of the
-	daemon in question in <filename>/etc/inetd.conf</filename>,
-	and then send a <link linkend="network-inetd-hangup">hangup
-	signal to inetd</link>.  Some daemons, such as
-	<application>fingerd</application>, may not be desired at all
-	because they provide an attacker with too much
-	information.</para>
+      <para>Like most server daemons, <application>inetd</application>
+	has a number of options that can be used to modify its
+	behaviour.  By default, <application>inetd</application> is
+	started with <literal>-wW -C 60</literal>.  These options
+	enable TCP wrappers for all services, including internal
+	services, and prevent any <acronym>IP</acronym> address from
+	requesting any service more than 60 times per minute.</para>
+
+      <para>To change the default options which are passed to
+	<application>inetd</application>, add an entry for
+	<literal>inetd_flags</literal> in
+	<filename>/etc/rc.conf</filename>.  If
+	<application>inetd</application> is already running, restart
+	it with <command>service inetd restart</command>.</para>
 
-      <para>Some daemons are not security-conscious and have long, or
-	non-existent timeouts for connection attempts.  This allows an
-	attacker to slowly send connections to a particular daemon,
-	thus saturating available resources.  It may be a good idea to
-	place <option>max-connections-per-ip-per-minute</option> and
-	<option>max-child</option> limitations on certain
-	daemons.</para>
-
-      <para>By default, TCP wrapping is turned on.  Consult the
-	&man.hosts.access.5; manual page for more information on placing
-	TCP restrictions on various <application>inetd</application>
-	invoked daemons.</para>
-    </sect2>
+      <para>The available rate limiting options are:</para>
+
+      <variablelist>
+	<varlistentry>
+	  <term>-c maximum</term>
 
-    <sect2 xml:id="network-inetd-misc">
-      <title>Miscellaneous</title>
+	  <listitem>
+	    <para>Specify the default maximum number of simultaneous
+	      invocations of each service, where the default is
+	      unlimited.  May be overridden on a per-service basis by
+	      using <option>max-child</option> in
+	      <filename>/etc/inetd.conf</filename>.</para>
+	  </listitem>
+	</varlistentry>
 
-      <para><application>daytime</application>,
-	<application>time</application>,
-	<application>echo</application>,
-	<application>discard</application>,
-	<application>chargen</application>, and
-	<application>auth</application> are all internally provided
-	services of <application>inetd</application>.</para>
-
-      <para>The <application>auth</application> service provides
-	identity (<application>ident</application>,
-	<application>identd</application>) network services, and is
-	configurable to a certain degree.</para>
+	<varlistentry>
+	  <term>-C rate</term>
 
-      <para>Consult the &man.inetd.8; manual page for more in-depth
-	information.</para>
+	  <listitem>
+	    <para>Specify the default maximum number of times a
+	      service can be invoked from a single
+	      <acronym>IP</acronym> address per minute.  May be
+	      overridden on a per-service basis by using
+	      <option>max-connections-per-ip-per-minute</option> in
+	      <filename>/etc/inetd.conf</filename>.</para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term>-R rate</term>
+
+	  <listitem>
+	    <para>Specify the maximum number of times a service can be
+	      invoked in one minute, where the default is
+	      <literal>256</literal>.  A rate of <literal>0</literal>
+	      allows an unlimited number.</para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term>-s maximum</term>
+
+	  <listitem>
+	    <para>Specify the maximum number of times a service can be
+	      invoked from a single <acronym>IP</acronym> address at
+	      any one time, where the default is unlimited.  May be
+	      overridden on a per-service basis by using
+	      <option>max-child-per-ip</option> in
+	      <filename>/etc/inetd.conf</filename>.</para>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
+
+      <para>Additional options are available.  Refer to &man.inetd.8;
+	for the full list of options.</para>
+    </sect2>
+
+    <sect2 xml:id="network-inetd-security">
+      <title>Security Considerations</title>
+
+      <para>Many of the daemons which can be managed by
+	<application>inetd</application> are not security-conscious.
+	Some daemons, such as <application>fingerd</application>, can
+	provide information that may be useful to an attacker.  Only
+	enable the services which are needed and monitor the system
+	for excessive connection attempts.
+	<literal>max-connections-per-ip-per-minute</literal>,
+	<literal>max-child</literal> and
+	<literal>max-child-per-ip</literal> can be used to limit such
+	attacks.</para>
+
+      <para>By default, TCP wrappers is enabled.  Consult
+	&man.hosts.access.5; for more information on placing TCP
+	restrictions on various
+	<application>inetd</application> invoked daemons.</para>
     </sect2>
   </sect1>
 
   <sect1 xml:id="network-nfs">
-    <info><title>Network File System (NFS)</title>
+    <info>
+      <title>Network File System (NFS)</title>
+
       <authorgroup>
-        <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Reorganized and enhanced by </contrib></author>
+	<author>
+	  <personname>
+	  <firstname>Tom</firstname>
+	  <surname>Rhodes</surname>
+	</personname>
+	  <contrib>Reorganized and enhanced by </contrib>
+	</author>
       </authorgroup>
       <authorgroup>
-        <author><personname><firstname>Bill</firstname><surname>Swingle</surname></personname><contrib>Written by </contrib></author>
+	<author>
+	  <personname>
+	  <firstname>Bill</firstname>
+	  <surname>Swingle</surname>
+	</personname>
+	  <contrib>Written by </contrib>
+	</author>
       </authorgroup>
     </info>
-    
 
     <indexterm><primary>NFS</primary></indexterm>
-    <para>Among the many different file systems that FreeBSD supports
-      is the Network File System, also known as <acronym role="Network       File System">NFS</acronym>.  <acronym role="Network File       System">NFS</acronym> allows a system to share directories and
-      files with others over a network.  By using <acronym role="Network File System">NFS</acronym>, users and programs can
-      access files on remote systems almost as if they were local
-      files.</para>
+    <para>&os; supports the Network File System
+      (<acronym>NFS</acronym>), which allows a server to share
+      directories and files with clients over a network.  With
+      <acronym>NFS</acronym>, users and programs can access files on
+      remote systems as if they were stored locally.</para>
 
-    <para>Some of the most notable benefits that
-      <acronym>NFS</acronym> can provide are:</para>
+    <para><acronym>NFS</acronym> has many practical uses.  Some of
+      the more common uses include:</para>
 
     <itemizedlist>
       <listitem>
-	<para>Local workstations use less disk space because commonly
-	  used data can be stored on a single machine and still remain
-	  accessible to others over the network.</para>
+	<para>Data that would otherwise be duplicated on each client
+	  can be kept in a single location and accessed by clients
+	  on the network.</para>
       </listitem>
 
       <listitem>
-	<para>There is no need for users to have separate home
-	  directories on every network machine.  Home directories
-	  could be set up on the <acronym>NFS</acronym> server and
-	  made available throughout the network.</para>
+	<para>Several clients may need access to the
+	  <filename>/usr/ports/distfiles</filename> directory.
+	  Sharing that directory allows for quick access to the
+	  source files without having to download them to each
+	  client.</para>
       </listitem>
 
       <listitem>
-	<para>Storage devices such as floppy disks, CDROM drives, and
-	  &iomegazip; drives can be used by other machines on the network.
-	  This may reduce the number of removable media drives
-	  throughout the network.</para>
+	<para>On large networks, it is often more convenient to
+	  configure a central <acronym>NFS</acronym> server on which
+	  all user home directories are stored.  Users can log into
+	  a client anywhere on the network and have access to their
+	  home directories.</para>
       </listitem>
-    </itemizedlist>
 
-    <sect2>
-      <title>How <acronym>NFS</acronym> Works</title>
+      <listitem>
+	<para>Administration of <acronym>NFS</acronym> exports is
+	  simplified.  For example, there is only one file system
+	  where security or backup policies must be set.</para>
+      </listitem>
+
+      <listitem>
+	<para>Removable media storage devices can be used by other
+	  machines on the network.  This reduces the number of devices
+	  throughout the network and provides a centralized location
+	  to manage their security.  It is often more convenient to
+	  install software on multiple machines from a centralized
+	  installation media.</para>
+      </listitem>
+    </itemizedlist>
 
-      <para><acronym>NFS</acronym> consists of at least two main
-        parts: a server and one or more clients.  The client remotely
-        accesses the data that is stored on the server machine.  In
-        order for this to function properly a few processes have to be
-        configured and running.</para>
-
-      <note><para>Under &os;&nbsp;4.X, the <application>portmap</application>
-	utility is used in place of the
-	<application>rpcbind</application> utility.  Thus, in &os;&nbsp;4.X
-	the user is required to replace every instance of
-	<application>rpcbind</application> with
-	<application>portmap</application> in the forthcoming
-	examples.</para></note>
+    <para><acronym>NFS</acronym> consists of a server and one or more
+      clients.  The client remotely accesses the data that is stored
+      on the server machine.  In order for this to function properly,
+      a few processes have to be configured and running.</para>
 
-      <para>The server has to be running the following daemons:</para>
-      <indexterm>
-        <primary>NFS</primary>
-        <secondary>server</secondary>
-      </indexterm>
-      <indexterm>
-        <primary>file server</primary>
-        <secondary>UNIX clients</secondary>
+    <para>These daemons must be running on the server:</para>
+    <indexterm>
+      <primary>NFS</primary>
+	<secondary>server</secondary>
+     </indexterm>
+     <indexterm>
+       <primary>file server</primary>
+	<secondary>UNIX clients</secondary>
       </indexterm>
 
       <indexterm>
 	<primary><application>rpcbind</application></primary>
       </indexterm>
       <indexterm>
-        <primary><application>portmap</application></primary>
-      </indexterm>
-      <indexterm>
-        <primary><application>mountd</application></primary>
+	<primary><application>mountd</application></primary>
       </indexterm>
       <indexterm>
-        <primary><application>nfsd</application></primary>
+	<primary><application>nfsd</application></primary>
       </indexterm>
 
       <informaltable frame="none" pgwide="1">
@@ -633,151 +584,119 @@
 	      <entry>Description</entry>
 	    </row>
 	  </thead>
+
 	  <tbody>
 	    <row>
 	      <entry><application>nfsd</application></entry>
 	      <entry>The <acronym>NFS</acronym> daemon which services
-	      requests from the <acronym>NFS</acronym>
-	      clients.</entry>
+		requests from <acronym>NFS</acronym> clients.</entry>
 	    </row>
+
 	    <row>
 	      <entry><application>mountd</application></entry>
-	      <entry>The <acronym>NFS</acronym> mount daemon which carries out
-		the requests that &man.nfsd.8; passes on to it.</entry>
+	      <entry>The <acronym>NFS</acronym> mount daemon which
+		carries out requests received from
+		<application>nfsd</application>.</entry>
 	    </row>
+
 	    <row>
 	      <entry><application>rpcbind</application></entry>
-	      <entry> This daemon allows
-	      <acronym>NFS</acronym> clients to discover which port
-	      the <acronym>NFS</acronym> server is using.</entry>
+	      <entry> This daemon allows <acronym>NFS</acronym>
+		clients to discover which port the
+		<acronym>NFS</acronym> server is using.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
-      <para>The client can also run a daemon, known as
-        <application>nfsiod</application>.  The
-        <application>nfsiod</application> daemon services the requests
-        from the <acronym>NFS</acronym> server.  This is optional, and
-        improves performance, but is not required for normal and
-        correct operation.  See the &man.nfsiod.8; manual page for
-        more information.
-      </para>
-    </sect2>
-
-    <sect2 xml:id="network-configuring-nfs">
-      <title>Configuring <acronym>NFS</acronym></title>
-      <indexterm>
-        <primary>NFS</primary>
-        <secondary>configuration</secondary>
-      </indexterm>
-
-      <para><acronym>NFS</acronym> configuration is a relatively
-        straightforward process.  The processes that need to be
-        running can all start at boot time with a few modifications to
-        your <filename>/etc/rc.conf</filename> file.</para>
-
-      <para>On the <acronym>NFS</acronym> server, make sure that the
-        following options are configured in the
-        <filename>/etc/rc.conf</filename> file:</para>
+      <para>Running &man.nfsiod.8; on the client can improve
+	performance, but is not required.</para>
 
-      <programlisting>rpcbind_enable="YES"
-nfs_server_enable="YES"
-mountd_flags="-r"</programlisting>
-
-      <para><application>mountd</application> runs automatically
-        whenever the <acronym>NFS</acronym> server is enabled.</para>
+      <sect2 xml:id="network-configuring-nfs">
+	<title>Configuring the Server</title>
 
-      <para>On the client, make sure this option is present in
-        <filename>/etc/rc.conf</filename>:</para>
-
-      <programlisting>nfs_client_enable="YES"</programlisting>
-
-      <para>The <filename>/etc/exports</filename> file specifies which
-        file systems <acronym>NFS</acronym> should export (sometimes
-        referred to as <quote>share</quote>).  Each line in
-        <filename>/etc/exports</filename> specifies a file system to be
-        exported and which machines have access to that file system.
-        Along with what machines have access to that file system,
-        access options may also be specified.  There are many such
-        options that can be used in this file but only a few will be
-        mentioned here.  You can easily discover other options by
-        reading over the &man.exports.5; manual page.</para>
+	<indexterm>
+	  <primary>NFS</primary>
+	  <secondary>configuration</secondary>
+	</indexterm>
 
-      <para>Here are a few example <filename>/etc/exports</filename>
-	entries:</para>
+      <para>The file systems which the <acronym>NFS</acronym> server
+	will share are specified in <filename>/etc/exports</filename>.
+	Each line in this file specifies a file system to be exported,
+	which clients have access to that file system, and any access
+	options.  When adding entries to this file, each exported file
+	system, its properties, and allowed hosts must occur on a
+	single line.  If no clients are listed in the entry, then any
+	client on the network can mount that file system.</para>
 
       <indexterm>
-        <primary>NFS</primary>
-        <secondary>export examples</secondary>
+	<primary>NFS</primary>
+	<secondary>export examples</secondary>
       </indexterm>
 
-      <para>The following examples give an idea of how to export
-        file systems, although the settings may be different depending
-        on your environment and network configuration.  For instance,
-        to export the <filename>/cdrom</filename> directory to three
-        example machines that have the same domain name as the server
-        (hence the lack of a domain name for each) or have entries in
-        your <filename>/etc/hosts</filename> file.  The
-        <option>-ro</option> flag makes the exported file system
-        read-only.  With this flag, the remote system will not be able
-        to write any changes to the exported file system.</para>
-
-      <programlisting>/cdrom -ro host1 host2 host3</programlisting>
-
-      <para>The following line exports <filename>/home</filename> to
-	three hosts by IP address.  This is a useful setup if you have
-	a private network without a <acronym>DNS</acronym> server
-	configured.  Optionally the <filename>/etc/hosts</filename>
-	file could be configured for internal hostnames; please review
-	&man.hosts.5; for more information.  The
-	<option>-alldirs</option> flag allows the subdirectories to be
-	mount points.  In other words, it will not mount the
-	subdirectories but permit the client to mount only the
-	directories that are required or needed.</para>
+      <para>The following <filename>/etc/exports</filename> entries
+	demonstrate how to export file systems.  The examples can be
+	modified to match the file systems and client names on the
+	reader's network.  There are many options that can be used in
+	this file, but only a few will be mentioned here.  See
+	&man.exports.5; for the full list of options.</para>
+
+      <para>This example shows how to export
+	<filename>/cdrom</filename> to three hosts named
+	<replaceable>alpha</replaceable>,
+	<replaceable>bravo</replaceable>, and
+	<replaceable>charlie</replaceable>:</para>
+
+      <programlisting>/cdrom -ro <replaceable>alpha</replaceable> <replaceable>bravo</replaceable> <replaceable>charlie</replaceable></programlisting>
+
+      <para>The <literal>-ro</literal> flag makes the file system
+	read-only, preventing clients from making any changes to the
+	exported file system.  This example assumes that the host
+	names are either in <acronym>DNS</acronym> or in
+	<filename>/etc/hosts</filename>.  Refer to &man.hosts.5; if
+	the network does not have a <acronym>DNS</acronym>
+	server.</para>
+
+      <para>The next example exports <filename>/home</filename> to
+	three clients by <acronym>IP</acronym> address.  This can be
+	useful for networks without <acronym>DNS</acronym> or
+	<filename>/etc/hosts</filename> entries.  The
+	<literal>-alldirs</literal> flag allows subdirectories to be
+	mount points.  In other words, it will not automatically mount
+	the subdirectories, but will permit the client to mount the
+	directories that are required as needed.</para>
 
       <programlisting>/home  -alldirs  10.0.0.2 10.0.0.3 10.0.0.4</programlisting>
 
-      <para>The following line exports <filename>/a</filename> so that
-	two clients from different domains may access the file system.
-	The <option>-maproot=root</option> flag allows the
-	<systemitem class="username">root</systemitem> user on the remote system to write
-	data on the exported file system as <systemitem class="username">root</systemitem>.
-	If the <literal>-maproot=root</literal> flag is not specified,
-	then even if a user has <systemitem class="username">root</systemitem> access on
-	the remote system, he will not be able to modify files on
-	the exported file system.</para>
+      <para>This next example exports <filename>/a</filename> so that
+	two clients from different domains may access that file
+	system.  The <option>-maproot=root</option> allows <systemitem
+	  class="username">root</systemitem> on the remote system to
+	write data on the exported file system as <systemitem
+	  class="username">root</systemitem>.  If
+	<literal>-maproot=root</literal> is not specified, the
+	client's <systemitem class="username">root</systemitem> user
+	will be mapped to the server's <systemitem
+	  class="username">nobody</systemitem> account and will be
+	subject to the access limitations defined for <systemitem
+	  class="username">nobody</systemitem>.</para>
 
       <programlisting>/a  -maproot=root  host.example.com box.example.org</programlisting>
 
-      <para>In order for a client to access an exported file system,
-	the client must have permission to do so.  Make sure the
-	client is listed in your <filename>/etc/exports</filename>
-	file.</para>
-
-      <para>In <filename>/etc/exports</filename>, each line represents
-	the export information for one file system to one host.  A
-	remote host can only be specified once per file system, and may
-	only have one default entry.  For example, assume that
-	<filename>/usr</filename> is a single file system.  The
-	following <filename>/etc/exports</filename> would be
-	invalid:</para>
+      <para>A client can only be specified once per file system.  For
+	example, if <filename>/usr</filename> is a single file system,
+	these entries would be invalid as both entries specify the
+	same host:</para>
 
       <programlisting># Invalid when /usr is one file system
 /usr/src   client
 /usr/ports client</programlisting>
 
-      <para>One file system, <filename>/usr</filename>, has two lines
-	specifying exports to the same host, <systemitem>client</systemitem>.
-        The correct format for this situation is:</para>
+      <para>The correct format for this situation is to use one
+	entry:</para>
 
       <programlisting>/usr/src /usr/ports  client</programlisting>
 
-      <para>The properties of one file system exported to a given host
-	must all occur on one line.  Lines without a client specified
-	are treated as a single host.  This limits how you can export
-	file systems, but for most people this is not an issue.</para>
-
       <para>The following is an example of a valid export list, where
 	<filename>/usr</filename> and <filename>/exports</filename>
 	are local file systems:</para>
@@ -791,140 +710,156 @@
 /exports -alldirs -maproot=root      client01 client02
 /exports/obj -ro</programlisting>
 
-      <para>You must restart
-        <application>mountd</application> whenever you modify
-        <filename>/etc/exports</filename> so the changes can take effect.
-        This can be accomplished by sending the HUP signal
-        to the <command>mountd</command> process:</para>
-
-      <screen>&prompt.root; <userinput>kill -HUP `cat /var/run/mountd.pid`</userinput></screen>
-
-      <para>Alternatively, a reboot will make FreeBSD set everything
-        up properly.  A reboot is not necessary though.
-        Executing the following commands as <systemitem class="username">root</systemitem>
-        should start everything up.</para>
-
-      <para>On the <acronym>NFS</acronym> server:</para>
-
-      <screen>&prompt.root; <userinput>rpcbind</userinput>
-&prompt.root; <userinput>nfsd -u -t -n 4</userinput>
-&prompt.root; <userinput>mountd -r</userinput></screen>
-
-      <para>On the <acronym>NFS</acronym> client:</para>
-
-      <screen>&prompt.root; <userinput>nfsiod -n 4</userinput></screen>
-
-      <para>Now everything should be ready to actually mount a remote file
-	system.  In these examples the
-	server's name will be <systemitem>server</systemitem> and the client's
-	name will be <systemitem>client</systemitem>.  If you only want to
-	temporarily mount a remote file system or would rather test the
-	configuration, just execute a command like this as <systemitem class="username">root</systemitem> on the
-        client:</para>
+      <para>To enable the processes required by the
+	<acronym>NFS</acronym> server at boot time, add these options
+	to <filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>rpcbind_enable="YES"
+nfs_server_enable="YES"
+mountd_flags="-r"</programlisting>
+
+      <para>The server can be started now by running this
+	command:</para>
+
+      <screen>&prompt.root; <userinput>service nfsd start</userinput></screen>
+
+      <para>Whenever the <acronym>NFS</acronym> server is started,
+	<application>mountd</application> also starts automatically.
+	However, <application>mountd</application> only reads
+	<filename>/etc/exports</filename> when it is started.  To make
+	subsequent <filename>/etc/exports</filename> edits take effect
+	immediately, force <application>mountd</application> to reread
+	it:</para>
+
+      <screen>&prompt.root; <userinput>service mountd reload</userinput></screen>
+    </sect2>
+
+    <sect2>
+      <title>Configuring the Client</title>
+
+      <para>To enable <acronym>NFS</acronym> clients, set this option
+	in each client's <filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>nfs_client_enable="YES"</programlisting>
+
+      <para>Then, run this command on each <acronym>NFS</acronym>
+	client:</para>
+
+      <screen>&prompt.root; <userinput>service nfsclient start</userinput></screen>
+
+      <para>The client now has everything it needs to mount a remote
+	file system.  In these examples, the server's name is
+	<systemitem>server</systemitem> and the client's name is
+	<systemitem>client</systemitem>.  To mount
+	<filename>/home</filename> on
+	<systemitem>server</systemitem> to the
+	<filename>/mnt</filename> mount point on
+	<systemitem>client</systemitem>:</para>
+
       <indexterm>
-        <primary>NFS</primary>
-        <secondary>mounting</secondary>
+	<primary>NFS</primary>
+	<secondary>mounting</secondary>
       </indexterm>
       <screen>&prompt.root; <userinput>mount server:/home /mnt</userinput></screen>
 
-      <para>This will mount the <filename>/home</filename> directory
-	on the server at <filename>/mnt</filename> on the client.  If
-	everything is set up correctly you should be able to enter
-	<filename>/mnt</filename> on the client and see all the files
-        that are on the server.</para>
-
-      <para>If you want to automatically mount a remote file system
-	each time the computer boots, add the file system to the
-	<filename>/etc/fstab</filename> file.  Here is an example:</para>
+      <para>The files and directories in
+	<filename>/home</filename> will now be available on
+	<systemitem>client</systemitem>, in the
+	<filename>/mnt</filename> directory.</para>
+
+      <para>To mount a remote file system each time the client boots,
+	add it to <filename>/etc/fstab</filename>:</para>
 
       <programlisting>server:/home	/mnt	nfs	rw	0	0</programlisting>
 
-      <para>The &man.fstab.5; manual page lists all the available
-        options.</para>
+      <para>Refer to &man.fstab.5; for a description of all available
+	options.</para>
     </sect2>
 
     <sect2>
-      <title>Practical Uses</title>
+      <title>Locking</title>
 
-      <para><acronym>NFS</acronym> has many practical uses.  Some of
-        the more common ones are listed below:</para>
+      <para>Some applications require file locking to operate
+	correctly.  To enable locking, add these lines to
+	<filename>/etc/rc.conf</filename> on both the client and
+	server:</para>
 
-      <indexterm>
-        <primary>NFS</primary>
-        <secondary>uses</secondary>
-      </indexterm>
-      <itemizedlist>
-        <listitem>
-	  <para>Set several machines to share a CDROM or other media
-	    among them.  This is cheaper and often a more convenient
-	    method to install software on multiple machines.</para>
-	</listitem>
+      <programlisting>rpc_lockd_enable="YES"
+rpc_statd_enable="YES"</programlisting>
 
-	<listitem>
-	  <para>On large networks, it might be more convenient to
-	    configure a central <acronym>NFS</acronym> server in which
-	    to store all the user home directories.  These home
-	    directories can then be exported to the network so that
-	    users would always have the same home directory,
-	    regardless of which workstation they log in to.</para>
-	</listitem>
+      <para>Then start the applications:</para>
 
-	<listitem>
-	  <para>Several machines could have a common
-            <filename>/usr/ports/distfiles</filename> directory.  That
-            way, when you need to install a port on several machines,
-            you can quickly access the source without downloading it
-            on each machine.</para>
-	</listitem>
-      </itemizedlist>
+      <screen>&prompt.root; <userinput>service lockd start</userinput>
+&prompt.root; <userinput>service statd start</userinput></screen>
+
+      <para>If locking is not required on the server, the
+	<acronym>NFS</acronym> client can be configured to lock
+	locally by including <option>-L</option> when running
+	<application>mount</application>.  Refer to &man.mount.nfs.8;
+	for further details.</para>
     </sect2>
 
     <sect2 xml:id="network-amd">
-      <info><title>Automatic Mounts with <application>amd</application></title>
+      <info>
+      <title>Automating Mounts with &man.amd.8;</title>
+
 	<authorgroup>
-	  <author><personname><firstname>Wylie</firstname><surname>Stilwell</surname></personname><contrib>Contributed by </contrib></author>
+	  <author>
+	    <personname>
+	    <firstname>Wylie</firstname>
+	    <surname>Stilwell</surname>
+	  </personname>
+	    <contrib>Contributed by </contrib>
+	  </author>
 	</authorgroup>
 	<authorgroup>
-	  <author><personname><firstname>Chern</firstname><surname>Lee</surname></personname><contrib>Rewritten by </contrib></author>
+	  <author>
+	    <personname>
+	    <firstname>Chern</firstname>
+	    <surname>Lee</surname>
+	    </personname>
+	    <contrib>Rewritten by </contrib>
+	  </author>
 	</authorgroup>
       </info>
-      
 
       <indexterm><primary>amd</primary></indexterm>
-      <indexterm><primary>automatic mounter daemon</primary></indexterm>
+      <indexterm>
+	<primary>automatic mounter daemon</primary>
+      </indexterm>
 
-      <para>&man.amd.8; (the automatic mounter daemon)
-	automatically mounts a
-	remote file system whenever a file or directory within that
-	file system is accessed.  Filesystems that are inactive for a
-	period of time will also be automatically unmounted by
-	<application>amd</application>.  Using
-	<application>amd</application> provides a simple alternative
-	to permanent mounts, as permanent mounts are usually listed in
-        <filename>/etc/fstab</filename>.</para>
-
-      <para><application>amd</application> operates by attaching
-	itself as an NFS server to the <filename>/host</filename> and
-	<filename>/net</filename> directories.  When a file is accessed
-	within one of these directories, <application>amd</application>
-	looks up the corresponding remote mount and automatically mounts
-	it.  <filename>/net</filename> is used to mount an exported
-	file system from an IP address, while <filename>/host</filename>
-	is used to mount an export from a remote hostname.</para>
-
-      <para>An access to a file within
-	<filename>/host/foobar/usr</filename> would tell
-	<application>amd</application> to attempt to mount the
+      <para>The automatic mounter daemon,
+	<application>amd</application>, automatically mounts a remote
+	file system whenever a file or directory within that file
+	system is accessed.  File systems that are inactive for a
+	period of time will be automatically unmounted by
+	<application>amd</application>.</para>
+
+      <para>This daemon provides an alternative to modifying
+	<filename>/etc/fstab</filename> to list every client.  It
+	operates by attaching itself as an  <acronym>NFS</acronym>
+	server to the <filename>/host</filename> and
+	<filename>/net</filename> directories.  When a file is
+	accessed within one of these directories,
+	<application>amd</application> looks up the corresponding
+	remote mount and automatically mounts it.
+	<filename>/net</filename> is used to mount an exported file
+	system from an <acronym>IP</acronym> address while
+	<filename>/host</filename> is used to mount an export from a
+	remote hostname.  For instance, an attempt to access a file
+	within <filename>/host/foobar/usr</filename> would tell
+	<application>amd</application> to mount the
 	<filename>/usr</filename> export on the host
 	<systemitem>foobar</systemitem>.</para>
 
       <example>
-	<title>Mounting an Export with <application>amd</application></title>
+	<title>Mounting an Export with
+	  <application>amd</application></title>
 
-	<para>You can view the available mounts of a remote host with
-	  the <command>showmount</command> command.  For example, to
-	  view the mounts of a host named <systemitem>foobar</systemitem>, you
-	  can use:</para>
+	<para>In this example, <command>showmount -e</command> shows
+	  the exported file systems that can be mounted from the
+	  <acronym>NFS</acronym> server,
+	  <systemitem>foobar</systemitem>:</para>
 
 	<screen>&prompt.user; <userinput>showmount -e foobar</userinput>
 Exports list on foobar:
@@ -933,212 +868,215 @@
 &prompt.user; <userinput>cd /host/foobar/usr</userinput></screen>
       </example>
 
-      <para>As seen in the example, the <command>showmount</command> shows
-	<filename>/usr</filename> as an export.  When changing directories to
-	<filename>/host/foobar/usr</filename>, <application>amd</application>
-	attempts to resolve the hostname <systemitem>foobar</systemitem> and
-	automatically mount the desired export.</para>
+      <para>The output from <command>showmount</command> shows
+	<filename>/usr</filename> as an export.  When changing
+	directories to <filename>/host/foobar/usr</filename>,
+	<application>amd</application> intercepts the request and
+	attempts to resolve the hostname
+	<systemitem>foobar</systemitem>.  If successful,
+	<application>amd</application> automatically mounts the
+	desired export.</para>
 
-      <para><application>amd</application> can be started by the
-	startup scripts by placing the following lines in
-	<filename>/etc/rc.conf</filename>:</para>
+      <para>To enable <application>amd</application> at boot time, add
+	this line to <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>amd_enable="YES"</programlisting>
 
-      <para>Additionally, custom flags can be passed to
-      <application>amd</application> from the
-      <varname>amd_flags</varname> option.  By default,
-      <varname>amd_flags</varname> is set to:</para>
+      <para>To start <application>amd</application> now:</para>
+
+      <screen>&prompt.root; <userinput>service amd start</userinput></screen>
+
+      <para>Custom flags can be passed to
+	<application>amd</application> from the
+	<varname>amd_flags</varname> environment variable.  By
+	default, <varname>amd_flags</varname> is set to:</para>
 
       <programlisting>amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"</programlisting>
 
-      <para>The <filename>/etc/amd.map</filename> file defines the
-	default options that exports are mounted with.  The
-	<filename>/etc/amd.conf</filename> file defines some of the more
-	advanced features of <application>amd</application>.</para>
+      <para>The default options with which exports are mounted are
+	defined in <filename>/etc/amd.map</filename>.  Some of the
+	more advanced features of <application>amd</application> are
+	defined in <filename>/etc/amd.conf</filename>.</para>
 
-      <para>Consult the &man.amd.8; and &man.amd.conf.5; manual pages for more
+      <para>Consult &man.amd.8; and &man.amd.conf.5; for more
 	information.</para>
     </sect2>
 
-    <sect2 xml:id="network-nfs-integration">
-      <info><title>Problems Integrating with Other Systems</title>
-        <authorgroup>
-          <author><personname><firstname>John</firstname><surname>Lind</surname></personname><contrib>Contributed by </contrib></author>
-        </authorgroup>
-      </info>
-      
+    <sect2 xml:id="network-autofs">
+      <title>Automating Mounts with &man.autofs.5;</title>
+
+      <note>
+	<para>The &man.autofs.5; automount facility is supported
+	  starting with &os;&nbsp;10.1-RELEASE.  To use the
+	  automounter functionality in older versions of &os;, use
+	  &man.amd.8; instead.  This chapter only describes the
+	  &man.autofs.5; automounter.</para>
+      </note>
+
+
+      <indexterm><primary>autofs</primary></indexterm>
+      <indexterm>
+	<primary>automounter subsystem</primary>
+      </indexterm>
+
+      <para>The &man.autofs.5; facility is a common name for several
+	components that, together, allow for automatic mounting of
+	remote and local filesystems whenever a file or directory
+	within that file system is accessed.  It consists of the
+	kernel component, &man.autofs.5;, and several userspace
+	applications: &man.automount.8;, &man.automountd.8; and
+	&man.autounmountd.8;.  It serves as an alternative for
+	&man.amd.8; from previous &os; releases.  Amd is still
+	provided for backward compatibility purposes, as the two use
+	different map format; the one used by autofs is the same as
+	with other SVR4 automounters, such as the ones in Solaris,
+	MacOS X, and Linux.</para>
+
+      <para>The &man.autofs.5; virtual filesystem is mounted on
+	specified mountpoints by &man.automount.8;, usually invoked
+	during boot.</para>
+
+      <para>Whenever a process attempts to access file within the
+	&man.autofs.5; mountpoint, the kernel will notify
+	&man.automountd.8; daemon and pause the triggering process.
+	The &man.automountd.8; daemon will handle kernel requests by
+	finding the proper map and mounting the filesystem according
+	to it, then signal the kernel to release blocked process.  The
+	&man.autounmountd.8; daemon automatically unmounts automounted
+	filesystems after some time, unless they are still being
+	used.</para>
+
+      <para>The primary autofs configuration file is
+	<filename>/etc/auto_master</filename>.  It assigns individual
+	maps to top-level mounts.  For an explanation of
+	<filename>auto_master</filename> and the map syntax, refer to
+	&man.auto.master.5;.</para>
+
+      <para>There is a special automounter map mounted on
+	<filename>/net</filename>.  When a file is accessed within
+	this directory, &man.autofs.5; looks up the corresponding
+	remote mount and automatically mounts it.  For instance, an
+	attempt to access a file within
+	<filename>/net/foobar/usr</filename> would tell
+	&man.automountd.8; to mount the <filename
+	  class="directory">/usr</filename> export from the host
+	<systemitem class="fqdomainname">foobar</systemitem>.</para>
+
+      <example>
+	<title>Mounting an Export with &man.autofs.5;</title>
 
-      <para>Certain Ethernet adapters for ISA PC systems have limitations
-	which can lead to serious network problems, particularly with NFS.
-	This difficulty is not specific to FreeBSD, but FreeBSD systems
-	are affected by it.</para>
-
-      <para>The problem nearly always occurs when (FreeBSD) PC systems are
-	networked with high-performance workstations, such as those made
-	by Silicon Graphics, Inc., and Sun Microsystems, Inc.  The NFS
-	mount will work fine, and some operations may succeed, but
-	suddenly the server will seem to become unresponsive to the
-	client, even though requests to and from other systems continue to
-	be processed.  This happens to the client system, whether the
-	client is the FreeBSD system or the workstation.  On many systems,
-	there is no way to shut down the client gracefully once this
-	problem has manifested itself.  The only solution is often to
-	reset the client, because the NFS situation cannot be
-	resolved.</para>
-
-      <para>Though the <quote>correct</quote> solution is to get a
-	higher performance and capacity Ethernet adapter for the
-	FreeBSD system, there is a simple workaround that will allow
-	satisfactory operation.  If the FreeBSD system is the
-	<emphasis>server</emphasis>, include the option
-	<option>-w=1024</option> on the mount from the client.  If the
-	FreeBSD system is the <emphasis>client</emphasis>, then mount
-	the NFS file system with the option <option>-r=1024</option>.
-	These options may be specified using the fourth field of the
-	<filename>fstab</filename> entry on the client for automatic
-	mounts, or by using the <option>-o</option> parameter of the
-	&man.mount.8; command for manual mounts.</para>
-
-      <para>It should be noted that there is a different problem,
-	sometimes mistaken for this one, when the NFS servers and
-	clients are on different networks.  If that is the case, make
-	<emphasis>certain</emphasis> that your routers are routing the
-	necessary <acronym>UDP</acronym> information, or you will not get anywhere, no
-	matter what else you are doing.</para>
-
-      <para>In the following examples, <systemitem>fastws</systemitem> is the host
-	(interface) name of a high-performance workstation, and
-	<systemitem>freebox</systemitem> is the host (interface) name of a FreeBSD
-	system with a lower-performance Ethernet adapter.  Also,
-	<filename>/sharedfs</filename> will be the exported NFS
-	file system (see &man.exports.5;), and
-	<filename>/project</filename> will be the mount point on the
-	client for the exported file system.  In all cases, note that
-	additional options, such as <option>hard</option> or
-	<option>soft</option> and <option>bg</option> may be desirable in
-	your application.</para>
-
-      <para>Examples for the FreeBSD system (<systemitem>freebox</systemitem>)
-	as the client in <filename>/etc/fstab</filename> on
-	<systemitem>freebox</systemitem>:</para>
-
-      <programlisting>fastws:/sharedfs /project nfs rw,-r=1024 0 0</programlisting>
-
-      <para>As a manual mount command on <systemitem>freebox</systemitem>:</para>
-
-      <screen>&prompt.root; <userinput>mount -t nfs -o -r=1024 fastws:/sharedfs /project</userinput></screen>
-
-      <para>Examples for the FreeBSD system as the server in
-	<filename>/etc/fstab</filename> on
-	<systemitem>fastws</systemitem>:</para>
-
-      <programlisting>freebox:/sharedfs /project nfs rw,-w=1024 0 0</programlisting>
-
-      <para>As a manual mount command on <systemitem>fastws</systemitem>:</para>
-
-      <screen>&prompt.root; <userinput>mount -t nfs -o -w=1024 freebox:/sharedfs /project</userinput></screen>
-
-      <para>Nearly any 16-bit Ethernet adapter will allow operation
-	without the above restrictions on the read or write size.</para>
-
-      <para>For anyone who cares, here is what happens when the
-	failure occurs, which also explains why it is unrecoverable.
-	NFS typically works with a <quote>block</quote> size of
-	8&nbsp;K (though it may do fragments of smaller sizes).  Since
-	the maximum Ethernet packet is around 1500&nbsp;bytes, the NFS
-	<quote>block</quote> gets split into multiple Ethernet
-	packets, even though it is still a single unit to the
-	upper-level code, and must be received, assembled, and
-	<emphasis>acknowledged</emphasis> as a unit.  The
-	high-performance workstations can pump out the packets which
-	comprise the NFS unit one right after the other, just as close
-	together as the standard allows.  On the smaller, lower
-	capacity cards, the later packets overrun the earlier packets
-	of the same unit before they can be transferred to the host
-	and the unit as a whole cannot be reconstructed or
-	acknowledged.  As a result, the workstation will time out and
-	try again, but it will try again with the entire 8&nbsp;K
-	unit, and the process will be repeated, ad infinitum.</para>
-
-      <para>By keeping the unit size below the Ethernet packet size
-	limitation, we ensure that any complete Ethernet packet
-	received can be acknowledged individually, avoiding the
-	deadlock situation.</para>
-
-      <para>Overruns may still occur when a high-performance
-	workstations is slamming data out to a PC system, but with the
-	better cards, such overruns are not guaranteed on NFS
-	<quote>units</quote>.  When an overrun occurs, the units
-	affected will be retransmitted, and there will be a fair
-	chance that they will be received, assembled, and
-	acknowledged.</para>
+	<para>In this example, <command>showmount -e</command> shows
+	  the exported file systems that can be mounted from the
+	  <acronym>NFS</acronym> server,
+	  <systemitem class="fqdomainname">foobar</systemitem>:</para>
+
+	<screen>&prompt.user; <userinput>showmount -e foobar</userinput>
+Exports list on foobar:
+/usr                               10.10.10.0
+/a                                 10.10.10.0
+&prompt.user; <userinput>cd /net/foobar/usr</userinput></screen>
+      </example>
+
+      <para>The output from <command>showmount</command> shows
+	<filename class="directory">/usr</filename> as an export.
+	When changing directories to <filename
+	  class="directory">/host/foobar/usr</filename>,
+	&man.automountd.8; intercepts the request and attempts to
+	resolve the hostname <systemitem
+	  class="fqdomainname">foobar</systemitem>.  If successful,
+	&man.automountd.8; automatically mounts the source
+	export.</para>
+
+      <para>To enable &man.autofs.5; at boot time, add this line to
+	<filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>autofs_enable="YES"</programlisting>
+
+      <para>Then &man.autofs.5; can be started by running:</para>
+
+      <screen>&prompt.root; <userinput>service automount start</userinput>
+&prompt.root; <userinput>service automountd start</userinput>
+&prompt.root; <userinput>service autounmountd start</userinput></screen>
+
+      <para>The &man.autofs.5; map format is the same as in other
+	operating systems, it might be desirable to consult
+	information from other operating systems, such as the <link
+	  xlink:href="http://images.apple.com/business/docs/Autofs.pdf">Mac
+	  OS X document</link>.</para>
+
+      <para>Consult the &man.automount.8;, &man.automountd.8;,
+      &man.autounmountd.8;, and &man.auto.master.5; manual pages for
+      more information.</para>
     </sect2>
   </sect1>
 
   <sect1 xml:id="network-nis">
-    <info><title>Network Information System (NIS/YP)</title>
+    <!--
+    <sect1info>
       <authorgroup>
-        <author><personname><firstname>Bill</firstname><surname>Swingle</surname></personname><contrib>Written by </contrib></author>
+	<author>
+	  <firstname>Bill</firstname>
+	  <surname>Swingle</surname>
+	  <contrib>Written by </contrib>
+	</author>
       </authorgroup>
       <authorgroup>
-	<author><personname><firstname>Eric</firstname><surname>Ogren</surname></personname><contrib>Enhanced by </contrib></author>
-	<author><personname><firstname>Udo</firstname><surname>Erdelhoff</surname></personname></author>
+	<author>
+	  <firstname>Eric</firstname>
+	  <surname>Ogren</surname>
+	  <contrib>Enhanced by </contrib>
+	</author>
+	<author>
+	  <firstname>Udo</firstname>
+	  <surname>Erdelhoff</surname>
+	</author>
       </authorgroup>
-    </info>
-    
+    </sect1info>
+    -->
+    <title>Network Information System
+      (<acronym>NIS</acronym>)</title>
+
+    <indexterm><primary>NIS</primary></indexterm>
+    <indexterm><primary>Solaris</primary></indexterm>
+    <indexterm><primary>HP-UX</primary></indexterm>
+    <indexterm><primary>AIX</primary></indexterm>
+    <indexterm><primary>Linux</primary></indexterm>
+    <indexterm><primary>NetBSD</primary></indexterm>
+    <indexterm><primary>OpenBSD</primary></indexterm>
+    <indexterm>
+      <primary>yellow pages</primary>
+      <see>NIS</see>
+    </indexterm>
 
-    <sect2>
-      <title>What Is It?</title>
-      <indexterm><primary>NIS</primary></indexterm>
-      <indexterm><primary>Solaris</primary></indexterm>
-      <indexterm><primary>HP-UX</primary></indexterm>
-      <indexterm><primary>AIX</primary></indexterm>
-      <indexterm><primary>Linux</primary></indexterm>
-      <indexterm><primary>NetBSD</primary></indexterm>
-      <indexterm><primary>OpenBSD</primary></indexterm>
-
-      <para><acronym role="Network Information System">NIS</acronym>,
-        which stands for Network Information Services, was developed
-        by Sun Microsystems to centralize administration of &unix;
-        (originally &sunos;) systems.  It has now essentially become
-        an industry standard; all major &unix; like systems
-        (&solaris;, HP-UX, &aix;, Linux, NetBSD, OpenBSD, FreeBSD,
-        etc) support <acronym role="Network Information         System">NIS</acronym>.</para>
-
-      <indexterm><primary>yellow pages</primary><see>NIS</see></indexterm>
-
-      <para><acronym role="Network Information System">NIS</acronym>
-	was formerly known as Yellow Pages, but because of trademark
-	issues, Sun changed the name.  The old term (and yp) is still
-	often seen and used.</para>
+    <para>Network Information System (<acronym>NIS</acronym>) is
+      designed to centralize administration of &unix;-like systems
+      such as &solaris;, HP-UX, &aix;, Linux, NetBSD, OpenBSD, and
+      &os;.  <acronym>NIS</acronym> was originally known as Yellow
+      Pages but the name was changed due to trademark issues.   This
+      is the reason why <acronym>NIS</acronym> commands begin with
+      <literal>yp</literal>.</para>
 
-      <indexterm>
-        <primary>NIS</primary>
-        <secondary>domains</secondary>
+    <indexterm>
+      <primary>NIS</primary>
+      <secondary>domains</secondary>
       </indexterm>
 
-      <para>It is a RPC-based client/server system that allows a group
-	of machines within an NIS domain to share a common set of
-	configuration files.  This permits a system administrator to
-	set up NIS client systems with only minimal configuration data
-	and add, remove or modify configuration data from a single
-	location.</para>
-
-      <indexterm><primary>Windows NT</primary></indexterm>
-
-      <para>It is similar to the &windowsnt; domain system; although
-        the internal implementation of the two are not at all similar,
-        the basic functionality can be compared.</para>
-    </sect2>
+    <para><acronym>NIS</acronym> is a Remote Procedure Call
+      (<acronym>RPC</acronym>)-based client/server system that allows
+      a group of machines within an <acronym>NIS</acronym> domain to
+      share a common set of configuration files.  This permits a
+      system administrator to set up <acronym>NIS</acronym> client
+      systems with only minimal configuration data and to add, remove,
+      or modify configuration data from a single location.</para>
+
+    <para>&os; uses version 2 of the <acronym>NIS</acronym>
+      protocol.</para>
 
     <sect2>
-      <title>Terms/Processes You Should Know</title>
+      <title><acronym>NIS</acronym> Terms and Processes</title>
 
-      <para>There are several terms and several important user
-        processes that you will come across when attempting to
-        implement NIS on FreeBSD, whether you are trying to create an
-        NIS server or act as an NIS client:</para>
+      <para>Table 28.1 summarizes the terms and important processes
+	used by <acronym>NIS</acronym>:</para>
 
       <indexterm>
 	<primary><application>rpcbind</application></primary>
@@ -1147,10 +1085,12 @@
 	<primary><application>portmap</application></primary>
       </indexterm>
 
-      <informaltable frame="none" pgwide="1">
+      <table frame="none" pgwide="1">
+	<title><acronym>NIS</acronym> Terminology</title>
+
 	<tgroup cols="2">
-	<colspec colwidth="1*"/>
-	<colspec colwidth="3*"/>
+	  <colspec colwidth="1*"/>
+	  <colspec colwidth="3*"/>
 
 	  <thead>
 	    <row>
@@ -1158,389 +1098,382 @@
 	      <entry>Description</entry>
 	    </row>
 	  </thead>
+
 	  <tbody>
 	    <row>
-	      <entry>NIS domainname</entry>
+	      <entry><acronym>NIS</acronym> domain name</entry>
 
-	      <entry>An NIS master server and all of its clients
-		(including its slave servers) have a NIS domainname.
-		Similar to an &windowsnt; domain name, the NIS
-		domainname does not have anything to do with
+	      <entry><acronym>NIS</acronym> servers and clients share
+		an <acronym>NIS</acronym> domain name.  Typically,
+		this name does not have anything to do with
 		<acronym>DNS</acronym>.</entry>
 	    </row>
-	    <row>
-	      <entry><application>rpcbind</application></entry>
 
-	      <entry>Must be running in order to enable
-		<acronym>RPC</acronym> (Remote Procedure Call, a
-		network protocol used by NIS).  If
-		<application>rpcbind</application> is not running, it
-		will be impossible to run an NIS server, or to act as
-		an NIS client (Under &os;&nbsp;4.X
-		<application>portmap</application> is used in place of
-		<application>rpcbind</application>).</entry>
-	    </row>
 	    <row>
-	      <entry><application>ypbind</application></entry>
+	      <entry>&man.rpcbind.8;</entry>
 
-	      <entry><quote>Binds</quote> an NIS client to its NIS
-		server.  It will take the NIS domainname from the
-		system, and using <acronym>RPC</acronym>, connect to
-		the server.  <application>ypbind</application> is the
-		core of client-server communication in an NIS
-		environment; if <application>ypbind</application> dies
-		on a client machine, it will not be able to access the
-		NIS server.</entry>
+	      <entry>This service enables <acronym>RPC</acronym> and
+		must be running in order to run an
+		<acronym>NIS</acronym> server or act as an
+		<acronym>NIS</acronym> client.</entry>
 	    </row>
+
 	    <row>
-	      <entry><application>ypserv</application></entry>
-	      <entry>Should only be running on NIS servers; this is
-		the NIS server process itself.  If &man.ypserv.8;
-		dies, then the server will no longer be able to
-		respond to NIS requests (hopefully, there is a slave
-		server to take over for it).  There are some
-		implementations of NIS (but not the FreeBSD one), that
-		do not try to reconnect to another server if the
-		server it used before dies.  Often, the only thing
-		that helps in this case is to restart the server
-		process (or even the whole server) or the
-		<application>ypbind</application> process on the
-		client.
-	      </entry>
+	      <entry>&man.ypbind.8;</entry>
+	      <entry>This service binds an <acronym>NIS</acronym>
+		client to its <acronym>NIS</acronym> server.  It will
+		take the <acronym>NIS</acronym> domain name and use
+		<acronym>RPC</acronym> to connect to the server.  It
+		is the core of client/server communication in an
+		<acronym>NIS</acronym> environment.  If this service
+		is not running on a client machine, it will not be
+		able to access the <acronym>NIS</acronym>
+		server.</entry>
 	    </row>
+
 	    <row>
-	      <entry><application>rpc.yppasswdd</application></entry>
-	      <entry>Another process that should only be running on
-		NIS master servers; this is a daemon that will allow NIS
-		clients to change their NIS passwords.  If this daemon
-		is not running, users will have to login to the NIS
-		master server and change their passwords there.</entry>
+	      <entry>&man.ypserv.8;</entry>
+	      <entry>This is the process for the
+		<acronym>NIS</acronym> server.  If this service stops
+		running, the server will no longer be able to respond
+		to <acronym>NIS</acronym> requests so hopefully, there
+		is a slave server to take over.  Some non-&os; clients
+		will not try to reconnect using a slave server and the
+		<application>ypbind</application> process may need to
+		be restarted on these
+		clients.</entry>
+	    </row>
+
+	    <row>
+	      <entry>&man.rpc.yppasswdd.8;</entry>
+	      <entry>This process only runs on
+		<acronym>NIS</acronym> master servers.  This daemon
+		allows <acronym>NIS</acronym> clients to change their
+		<acronym>NIS</acronym> passwords.  If this daemon is
+		not running, users will have to login to the
+		<acronym>NIS</acronym> master server and change their
+		passwords there.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
-      </informaltable>
+      </table>
       <!-- XXX Missing: rpc.ypxfrd (not important, though) May only run
       on the master -->
-
     </sect2>
 
     <sect2>
-      <title>How Does It Work?</title>
+      <title>Machine Types</title>
+
+      <indexterm><primary>NIS</primary>
+	<secondary>master server</secondary>
+      </indexterm>
+      <indexterm><primary>NIS</primary>
+	<secondary>slave server</secondary>
+      </indexterm>
+      <indexterm><primary>NIS</primary>
+	<secondary>client</secondary>
+      </indexterm>
+
+      <para>There are three types of hosts in an
+	<acronym>NIS</acronym> environment:</para>
+
+      <itemizedlist>
+	<listitem>
+	  <para><acronym>NIS</acronym> master server</para>
+
+	  <para>This server acts as a central repository for host
+	    configuration information and maintains the
+	    authoritative copy of the files used by all of the
+	    <acronym>NIS</acronym> clients.  The
+	    <filename>passwd</filename>, <filename>group</filename>,
+	    and other various files used by <acronym>NIS</acronym>
+	    clients are stored on the master server.  While it is
+	    possible for one machine to be an <acronym>NIS</acronym>
+	    master server for more than one <acronym>NIS</acronym>
+	    domain, this type of configuration will not be covered in
+	    this chapter as it assumes a relatively small-scale
+	    <acronym>NIS</acronym> environment.</para>
+	</listitem>
+
+	<listitem>
+	  <para><acronym>NIS</acronym> slave servers</para>
+
+	  <para><acronym>NIS</acronym> slave servers maintain copies
+	    of the <acronym>NIS</acronym> master's data files in
+	    order to provide redundancy.  Slave servers also help to
+	    balance the load of the master server as
+	    <acronym>NIS</acronym> clients always attach to the
+	    <acronym>NIS</acronym> server which responds
+	    first.</para>
+	</listitem>
+
+	<listitem>
+	  <para><acronym>NIS</acronym> clients</para>
 
-      <para>There are three types of hosts in an NIS environment:
-	master servers, slave servers, and clients.  Servers act as a
-	central repository for host configuration information.  Master
-	servers hold the authoritative copy of this information, while
-	slave servers mirror this information for redundancy.  Clients
-	rely on the servers to provide this information to
-	them.</para>
+	  <para><acronym>NIS</acronym> clients authenticate
+	    against the <acronym>NIS</acronym> server during log
+	    on.</para>
+	</listitem>
+      </itemizedlist>
 
-      <para>Information in many files can be shared in this manner.
-	The <filename>master.passwd</filename>,
+      <para>Information in many files can be shared using
+	<acronym>NIS</acronym>.  The
+	<filename>master.passwd</filename>,
 	<filename>group</filename>, and <filename>hosts</filename>
-	files are commonly shared via NIS.  Whenever a process on a
-	client needs information that would normally be found in these
-	files locally, it makes a query to the NIS server that it is
-	bound to instead.</para>
+	files are commonly shared via <acronym>NIS</acronym>.
+	Whenever a process on a client needs information that would
+	normally be found in these files locally, it makes a query to
+	the <acronym>NIS</acronym> server that it is bound to
+	instead.</para>
+    </sect2>
+
+    <sect2>
+      <title>Planning Considerations</title>
+
+      <para>This section describes a sample <acronym>NIS</acronym>
+	environment which consists of 15 &os; machines with no
+	centralized point of administration.  Each machine has its own
+	<filename>/etc/passwd</filename> and
+	<filename>/etc/master.passwd</filename>.  These files are kept
+	in sync with each other only through manual intervention.
+	Currently, when a user is added to the lab, the process must
+	be repeated on all 15 machines.</para>
+
+      <para>The configuration of the lab will be as follows:</para>
+
+      <informaltable frame="none" pgwide="1">
+	<tgroup cols="3">
+	  <thead>
+	    <row>
+	      <entry>Machine name</entry>
+	      <entry><acronym>IP</acronym> address</entry>
+	      <entry>Machine role</entry>
+	    </row>
+	  </thead>
+
+	  <tbody>
+	    <row>
+	      <entry><systemitem>ellington</systemitem></entry>
+	      <entry><systemitem
+		class="ipaddress">10.0.0.2</systemitem></entry>
+	      <entry><acronym>NIS</acronym> master</entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem>coltrane</systemitem></entry>
+	      <entry><systemitem
+		class="ipaddress">10.0.0.3</systemitem></entry>
+	      <entry><acronym>NIS</acronym> slave</entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem>basie</systemitem></entry>
+	      <entry><systemitem
+		class="ipaddress">10.0.0.4</systemitem></entry>
+	      <entry>Faculty workstation</entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem>bird</systemitem></entry>
+	      <entry><systemitem
+		class="ipaddress">10.0.0.5</systemitem></entry>
+	      <entry>Client machine</entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem>cli[1-11]</systemitem></entry>
+	      <entry>
+		<systemitem
+		  class="ipaddress">10.0.0.[6-17]</systemitem></entry>
+	      <entry>Other client machines</entry>
+	    </row>
+	  </tbody>
+	</tgroup>
+      </informaltable>
+
+      <para>If this is the first time an <acronym>NIS</acronym>
+	scheme is being developed, it should be thoroughly planned
+	ahead of time.  Regardless of network size, several decisions
+	need to be made as part of the planning process.</para>
+
+      <sect3>
+	<title>Choosing a <acronym>NIS</acronym> Domain Name</title>
+
+	<indexterm>
+	  <primary>NIS</primary>
+	  <secondary>domain name</secondary>
+	</indexterm>
+	<para>When a client broadcasts its requests for info, it
+	  includes the name of the <acronym>NIS</acronym> domain that
+	  it is part of.  This is how multiple servers on one network
+	  can tell which server should answer which request.  Think of
+	  the <acronym>NIS</acronym> domain name as the name for a
+	  group of hosts.</para>
+
+	<para>Some organizations choose to use their Internet domain
+	  name for their <acronym>NIS</acronym> domain name.  This is
+	  not recommended as it can cause confusion when trying to
+	  debug network problems.  The <acronym>NIS</acronym> domain
+	  name should be unique within the network and it is helpful
+	  if it describes the group of machines it represents.  For
+	  example, the Art department at Acme Inc. might be in the
+	  <quote>acme-art</quote> <acronym>NIS</acronym> domain.  This
+	  example will use the domain name
+	  <literal>test-domain</literal>.</para>
+
+	<para>However, some non-&os; operating systems require the
+	  <acronym>NIS</acronym> domain name to be the same as the
+	  Internet domain name.  If one or more machines on the
+	  network have this restriction, the Internet domain name
+	  <emphasis>must</emphasis> be used as the
+	  <acronym>NIS</acronym> domain name.</para>
+      </sect3>
 
       <sect3>
-        <title>Machine Types</title>
+	<title>Physical Server Requirements</title>
 
-        <itemizedlist>
-          <listitem>
-            <para>A <emphasis>NIS master server</emphasis><indexterm><primary>NIS</primary><secondary>master server</secondary></indexterm>.  This
-              server, analogous to a &windowsnt; primary domain
-              controller, maintains the files used by all of the NIS
-              clients.  The <filename>passwd</filename>,
-              <filename>group</filename>, and other various files used
-              by the NIS clients live on the master server.</para>
-
-            <note><para>It is possible for one machine to be an NIS
-              master server for more than one NIS domain.  However,
-              this will not be covered in this introduction, which
-              assumes a relatively small-scale NIS
-              environment.</para></note>
-          </listitem>
-
-          <listitem>
-            <para><emphasis>NIS slave servers</emphasis><indexterm><primary>NIS</primary><secondary>slave server</secondary></indexterm>.  Similar to
-              the &windowsnt; backup domain controllers, NIS slave
-              servers maintain copies of the NIS master's data files.
-              NIS slave servers provide the redundancy, which is
-              needed in important environments.  They also help to
-              balance the load of the master server: NIS Clients
-              always attach to the NIS server whose response they get
-              first, and this includes slave-server-replies.</para>
-          </listitem>
-
-          <listitem>
-            <para><emphasis>NIS clients</emphasis><indexterm><primary>NIS</primary><secondary>client</secondary></indexterm>.  NIS clients, like
-              most &windowsnt; workstations, authenticate against the
-              NIS server (or the &windowsnt; domain controller in the
-              &windowsnt; workstations case) to log on.</para>
-          </listitem>
-        </itemizedlist>
+	<para>There are several things to keep in mind when choosing a
+	  machine to use as a <acronym>NIS</acronym> server.  Since
+	  <acronym>NIS</acronym> clients depend upon the availability
+	  of the server, choose a machine that is not rebooted
+	  frequently.  The <acronym>NIS</acronym> server should
+	  ideally be a stand alone machine whose sole purpose is to be
+	  an <acronym>NIS</acronym> server.  If the network is not
+	  heavily used, it is acceptable to put the
+	  <acronym>NIS</acronym> server on a machine running other
+	  services.  However, if the <acronym>NIS</acronym> server
+	  becomes unavailable, it will adversely affect all
+	  <acronym>NIS</acronym> clients.</para>
       </sect3>
     </sect2>
 
     <sect2>
-      <title>Using NIS/YP</title>
+      <title>Configuring the <acronym>NIS</acronym> Master
+	Server</title>
 
-      <para>This section will deal with setting up a sample NIS
-        environment.</para>
+      <para> The canonical copies of all <acronym>NIS</acronym> files
+	are stored on the master server.  The databases used to store
+	the information are called <acronym>NIS</acronym> maps.  In
+	&os;, these maps are stored in
+	<filename>/var/yp/[domainname]</filename> where
+	<filename>[domainname]</filename> is the name of the
+	<acronym>NIS</acronym> domain.  Since multiple domains are
+	supported, it is possible to have several directories, one for
+	each domain.  Each domain will have its own independent set of
+	maps.</para>
+
+      <para><acronym>NIS</acronym> master and slave servers handle all
+	<acronym>NIS</acronym> requests through &man.ypserv.8;.  This
+	daemon is responsible for receiving incoming requests from
+	<acronym>NIS</acronym> clients, translating the requested
+	domain and map name to a path to the corresponding database
+	file, and transmitting data from the database back to the
+	client.</para>
 
-      <note><para>This section assumes that you are running
-        FreeBSD&nbsp;3.3 or later.  The instructions given here will
-        <emphasis>probably</emphasis> work for any version of FreeBSD
-        greater than 3.0, but there are no guarantees that this is
-        true.</para></note>
+      <indexterm><primary>NIS</primary>
+	<secondary>server configuration</secondary>
+      </indexterm>
+      <para>Setting up a master <acronym>NIS</acronym> server can be
+	relatively straight forward, depending on environmental needs.
+	Since &os; provides built-in <acronym>NIS</acronym> support,
+	it only needs to be enabled by adding the following lines to
+	<filename>/etc/rc.conf</filename>:</para>
 
+      <programlisting>nisdomainname="test-domain"	<co xml:id="network-nis-co-domainname" />
+nis_server_enable="YES"		<co xml:id="network-nis-co-server" />
+nis_yppasswdd_enable="YES"	<co xml:id="network-nis-co-yppasswdd" /></programlisting>
 
-      <sect3>
-        <title>Planning</title>
+      <calloutlist>
+	<callout arearefs="network-nis-co-domainname">
+	  <para>This line sets the <acronym>NIS</acronym> domain name
+	    to <literal>test-domain</literal>.</para>
+	</callout>
 
-        <para>Let us assume that you are the administrator of a small
-          university lab.  This lab, which consists of 15 FreeBSD
-          machines, currently has no centralized point of
-          administration; each machine has its own
-          <filename>/etc/passwd</filename> and
-          <filename>/etc/master.passwd</filename>.  These files are
-          kept in sync with each other only through manual
-          intervention; currently, when you add a user to the lab, you
-          must run <command>adduser</command> on all 15 machines.
-          Clearly, this has to change, so you have decided to convert
-          the lab to use NIS, using two of the machines as
-          servers.</para>
-
-        <para>Therefore, the configuration of the lab now looks something
-          like:</para>
-
-        <informaltable frame="none" pgwide="1">
-          <tgroup cols="3">
-            <thead>
-              <row>
-                <entry>Machine name</entry>
-                <entry>IP address</entry>
-                <entry>Machine role</entry>
-              </row>
-            </thead>
-            <tbody>
-              <row>
-                <entry><systemitem>ellington</systemitem></entry>
-                <entry><systemitem class="ipaddress">10.0.0.2</systemitem></entry>
-                <entry>NIS master</entry>
-              </row>
-              <row>
-                <entry><systemitem>coltrane</systemitem></entry>
-                <entry><systemitem class="ipaddress">10.0.0.3</systemitem></entry>
-                <entry>NIS slave</entry>
-              </row>
-              <row>
-                <entry><systemitem>basie</systemitem></entry>
-                <entry><systemitem class="ipaddress">10.0.0.4</systemitem></entry>
-                <entry>Faculty workstation</entry>
-              </row>
-              <row>
-                <entry><systemitem>bird</systemitem></entry>
-                <entry><systemitem class="ipaddress">10.0.0.5</systemitem></entry>
-                <entry>Client machine</entry>
-              </row>
-              <row>
-                <entry><systemitem>cli[1-11]</systemitem></entry>
-                <entry><systemitem class="ipaddress">10.0.0.[6-17]</systemitem></entry>
-                <entry>Other client machines</entry>
-              </row>
-            </tbody>
-          </tgroup>
-        </informaltable>
-
-        <para>If you are setting up a NIS scheme for the first time, it
-	  is a good idea to think through how you want to go about it.  No
-	  matter what the size of your network, there are a few decisions
-	  that need to be made.</para>
-
-        <sect4>
-          <title>Choosing a NIS Domain Name</title>
-
-	  <indexterm>
-	    <primary>NIS</primary>
-	    <secondary>domainname</secondary>
-	  </indexterm>
-          <para>This might not be the <quote>domainname</quote> that
-	    you are used to.  It is more accurately called the
-	    <quote>NIS domainname</quote>.  When a client broadcasts
-	    its requests for info, it includes the name of the NIS
-	    domain that it is part of.  This is how multiple servers
-	    on one network can tell which server should answer which
-	    request.  Think of the NIS domainname as the name for a
-	    group of hosts that are related in some way.</para>
-
-	  <para>Some organizations choose to use their Internet
-	    domainname for their NIS domainname.  This is not
-	    recommended as it can cause confusion when trying to debug
-	    network problems.  The NIS domainname should be unique
-	    within your network and it is helpful if it describes the
-	    group of machines it represents.  For example, the Art
-	    department at Acme Inc. might be in the
-	    <quote>acme-art</quote> NIS domain.  For this example,
-	    assume you have chosen the name
-	    <literal>test-domain</literal>.</para>
-
-	  <indexterm><primary>SunOS</primary></indexterm>
-          <para>However, some operating systems (notably &sunos;) use
-          their NIS domain name as their Internet domain name.  If one
-          or more machines on your network have this restriction, you
-          <emphasis>must</emphasis> use the Internet domain name as
-          your NIS domain name.</para>
-        </sect4>
-
-        <sect4>
-          <title>Physical Server Requirements</title>
-
-	  <para>There are several things to keep in mind when choosing
-	    a machine to use as a NIS server.  One of the unfortunate
-	    things about NIS is the level of dependency the clients
-	    have on the server.  If a client cannot contact the server
-	    for its NIS domain, very often the machine becomes
-	    unusable.  The lack of user and group information causes
-	    most systems to temporarily freeze up.  With this in mind
-	    you should make sure to choose a machine that will not be
-	    prone to being rebooted regularly, or one that might be
-	    used for development.  The NIS server should ideally be a
-	    stand alone machine whose sole purpose in life is to be an
-	    NIS server.  If you have a network that is not very
-	    heavily used, it is acceptable to put the NIS server on a
-	    machine running other services, just keep in mind that if
-	    the NIS server becomes unavailable, it will affect
-	    <emphasis>all</emphasis> of your NIS clients
-	    adversely.</para>
-        </sect4>
-      </sect3>
+	<callout arearefs="network-nis-co-server">
+	  <para>This automates the start up of the
+	    <acronym>NIS</acronym> server processes when the system
+	    boots.</para>
+	</callout>
+
+	<callout arearefs="network-nis-co-yppasswdd">
+	  <para>This enables the &man.rpc.yppasswdd.8; daemon so that
+	    users can change their <acronym>NIS</acronym> password
+	    from a client machine.</para>
+	</callout>
+      </calloutlist>
+
+      <para>Care must be taken in a multi-server domain where the
+	server machines are also <acronym>NIS</acronym> clients.  It
+	is generally a good idea to force the servers to bind to
+	themselves rather than allowing them to broadcast bind
+	requests and possibly become bound to each other.  Strange
+	failure modes can result if one server goes down and others
+	are dependent upon it.  Eventually, all the clients will time
+	out and attempt to bind to other servers, but the delay
+	involved can be considerable and the failure mode is still
+	present since the servers might bind to each other all over
+	again.</para>
+
+      <para>A server that is also a client can be forced to bind to a
+	particular server by adding these additional lines to
+	<filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>nis_client_enable="YES" # run client stuff as well
+nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</replaceable>"</programlisting>
+
+      <para>After saving the edits, type
+	<command>/etc/netstart</command> to restart the network and
+	apply the values defined in <filename>/etc/rc.conf</filename>.
+	Before initializing the <acronym>NIS</acronym> maps, start
+	&man.ypserv.8;:</para>
+
+      <screen>&prompt.root; <userinput>service ypserv start</userinput></screen>
 
       <sect3>
-        <title>NIS Servers</title>
+	<title>Initializing the <acronym>NIS</acronym> Maps</title>
 
-	<para> The canonical copies of all NIS information are stored
-	  on a single machine called the NIS master server.  The
-	  databases used to store the information are called NIS maps.
-	  In FreeBSD, these maps are stored in
-	  <filename>/var/yp/[domainname]</filename> where
-	  <filename>[domainname]</filename> is the name of the NIS
-	  domain being served.  A single NIS server can support
-	  several domains at once, therefore it is possible to have
-	  several such directories, one for each supported domain.
-	  Each domain will have its own independent set of
-	  maps.</para>
-
-	<para>NIS master and slave servers handle all NIS requests
-	  with the <command>ypserv</command> daemon.
-	  <command>ypserv</command> is responsible for receiving
-	  incoming requests from NIS clients, translating the
-	  requested domain and map name to a path to the corresponding
-	  database file and transmitting data from the database back
-	  to the client.</para>
-
-        <sect4>
-	  <title>Setting Up a NIS Master Server</title>
-	  <indexterm>
-	    <primary>NIS</primary>
-	    <secondary>server configuration</secondary>
-	  </indexterm>
-	  <para>Setting up a master NIS server can be relatively
-	    straight forward, depending on your needs.  FreeBSD comes
-	    with support for NIS out-of-the-box.  All you need is to
-	    add the following lines to
-	    <filename>/etc/rc.conf</filename>, and FreeBSD will do the
-	    rest for you.</para>
-
-          <procedure>
-            <step>
-              <para><programlisting>nisdomainname="test-domain"</programlisting>
-                This line will set the NIS domainname to
-                <literal>test-domain</literal>
-                upon network setup (e.g. after reboot).</para>
-            </step>
-            <step>
-              <para><programlisting>nis_server_enable="YES"</programlisting>
-                This will tell FreeBSD to start up the NIS server processes
-                when the networking is next brought up.</para>
-            </step>
-            <step>
-              <para><programlisting>nis_yppasswdd_enable="YES"</programlisting>
-                This will enable the <command>rpc.yppasswdd</command>
-                daemon which, as mentioned above, will allow users to
-                change their NIS password from a client machine.</para>
-            </step>
-          </procedure>
-
-          <note>
-            <para>Depending on your NIS setup, you may need to add
-              further entries.  See the <link linkend="network-nis-server-is-client">section about NIS
-              servers that are also NIS clients</link>, below, for
-              details.</para>
-          </note>
-
-          <para>Now, all you have to do is to run the command
-            <command>/etc/netstart</command> as superuser.  It will
-            set up everything for you, using the values you defined in
-            <filename>/etc/rc.conf</filename>.</para>
-        </sect4>
-
-        <sect4>
-          <title>Initializing the NIS Maps</title>
-          <indexterm>
-            <primary>NIS</primary>
-            <secondary>maps</secondary>
-          </indexterm>
-          <para>The <emphasis>NIS maps</emphasis> are database files,
-            that are kept in the <filename>/var/yp</filename>
-            directory.  They are generated from configuration files in
-            the <filename>/etc</filename> directory of the NIS master,
-            with one exception: the
-            <filename>/etc/master.passwd</filename> file.  This is for
-            a good reason, you do not want to propagate passwords to
-            your <systemitem class="username">root</systemitem> and other administrative
-            accounts to all the servers in the NIS domain.  Therefore,
-            before we initialize the NIS maps, you should:</para>
+	<indexterm>
+	  <primary>NIS</primary>
+	  <secondary>maps</secondary>
+	</indexterm>
+	<para><acronym>NIS</acronym> maps are generated from the
+	  configuration files in <filename>/etc</filename> on the
+	  <acronym>NIS</acronym> master, with one exception:
+	  <filename>/etc/master.passwd</filename>.  This is to prevent
+	  the propagation of passwords to all the servers in the
+	  <acronym>NIS</acronym> domain.  Therefore, before the
+	  <acronym>NIS</acronym> maps are initialized, configure the
+	  primary password files:</para>
 
-          <screen>&prompt.root; <userinput>cp /etc/master.passwd /var/yp/master.passwd</userinput>
+	<screen>&prompt.root; <userinput>cp /etc/master.passwd /var/yp/master.passwd</userinput>
 &prompt.root; <userinput>cd /var/yp</userinput>
 &prompt.root; <userinput>vi master.passwd</userinput></screen>
 
-          <para>You should remove all entries regarding system
-            accounts (<systemitem class="username">bin</systemitem>,
-            <systemitem class="username">tty</systemitem>, <systemitem class="username">kmem</systemitem>,
-            <systemitem class="username">games</systemitem>, etc), as well as any accounts
-            that you do not want to be propagated to the NIS clients
-            (for example <systemitem class="username">root</systemitem> and any other UID 0
-            (superuser) accounts).</para>
-
-          <note><para>Make sure the
-            <filename>/var/yp/master.passwd</filename> is neither group
-            nor world readable (mode 600)!  Use the
-            <command>chmod</command> command, if appropriate.</para></note>
-
-	  <indexterm><primary>Tru64 UNIX</primary></indexterm>
-
-          <para>When you have finished, it is time to initialize the
-            NIS maps!  FreeBSD includes a script named
-            <command>ypinit</command> to do this for you (see its
-            manual page for more information).  Note that this script
-            is available on most &unix; Operating Systems, but not on
-            all.  On Digital UNIX/Compaq Tru64 UNIX it is called
-            <command>ypsetup</command>.  Because we are generating
-            maps for an NIS master, we are going to pass the
-            <option>-m</option> option to <command>ypinit</command>.
-            To generate the NIS maps, assuming you already performed
-            the steps above, run:</para>
+	<para>It is advisable to remove all entries for system
+	  accounts as well as any user accounts that do not need to be
+	  propagated to the <acronym>NIS</acronym> clients, such as
+	  the <systemitem class="username">root</systemitem> and any
+	  other administrative accounts.</para>
+
+	<note><para>Ensure that the
+	  <filename>/var/yp/master.passwd</filename> is neither group
+	  or world readable by setting its permissions to
+	  <literal>600</literal>.</para>
+	</note>
+
+	<para>After completing this task, initialize the
+	  <acronym>NIS</acronym> maps.  &os; includes the
+	  &man.ypinit.8; script to do this.  When generating maps
+	  for the master server, include <option>-m</option> and
+	  specify the <acronym>NIS</acronym> domain name:</para>
 
-          <screen>ellington&prompt.root; <userinput>ypinit -m test-domain</userinput>
+	<screen>ellington&prompt.root; <userinput>ypinit -m test-domain</userinput>
 Server Type: MASTER Domain: test-domain
 Creating an YP server will require that you answer a few questions.
 Questions will all be asked at the beginning of the procedure.
 Do you want this procedure to quit on non-fatal errors? [y/n: n] <userinput>n</userinput>
 Ok, please remember to go back and redo manually whatever fails.
-If you don't, something might not work.
+If not, something might not work.
 At this point, we have to construct a list of this domains YP servers.
 rod.darktech.org is already known as master server.
 Please continue to add any slave servers, one per line. When you are
@@ -1558,40 +1491,58 @@
 NIS Map update completed.
 ellington has been setup as an YP master server without any errors.</screen>
 
-          <para><command>ypinit</command> should have created
-            <filename>/var/yp/Makefile</filename> from
-            <filename>/var/yp/Makefile.dist</filename>.
-            When created, this file assumes that you are operating
-            in a single server NIS environment with only FreeBSD
-            machines.  Since <literal>test-domain</literal> has
-            a slave server as well, you must edit
-            <filename>/var/yp/Makefile</filename>:</para>
-
-          <screen>ellington&prompt.root; <userinput>vi /var/yp/Makefile</userinput></screen>
-
-	  <para>You should comment out the line that says</para>
-
-	  <programlisting>NOPUSH = "True"</programlisting>
-
-	  <para>(if it is not commented out already).</para>
-        </sect4>
-
-        <sect4>
-	  <title>Setting up a NIS Slave Server</title>
-	  <indexterm>
-	    <primary>NIS</primary>
-	    <secondary>slave server</secondary>
-	  </indexterm>
-	  <para>Setting up an NIS slave server is even more simple than
-	    setting up the master.  Log on to the slave server and edit the
-            file <filename>/etc/rc.conf</filename> as you did before.
-            The only difference is that we now must use the
-            <option>-s</option> option when running <command>ypinit</command>.
-            The <option>-s</option> option requires the name of the NIS
-            master be passed to it as well, so our command line looks
-            like:</para>
+	<para>This will create <filename>/var/yp/Makefile</filename>
+	  from <filename>/var/yp/Makefile.dist</filename>.  By
+	  default, this file assumes that the environment has a
+	  single <acronym>NIS</acronym> server with only &os; clients.
+	  Since <literal>test-domain</literal> has a slave server,
+	  edit this line in <filename>/var/yp/Makefile</filename> so
+	  that it begins with a  comment
+	  (<literal>#</literal>):</para>
+
+	<programlisting>NOPUSH = "True"</programlisting>
+      </sect3>
+
+      <sect3>
+	<title>Adding New Users</title>
+
+	<para>Every time a new user is created, the user account must
+	  be added to the master <acronym>NIS</acronym> server and the
+	  <acronym>NIS</acronym> maps rebuilt.  Until this occurs, the
+	  new user will not be able to login anywhere except on the
+	  <acronym>NIS</acronym> master.  For example, to add the new
+	  user <systemitem class="username">jsmith</systemitem> to the
+	  <literal>test-domain</literal> domain, run these commands on
+	  the master server:</para>
+
+	<screen>&prompt.root; <userinput>pw useradd jsmith</userinput>
+&prompt.root; <userinput>cd /var/yp</userinput>
+&prompt.root; <userinput>make test-domain</userinput></screen>
+
+	<para>The user could also be added using <command>adduser
+	    jsmith</command> instead of <command>pw useradd
+	    smith</command>.</para>
+      </sect3>
+    </sect2>
+
+    <sect2>
+      <title>Setting up a <acronym>NIS</acronym> Slave Server</title>
+
+      <indexterm>
+	<primary>NIS</primary>
+	<secondary>slave server</secondary>
+      </indexterm>
+      <para>To set up an <acronym>NIS</acronym> slave server, log on
+	to the slave server and edit <filename>/etc/rc.conf</filename>
+	as for the master server.  Do not generate any
+	<acronym>NIS</acronym> maps, as these already exist on the
+	master server.  When running <command>ypinit</command> on the
+	slave server, use <option>-s</option> (for slave) instead of
+	<option>-m</option> (for master).  This option requires the
+	name of the <acronym>NIS</acronym> master in addition to the
+	domain name, as  seen in this example:</para>
 
-  <screen>coltrane&prompt.root; <userinput>ypinit -s ellington test-domain</userinput>
+      <screen>coltrane&prompt.root; <userinput>ypinit -s ellington test-domain</userinput>
 
 Server Type: SLAVE Domain: test-domain Master: ellington
 
@@ -1601,7 +1552,7 @@
 Do you want this procedure to quit on non-fatal errors? [y/n: n]  <userinput>n</userinput>
 
 Ok, please remember to go back and redo manually whatever fails.
-If you don't, something might not work.
+If not, something might not work.
 There will be no further questions. The remainder of the procedure
 should take a few minutes, to copy the databases from ellington.
 Transferring netgroup...
@@ -1646,145 +1597,134 @@
 ypxfr: Exiting: Map successfully transferred
 
 coltrane has been setup as an YP slave server without any errors.
-Don't forget to update map ypservers on ellington.</screen>
+Remember to update map ypservers on ellington.</screen>
 
-	  <para>You should now have a directory called
-	    <filename>/var/yp/test-domain</filename>.  Copies of the NIS
-	    master server's maps should be in this directory.  You will
-	    need to make sure that these stay updated.  The following
-	    <filename>/etc/crontab</filename> entries on your slave
-	    servers should do the job:</para>
+      <para>This will generate a directory on the slave server called
+	<filename>/var/yp/test-domain</filename> which contains copies
+	of the <acronym>NIS</acronym> master server's maps.  Adding
+	these <filename>/etc/crontab</filename> entries on each slave
+	server will force the slaves to sync their maps with the maps
+	on the master server:</para>
 
-	  <programlisting>20      *       *       *       *       root   /usr/libexec/ypxfr passwd.byname
+      <programlisting>20      *       *       *       *       root   /usr/libexec/ypxfr passwd.byname
 21      *       *       *       *       root   /usr/libexec/ypxfr passwd.byuid</programlisting>
 
-	  <para>These two lines force the slave to sync its maps with
-	    the maps on the master server.  Although these entries are
-	    not mandatory, since the master server attempts to ensure
-	    any changes to its NIS maps are communicated to its slaves
-	    and because password information is vital to systems
-	    depending on the server, it is a good idea to force the
-	    updates.  This is more important on busy networks where map
-	    updates might not always complete.</para>
-
-          <para>Now, run the command <command>/etc/netstart</command> on the
-            slave server as well, which again starts the NIS server.</para>
-	</sect4>
-      </sect3>
-
-      <sect3>
-        <title>NIS Clients</title>
+      <para>These entries are not mandatory because the master server
+	automatically attempts to push any map changes to its slaves.
+	However, since clients may depend upon the slave server to
+	provide correct password information, it is recommended to
+	force frequent password map updates.  This is especially
+	important on busy networks where map updates might not always
+	complete.</para>
+
+      <para>To finish the configuration, run
+	<command>/etc/netstart</command> on the slave server in order
+	to start the <acronym>NIS</acronym> services.</para>
+    </sect2>
 
-	<para> An NIS client establishes what is called a binding to a
-	  particular NIS server using the
-	  <command>ypbind</command> daemon.
-	  <command>ypbind</command> checks the system's default
-	  domain (as set by the <command>domainname</command> command),
-	  and begins broadcasting RPC requests on the local network.
-	  These requests specify the name of the domain for which
-	  <command>ypbind</command> is attempting to establish a binding.
-	  If a server that has been configured to serve the requested
-	  domain receives one of the broadcasts, it will respond to
-	  <command>ypbind</command>,  which will record the server's
-	  address.  If there are several servers available (a master and
-	  several slaves, for example), <command>ypbind</command> will
-	  use the address of the first one to respond.  From that point
-	  on, the client system will direct all of its NIS requests to
-	  that server.  <command>ypbind</command> will
-	  occasionally <quote>ping</quote> the server to make sure it is
-	  still up and running.  If it fails to receive a reply to one of
-	  its pings within a reasonable amount of time,
-	  <command>ypbind</command> will mark the domain as unbound and
-	  begin broadcasting again in the hopes of locating another
-	  server.</para>
-
-	<sect4>
-	  <title>Setting Up a NIS Client</title>
-	  <indexterm>
-	    <primary>NIS</primary>
-	    <secondary>client configuration</secondary>
-	  </indexterm>
-	  <para>Setting up a FreeBSD machine to be a NIS client is fairly
-	    straightforward.</para>
-
-	  <procedure>
-	    <step>
-	      <para>Edit the file <filename>/etc/rc.conf</filename> and
-                add the following lines in order to set the NIS domainname
-                and start <command>ypbind</command> upon network
-                startup:</para>
+    <sect2>
+      <title>Setting Up an <acronym>NIS</acronym> Client</title>
+
+      <para>An <acronym>NIS</acronym> client binds to an
+	<acronym>NIS</acronym> server using &man.ypbind.8;.  This
+	daemon broadcasts RPC requests on the local network.  These
+	requests specify the domain name configured on the client.  If
+	an <acronym>NIS</acronym> server in the same domain receives
+	one of the broadcasts, it will respond to
+	<application>ypbind</application>, which will record the
+	server's address.  If there are several servers available,
+	the client will use the address of the first server to respond
+	and will direct all of its <acronym>NIS</acronym> requests to
+	that server.  The client will automatically
+	<application>ping</application> the server on a regular basis
+	to make sure it is still available.  If it fails to receive a
+	reply within a reasonable amount of time,
+	<application>ypbind</application> will mark the domain as
+	unbound and begin broadcasting again in the hopes of locating
+	another server.</para>
 
-	      <programlisting>nisdomainname="test-domain"
-nis_client_enable="YES"</programlisting>
-	    </step>
+      <indexterm><primary>NIS</primary>
+	<secondary>client configuration</secondary>
+      </indexterm>
 
-	    <step>
-	      <para>To import all possible password entries from the NIS
-		server, remove all user accounts from your
-		<filename>/etc/master.passwd</filename> file and use
-		<command>vipw</command> to add the following line to
-                the end of the file:</para>
-
-	      <programlisting>+:::::::::</programlisting>
-
-	      <note>
-		<para>This line will afford anyone with a valid account in
-		  the NIS server's password maps an account.  There are
-		  many ways to configure your NIS client by changing this
-		  line.  See the <link linkend="network-netgroups">netgroups
-		  section</link> below for more information.
-                  For more detailed reading see O'Reilly's book on
-		  <literal>Managing NFS and NIS</literal>.</para>
-	      </note>
-
-              <note>
-                <para>You should keep at least one local account (i.e.
-                  not imported via NIS) in your
-                  <filename>/etc/master.passwd</filename> and this
-                  account should also be a member of the group
-                  <systemitem class="groupname">wheel</systemitem>.  If there is something
-                  wrong with NIS, this account can be used to log in
-                  remotely, become <systemitem class="username">root</systemitem>, and fix things.</para>
-              </note>
-            </step>
-
-	    <step>
-	      <para>To import all possible group entries from the NIS
-		server, add this line to your
-		<filename>/etc/group</filename> file:</para>
-
-	      <programlisting>+:*::</programlisting>
-	    </step>
-	  </procedure>
-
-	  <para>After completing these steps, you should be able to run
-	    <command>ypcat passwd</command> and see the NIS server's
-	    passwd map.</para>
-	</sect4>
-      </sect3>
-    </sect2>
+      <para>To configure a &os; machine to be an
+	<acronym>NIS</acronym> client:</para>
 
-    <sect2>
-      <title>NIS Security</title>
+      <procedure>
+	<step>
+	  <para>Edit <filename>/etc/rc.conf</filename> and add the
+	    following lines in order to set the
+	    <acronym>NIS</acronym> domain name and start
+	    &man.ypbind.8; during network startup:</para>
 
-      <para>In general, any remote user can issue an RPC to
-	&man.ypserv.8; and retrieve the contents of your NIS maps,
-	provided the remote user knows your domainname.  To prevent
-	such unauthorized transactions, &man.ypserv.8; supports a
-	feature called <quote>securenets</quote> which can be used to
-	restrict access to a given set of hosts.  At startup,
-	&man.ypserv.8; will attempt to load the securenets information
-	from a file called
-	<filename>/var/yp/securenets</filename>.</para>
+	  <programlisting>nisdomainname="test-domain"
+nis_client_enable="YES"</programlisting>
+	</step>
 
-      <note>
-	<para>This path varies depending on the path specified with the
-	  <option>-p</option> option.  This file contains entries that
-	  consist of a network specification and a network mask separated
-	  by white space.  Lines starting with <quote>#</quote> are
-	  considered to be comments.  A sample securenets file might look
-	  like this:</para>
-      </note>
+	<step>
+	  <para>To import all possible password entries from the
+	    <acronym>NIS</acronym> server, use
+	    <command>vipw</command> to remove all user accounts
+	    except one from <filename>/etc/master.passwd</filename>.
+	    When removing the accounts, keep in mind that at least one
+	    local account should remain and this account should be a
+	    member of <systemitem
+	      class="groupname">wheel</systemitem>.  If there is a
+	    problem with <acronym>NIS</acronym>, this local account
+	    can be used to log in remotely, become the superuser, and
+	    fix the problem.  Before saving the edits, add the
+	    following line to the end of the file:</para>
+
+	  <programlisting>+:::::::::</programlisting>
+
+	  <para>This line configures the client to provide anyone with
+	    a valid account in the <acronym>NIS</acronym> server's
+	    password maps an account on the client.  There are many
+	    ways to configure the <acronym>NIS</acronym> client by
+	    modifying this line.  One method is described in <xref
+	      linkend="network-netgroups"/>.  For more detailed
+	    reading, refer to the book
+	    <literal>Managing NFS and NIS</literal>, published by
+	    O'Reilly Media.</para>
+	</step>
+
+	<step>
+	  <para>To import all possible group entries from the
+	    <acronym>NIS</acronym> server, add this line to
+	    <filename>/etc/group</filename>:</para>
+
+	  <programlisting>+:*::</programlisting>
+	</step>
+      </procedure>
+
+      <para>To start the <acronym>NIS</acronym> client immediately,
+	execute the following commands as the superuser:</para>
+
+      <screen>&prompt.root; <userinput>/etc/netstart</userinput>
+&prompt.root; <userinput>service ypbind start</userinput></screen>
+
+      <para>After completing these steps, running
+	<command>ypcat passwd</command> on the client should show
+	the server's <filename>passwd</filename> map.</para>
+    </sect2>
+
+    <sect2>
+      <title><acronym>NIS</acronym> Security</title>
+
+      <para>Since <acronym>RPC</acronym> is a broadcast-based service,
+	any system running <application>ypbind</application> within
+	the same domain can retrieve the contents of the
+	<acronym>NIS</acronym> maps.  To prevent unauthorized
+	transactions, &man.ypserv.8; supports a feature called
+	<quote>securenets</quote> which can be used to restrict access
+	to a given set of hosts.  By default, this information is
+	stored in <filename>/var/yp/securenets</filename>, unless
+	&man.ypserv.8; is started with <option>-p</option> and an
+	alternate path.  This file contains entries that consist of a
+	network specification and a network mask separated by white
+	space.  Lines starting with <literal>#</literal> are
+	considered to be comments.  A sample
+	<filename>securenets</filename> might look like this:</para>
 
       <programlisting># allow connections from local host -- mandatory
 127.0.0.1     255.255.255.255
@@ -1800,82 +1740,65 @@
 	matches one of these rules, it will process the request
 	normally.  If the address fails to match a rule, the request
 	will be ignored and a warning message will be logged.  If the
-	<filename>/var/yp/securenets</filename> file does not exist,
+	<filename>securenets</filename> does not exist,
 	<command>ypserv</command> will allow connections from any
 	host.</para>
 
-      <para>The <command>ypserv</command> program also has support for
-	Wietse Venema's <application>TCP Wrapper</application> package.
-	This allows the administrator to use the
-	<application>TCP Wrapper</application> configuration files for
-	access control instead of
-	<filename>/var/yp/securenets</filename>.</para>
-
-      <note>
-        <para>While both of these access control mechanisms provide some
-          security, they, like the privileged port test, are
-          vulnerable to <quote>IP spoofing</quote> attacks.  All
-          NIS-related traffic should be blocked at your firewall.</para>
-
-        <para>Servers using <filename>/var/yp/securenets</filename>
-          may fail to serve legitimate NIS clients with archaic TCP/IP
-          implementations.  Some of these implementations set all
-          host bits to zero when doing broadcasts and/or fail to
-          observe the subnet mask when calculating the broadcast
-          address.  While some of these problems can be fixed by
-          changing the client configuration, other problems may force
-          the retirement of the client systems in question or the
-          abandonment of <filename>/var/yp/securenets</filename>.</para>
-
-        <para>Using <filename>/var/yp/securenets</filename> on a
-          server with such an archaic implementation of TCP/IP is a
-          really bad idea and will lead to loss of NIS functionality
-          for large parts of your network.</para>
-
-	<indexterm><primary>TCP Wrappers</primary></indexterm>
-        <para>The use of the <application>TCP Wrapper</application>
-          package increases the latency of your NIS server.  The
-          additional delay may be long enough to cause timeouts in
-          client programs, especially in busy networks or with slow
-          NIS servers.  If one or more of your client systems
-          suffers from these symptoms, you should convert the client
-          systems in question into NIS slave servers and force them
-          to bind to themselves.</para>
-      </note>
-    </sect2>
-
-    <sect2>
-      <title>Barring Some Users from Logging On</title>
+      <para><xref linkend="tcpwrappers"/> is an alternate mechanism
+	for providing access control instead of
+	<filename>securenets</filename>.  While either access control
+	mechanism adds some security, they are both vulnerable to
+	<quote><acronym>IP</acronym> spoofing</quote> attacks.  All
+	<acronym>NIS</acronym>-related traffic should be blocked at
+	the firewall.</para>
+
+      <para>Servers using <filename>securenets</filename>
+	may fail to serve legitimate <acronym>NIS</acronym> clients
+	with archaic TCP/IP implementations.  Some of these
+	implementations set all host bits to zero when doing
+	broadcasts or fail to observe the subnet mask when
+	calculating the broadcast address.  While some of these
+	problems can be fixed by changing the client configuration,
+	other problems may force the retirement of these client
+	systems or the abandonment of
+	<filename>securenets</filename>.</para>
+
+      <indexterm><primary>TCP Wrapper</primary></indexterm>
+      <para>The use of <application>TCP Wrapper</application>
+	increases the latency of the <acronym>NIS</acronym> server.
+	The additional delay may be long enough to cause timeouts in
+	client programs, especially in busy networks with slow
+	<acronym>NIS</acronym> servers.  If one or more clients suffer
+	from latency, convert those clients into
+	<acronym>NIS</acronym> slave servers and force them to bind to
+	themselves.</para>
 
-      <para>In our lab, there is a machine <systemitem>basie</systemitem> that
-        is supposed to be a faculty only workstation.  We do not want
-        to take this machine out of the NIS domain, yet the
-        <filename>passwd</filename> file on the master NIS server
-        contains accounts for both faculty and students.  What can we
-        do?</para>
-
-      <para>There is a way to bar specific users from logging on to a
-        machine, even if they are present in the NIS database.  To do
-        this, all you must do is add
-        <literal>-username</literal> to the
-        end of the <filename>/etc/master.passwd</filename> file on the
-        client machine, where <replaceable>username</replaceable> is
-        the username of the user you wish to bar from logging in.
-        This should preferably be done using <command>vipw</command>,
-        since <command>vipw</command> will sanity check your changes
-        to <filename>/etc/master.passwd</filename>, as well as
-        automatically rebuild the password database when you finish
-        editing.  For example, if we wanted to bar user
-        <systemitem class="username">bill</systemitem> from logging on to
-        <systemitem>basie</systemitem> we would:</para>
-
-        <screen>basie&prompt.root; <userinput>vipw</userinput>
-<userinput>[add -bill to the end, exit]</userinput>
-vipw: rebuilding the database...
-vipw: done
+      <sect3>
+	<title>Barring Some Users</title>
 
-basie&prompt.root; <userinput>cat /etc/master.passwd</userinput>
+	<para>In this example, the <systemitem>basie</systemitem>
+	  system is a faculty workstation within the
+	  <acronym>NIS</acronym> domain.  The
+	  <filename>passwd</filename> map on the master
+	  <acronym>NIS</acronym> server contains accounts for both
+	  faculty and students.  This section demonstrates how to
+	  allow faculty logins on this system while refusing student
+	  logins.</para>
+
+	<para>To prevent specified users from logging on to a system,
+	  even if they are present in the <acronym>NIS</acronym>
+	  database, use <command>vipw</command> to add
+	  <literal>-<replaceable>username</replaceable></literal> with
+	  the correct number of colons towards the end of
+	  <filename>/etc/master.passwd</filename> on the client,
+	  where <replaceable>username</replaceable> is the username of
+	  a user to bar from logging in.  The line with the blocked
+	  user must be before the <literal>+</literal> line that
+	  allows <acronym>NIS</acronym> users.  In this example,
+	  <systemitem class="username">bill</systemitem> is barred
+	  from logging on to <systemitem>basie</systemitem>:</para>
 
+	<screen>basie&prompt.root; <userinput>cat /etc/master.passwd</userinput>
 root:[password]:0:0::0:0:The super-user:/root:/bin/csh
 toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh
 daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
@@ -1891,169 +1814,160 @@
 xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin
 pop:*:68:6::0:0:Post Office Owner:/nonexistent:/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
+-bill:::::::::
 +:::::::::
--bill
 
 basie&prompt.root;</screen>
+      </sect3>
     </sect2>
 
     <sect2 xml:id="network-netgroups">
-      <info><title>Using Netgroups</title>
-        <authorgroup>
-          <author><personname><firstname>Udo</firstname><surname>Erdelhoff</surname></personname><contrib>Contributed by </contrib></author>
-        </authorgroup>
-      </info>
+      <!--
+      <sect2info>
+	<authorgroup>
+	  <author>
+	    <firstname>Udo</firstname>
+	    <surname>Erdelhoff</surname>
+	    <contrib>Contributed by </contrib>
+	  </author>
+	</authorgroup>
+      </sect2info>
+      -->
+
+      <title>Using Netgroups</title>
 
-      
       <indexterm><primary>netgroups</primary></indexterm>
 
-      <para>The method shown in the previous section works reasonably
-        well if you need special rules for a very small number of
-        users and/or machines.  On larger networks, you
-        <emphasis>will</emphasis> forget to bar some users from logging
-        onto sensitive machines, or you may even have to modify each
-        machine separately, thus losing the main benefit of NIS:
-        <emphasis>centralized</emphasis> administration.</para>
-
-      <para>The NIS developers' solution for this problem is called
-        <emphasis>netgroups</emphasis>.  Their purpose and semantics
-        can be compared to the normal groups used by &unix; file
-        systems.  The main differences are the lack of a numeric ID
-        and the ability to define a netgroup by including both user
-        accounts and other netgroups.</para>
+      <para>Barring specified users from logging on to individual
+	systems becomes unscaleable on larger networks and quickly
+	loses the main benefit of <acronym>NIS</acronym>:
+	<emphasis>centralized</emphasis> administration.</para>
 
       <para>Netgroups were developed to handle large, complex networks
-        with hundreds of users and machines.  On one hand, this is
-        a Good Thing if you are forced to deal with such a situation.
-        On the other hand, this complexity makes it almost impossible to
-        explain netgroups with really simple examples.  The example
-        used in the remainder of this section demonstrates this
-        problem.</para>
-
-      <para>Let us assume that your successful introduction of NIS in
-        your laboratory caught your superiors' interest.  Your next
-        job is to extend your NIS domain to cover some of the other
-        machines on campus.  The two tables contain the names of the
-        new users and new machines as well as brief descriptions of
-        them.</para>
+	with hundreds of users and machines.  Their use is comparable
+	to &unix; groups, where the main difference is the lack of a
+	numeric ID and the ability to define a netgroup by including
+	both user accounts and other netgroups.</para>
+
+      <para>To expand on the example used in this chapter, the
+	<acronym>NIS</acronym> domain will be extended to add the
+	users and systems shown in Tables 28.2 and 28.3:</para>
 
-      <informaltable frame="none" pgwide="1">
-        <tgroup cols="2">
-          <thead>
-            <row>
-              <entry>User Name(s)</entry>
-              <entry>Description</entry>
-            </row>
-          </thead>
-
-          <tbody>
-            <row>
-              <entry><systemitem class="username">alpha</systemitem>, <systemitem class="username">beta</systemitem></entry>
-              <entry>Normal employees of the IT department</entry>
-            </row>
-
-            <row>
-              <entry><systemitem class="username">charlie</systemitem>, <systemitem class="username">delta</systemitem></entry>
-              <entry>The new apprentices of the IT department</entry>
-            </row>
-
-            <row>
-              <entry><systemitem class="username">echo</systemitem>, <systemitem class="username">foxtrott</systemitem>, <systemitem class="username">golf</systemitem>, ...</entry>
-              <entry>Ordinary employees</entry>
-            </row>
-
-            <row>
-              <entry><systemitem class="username">able</systemitem>, <systemitem class="username">baker</systemitem>, ...</entry>
-              <entry>The current interns</entry>
-            </row>
-          </tbody>
-        </tgroup>
-      </informaltable>
+      <table frame="none" pgwide="1">
+	<title>Additional Users</title>
 
-      <informaltable frame="none" pgwide="1">
-        <tgroup cols="2">
-          <thead>
-            <row>
-              <entry>Machine Name(s)</entry>
-              <entry>Description</entry>
-            </row>
-          </thead>
-
-          <tbody>
-            <row>
-              <!--  Names taken from "Good Omens" by Neil Gaiman and Terry
-                    Pratchett.  Many thanks for a brilliant book.  -->
-
-              <entry><systemitem>war</systemitem>, <systemitem>death</systemitem>,
-              <systemitem>famine</systemitem>,
-              <systemitem>pollution</systemitem></entry>
-              <entry>Your most important servers.  Only the IT
-                employees are allowed to log onto these
-                machines.</entry>
-            </row>
-            <row>
-              <!-- gluttony was omitted because it was too fat -->
-
-              <entry><systemitem>pride</systemitem>, <systemitem>greed</systemitem>,
-              <systemitem>envy</systemitem>, <systemitem>wrath</systemitem>,
-              <systemitem>lust</systemitem>, <systemitem>sloth</systemitem></entry>
-              <entry>Less important servers.  All members of the IT
-              department are allowed to login onto these
-              machines.</entry>
-            </row>
-
-            <row>
-              <entry><systemitem>one</systemitem>, <systemitem>two</systemitem>,
-                <systemitem>three</systemitem>, <systemitem>four</systemitem>,
-                ...</entry>
-
-              <entry>Ordinary workstations.  Only the
-                <emphasis>real</emphasis> employees are allowed to use
-                these machines.</entry>
-            </row>
-
-            <row>
-              <entry><systemitem>trashcan</systemitem></entry>
-              <entry>A very old machine without any critical data.
-                Even the intern is allowed to use this box.</entry>
-            </row>
-          </tbody>
-        </tgroup>
-      </informaltable>
+	<tgroup cols="2">
+	  <thead>
+	    <row>
+	      <entry>User Name(s)</entry>
+	      <entry>Description</entry>
+	    </row>
+	  </thead>
+
+	  <tbody>
+	    <row>
+	      <entry><systemitem class="username">alpha</systemitem>,
+		<systemitem class="username">beta</systemitem></entry>
+	      <entry>IT department employees</entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem
+		  class="username">charlie</systemitem>, <systemitem
+		  class="username">delta</systemitem></entry>
+	      <entry>IT department apprentices</entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem class="username">echo</systemitem>,
+		<systemitem class="username">foxtrott</systemitem>,
+		<systemitem class="username">golf</systemitem>,
+		...</entry>
+	      <entry>employees</entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem class="username">able</systemitem>,
+		<systemitem class="username">baker</systemitem>,
+		...</entry>
+	      <entry>interns</entry>
+	    </row>
+	  </tbody>
+	</tgroup>
+      </table>
+
+      <table frame="none" pgwide="1">
+	<title>Additional Systems</title>
+
+	<tgroup cols="2">
+	  <thead>
+	    <row>
+	      <entry>Machine Name(s)</entry>
+	      <entry>Description</entry>
+	    </row>
+	  </thead>
+
+	  <tbody>
+	    <row>
+	      <!--  Names taken from "Good Omens" by Neil Gaiman and Terry
+		    Pratchett.  Many thanks for a brilliant book.  -->
+	      <entry><systemitem>war</systemitem>,
+		<systemitem>death</systemitem>,
+		<systemitem>famine</systemitem>,
+		<systemitem>pollution</systemitem></entry>
+	      <entry>Only IT employees are allowed to log onto these
+		servers.</entry>
+	    </row>
+
+	    <row>
+	      <!-- gluttony was omitted because it was too fat -->
+	      <entry><systemitem>pride</systemitem>,
+		<systemitem>greed</systemitem>,
+		<systemitem>envy</systemitem>,
+		<systemitem>wrath</systemitem>,
+		<systemitem>lust</systemitem>,
+		<systemitem>sloth</systemitem></entry>
+	      <entry>All members of the IT department are allowed to
+		login onto these servers.</entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem>one</systemitem>,
+		<systemitem>two</systemitem>,
+		<systemitem>three</systemitem>,
+		<systemitem>four</systemitem>,
+		...</entry>
+	      <entry>Ordinary workstations used by
+		employees.</entry>
+	    </row>
+
+	    <row>
+	      <entry><systemitem>trashcan</systemitem></entry>
+	      <entry>A very old machine without any critical data.
+		Even interns are allowed to use this system.</entry>
+	    </row>
+	  </tbody>
+	</tgroup>
+      </table>
 
-      <para>If you tried to implement these restrictions by separately
-        blocking each user, you would have to add one
-        <literal>-user</literal> line to
-        each system's <filename>passwd</filename> for each user who is
-        not allowed to login onto that system.  If you forget just one
-        entry, you could be in trouble.  It may be feasible to do this
-        correctly during the initial setup, however you
-        <emphasis>will</emphasis> eventually forget to add the lines
-        for new users during day-to-day operations.  After all, Murphy
-        was an optimist.</para>
-
-      <para>Handling this situation with netgroups offers several
-        advantages.  Each user need not be handled separately; you
-        assign a user to one or more netgroups and allow or forbid
-        logins for all members of the netgroup.  If you add a new
-        machine, you will only have to define login restrictions for
-        netgroups.  If a new user is added, you will only have to add
-        the user to one or more netgroups.  Those changes are
-        independent of each other: no more <quote>for each combination
-        of user and machine do...</quote> If your NIS setup is planned
-        carefully, you will only have to modify exactly one central
-        configuration file to grant or deny access to machines.</para>
-
-      <para>The first step is the initialization of the NIS map
-        netgroup.  FreeBSD's &man.ypinit.8; does not create this map by
-        default, but its NIS implementation will support it once it has
-        been created.  To create an empty map, simply type</para>
-
-      <screen>ellington&prompt.root; <userinput>vi /var/yp/netgroup</userinput></screen>
-
-      <para>and start adding content.  For our example, we need at
-         least four netgroups: IT employees, IT apprentices, normal
-         employees and interns.</para>
+      <para>When using netgroups to configure this scenario, each user
+	is assigned to one or more netgroups and logins are then
+	allowed or forbidden for all members of the netgroup.  When
+	adding a new machine, login restrictions must be defined for
+	all netgroups.  When a new user is added, the account must be
+	added to one or more netgroups.  If the
+	<acronym>NIS</acronym> setup is planned carefully, only one
+	central configuration file needs modification to grant or deny
+	access to machines.</para>
+
+      <para>The first step is the initialization of the
+	<acronym>NIS</acronym> <literal>netgroup</literal> map.  In
+	&os;, this map is not created by default.  On the
+	<acronym>NIS</acronym> master server, use an editor to create
+	a map named <filename>/var/yp/netgroup</filename>.</para>
+
+      <para>This example creates four netgroups to represent IT
+	employees, IT apprentices, employees, and interns:</para>
 
       <programlisting>IT_EMP  (,alpha,test-domain)    (,beta,test-domain)
 IT_APP  (,charlie,test-domain)  (,delta,test-domain)
@@ -2061,86 +1975,81 @@
         (,golf,test-domain)
 INTERNS (,able,test-domain)     (,baker,test-domain)</programlisting>
 
-      <para><literal>IT_EMP</literal>, <literal>IT_APP</literal> etc.
-        are the names of the netgroups.  Each bracketed group adds
-        one or more user accounts to it.  The three fields inside a
-        group are:</para>
+      <para>Each entry configures a netgroup.  The first column in an
+	entry is the name of the netgroup.  Each set of brackets
+	represents  either a group of one or more users or the name of
+	another netgroup.  When specifying a user, the three
+	comma-delimited fields inside each group represent:</para>
 
       <orderedlist>
-        <listitem>
-          <para>The name of the host(s) where the following items are
-            valid.  If you do not specify a hostname, the entry is
-            valid on all hosts.  If you do specify a hostname, you
-            will enter a realm of darkness, horror and utter confusion.</para>
-        </listitem>
-
-        <listitem>
-          <para>The name of the account that belongs to this
-            netgroup.</para>
-        </listitem>
-
-        <listitem>
-          <para>The NIS domain for the account.  You can import
-            accounts from other NIS domains into your netgroup if you
-            are one of the unlucky fellows with more than one NIS
-            domain.</para>
-        </listitem>
+	<listitem>
+	  <para>The name of the host(s) where the other fields
+	    representing the user are valid.  If a hostname is not
+	    specified, the entry is valid on all hosts.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The name of the account that belongs to this
+	    netgroup.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <acronym>NIS</acronym> domain for the account.
+	    Accounts may be imported from other <acronym>NIS</acronym>
+	    domains into a netgroup.</para>
+	</listitem>
       </orderedlist>
 
-      <para>Each of these fields can contain wildcards.  See
-        &man.netgroup.5; for details.</para>
+      <para>If a group contains multiple users, separate each user
+	with  whitespace.  Additionally, each field may contain
+	wildcards.  See &man.netgroup.5; for details.</para>
 
-      <note>
-        <indexterm><primary>netgroups</primary></indexterm>
-        <para>Netgroup names longer than 8 characters should not be
-          used, especially if you have machines running other
-          operating systems within your NIS domain.  The names are
-          case sensitive; using capital letters for your netgroup
-          names is an easy way to distinguish between user, machine
-          and netgroup names.</para>
-
-        <para>Some NIS clients (other than FreeBSD) cannot handle
-          netgroups with a large number of entries.  For example, some
-          older versions of &sunos; start to cause trouble if a netgroup
-          contains more than 15 <emphasis>entries</emphasis>.  You can
-          circumvent this limit by creating several sub-netgroups with
-          15 users or less and a real netgroup that consists of the
-          sub-netgroups:</para>
+      <indexterm><primary>netgroups</primary></indexterm>
+      <para>Netgroup names longer than 8 characters should not be
+	The names are case sensitive and using capital letters
+	for netgroup names is an easy way to distinguish
+	between user, machine and netgroup names.</para>
+
+      <para>Some non-&os; <acronym>NIS</acronym> clients cannot
+	handle netgroups containing more than 15 entries.  This
+	limit may be circumvented by creating several sub-netgroups
+	with 15 users or fewer and a real netgroup consisting of the
+	sub-netgroups, as seen in this example:</para>
 
-        <programlisting>BIGGRP1  (,joe1,domain)  (,joe2,domain)  (,joe3,domain) [...]
+      <programlisting>BIGGRP1  (,joe1,domain)  (,joe2,domain)  (,joe3,domain) [...]
 BIGGRP2  (,joe16,domain)  (,joe17,domain) [...]
 BIGGRP3  (,joe31,domain)  (,joe32,domain)
 BIGGROUP  BIGGRP1 BIGGRP2 BIGGRP3</programlisting>
 
-        <para>You can repeat this process if you need more than 225
-          users within a single netgroup.</para>
-      </note>
+      <para>Repeat this process if more than 225 (15 times 15) users
+	exist within a single netgroup.</para>
 
-      <para>Activating and distributing your new NIS map is
-        easy:</para>
+      <para>To activate and distribute the new
+	<acronym>NIS</acronym> map:</para>
 
       <screen>ellington&prompt.root; <userinput>cd /var/yp</userinput>
 ellington&prompt.root; <userinput>make</userinput></screen>
 
-      <para>This will generate the three NIS maps
-        <filename>netgroup</filename>,
-        <filename>netgroup.byhost</filename> and
-        <filename>netgroup.byuser</filename>.  Use &man.ypcat.1; to
-        check if your new NIS maps are available:</para>
+      <para>This will generate the three <acronym>NIS</acronym> maps
+	<filename>netgroup</filename>,
+	<filename>netgroup.byhost</filename> and
+	<filename>netgroup.byuser</filename>.  Use the map key option
+	of &man.ypcat.1; to check if the new <acronym>NIS</acronym>
+	maps are available:</para>
 
       <screen>ellington&prompt.user; <userinput>ypcat -k netgroup</userinput>
 ellington&prompt.user; <userinput>ypcat -k netgroup.byhost</userinput>
 ellington&prompt.user; <userinput>ypcat -k netgroup.byuser</userinput></screen>
 
       <para>The output of the first command should resemble the
-        contents of <filename>/var/yp/netgroup</filename>.  The second
-        command will not produce output if you have not specified
-        host-specific netgroups.  The third command can be used to
-        get the list of netgroups for a user.</para>
-
-      <para>The client setup is quite simple.  To configure the server
-        <systemitem>war</systemitem>, you only have to start
-        &man.vipw.8; and replace the line</para>
+	contents of <filename>/var/yp/netgroup</filename>.  The second
+	command only produces output if host-specific netgroups were
+	created.  The third command is used to get the list of
+	netgroups for a user.</para>
+
+      <para>To configure a client, use &man.vipw.8; to specify the
+	name  of the netgroup.  For example, on the server named
+	<systemitem>war</systemitem>,  replace this line:</para>
 
       <programlisting>+:::::::::</programlisting>
 
@@ -2148,115 +2057,95 @@
 
       <programlisting>+@IT_EMP:::::::::</programlisting>
 
-      <para>Now, only the data for the users defined in the netgroup
-        <literal>IT_EMP</literal> is imported into
-        <systemitem>war</systemitem>'s password database and only
-        these users are allowed to login.</para>
+      <para>This specifies that only the users defined in the netgroup
+	<literal>IT_EMP</literal> will be imported into this system's
+	password database and only those users are allowed to login to
+	this system.</para>
 
-      <para>Unfortunately, this limitation also applies to the
+      <para>This configuration also applies to the
 	<literal>~</literal> function of the shell and all routines
-	converting between user names and numerical user IDs.  In
-	other words, <command>cd
-	~user</command> will not work,
-	<command>ls -l</command> will show the numerical ID instead of
-	the username and <command>find . -user joe -print</command>
-	will fail with <errorname>No such user</errorname>.  To fix
-	this, you will have to import all user entries
-	<emphasis>without allowing them to login onto your
-	servers</emphasis>.</para>
-
-      <para>This can be achieved by adding another line to
-        <filename>/etc/master.passwd</filename>.  This line should
-        contain:</para>
-
-      <para><literal>+:::::::::/sbin/nologin</literal>, meaning
-        <quote>Import all entries but replace the shell with
-        <filename>/sbin/nologin</filename> in the imported
-        entries</quote>.  You can replace any field in the
-        <literal>passwd</literal> entry by placing a default value in
-        your <filename>/etc/master.passwd</filename>.</para>
+	which convert between user names and numerical user IDs.  In
+	other words,
+	<command>cd ~<replaceable>user</replaceable></command> will
+	not work, <command>ls -l</command> will show the numerical ID
+	instead of the username, and <command>find . -user joe
+	  -print</command> will fail with the message
+	<errorname>No such user</errorname>.  To fix this, import all
+	user entries without allowing them to login into the servers.
+	This can be achieved by adding an extra line:</para>
+
+      <programlisting>+:::::::::/sbin/nologin</programlisting>
+
+      <para>This line configures the client to import all entries but
+	to replace the shell in those entries with
+	<filename>/sbin/nologin</filename>.</para>
 
       <!-- Been there, done that, got the scars to prove it - ue -->
-      <warning>
-        <para>Make sure that the line
-        <literal>+:::::::::/sbin/nologin</literal> is placed after
-        <literal>+@IT_EMP:::::::::</literal>.  Otherwise, all user
-        accounts imported from NIS will have <filename>/sbin/nologin</filename> as their
-        login shell.</para>
-      </warning>
-
-      <para>After this change, you will only have to change one NIS
-        map if a new employee joins the IT department.  You could use
-        a similar approach for the less important servers by replacing
-        the old <literal>+:::::::::</literal> in their local version
-        of <filename>/etc/master.passwd</filename> with something like
-        this:</para>
+      <para>Make sure that extra line is placed
+	<emphasis>after</emphasis>
+	<literal>+@IT_EMP:::::::::</literal>.  Otherwise, all user
+	accounts imported from <acronym>NIS</acronym> will have
+	<filename>/sbin/nologin</filename> as their login
+	shell and no one will be able to login to the system.</para>
+
+      <para>To configure the less important servers, replace the old
+	<literal>+:::::::::</literal> on the servers with these
+	lines:</para>
 
       <programlisting>+@IT_EMP:::::::::
 +@IT_APP:::::::::
 +:::::::::/sbin/nologin</programlisting>
 
-      <para>The corresponding lines for the normal workstations
-        could be:</para>
+      <para>The corresponding lines for the workstations
+	would be:</para>
 
       <programlisting>+@IT_EMP:::::::::
 +@USERS:::::::::
 +:::::::::/sbin/nologin</programlisting>
 
-      <para>And everything would be fine until there is a policy
-        change a few weeks later: The IT department starts hiring
-        interns.  The IT interns are allowed to use the normal
-        workstations and the less important servers; and the IT
-        apprentices are allowed to login onto the main servers.  You
-        add a new netgroup <literal>IT_INTERN</literal>, add the new
-        IT interns to this netgroup and start to change the
-        configuration on each and every machine...  As the old saying
-        goes: <quote>Errors in centralized planning lead to global
-        mess</quote>.</para>
-
-      <para>NIS' ability to create netgroups from other netgroups can
-        be used to prevent situations like these.  One possibility
-        is the creation of role-based netgroups.  For example, you
-        could create a netgroup called
-        <literal>BIGSRV</literal> to define the login
-        restrictions for the important servers, another netgroup
-        called <literal>SMALLSRV</literal> for the less
-        important servers and a third netgroup called
-        <literal>USERBOX</literal> for the normal
-        workstations.  Each of these netgroups contains the netgroups
-        that are allowed to login onto these machines.  The new
-        entries for your NIS map netgroup should look like this:</para>
+      <para>NIS supports the creation of netgroups from other
+	netgroups which can be useful if the policy regarding user
+	access changes.  One possibility is the creation of role-based
+	netgroups.  For example, one might create a netgroup called
+	<literal>BIGSRV</literal> to define the login restrictions for
+	the important servers, another netgroup called
+	<literal>SMALLSRV</literal> for the less important servers,
+	and a third netgroup called <literal>USERBOX</literal> for the
+	workstations.  Each of these netgroups contains the netgroups
+	that are allowed to login onto these machines.  The new
+	entries for the <acronym>NIS</acronym>
+	<literal>netgroup</literal> map would look like this:</para>
 
       <programlisting>BIGSRV    IT_EMP  IT_APP
 SMALLSRV  IT_EMP  IT_APP  ITINTERN
 USERBOX   IT_EMP  ITINTERN USERS</programlisting>
 
       <para>This method of defining login restrictions works
-        reasonably well if you can define groups of machines with
-        identical restrictions.  Unfortunately, this is the exception
-        and not the rule.  Most of the time, you will need the ability
-        to define login restrictions on a per-machine basis.</para>
-
-      <para>Machine-specific netgroup definitions are the other
-        possibility to deal with the policy change outlined above.  In
-        this scenario, the <filename>/etc/master.passwd</filename> of
-        each box contains two lines starting with <quote>+</quote>.
-        The first of them adds a netgroup with the accounts allowed to
-        login onto this machine, the second one adds all other
-        accounts with <filename>/sbin/nologin</filename> as shell.  It
-        is a good idea to use the <quote>ALL-CAPS</quote> version of
-        the machine name as the name of the netgroup.  In other words,
-        the lines should look like this:</para>
+	reasonably well when it is possible to define groups of
+	machines with identical restrictions.  Unfortunately, this is
+	the exception and not the rule.  Most of the time, the ability
+	to define login restrictions on a per-machine basis is
+	required.</para>
+
+      <para>Machine-specific netgroup definitions are another
+	possibility to deal with the policy changes.  In this
+	scenario, the <filename>/etc/master.passwd</filename> of each
+	system contains two lines starting with <quote>+</quote>.
+	The first line adds a netgroup with the accounts allowed to
+	login onto this machine and the second line adds all other
+	accounts with <filename>/sbin/nologin</filename> as shell.  It
+	is recommended to use the <quote>ALL-CAPS</quote> version of
+	the hostname as the name of the netgroup:</para>
 
       <programlisting>+@<replaceable>BOXNAME</replaceable>:::::::::
 +:::::::::/sbin/nologin</programlisting>
 
-      <para>Once you have completed this task for all your machines,
-        you will not have to modify the local versions of
-        <filename>/etc/master.passwd</filename> ever again.  All
-        further changes can be handled by modifying the NIS map.  Here
-        is an example of a possible netgroup map for this
-        scenario with some additional goodies:</para>
+      <para>Once this task is completed on all the machines, there is
+	no longer a need to modify the local versions of
+	<filename>/etc/master.passwd</filename> ever again.  All
+	further changes can be handled by modifying the
+	<acronym>NIS</acronym> map.  Here is an example of a possible
+	<literal>netgroup</literal> map for this scenario:</para>
 
       <programlisting># Define groups of users first
 IT_EMP    (,alpha,test-domain)    (,beta,test-domain)
@@ -2294,802 +2183,1059 @@
 TWO       (,hotel,test-domain)
 # [...more groups to follow]</programlisting>
 
-      <para>If you are using some kind of database to manage your user
-        accounts, you should be able to create the first part of the
-        map with your database's report tools.  This way, new users
-        will automatically have access to the boxes.</para>
-
-      <para>One last word of caution: It may not always be advisable
-        to use machine-based netgroups.  If you are deploying a couple of
-        dozen or even hundreds of identical machines for student labs,
-        you should use role-based netgroups instead of machine-based
-        netgroups to keep the size of the NIS map within reasonable
-        limits.</para>
-    </sect2>
-
-    <sect2>
-      <title>Important Things to Remember</title>
-
-      <para>There are still a couple of things that you will need to do
-        differently now that you are in an NIS environment.</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>Every time you wish to add a user to the lab, you
-            must add it to the master NIS server <emphasis>only</emphasis>,
-            and <emphasis>you must remember to rebuild the NIS
-            maps</emphasis>.  If you forget to do this, the new user will
-            not be able to login anywhere except on the NIS master.
-            For example, if we needed to add a new user
-            <systemitem class="username">jsmith</systemitem> to the lab, we would:</para>
-
-          <screen>&prompt.root; <userinput>pw useradd jsmith</userinput>
-&prompt.root; <userinput>cd /var/yp</userinput>
-&prompt.root; <userinput>make test-domain</userinput></screen>
-
-          <para>You could also run <command>adduser jsmith</command> instead
-            of <command>pw useradd jsmith</command>.</para>
-        </listitem>
-        <listitem>
-          <para><emphasis>Keep the administration accounts out of the
-            NIS maps</emphasis>.  You do not want to be propagating
-            administrative accounts and passwords to machines that
-            will have users that should not have access to those
-            accounts.</para>
-        </listitem>
-        <listitem>
-          <para><emphasis>Keep the NIS master and slave secure, and
-            minimize their downtime</emphasis>.  If somebody either
-            hacks or simply turns off these machines, they have
-            effectively rendered many people without the ability to
-            login to the lab.</para>
-
-          <para>This is the chief weakness of any centralized administration
-            system.  If you do
-            not protect your NIS servers, you will have a lot of angry
-            users!</para>
-        </listitem>
-      </itemizedlist>
-    </sect2>
-
-    <sect2>
-      <title>NIS v1 Compatibility</title>
-
-      <para> FreeBSD's <application>ypserv</application> has some
-	support for serving NIS v1 clients.  FreeBSD's NIS
-	implementation only uses the NIS v2 protocol, however other
-	implementations include support for the v1 protocol for
-	backwards compatibility with older systems.  The
-	<application>ypbind</application> daemons supplied with these
-	systems will try to establish a binding to an NIS v1 server
-	even though they may never actually need it (and they may
-	persist in broadcasting in search of one even after they
-	receive a response from a v2 server).  Note that while support
-	for normal client calls is provided, this version of
-	<application>ypserv</application> does not handle v1 map
-	transfer requests; consequently, it cannot be used as a master
-	or slave in conjunction with older NIS servers that only
-	support the v1 protocol.  Fortunately, there probably are not
-	any such servers still in use today.</para>
-    </sect2>
-
-    <sect2 xml:id="network-nis-server-is-client">
-      <title>NIS Servers That Are Also NIS Clients</title>
-
-      <para> Care must be taken when running
-	<application>ypserv</application> in a multi-server domain
-	where the server machines are also NIS clients.  It is
-	generally a good idea to force the servers to bind to
-	themselves rather than allowing them to broadcast bind
-	requests and possibly become bound to each other.  Strange
-	failure modes can result if one server goes down and others
-	are dependent upon it.  Eventually all the clients will time
-	out and attempt to bind to other servers, but the delay
-	involved can be considerable and the failure mode is still
-	present since the servers might bind to each other all over
-	again.</para>
-
-      <para>You can force a host to bind to a particular server by running
-	<command>ypbind</command> with the <option>-S</option>
-	flag.  If you do not want to do this manually each time you
-        reboot your NIS server, you can add the following lines to
-        your <filename>/etc/rc.conf</filename>:</para>
-
-      <programlisting>nis_client_enable="YES"	# run client stuff as well
-nis_client_flags="-S <replaceable>NIS domain</replaceable>,<replaceable>server</replaceable>"</programlisting>
-
-      <para>See &man.ypbind.8; for further information.</para>
+      <para>It may not always be advisable
+	to use machine-based netgroups.  When deploying a couple of
+	dozen or hundreds of systems,
+	role-based netgroups instead of machine-based netgroups may be
+	used to keep the size of the <acronym>NIS</acronym> map within
+	reasonable limits.</para>
     </sect2>
 
     <sect2>
       <title>Password Formats</title>
+
       <indexterm>
-        <primary>NIS</primary>
-	<secondary>password formats</secondary>
+	<primary>NIS</primary>
+	  <secondary>password formats</secondary>
       </indexterm>
-      <para>One of the most common issues that people run into when trying
-	to implement NIS is password format compatibility.  If your NIS
-	server is using DES encrypted passwords, it will only support
-	clients that are also using DES.  For example, if you have
-	&solaris; NIS clients in your network, then you will almost certainly
-	need to use DES encrypted passwords.</para>
-
-      <para>To check which format your servers
-	and clients are using, look at <filename>/etc/login.conf</filename>.
-	If the host is configured to use DES encrypted passwords, then the
-	<literal>default</literal> class will contain an entry like this:</para>
+      <para><acronym>NIS</acronym> requires that all hosts within an
+	<acronym>NIS</acronym> domain use the same format for
+	encrypting passwords.  If users have trouble authenticating on
+	an <acronym>NIS</acronym> client, it may be due to a differing
+	password format.  In a heterogeneous network, the format must
+	be supported by all operating systems, where
+	<acronym>DES</acronym> is the lowest common standard.</para>
+
+      <para>To check which format a server or client is using, look
+	at this section of
+	<filename>/etc/login.conf</filename>:</para>
 
       <programlisting>default:\
 	:passwd_format=des:\
 	:copyright=/etc/COPYRIGHT:\
 	[Further entries elided]</programlisting>
 
-      <para>Other possible values for the <literal>passwd_format</literal>
-	capability include <literal>blf</literal> and <literal>md5</literal>
-	(for Blowfish and MD5 encrypted passwords, respectively).</para>
-
-      <para>If you have made changes to
-	<filename>/etc/login.conf</filename>, you will also need to
-	rebuild the login capability database, which is achieved by
-	running the following command as
-	<systemitem class="username">root</systemitem>:</para>
+      <para>In this example, the system is using the
+	<acronym>DES</acronym> format.  Other possible values are
+	<literal>blf</literal> for Blowfish and <literal>md5</literal>
+	for MD5 encrypted passwords.</para>
+
+      <para>If the format on a host needs to be edited to match the
+	one  being used in the <acronym>NIS</acronym> domain, the
+	login capability database must be rebuilt after saving the
+	change:</para>
 
       <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
 
-      <note><para>The format of passwords already in
-	<filename>/etc/master.passwd</filename> will not be updated
-	until a user changes his password for the first time
-	<emphasis>after</emphasis> the login capability database is
-	rebuilt.</para></note>
-
-      <para>Next, in order to ensure that passwords are encrypted with
-	the format that you have chosen, you should also check that
-	the <literal>crypt_default</literal> in
-	<filename>/etc/auth.conf</filename> gives precedence to your
-	chosen password format.  To do this, place the format that you
-	have chosen first in the list.  For example, when using DES
-	encrypted passwords, the entry would be:</para>
-
-      <programlisting>crypt_default	=	des blf md5</programlisting>
-
-      <para>Having followed the above steps on each of the &os; based
-	NIS servers and clients, you can be sure that they all agree
-	on which password format is used within your network.  If you
-	have trouble authenticating on an NIS client, this is a pretty
-	good place to start looking for possible problems.  Remember:
-	if you want to deploy an NIS server for a heterogenous
-	network, you will probably have to use DES on all systems
-	because it is the lowest common standard.</para>
+      <note>
+	<para>The format of passwords for existing user accounts will
+	  not be updated until each user changes their password
+	  <emphasis>after</emphasis> the login capability database is
+	  rebuilt.</para>
+      </note>
     </sect2>
   </sect1>
 
-  <sect1 xml:id="network-dhcp">
-    <info><title>Automatic Network Configuration (DHCP)</title>
+  <sect1 xml:id="network-ldap">
+    <info>
+    <title>Lightweight Directory Access Protocol
+      (<acronym>LDAP</acronym>)</title>
+
       <authorgroup>
-        <author><personname><firstname>Greg</firstname><surname>Sutter</surname></personname><contrib>Written by </contrib></author>
+	<author>
+	<personname>
+	  <firstname>Tom</firstname>
+	  <surname>Rhodes</surname>
+	</personname>
+	  <contrib>Written by </contrib>
+	</author>
       </authorgroup>
     </info>
-    
-
-    <sect2>
-      <title>What Is DHCP?</title>
-      <indexterm>
-        <primary>Dynamic Host Configuration Protocol</primary>
-        <see>DHCP</see>
-      </indexterm>
-      <indexterm>
-        <primary>Internet Software Consortium (ISC)</primary>
-      </indexterm>
 
-      <para>DHCP, the Dynamic Host Configuration Protocol, describes
-        the means by which a system can connect to a network and obtain the
-        necessary information for communication upon that network.  FreeBSD
-	versions prior to 6.0 use the ISC (Internet Software
-	Consortium) DHCP client (&man.dhclient.8;) implementation.
-	Later versions use the OpenBSD <command>dhclient</command>
-	taken from OpenBSD&nbsp;3.7.  All
-	information here regarding <command>dhclient</command> is for
-	use with either of the ISC or OpenBSD DHCP clients. The DHCP
-	server is the one included in the ISC distribution.</para>
-    </sect2>
+    <indexterm><primary>LDAP</primary></indexterm>
 
-    <sect2>
-      <title>What This Section Covers</title>
+    <para>The Lightweight Directory Access Protocol
+      (<acronym>LDAP</acronym>) is an application layer protocol used
+      to access, modify, and authenticate objects using a distributed
+      directory information service.  Think of it as a phone or record
+      book which stores several levels of hierarchical, homogeneous
+      information.  It is used in Active Directory and
+      <application>OpenLDAP</application> networks and allows users to
+      access to several levels of internal information utilizing a
+      single account.  For example, email authentication, pulling
+      employee contact information, and internal website
+      authentication might all make use of a single user account in
+      the <acronym>LDAP</acronym> server's record base.</para>
+
+    <para>This section provides a quick start guide for configuring an
+      <acronym>LDAP</acronym> server on a &os; system.  It assumes
+      that the administrator already has a design plan which includes
+      the type of information to store, what that information will be
+      used for, which users should have access to that information,
+      and how to secure this information from unauthorized
+      access.</para>
+
+    <sect2>
+      <title><acronym>LDAP</acronym> Terminology and Structure</title>
+
+      <para><acronym>LDAP</acronym> uses several terms which should be
+	understood before starting the configuration.  All directory
+	entries consist of a group of
+	<firstterm>attributes</firstterm>.  Each of these attribute
+	sets contains a unique identifier known as a
+	<firstterm>Distinguished Name</firstterm>
+	(<acronym>DN</acronym>) which is normally built from several
+	other attributes such as the common or
+	<firstterm>Relative Distinguished Name</firstterm>
+	(<acronym>RDN</acronym>).  Similar to how directories have
+	absolute and relative paths, consider a <acronym>DN</acronym>
+	as an absolute path and the <acronym>RDN</acronym> as the
+	relative path.</para>
+
+      <para>An example <acronym>LDAP</acronym> entry looks like the
+	following.  This example searches for the entry for the
+	specified user account (<literal>uid</literal>),
+	organizational unit (<literal>ou</literal>), and organization
+	(<literal>o</literal>):</para>
 
-      <para>This section describes both the client-side components of the ISC and OpenBSD DHCP client and
-        server-side components of the ISC DHCP system.  The
-        client-side program, <command>dhclient</command>, comes
-        integrated within FreeBSD, and the server-side portion is
-        available from the <package>net/isc-dhcp3-server</package> port.  The
-        &man.dhclient.8;, &man.dhcp-options.5;, and
-        &man.dhclient.conf.5; manual pages, in addition to the
-        references below, are useful resources.</para>
-    </sect2>
+      <screen>&prompt.user; <userinput>ldapsearch -xb "uid=<replaceable>trhodes</replaceable>,ou=<replaceable>users</replaceable>,o=<replaceable>example.com</replaceable>"</userinput>
+# extended LDIF
+#
+# LDAPv3
+# base &lt;uid=trhodes,ou=users,o=example.com&gt; with scope subtree
+# filter: (objectclass=*)
+# requesting: ALL
+#
 
-    <sect2>
-      <title>How It Works</title>
-      <indexterm><primary>UDP</primary></indexterm>
-      <para>When <command>dhclient</command>, the DHCP client, is
-	executed on the client machine, it begins broadcasting
-	requests for configuration information.  By default, these
-	requests are on UDP port 68.  The server replies on UDP 67,
-	giving the client an IP address and other relevant network
-	information such as netmask, router, and DNS servers.  All of
-	this information comes in the form of a DHCP
-	<quote>lease</quote> and is only valid for a certain time
-	(configured by the DHCP server maintainer).  In this manner,
-	stale IP addresses for clients no longer connected to the
-	network can be automatically reclaimed.</para>
-
-      <para>DHCP clients can obtain a great deal of information from
-        the server.  An exhaustive list may be found in
-        &man.dhcp-options.5;.</para>
-    </sect2>
+# trhodes, users, example.com
+dn: uid=trhodes,ou=users,o=example.com
+mail: trhodes@example.com
+cn: Tom Rhodes
+uid: trhodes
+telephoneNumber: (123) 456-7890
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 2
+# numEntries: 1</screen>
+
+      <para>This example entry shows the values for the
+	<literal>dn</literal>, <literal>mail</literal>,
+	<literal>cn</literal>, <literal>uid</literal>, and
+	<literal>telephoneNumber</literal> attributes.  The
+	<acronym>cn</acronym> attribute is the
+	<acronym>RDN</acronym>.</para>
+
+      <para>More information about <acronym>LDAP</acronym> and its
+	terminology can be found at <uri
+	  xlink:href="http://www.openldap.org/doc/admin24/intro.html">http://www.openldap.org/doc/admin24/intro.html</uri>.</para>
+    </sect2>
+
+    <sect2 xml:id="ldap-config">
+      <title>Configuring an <acronym>LDAP</acronym> Server</title>
+
+      <indexterm><primary>LDAP Server</primary></indexterm>
+
+      <para>&os; does not provide a built-in <acronym>LDAP</acronym>
+	server.  Begin the configuration by installing the <package
+	  role="port">net/openldap24-server</package> package or port.
+	Since the port has many configurable options, it is
+	recommended that the default options are reviewed to see if
+	the package is sufficient, and to instead compile the port if
+	any options should be changed.  In most cases, the defaults
+	are fine.  However, if SQL support is needed, this option must
+	be enabled and the port compiled using the instructions in
+	<xref linkend="ports-using"/>.</para>
+
+      <para>Next, create the directories to hold the data and to store
+	the certificates:</para>
+
+      <screen>&prompt.root; <userinput>mkdir /var/db/openldap-data</userinput>
+&prompt.root; <userinput>mkdir /usr/local/etc/openldap/private</userinput></screen>
+
+      <para>Copy over the database configuration file:</para>
+
+      <screen>&prompt.root; <userinput>cp /usr/local/etc/openldap/DB_CONFIG.example /var/db/openldap-data/DB_CONFIG</userinput></screen>
+
+      <para>The next phase is to configure the certificate authority.
+	The following commands must be executed from
+	<filename>/usr/local/etc/openldap/private</filename>.  This is
+	important as the file permissions need to be restrictive and
+	users should not have access to these files.  To create the
+	certificate authority, start with this command and follow the
+	prompts:</para>
+
+      <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -x509 -keyout ca.key -out ../ca.crt</userinput></screen>
+
+      <para>The entries for the prompts may be generic
+	<emphasis>except</emphasis> for the
+	<literal>Common Name</literal>.  This entry must be
+	<emphasis>different</emphasis> than the system hostname.  If
+	this will be a self signed certificate, prefix the hostname
+	with <literal>CA</literal> for certificate authority.</para>
+
+      <para>The next task is to create a certificate signing request
+	and a private key.  Input this command and follow the
+	prompts:</para>
+
+      <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout server.key -out server.csr</userinput></screen>
+
+      <para>During the certificate generation process, be sure to
+	correctly set the <literal>Common Name</literal> attribute.
+	Once complete, sign the key:</para>
+
+      <screen>&prompt.root; <userinput>openssl x509 -req -days <replaceable>365</replaceable> -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial</userinput></screen>
+
+      <para>The final part of the certificate generation process is to
+	generate and sign the client certificates:</para>
+
+      <screen>&prompt.root; <userinput>openssl req -days <replaceable>365</replaceable> -nodes -new -keyout client.key -out client.csr</userinput>
+&prompt.root; <userinput>openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key</userinput></screen>
+
+      <para>Remember to use the same <literal>Common Name</literal>
+	attribute when prompted.  When finished, ensure that a total
+	of eight (8) new files have been generated through the
+	proceeding commands.  If so, the next step is to edit
+	<filename>/usr/local/etc/openldap/slapd.conf</filename> and
+	add the following options:</para>
+
+      <programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3
+TLSCertificateFile /usr/local/etc/openldap/server.crt
+TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
+TLSCACertificateFile /usr/local/etc/openldap/ca.crt</programlisting>
+
+      <para>Then, edit
+	<filename>/usr/local/etc/openldap/ldap.conf</filename> and add
+	the following lines:</para>
+
+      <programlisting>TLS_CACERT /usr/local/etc/openldap/ca.crt
+TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting>
+
+      <para>While editing this file, uncomment the following entries
+	and set them to the desired values: <option>BASE</option>,
+	<option>URI</option>, <option>SIZELIMIT</option> and
+	<option>TIMELIMIT</option>.  Set the <option>URI</option> to
+	contain <option>ldap://</option> and
+	<option>ldaps://</option>.  Then, add two entries pointing to
+	the certificate authority.  When finished, the entries should
+	look similar to the following:</para>
+
+      <programlisting>BASE    dc=example,dc=com
+URI     ldap:// ldaps://
+
+SIZELIMIT       12
+TIMELIMIT       15
+
+TLS_CACERT /usr/local/etc/openldap/ca.crt
+TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3</programlisting>
+
+      <para>The default password for the server should then be
+	changed:</para>
+
+      <screen>&prompt.root; <userinput>slappasswd -h "{SHA}" &gt;&gt; /usr/local/etc/openldap/slapd.conf</userinput></screen>
+
+      <para>This command will prompt for the password and, if the
+	process does not fail, a password hash will be added to the
+	end of <filename>slapd.conf</filename>.  Several hashing
+	formats are supported.  Refer to the manual page for
+	<command>slappasswd</command> for more information.</para>
+
+      <para>Next, edit
+	<filename>/usr/local/etc/openldap/slapd.conf</filename> and
+	add the following lines:</para>
+
+      <programlisting>password-hash {sha}
+allow bind_v2</programlisting>
+
+      <para>The <option>suffix</option> in this file must be updated
+	to match the <option>BASE</option> used in
+	<filename>/usr/local/etc/openldap/ldap.conf</filename> and
+	<option>rootdn</option> should also be set.  A recommended
+	value for <option>rootdn</option> is something like
+	<option>cn=Manager</option>.  Before saving this file, place
+	the <option>rootpw</option> in front of the password output
+	from <command>slappasswd</command> and delete the old
+	<option>rootpw</option>.  The end result should
+	look similar to this:</para>
+
+      <programlisting>TLSCipherSuite HIGH:MEDIUM:+SSLv3
+TLSCertificateFile /usr/local/etc/openldap/server.crt
+TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
+TLSCACertificateFile /usr/local/etc/openldap/ca.crt
+rootpw  {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=</programlisting>
+
+      <para>Finally, enable the <application>OpenLDAP</application>
+	service in <filename>/etc/rc.conf</filename> and set the
+	<acronym>URI</acronym>:</para>
+
+      <programlisting>slapd_enable="YES"
+slapd_flags="-4 -h ldaps:///"</programlisting>
+
+      <para>At this point the server can be started and tested:</para>
+
+      <screen>&prompt.root; <userinput>service slapd start</userinput></screen>
+
+      <para>If everything is configured correctly, a search of the
+	directory should show a successful connection with a single
+	response as in this example:</para>
 
-    <sect2>
-      <title>FreeBSD Integration</title>
+      <screen>&prompt.root; <userinput>ldapsearch -Z</userinput>
+# extended LDIF
+#
+# LDAPv3
+# base &lt;dc=example,dc=com&gt; (default) with scope subtree
+# filter: (objectclass=*)
+# requesting: ALL
+#
 
-      <para>&os; fully integrates the ISC or OpenBSD DHCP client,
-        <command>dhclient</command> (according to the &os; version you run).  DHCP client support is provided
-        within both the installer and the base system, obviating the need
-        for detailed knowledge of network configurations on any network
-        that runs a DHCP server.  <command>dhclient</command> has been
-        included in all FreeBSD distributions since 3.2.</para>
-        <indexterm>
-          <primary><application>sysinstall</application></primary>
-        </indexterm>
-
-        <para>DHCP is supported by
-          <application>sysinstall</application>.  When configuring a
-          network interface within
-          <application>sysinstall</application>, the second question
-          asked is: <quote>Do you want to try DHCP configuration of
-          the interface?</quote>. Answering affirmatively will
-          execute <command>dhclient</command>, and if successful, will
-          fill in the network configuration information
-          automatically.</para>
-
-        <para>There are two things you must do to have your system use
-	  DHCP upon startup:</para>
-        <indexterm>
-          <primary>DHCP</primary>
-          <secondary>requirements</secondary>
-        </indexterm>
-	<itemizedlist>
-	  <listitem>
-            <para>Make sure that the <filename>bpf</filename>
-	      device is compiled into your kernel.  To do this, add
-	      <literal>device bpf</literal> (<literal>pseudo-device
-	      bpf</literal> under &os;&nbsp;4.X) to your kernel
-	      configuration file, and rebuild the kernel.  For more
-	      information about building kernels, see <xref linkend="kernelconfig"/>.</para> <para>The
-	      <filename>bpf</filename> device is already part of
-	      the <filename>GENERIC</filename> kernel that is supplied
-	      with FreeBSD, so if you do not have a custom kernel, you
-	      should not need to create one in order to get DHCP
-	      working.</para>
-	    <note>
-	      <para>For those who are particularly security conscious,
-	        you should be warned that <filename>bpf</filename>
-		is also the device that allows packet sniffers to work
-		correctly (although they still have to be run as
-		<systemitem class="username">root</systemitem>).  <filename>bpf</filename>
-		<emphasis>is</emphasis> required to use DHCP, but if
-		you are very sensitive about security, you probably
-		should not add <filename>bpf</filename> to your
-		kernel in the expectation that at some point in the
-		future you will be using DHCP.</para>
-	    </note>
-	  </listitem>
-          <listitem>
-            <para>Edit your <filename>/etc/rc.conf</filename> to
-	      include the following:</para>
-
-            <programlisting>ifconfig_fxp0="DHCP"</programlisting>
-
-            <note>
-              <para>Be sure to replace <literal>fxp0</literal> with the
-                designation for the interface that you wish to dynamically
-                 configure, as described in
-		 <xref linkend="config-network-setup"/>.</para>
-            </note>
-
-            <para>If you are using a different location for
-              <command>dhclient</command>, or if you wish to pass additional
-              flags to <command>dhclient</command>, also include the
-              following (editing as necessary):</para>
-
-            <programlisting>dhcp_program="/sbin/dhclient"
-dhcp_flags=""</programlisting>
-          </listitem>
-        </itemizedlist>
-
-        <indexterm>
-          <primary>DHCP</primary>
-          <secondary>server</secondary>
-        </indexterm>
-        <para>The DHCP server, <application>dhcpd</application>, is included
-          as part of the <package>net/isc-dhcp3-server</package> port in the ports
-          collection.  This port contains the ISC DHCP server and
-          documentation.</para>
-    </sect2>
+# search result
+search: 3
+result: 32 No such object
 
-    <sect2>
-      <title>Files</title>
-      <indexterm>
-        <primary>DHCP</primary>
-        <secondary>configuration files</secondary>
-      </indexterm>
-      <itemizedlist>
-        <listitem><para><filename>/etc/dhclient.conf</filename></para>
-          <para><command>dhclient</command> requires a configuration file,
-            <filename>/etc/dhclient.conf</filename>.  Typically the file
-            contains only comments, the defaults being reasonably sane.  This
-            configuration file is described by the &man.dhclient.conf.5;
-            manual page.</para>
-        </listitem>
-
-        <listitem><para><filename>/sbin/dhclient</filename></para>
-          <para><command>dhclient</command> is statically linked and
-            resides in <filename>/sbin</filename>.  The &man.dhclient.8;
-            manual page gives more information about
-            <command>dhclient</command>.</para>
-        </listitem>
-
-        <listitem><para><filename>/sbin/dhclient-script</filename></para>
-          <para><command>dhclient-script</command> is the FreeBSD-specific
-            DHCP client configuration script.  It is described in
-            &man.dhclient-script.8;, but should not need any user
-            modification to function properly.</para>
-        </listitem>
-
-        <listitem><para><filename>/var/db/dhclient.leases</filename></para>
-          <para>The DHCP client keeps a database of valid leases in this
-            file, which is written as a log.  &man.dhclient.leases.5;
-            gives a slightly longer description.</para>
-        </listitem>
-      </itemizedlist>
-    </sect2>
+# numResponses: 1</screen>
 
-    <sect2>
-      <title>Further Reading</title>
+      <note>
+	<para>If the command fails and the configuration looks
+	  correct, stop the <command>slapd</command> service and
+	  restart it with debugging options:</para>
 
-      <para>The DHCP protocol is fully described in
-        <link xlink:href="http://www.freesoft.org/CIE/RFC/2131/">RFC 2131</link>.
-        An informational resource has also been set up at
-        <uri xlink:href="http://www.dhcp.org/">http://www.dhcp.org/</uri>.</para>
-    </sect2>
+	<screen>&prompt.root; <userinput>service slapd stop</userinput>
+&prompt.root; <userinput>/usr/local/libexec/slapd -d -1</userinput></screen>
+      </note>
 
-    <sect2 xml:id="network-dhcp-server">
-	<title>Installing and Configuring a DHCP Server</title>
+      <para>Once the service is responding, the directory can be
+	populated using <command>ldapadd</command>.  In this example,
+	a file containing this list of users is first created.  Each
+	user should use the following format:</para>
+
+      <programlisting>dn: dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>
+objectclass: dcObject
+objectclass: organization
+o: <replaceable>Example</replaceable>
+dc: <replaceable>Example</replaceable>
+
+dn: cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>
+objectclass: organizationalRole
+cn: <replaceable>Manager</replaceable></programlisting>
+
+      <para>To import this file, specify the file name.  The following
+	command will prompt for the password specified earlier and the
+	output should look something like this:</para>
+
+      <screen>&prompt.root; <userinput>ldapadd -Z -D "cn=<replaceable>Manager</replaceable>,dc=<replaceable>example</replaceable>,dc=<replaceable>com</replaceable>" -W -f <replaceable>import.ldif</replaceable></userinput>
+Enter LDAP Password:
+adding new entry "dc=example,dc=com"
 
-	<sect3>
-	  <title>What This Section Covers</title>
+adding new entry "cn=Manager,dc=example,dc=com"</screen>
 
-	  <para>This section provides information on how to configure
-	    a FreeBSD system to act as a DHCP server using the ISC
-	    (Internet Software Consortium) implementation of the DHCP
-	    suite.</para>
-
-	  <para>The server portion of the suite is not provided as part of
-	    FreeBSD, and so you will need to install the
-	    <package>net/isc-dhcp3-server</package>
-	    port to provide this service.  See <xref linkend="ports"/> for
-	    more information on using the Ports Collection.</para>
-	</sect3>
-
-	<sect3>
-	  <title>DHCP Server Installation</title>
-	  <indexterm>
-	    <primary>DHCP</primary>
-	    <secondary>installation</secondary>
-	  </indexterm>
-	  <para>In order to configure your FreeBSD system as a DHCP
-	    server, you will need to ensure that the &man.bpf.4;
-	    device is compiled into your kernel.  To do this, add
-	    <literal>device bpf</literal> (<literal>pseudo-device
-	    bpf</literal> under &os;&nbsp;4.X) to your kernel
-	    configuration file, and rebuild the kernel.  For more
-	    information about building kernels, see <xref linkend="kernelconfig"/>.</para>
-
-	  <para>The <filename>bpf</filename> device is already
-	    part of the <filename>GENERIC</filename> kernel that is
-	    supplied with FreeBSD, so you do not need to create a custom
-	    kernel in order to get DHCP working.</para>
-
-	    <note>
-	      <para>Those who are particularly security conscious
-	        should note that <filename>bpf</filename>
-		is also the device that allows packet sniffers to work
-		correctly (although such programs still need privileged
-		access).  <filename>bpf</filename>
-		<emphasis>is</emphasis> required to use DHCP, but if
-		you are very sensitive about security, you probably
-		should not include <filename>bpf</filename> in your
-		kernel purely because you expect to use DHCP at some
-		point in the future.</para>
-	    </note>
-
-	  <para>The next thing that you will need to do is edit the sample
-	    <filename>dhcpd.conf</filename> which was installed by the
-	    <package>net/isc-dhcp3-server</package> port.
-	    By default, this will be
-	    <filename>/usr/local/etc/dhcpd.conf.sample</filename>, and you
-	    should copy this to
-	    <filename>/usr/local/etc/dhcpd.conf</filename> before proceeding
-	    to make changes.</para>
-	</sect3>
-
-	<sect3>
-	  <title>Configuring the DHCP Server</title>
-	  <indexterm>
-	    <primary>DHCP</primary>
-	    <secondary>dhcpd.conf</secondary>
-	  </indexterm>
-	  <para><filename>dhcpd.conf</filename> is
-	    comprised of declarations regarding subnets and hosts, and is
-	    perhaps most easily explained using an example :</para>
+      <para>Verify the data was added by issuing a search on the
+	server using <command>ldapsearch</command>:</para>
 
-	  <programlisting>option domain-name "example.com";<co xml:id="domain-name"/>
-option domain-name-servers 192.168.4.100;<co xml:id="domain-name-servers"/>
-option subnet-mask 255.255.255.0;<co xml:id="subnet-mask"/>
+      <screen>&prompt.user; <userinput>ldapsearch -Z</userinput>
+# extended LDIF
+#
+# LDAPv3
+# base &lt;dc=example,dc=com&gt; (default) with scope subtree
+# filter: (objectclass=*)
+# requesting: ALL
+#
 
-default-lease-time 3600;<co xml:id="default-lease-time"/>
-max-lease-time 86400;<co xml:id="max-lease-time"/>
-ddns-update-style none;<co xml:id="ddns-update-style"/>
+# example.com
+dn: dc=example,dc=com
+objectClass: dcObject
+objectClass: organization
+o: Example
+dc: Example
+
+# Manager, example.com
+dn: cn=Manager,dc=example,dc=com
+objectClass: organizationalRole
+cn: Manager
+
+# search result
+search: 3
+result: 0 Success
 
-subnet 192.168.4.0 netmask 255.255.255.0 {
-  range 192.168.4.129 192.168.4.254;<co xml:id="range"/>
-  option routers 192.168.4.1;<co xml:id="routers"/>
-}
+# numResponses: 3
+# numEntries: 2</screen>
 
-host mailhost {
-  hardware ethernet 02:03:04:05:06:07;<co xml:id="hardware"/>
-  fixed-address mailhost.example.com;<co xml:id="fixed-address"/>
-}</programlisting>
+      <para>At this point, the server should be configured and
+	functioning properly.</para>
+    </sect2>
+  </sect1>
 
-	  <calloutlist>
-	    <callout arearefs="domain-name">
-	      <para>This option specifies the domain that will be provided
-		to clients as the default search domain.  See
-		&man.resolv.conf.5; for more information on what this
-		means.</para>
-	    </callout>
-
-	    <callout arearefs="domain-name-servers">
-	      <para>This option specifies a comma separated list of DNS
-		servers that the client should use.</para>
-	    </callout>
-
-	    <callout arearefs="subnet-mask">
-	      <para>The netmask that will be provided to clients.</para>
-	    </callout>
-
-	    <callout arearefs="default-lease-time">
-	      <para>A client may request a specific length of time that a
-		lease will be valid.  Otherwise the server will assign
-		a lease with this expiry value (in seconds).</para>
-	    </callout>
-
-	    <callout arearefs="max-lease-time">
-	      <para>This is the maximum length of time that the server will
-		lease for.  Should a client request a longer lease, a lease
-		will be issued, although it will only be valid for
-		<literal>max-lease-time</literal> seconds.</para>
-	    </callout>
-
-	    <callout arearefs="ddns-update-style">
-	      <para>This option specifies whether the DHCP server should
-		attempt to update DNS when a lease is accepted or released.
-		In the ISC implementation, this option is
-		<emphasis>required</emphasis>.</para>
-	    </callout>
-
-	    <callout arearefs="range">
-	      <para>This denotes which IP addresses should be used in
-		the pool reserved for allocating to clients.  IP
-		addresses between, and including, the ones stated are
-		handed out to clients.</para>
-	    </callout>
-
-	    <callout arearefs="routers">
-	      <para>Declares the default gateway that will be provided to
-		clients.</para>
-	    </callout>
-
-	    <callout arearefs="hardware">
-	      <para>The hardware MAC address of a host (so that the DHCP server
-		can recognize a host when it makes a request).</para>
-	    </callout>
-
-	    <callout arearefs="fixed-address">
-	      <para>Specifies that the host should always be given the
-		same IP address.  Note that using a hostname is
-		correct here, since the DHCP server will resolve the
-		hostname itself before returning the lease
-		information.</para>
-	    </callout>
-	  </calloutlist>
-
-	  <para>Once you have finished writing your
-	    <filename>dhcpd.conf</filename>, you can proceed to start the
-	    server by issuing the following command:</para>
-
-	  <screen>&prompt.root; <userinput>/usr/local/etc/rc.d/isc-dhcpd.sh start</userinput></screen>
-
-	  <para>Should you need to make changes to the configuration of your
-	    server in the future, it is important to note that sending a
-	    <literal>SIGHUP</literal> signal to
-	    <application>dhcpd</application> does <emphasis>not</emphasis>
-	    result in the configuration being reloaded, as it does with most
-	    daemons.  You will need to send a <literal>SIGTERM</literal>
-	    signal to stop the process, and then restart it using the command
-	    above.</para>
-	</sect3>
-
-	<sect3>
-	  <title>Files</title>
-	  <indexterm>
-	    <primary>DHCP</primary>
-	    <secondary>configuration files</secondary>
-	  </indexterm>
-	  <itemizedlist>
-	    <listitem><para><filename>/usr/local/sbin/dhcpd</filename></para>
-	      <para><application>dhcpd</application> is statically linked and
-		resides in <filename>/usr/local/sbin</filename>.  The
-		&man.dhcpd.8; manual page installed with the
-		port gives more information about
-		<application>dhcpd</application>.</para>
-	    </listitem>
+  <sect1 xml:id="network-dhcp">
+    <!--
+    <sect1info>
+      <authorgroup>
+	<author>
+	  <firstname>Greg</firstname>
+	  <surname>Sutter</surname>
+	  <contrib>Written by </contrib>
+	</author>
+      </authorgroup>
+    </sect1info>
+    -->
+    <title>Dynamic Host Configuration Protocol
+      (<acronym>DHCP</acronym>)</title>
 
-	    <listitem><para><filename>/usr/local/etc/dhcpd.conf</filename></para>
-	      <para><application>dhcpd</application> requires a configuration
-		file, <filename>/usr/local/etc/dhcpd.conf</filename> before it
-		will start providing service to clients.  This file needs to
-		contain all the information that should be provided to clients
-		that are being serviced, along with information regarding the
-		operation of the server.  This configuration file is described
-		by the &man.dhcpd.conf.5; manual page installed
-		by the port.</para>
-	    </listitem>
+    <indexterm>
+      <primary>Dynamic Host Configuration Protocol</primary>
+      <see><acronym>DHCP</acronym></see>
+    </indexterm>
+    <indexterm>
+      <primary>Internet Systems Consortium (ISC)</primary>
+    </indexterm>
 
-	    <listitem><para><filename>/var/db/dhcpd.leases</filename></para>
-	      <para>The DHCP server keeps a database of leases it has issued
-		in this file, which is written as a log.  The manual page
-		&man.dhcpd.leases.5;, installed by the port
-		gives a slightly longer description.</para>
-	    </listitem>
+    <para>The Dynamic Host Configuration Protocol
+      (<acronym>DHCP</acronym>) allows a system to connect to a
+      network in order to be assigned the necessary addressing
+      information for communication on that network.  &os; includes
+      the OpenBSD version of <command>dhclient</command> which is used
+      by the client to obtain the addressing information.  &os; does
+      not install a <acronym>DHCP</acronym> server, but several
+      servers are available in the &os; Ports Collection.  The
+      <acronym>DHCP</acronym> protocol is fully described in <link
+	xlink:href="http://www.freesoft.org/CIE/RFC/2131/">RFC
+	2131</link>.
+      Informational resources are also available at <link
+	xlink:href="http://www.isc.org/downloads/dhcp/">isc.org/downloads/dhcp/</link>.</para>
+
+    <para>This section describes how to use the built-in
+      <acronym>DHCP</acronym> client.  It then describes how to
+      install and configure a <acronym>DHCP</acronym> server.</para>
+
+    <note>
+      <para>In &os;, the &man.bpf.4; device is needed by both the
+	<acronym>DHCP</acronym> server and <acronym>DHCP</acronym>
+	client.  This device is included in the
+	<filename>GENERIC</filename>  kernel that is installed with
+	&os;.  Users who prefer to create a custom kernel need to keep
+	this device if  <acronym>DHCP</acronym> is used.</para>
+
+      <para>It should be noted that <filename>bpf</filename> also
+	allows privileged users to run network packet sniffers on
+	that system.</para>
+    </note>
+
+    <sect2>
+      <title>Configuring a <acronym>DHCP</acronym> Client</title>
+
+      <para><acronym>DHCP</acronym> client support is included in the
+	&os; installer, making it easy to configure a newly installed
+	system to automatically receive its networking addressing
+	information from an existing <acronym>DHCP</acronym> server.
+	Refer to <xref linkend="bsdinstall-post"/> for examples of
+	network configuration.</para>
+
+      <indexterm><primary><acronym>UDP</acronym></primary></indexterm>
+      <para>When <command>dhclient</command> is executed on the client
+	machine, it begins broadcasting requests for configuration
+	information.  By default, these requests use
+	<acronym>UDP</acronym> port 68.  The server replies on
+	<acronym>UDP</acronym> port 67, giving the client an
+	<acronym>IP</acronym> address and other relevant network
+	information such as a subnet mask, default gateway, and
+	<acronym>DNS</acronym> server addresses.  This information is
+	in the form of a <acronym>DHCP</acronym>
+	<quote>lease</quote> and is valid for a configurable time.
+	This allows stale <acronym>IP</acronym> addresses for clients
+	no longer connected to the network to automatically be reused.
+	<acronym>DHCP</acronym> clients can obtain a great deal of
+	information from the server.  An exhaustive list may be found
+	in &man.dhcp-options.5;.</para>
+
+      <para>By default, when a &os; system boots, its
+	<acronym>DHCP</acronym> client runs in the background, or
+	<firstterm>asynchronously</firstterm>.  Other startup scripts
+	continue to run while the <acronym>DHCP</acronym> process
+	completes, which speeds up system startup.</para>
+
+      <para>Background <acronym>DHCP</acronym> works well when the
+	<acronym>DHCP</acronym> server responds quickly to the
+	client's requests.  However, <acronym>DHCP</acronym> may take
+	a long time to complete on some systems.  If network services
+	attempt to run before <acronym>DHCP</acronym> has assigned the
+	network addressing information, they will fail.  Using
+	<acronym>DHCP</acronym> in <firstterm>synchronous</firstterm>
+	mode prevents this problem as it pauses startup until the
+	<acronym>DHCP</acronym> configuration has completed.</para>
+
+      <para>This line in <filename>/etc/rc.conf</filename> is used to
+	configure background or asynchronous mode:</para>
+
+      <programlisting>ifconfig_<replaceable>fxp0</replaceable>="DHCP"</programlisting>
+
+      <para>This line may already exist if the system was configured
+	to use <acronym>DHCP</acronym> during installation.  Replace
+	the <replaceable>fxp0</replaceable> shown in these examples
+	with the name of the interface to be dynamically configured,
+	as described in <xref linkend="config-network-setup"/>.</para>
+
+      <para>To instead configure the system to use synchronous mode,
+	and to pause during startup while <acronym>DHCP</acronym>
+	completes, use
+	<quote><literal>SYNCDHCP</literal></quote>:</para>
+
+      <programlisting>ifconfig_<replaceable>fxp0</replaceable>="SYNCDHCP"</programlisting>
+
+      <para>Additional client options are available.  Search for
+	<literal>dhclient</literal> in &man.rc.conf.5; for
+	details.</para>
 
-	    <listitem><para><filename>/usr/local/sbin/dhcrelay</filename></para>
-	      <para><application>dhcrelay</application> is used in advanced
-		environments where one DHCP server forwards a request from a
-		client to another DHCP server on a separate network.  If you
-		require this functionality, then install the <package>net/isc-dhcp3-relay</package> port.  The
-		&man.dhcrelay.8; manual page provided with the
-		port contains more detail.</para>
-	    </listitem>
-	  </itemizedlist>
-	</sect3>
+      <indexterm>
+	<primary><acronym>DHCP</acronym></primary>
+	<secondary>configuration files</secondary>
+      </indexterm>
 
-      </sect2>
+      <para>The <acronym>DHCP</acronym> client uses the following
+	files:</para>
 
-  </sect1>
+      <itemizedlist>
+	<listitem>
+	  <para><filename>/etc/dhclient.conf</filename></para>
 
-  <sect1 xml:id="network-dns">
-    <info><title>Domain Name System (DNS)</title>
-      <authorgroup>
-        <author><personname><firstname>Chern</firstname><surname>Lee</surname></personname><contrib>Contributed by </contrib></author>
-      </authorgroup>
-    </info>
-    
+	  <para>The configuration file used by
+	    <command>dhclient</command>.  Typically, this file
+	    contains only comments as the defaults are suitable for
+	    most clients.  This configuration file is described in
+	    &man.dhclient.conf.5;.</para>
+	</listitem>
 
-    <sect2>
-      <title>Overview</title>
-      <indexterm><primary>BIND</primary></indexterm>
+	<listitem>
+	  <para><filename>/sbin/dhclient</filename></para>
+
+	  <para>More information about the command itself can
+	    be found in &man.dhclient.8;.</para>
+	</listitem>
+
+	<listitem>
+	  <para><filename>/sbin/dhclient-script</filename></para>
+
+	  <para>The
+	    &os;-specific <acronym>DHCP</acronym> client configuration
+	    script.  It is described in &man.dhclient-script.8;, but
+	    should not need any user modification to function
+	    properly.</para>
+	</listitem>
+
+	<listitem>
+	  <para><filename>/var/db/dhclient.leases.<replaceable>interface</replaceable></filename></para>
 
-      <para>FreeBSD utilizes, by default, a version of BIND (Berkeley
-        Internet Name Domain), which is the most common implementation
-        of the DNS protocol.  DNS is the protocol through which names
-        are mapped to IP addresses, and vice versa.  For example, a
-        query for <systemitem class="fqdomainname">www.FreeBSD.org</systemitem> will
-        receive a reply with the IP address of The FreeBSD Project's
-        web server, whereas, a query for <systemitem class="fqdomainname">ftp.FreeBSD.org</systemitem> will return the IP
-        address of the corresponding FTP machine.  Likewise, the
-        opposite can happen.  A query for an IP address can resolve
-        its hostname.  It is not necessary to run a name server to
-        perform DNS lookups on a system.
-      </para>
-
-      <indexterm><primary>DNS</primary></indexterm>
-      <para>DNS is coordinated across the Internet through a somewhat
-        complex system of authoritative root name servers, and other
-        smaller-scale name servers who host and cache individual domain
-        information.
-      </para>
-
-      <para>
-        This document refers to BIND 8.x, as it is the stable version
-	used in &os;.  Versions of &os;&nbsp;5.3 and beyond include
-	<acronym>BIND</acronym>9 and the configuration instructions
-	may be found later in this chapter.  Users of &os;&nbsp;5.2
-	and other previous versions may install <acronym>BIND</acronym>9
-	from the <package>net/bind9</package> port.</para>
-
-      <para>
-        RFC1034 and RFC1035 dictate the DNS protocol.
-      </para>
-
-      <para>
-        Currently, BIND is maintained by the
-        Internet Software Consortium <uri xlink:href="http://www.isc.org/">http://www.isc.org/</uri>.
-      </para>
+	  <para>The <acronym>DHCP</acronym> client keeps a database of
+	    valid leases in this file, which is written as a log and
+	    is described in &man.dhclient.leases.5;.</para>
+	</listitem>
+      </itemizedlist>
     </sect2>
 
-    <sect2>
-      <title>Terminology</title>
+    <sect2 xml:id="network-dhcp-server">
+      <title>Installing and Configuring a <acronym>DHCP</acronym>
+	Server</title>
 
-      <para>To understand this document, some terms related to DNS must be
-	understood.</para>
+      <para>This section demonstrates how to configure a &os; system
+	to act as a <acronym>DHCP</acronym> server using the Internet
+	Systems Consortium (<acronym>ISC</acronym>) implementation of
+	the <acronym>DHCP</acronym> server.  This implementation and
+	its documentation can be installed using the
+	<package>net/isc-dhcp42-server</package> package or
+	port.</para>
 
-      <indexterm><primary>resolver</primary></indexterm>
-      <indexterm><primary>reverse DNS</primary></indexterm>
-      <indexterm><primary>root zone</primary></indexterm>
-      <informaltable frame="none" pgwide="1">
-	<tgroup cols="2">
-	  <colspec colwidth="1*"/>
-	  <colspec colwidth="3*"/>
+      <indexterm>
+	<primary><acronym>DHCP</acronym></primary>
+	<secondary>server</secondary>
+      </indexterm>
 
-	  <thead>
-	    <row>
-	      <entry>Term</entry>
-	      <entry>Definition</entry>
-	    </row>
-	  </thead>
+      <indexterm>
+	<primary><acronym>DHCP</acronym></primary>
+	  <secondary>installation</secondary>
+      </indexterm>
 
-	  <tbody>
-	    <row>
-	      <entry>Forward DNS</entry>
-	      <entry>Mapping of hostnames to IP addresses</entry>
-	    </row>
+      <para>The installation of
+	<package>net/isc-dhcp42-server</package> installs a sample
+	configuration file.  Copy
+	<filename>/usr/local/etc/dhcpd.conf.example</filename> to
+	<filename>/usr/local/etc/dhcpd.conf</filename> and make any
+	edits to this new file.</para>
 
-	    <row>
-	      <entry>Origin</entry>
-	      <entry>Refers to the domain covered in a particular zone
-		file</entry>
-	    </row>
+      <indexterm>
+	<primary><acronym>DHCP</acronym></primary>
+	  <secondary>dhcpd.conf</secondary>
+      </indexterm>
+      <para>The configuration file is comprised of declarations for
+	subnets and hosts which define the  information that is
+	provided to <acronym>DHCP</acronym>  clients.  For example,
+	these  lines configure the following:</para>
 
-	    <row>
-	      <entry><application>named</application>, BIND, name server</entry>
-	      <entry>Common names for the BIND name server package within
-		FreeBSD</entry>
-	    </row>
+      <programlisting>option domain-name "example.org";<co xml:id="domain-name"/>
+option domain-name-servers ns1.example.org;<co xml:id="domain-name-servers"/>
+option subnet-mask 255.255.255.0;<co xml:id="subnet-mask"/>
 
-	    <row>
-	      <entry>Resolver</entry>
-	      <entry>A system process through which a
-		machine queries a name server for zone information</entry>
-	    </row>
+default-lease-time 600;<co xml:id="default-lease-time"/>
+max-lease-time 72400;<co xml:id="max-lease-time"/>
+ddns-update-style none;<co xml:id="ddns-update-style"/>
 
-	    <row>
-	      <entry>Reverse DNS</entry>
-	      <entry>The opposite of forward DNS; mapping of IP addresses to
-		hostnames</entry>
-	    </row>
+subnet 10.254.239.0 netmask 255.255.255.224 {
+  range 10.254.239.10 10.254.239.20;<co xml:id="range"/>
+  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;<co xml:id="routers"/>
+}
 
-	    <row>
-	      <entry>Root zone</entry>
+host fantasia {
+  hardware ethernet 08:00:07:26:c0:a5;<co xml:id="hardware"/>
+  fixed-address fantasia.fugue.com;<co xml:id="fixed-address"/>
+}</programlisting>
 
-	      <entry>The beginning of the Internet zone hierarchy.
-		All zones fall under the root zone, similar to how
-		all files in a file system fall under the root directory.</entry>
-	    </row>
+      <calloutlist>
+	<callout arearefs="domain-name">
+	  <para>This option specifies the default search domain that
+	    will be provided to clients.  Refer to
+	    &man.resolv.conf.5; for more information.</para>
+	</callout>
 
-	    <row>
-	      <entry>Zone</entry>
-	      <entry>An individual domain, subdomain, or portion of the DNS administered by
-		the same authority</entry>
-	    </row>
-	  </tbody>
-	</tgroup>
-      </informaltable>
+	<callout arearefs="domain-name-servers">
+	  <para>This option specifies a comma separated list of
+	    <acronym>DNS</acronym> servers that the client should use.
+	    They can be listed by their Fully Qualified Domain Names
+	    (<acronym>FQDN</acronym>), as seen in the example, or by
+	    their <acronym>IP</acronym> addresses.</para>
+	</callout>
+
+	<callout arearefs="subnet-mask">
+	  <para>The subnet mask that will be provided to
+	    clients.</para>
+	</callout>
+
+	<callout arearefs="default-lease-time">
+	  <para>The default lease expiry time in seconds.  A client
+	    can be configured to override this value.  </para>
+	</callout>
+
+	<callout arearefs="max-lease-time">
+	  <para>The maximum allowed length of time, in seconds, for a
+	    lease.  Should a client request a longer lease, a lease
+	    will still be issued, but it will only be valid for
+	    <literal>max-lease-time</literal>.</para>
+	</callout>
+
+	<callout arearefs="ddns-update-style">
+	  <para>The default of <option>none</option> disables dynamic
+	    DNS updates.  Changing this to <option>interim</option>
+	    configures the <acronym>DHCP</acronym> server to update a
+	    <acronym>DNS</acronym> server whenever it hands out a
+	    lease so that the <acronym>DNS</acronym> server knows
+	    which <acronym>IP</acronym> addresses are associated with
+	    which computers in the network.  Do not change the default
+	    setting unless the <acronym>DNS</acronym> server has  been
+	    configured to support dynamic
+	    <acronym>DNS</acronym>.</para>
+	</callout>
+
+	<callout arearefs="range">
+	  <para>This line creates a pool of available
+	    <acronym>IP</acronym> addresses which are reserved for
+	    allocation to <acronym>DHCP</acronym> clients.  The range
+	    of addresses must be valid for the network or subnet
+	    specified in the previous line.</para>
+	</callout>
+
+	<callout arearefs="routers">
+	  <para>Declares the default gateway that is valid for the
+	    network or subnet specified before the opening
+	    <literal>{</literal> bracket.</para>
+	</callout>
+
+	<callout arearefs="hardware">
+	  <para>Specifies the hardware <acronym>MAC</acronym> address
+	    of a client so that the <acronym>DHCP</acronym> server can
+	    recognize the client when it makes a request.</para>
+	</callout>
+
+	<callout arearefs="fixed-address">
+	  <para>Specifies that this host should always be given the
+	    same <acronym>IP</acronym> address.  Using the hostname is
+	    correct, since the <acronym>DHCP</acronym> server will
+	    resolve the hostname before returning the lease
+	    information.</para>
+	</callout>
+      </calloutlist>
+
+      <para>This configuration file supports many more options.  Refer
+	to dhcpd.conf(5), installed with the server, for details and
+	examples.</para>
+
+      <para>Once the configuration of <filename>dhcpd.conf</filename>
+	is complete, enable the <acronym>DHCP</acronym> server in
+	<filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>dhcpd_enable="YES"
+dhcpd_ifaces="dc0"</programlisting>
+
+      <para>Replace the <literal>dc0</literal> with the interface (or
+	interfaces, separated by whitespace) that the
+	<acronym>DHCP</acronym> server should listen on for
+	<acronym>DHCP</acronym> client requests.</para>
+
+      <para>Start the server by issuing the following command:</para>
+
+      <screen>&prompt.root; <userinput>service isc-dhcpd start</userinput></screen>
+
+      <para>Any future changes to the configuration of the server will
+	require the <application>dhcpd</application> service to be
+	stopped and then started using &man.service.8;.</para>
+
+      <para>The <acronym>DHCP</acronym> server uses the following
+	files.  Note that the manual pages are installed with the
+	server software.</para>
 
       <indexterm>
-	<primary>zones</primary>
-	<secondary>examples</secondary>
+	<primary><acronym>DHCP</acronym></primary>
+	<secondary>configuration files</secondary>
       </indexterm>
-
-      <para>Examples of zones:
-      </para>
       <itemizedlist>
-        <listitem>
-          <para><systemitem>.</systemitem> is the root zone</para>
-        </listitem>
-        <listitem>
-          <para><systemitem>org.</systemitem> is a zone under the root zone</para>
-        </listitem>
-        <listitem>
-          <para><systemitem class="fqdomainname">example.org.</systemitem> is a
-          zone under the <systemitem>org.</systemitem> zone</para>
-        </listitem>
-        <listitem>
-          <para><systemitem class="fqdomainname">foo.example.org.</systemitem> is
-            a subdomain, a zone under the <systemitem class="fqdomainname">example.org.</systemitem> zone</para>
-        </listitem>
-        <listitem>
-          <para>
-            <systemitem>1.2.3.in-addr.arpa</systemitem> is a zone referencing
-	    all IP addresses which fall under the <systemitem class="ipaddress">3.2.1.*</systemitem> IP space.
-          </para>
-        </listitem>
-      </itemizedlist>
+	<listitem>
+	  <para><filename>/usr/local/sbin/dhcpd</filename></para>
 
-      <para>As one can see, the more specific part of a hostname
-        appears to its left.  For example, <systemitem class="fqdomainname">example.org.</systemitem> is more specific than
-        <systemitem>org.</systemitem>, as <systemitem>org.</systemitem> is more
-        specific than the root zone.  The layout of each part of a
-        hostname is much like a file system: the
-        <filename>/dev</filename> directory falls within the root, and
-        so on.</para>
+	  <para>More information about the
+	    <application>dhcpd</application> server can be found in
+	    dhcpd(8).</para>
+	</listitem>
+
+	<listitem>
+	  <para><filename>/usr/local/etc/dhcpd.conf</filename></para>
 
+	  <para>The server configuration file needs to contain all the
+	    information that should be provided to clients, along with
+	    information regarding the operation of the server.  This
+	    configuration file is described in dhcpd.conf(5).</para>
+	</listitem>
+
+	<listitem>
+	  <para><filename>/var/db/dhcpd.leases</filename></para>
 
+	  <para>The <acronym>DHCP</acronym> server keeps a database of
+	    leases it has issued in this file, which is written as a
+	    log.  Refer to dhcpd.leases(5), which gives a slightly
+	    longer description.</para>
+	</listitem>
+
+	<listitem>
+	  <para><filename>/usr/local/sbin/dhcrelay</filename></para>
+
+	  <para>This daemon is used in advanced environments where one
+	    <acronym>DHCP</acronym> server forwards a request from a
+	    client to another <acronym>DHCP</acronym> server on a
+	    separate network.  If this functionality is required,
+	    install the <package>net/isc-dhcp42-relay</package>
+	    package or port.  The installation includes dhcrelay(8)
+	    which provides more detail.</para>
+	</listitem>
+      </itemizedlist>
     </sect2>
+  </sect1>
+
+  <sect1 xml:id="network-dns">
+    <!--
+    <sect1info>
+      <authorgroup>
+	<author>
+	  <firstname>Chern</firstname>
+	  <surname>Lee</surname>
+	  <contrib>Contributed by </contrib>
+	</author>
+
+	<author>
+	  <firstname>Tom</firstname>
+	  <surname>Rhodes</surname>
+	</author>
+
+	<author>
+	  <firstname>Daniel</firstname>
+	  <surname>Gerzo</surname>
+	</author>
+      </authorgroup>
+    </sect1info>
+    -->
+    <title>Domain Name System (<acronym>DNS</acronym>)</title>
+
+    <indexterm><primary>DNS</primary></indexterm>
+
+    <para>Domain Name System (<acronym>DNS</acronym>) is the protocol
+      through which domain names are mapped to <acronym>IP</acronym>
+      addresses, and vice versa.  <acronym>DNS</acronym> is
+      coordinated across the Internet through a somewhat complex
+      system of authoritative root, Top Level Domain
+      (<acronym>TLD</acronym>), and other smaller-scale name servers,
+      which host and cache individual domain information.  It is not
+      necessary to run a name server to perform
+      <acronym>DNS</acronym> lookups on a system.</para>
+
+    <indexterm><primary>BIND</primary></indexterm>
+
+    <para>In &os; 10, the Berkeley Internet Name Domain
+      (<acronym>BIND</acronym>) has been removed from the base system
+      and replaced with Unbound.  Unbound as configured in the &os;
+      Base is a local caching resolver.  <acronym>BIND</acronym> is
+      still available from The Ports Collection as <package
+      role="port">dns/bind99</package> or <package
+      role="port">dns/bind98</package>.  In &os; 9 and lower,
+      <acronym>BIND</acronym> is included in &os; Base.  The &os;
+      version provides enhanced security features, a new file system
+      layout, and automated &man.chroot.8; configuration.
+      <acronym>BIND</acronym> is maintained by the <link
+	xlink:href="https://www.isc.org/">Internet Systems
+	Consortium</link>.</para>
+
+    <indexterm><primary>resolver</primary></indexterm>
+    <indexterm><primary>reverse
+      <acronym>DNS</acronym></primary></indexterm>
+    <indexterm><primary>root zone</primary></indexterm>
+
+    <para>The following table describes some of the terms associated
+      with <acronym>DNS</acronym>:</para>
+
+    <table frame="none" pgwide="1">
+      <title><acronym>DNS</acronym> Terminology</title>
+
+      <tgroup cols="2">
+	<colspec colwidth="1*"/>
+	<colspec colwidth="3*"/>
+
+	<thead>
+	  <row>
+	    <entry>Term</entry>
+	    <entry>Definition</entry>
+	  </row>
+	</thead>
+
+	<tbody>
+	  <row>
+	    <entry>Forward <acronym>DNS</acronym></entry>
+	    <entry>Mapping of hostnames to <acronym>IP</acronym>
+	      addresses.</entry>
+	  </row>
+
+	  <row>
+	    <entry>Origin</entry>
+	    <entry>Refers to the domain covered in a particular zone
+	      file.</entry>
+	  </row>
+
+	  <row>
+	    <entry><application>named</application>, BIND</entry>
+	    <entry>Common names for the BIND name server package
+	      within &os;.</entry>
+	  </row>
+
+	  <row>
+	    <entry>Resolver</entry>
+	    <entry>A system process through which a machine queries
+	      a name server for zone information.</entry>
+	  </row>
+
+	  <row>
+	    <entry>Reverse <acronym>DNS</acronym></entry>
+	    <entry>Mapping of <acronym>IP</acronym> addresses to
+	      hostnames.</entry>
+	  </row>
+
+	  <row>
+	    <entry>Root zone</entry>
+
+	    <entry>The beginning of the Internet zone hierarchy.  All
+	      zones fall under the root zone, similar to how all files
+	      in a file system fall under the root directory.</entry>
+	  </row>
+
+	  <row>
+	    <entry>Zone</entry>
+	    <entry>An individual domain, subdomain, or portion of the
+	      <acronym>DNS</acronym> administered by the same
+	      authority.</entry>
+	  </row>
+	</tbody>
+      </tgroup>
+    </table>
+
+    <indexterm>
+      <primary>zones</primary>
+      <secondary>examples</secondary>
+    </indexterm>
+
+    <para>Examples of zones:</para>
+
+    <itemizedlist>
+      <listitem>
+	<para><systemitem>.</systemitem> is how the root zone is
+	  usually referred to in documentation.</para>
+      </listitem>
+
+      <listitem>
+	<para><systemitem>org.</systemitem> is a Top Level Domain
+	  (<acronym>TLD</acronym>) under the root zone.</para>
+      </listitem>
+
+      <listitem>
+	<para><systemitem
+	    class="fqdomainname">example.org.</systemitem> is a zone
+	  under the <systemitem>org.</systemitem>
+	  <acronym>TLD</acronym>.</para>
+      </listitem>
+
+      <listitem>
+	<para><systemitem>1.168.192.in-addr.arpa</systemitem> is a
+	  zone referencing all <acronym>IP</acronym> addresses which
+	  fall under the <systemitem
+	      class="ipaddress">192.168.1.*</systemitem>
+	  <acronym>IP</acronym> address space.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>As one can see, the more specific part of a hostname
+      appears to its left.  For example, <systemitem
+	class="fqdomainname">example.org.</systemitem> is more
+      specific than <systemitem>org.</systemitem>, as
+      <systemitem>org.</systemitem> is more specific than the root
+      zone.  The layout of each part of a hostname is much like a file
+      system: the <filename>/dev</filename> directory falls within the
+      root, and so on.</para>
 
     <sect2>
       <title>Reasons to Run a Name Server</title>
 
-      <para>Name servers usually come in two forms: an authoritative
-	name server, and a caching name server.</para>
+      <para>Name servers generally come in two forms: authoritative
+	name servers, and caching (also known as resolving) name
+	servers.</para>
 
       <para>An authoritative name server is needed when:</para>
 
       <itemizedlist>
 	<listitem>
-	  <para>one wants to serve DNS information to the
-	    world, replying authoritatively to queries.</para>
+	  <para>One wants to serve <acronym>DNS</acronym> information
+	    to the world, replying authoritatively to queries.</para>
 	</listitem>
+
 	<listitem>
-	  <para>a domain, such as <systemitem class="fqdomainname">example.org</systemitem>, is
-	    registered and IP addresses need to be assigned to hostnames
-	    under it.</para>
+	  <para>A domain, such as <systemitem
+	      class="fqdomainname">example.org</systemitem>, is
+	    registered and <acronym>IP</acronym> addresses need to be
+	    assigned to hostnames under it.</para>
 	</listitem>
+
 	<listitem>
-	  <para>an IP address block requires reverse DNS entries (IP to
-	    hostname).</para>
+	  <para>An <acronym>IP</acronym> address block requires
+	    reverse <acronym>DNS</acronym> entries
+	    (<acronym>IP</acronym> to hostname).</para>
 	</listitem>
+
 	<listitem>
-	  <para>a backup name server, called a slave, must reply to queries
-	    when the primary is down or inaccessible.</para>
-	  </listitem>
+	  <para>A backup or second name server, called a slave, will
+	    reply to queries.</para>
+	</listitem>
       </itemizedlist>
 
       <para>A caching name server is needed when:</para>
 
       <itemizedlist>
 	<listitem>
-	  <para>a local DNS server may cache and respond more quickly
-	    than querying an outside name server.</para>
-	</listitem>
-	<listitem>
-	  <para>a reduction in overall network traffic is desired (DNS
-	    traffic has been measured to account for 5% or more of total
-	    Internet traffic).</para>
+	  <para>A local <acronym>DNS</acronym> server may cache and
+	    respond more quickly than querying an outside name
+	    server.</para>
 	</listitem>
       </itemizedlist>
 
-      <para>When one queries for <systemitem class="fqdomainname">www.FreeBSD.org</systemitem>, the resolver usually
-	queries the uplink ISP's name server, and retrieves the reply.
-	With a local, caching DNS server, the query only has to be
-	made once to the outside world by the caching DNS server.
-	Every additional query will not have to look to the outside of
-	the local network, since the information is cached
-	locally.</para>
+      <para>When one queries for <systemitem
+	  class="fqdomainname">www.FreeBSD.org</systemitem>, the
+	resolver usually queries the uplink <acronym>ISP</acronym>'s
+	name server, and retrieves the reply.  With a local, caching
+	<acronym>DNS</acronym> server, the query only has to be made
+	once to the outside world by the caching
+	<acronym>DNS</acronym> server.  Additional queries will not
+	have to go outside the local network, since the information is
+	cached locally.</para>
+    </sect2>
+
+    <sect2>
+      <title><acronym>DNS</acronym> Server Configuration in &os; 10.0
+	and Later</title>
+
+      <para>In &os; 10.0, <application>BIND</application> has been
+	replaced with <application>Unbound</application>.
+	<application>Unbound</application> is a validating caching
+	resolver only.  If an authoritative server is needed, many are
+	available from the Ports Collection.</para>
+
+      <para><application>Unbound</application> is provided in the &os;
+	base system.  By default, it will provide
+	<acronym>DNS</acronym> resolution to the local machine only.
+	While the base system package can be configured to provide
+	resolution services beyond the local machine, it is
+	recommended that such requirements be addressed by installing
+	<application>Unbound</application> from the &os; Ports
+	Collection.</para>
+
+      <para>To enable <application>Unbound</application>, add the
+	following to <filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>local_unbound_enable="YES"</programlisting>
+
+      <para>Any existing nameservers in
+	<filename>/etc/resolv.conf</filename> will be configured as
+	forwarders in the new <application>Unbound</application>
+	configuration.</para>
+
+      <note>
+	<para>If any of the listed nameservers do not support
+	  <acronym>DNSSEC</acronym>, local <acronym>DNS</acronym>
+	  resolution will fail.  Be sure to test each nameserver and
+	  remove any that fail the test.  The following command will
+	  show the trust tree or a failure for a nameserver running on
+	  <systemitem
+	    class="ipaddress">192.168.1.1</systemitem>:</para>
+      </note>
 
+      <screen>&prompt.user; <userinput>drill -S FreeBSD.org @<replaceable>192.168.1.1</replaceable></userinput></screen>
+
+      <para>Once each nameserver is confirmed to support
+	<acronym>DNSSEC</acronym>, start
+	<application>Unbound</application>:</para>
+
+      <screen>&prompt.root; <userinput>service local_unbound onestart</userinput></screen>
+
+      <para>This will take care of updating
+	<filename>/etc/resolv.conf</filename> so that queries for
+	<acronym>DNSSEC</acronym> secured domains will now work.  For
+	example, run the following to validate the FreeBSD.org
+	<acronym>DNSSEC</acronym> trust tree:</para>
+
+      <screen>&prompt.user; <userinput>drill -S FreeBSD.org</userinput>
+;; Number of trusted keys: 1
+;; Chasing: freebsd.org. A
+
+DNSSEC Trust tree:
+freebsd.org. (A)
+|---freebsd.org. (DNSKEY keytag: 36786 alg: 8 flags: 256)
+    |---freebsd.org. (DNSKEY keytag: 32659 alg: 8 flags: 257)
+    |---freebsd.org. (DS keytag: 32659 digest type: 2)
+        |---org. (DNSKEY keytag: 49587 alg: 7 flags: 256)
+            |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257)
+            |---org. (DNSKEY keytag: 21366 alg: 7 flags: 257)
+            |---org. (DS keytag: 21366 digest type: 1)
+            |   |---. (DNSKEY keytag: 40926 alg: 8 flags: 256)
+            |       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
+            |---org. (DS keytag: 21366 digest type: 2)
+                |---. (DNSKEY keytag: 40926 alg: 8 flags: 256)
+                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
+;; Chase successful</screen>
     </sect2>
 
     <sect2>
-      <title>How It Works</title>
-      <para>In FreeBSD, the BIND daemon is called
-	<application>named</application> for obvious reasons.</para>
+      <title>DNS Server Configuration in &os;
+	9.<replaceable>X</replaceable> and Earlier</title>
+
+      <para>In &os;, the BIND daemon is called
+	<application>named</application>.</para>
 
       <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
@@ -3102,296 +3248,499 @@
 
 	  <tbody>
 	    <row>
-	      <entry><application>named</application></entry>
-	      <entry>the BIND daemon</entry>
+	      <entry>&man.named.8;</entry>
+	      <entry>The BIND daemon.</entry>
 	    </row>
 
 	    <row>
-	      <entry><command>ndc</command></entry>
-	      <entry>name daemon control program</entry>
+	      <entry>&man.rndc.8;</entry>
+	      <entry>Name server control utility.</entry>
 	    </row>
 
 	    <row>
 	      <entry><filename>/etc/namedb</filename></entry>
-	      <entry>directory where BIND zone information resides</entry>
+	      <entry>Directory where BIND zone information
+		resides.</entry>
 	    </row>
 
 	    <row>
 	      <entry><filename>/etc/namedb/named.conf</filename></entry>
-	      <entry>daemon configuration file</entry>
+	      <entry>Configuration file of the daemon.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>
 
-      <para>
-        Zone files are usually contained within the
-        <filename>/etc/namedb</filename>
-        directory, and contain the DNS zone information
-	served by the name server.
-      </para>
-    </sect2>
+      <para>Depending on how a given zone is configured on the server,
+	the files related to that zone can be found in the
+	<filename>master</filename>,
+	<filename>slave</filename>, or
+	<filename>dynamic</filename> subdirectories
+	of the <filename>/etc/namedb</filename>
+	directory.  These files contain the <acronym>DNS</acronym>
+	information that will be given out by the name server in
+	response to queries.</para>
 
-    <sect2>
+    <sect3>
       <title>Starting BIND</title>
+
       <indexterm>
-        <primary>BIND</primary>
+	<primary>BIND</primary>
 	<secondary>starting</secondary>
       </indexterm>
-      <para>
-        Since BIND is installed by default, configuring it all is
-        relatively simple.
-      </para>
-      <para>
-        To ensure the <application>named</application> daemon is
-         started at boot, put the following line in
-         <filename>/etc/rc.conf</filename>:
-      </para>
+
+      <para>Since BIND is installed by default, configuring it is
+	relatively simple.</para>
+
+      <para>The default <application>named</application> configuration
+	is that of a basic resolving name server, running in a
+	&man.chroot.8; environment, and restricted to listening on the
+	local IPv4 loopback address (127.0.0.1).  To start the server
+	one time with this configuration, use the following
+	command:</para>
+
+      <screen>&prompt.root; <userinput>service named onestart</userinput></screen>
+
+      <para>To ensure the <application>named</application> daemon is
+	started at boot each time, put the following line into the
+	<filename>/etc/rc.conf</filename>:</para>
+
       <programlisting>named_enable="YES"</programlisting>
-      <para>To start the daemon manually (after configuring it):</para>
-      <screen>&prompt.root; <userinput>ndc start</userinput></screen>
-    </sect2>
 
-    <sect2>
+      <para>There are many configuration options for
+	<filename>/etc/namedb/named.conf</filename> that are beyond
+	the scope of this document.  Other startup options
+	for <application>named</application> on &os; can be found in
+	the <literal>named_<replaceable>*</replaceable></literal>
+	flags in <filename>/etc/defaults/rc.conf</filename> and in
+	&man.rc.conf.5;.  The
+	<xref linkend="configtuning-rcd"/> section is also a good
+	read.</para>
+    </sect3>
+
+    <sect3>
       <title>Configuration Files</title>
+
       <indexterm>
-        <primary>BIND</primary>
+	<primary>BIND</primary>
 	<secondary>configuration files</secondary>
       </indexterm>
-      <sect3>
-        <title>Using <command>make-localhost</command></title>
-        <para>Be sure to:
-        </para>
-        <screen>&prompt.root; <userinput>cd /etc/namedb</userinput>
-&prompt.root; <userinput>sh make-localhost</userinput></screen>
-        <para>to properly create the local reverse DNS zone file in
-          <filename>/etc/namedb/master/localhost.rev</filename>.
-        </para>
-      </sect3>
 
-      <sect3>
-        <title><filename>/etc/namedb/named.conf</filename></title>
+      <para>Configuration files for <application>named</application>
+	currently reside in
+	<filename>/etc/namedb</filename> directory
+	and will need modification before use unless all that is
+	needed is a simple resolver.  This is where most of the
+	configuration will be performed.</para>
+
+      <sect4>
+	<title><filename>/etc/namedb/named.conf</filename></title>
 
-        <programlisting>// &dollar;FreeBSD$
+	<programlisting>// &dollar;FreeBSD&dollar;
 //
-// Refer to the named(8) manual page for details.  If you are ever going
-// to setup a primary server, make sure you've understood the hairy
-// details of how DNS is working.  Even with simple mistakes, you can
-// break connectivity for affected parties, or cause huge amount of
-// useless Internet traffic.
+// Refer to the named.conf(5) and named(8) man pages, and the documentation
+// in /usr/share/doc/bind9 for more details.
+//
+// If you are going to set up an authoritative server, make sure you
+// understand the hairy details of how DNS works.  Even with
+// simple mistakes, you can break connectivity for affected parties,
+// or cause huge amounts of useless Internet traffic.
 
 options {
-        directory "/etc/namedb";
-
-// In addition to the "forwarders" clause, you can force your name
-// server to never initiate queries of its own, but always ask its
-// forwarders only, by enabling the following line:
-//
-//      forward only;
+	// All file and path names are relative to the chroot directory,
+	// if any, and should be fully qualified.
+	directory	"/etc/namedb/working";
+	pid-file	"/var/run/named/pid";
+	dump-file	"/var/dump/named_dump.db";
+	statistics-file	"/var/stats/named.stats";
+
+// If named is being used only as a local resolver, this is a safe default.
+// For named to be accessible to the network, comment this option, specify
+// the proper IP address, or delete this option.
+	listen-on	{ 127.0.0.1; };
+
+// If you have IPv6 enabled on this system, uncomment this option for
+// use as a local resolver.  To give access to the network, specify
+// an IPv6 address, or the keyword "any".
+//	listen-on-v6	{ ::1; };
+
+// These zones are already covered by the empty zones listed below.
+// If you remove the related empty zones below, comment these lines out.
+	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
+	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
 
 // If you've got a DNS server around at your upstream provider, enter
 // its IP address here, and enable the line below.  This will make you
-// benefit from its cache, thus reduce overall DNS traffic in the
-Internet.
+// benefit from its cache, thus reduce overall DNS traffic in the Internet.
 /*
-        forwarders {
-                127.0.0.1;
-        };
-*/</programlisting>
+	forwarders {
+		127.0.0.1;
+	};
+*/
 
-        <para>
-	  Just as the comment says, to benefit from an uplink's cache,
-          <literal>forwarders</literal> can be enabled here.  Under normal
-          circumstances, a name server will recursively query the Internet
-          looking at certain name servers until it finds the answer it is
-          looking for.  Having this enabled will have it query the uplink's
-          name server (or name server provided) first, taking advantage of
-          its cache.  If the uplink name server in question is a heavily
-          trafficked, fast name server, enabling this may be worthwhile.
-        </para>
-
-	<warning><para><systemitem class="ipaddress">127.0.0.1</systemitem>
-            will <emphasis>not</emphasis> work here.
-            Change this IP address to a name server at your uplink.</para>
-        </warning>
-
-        <programlisting>        /*
-         * If there is a firewall between you and name servers you want
-         * to talk to, you might need to uncomment the query-source
-         * directive below.  Previous versions of BIND always asked
-         * questions using port 53, but BIND 8.1 uses an unprivileged
-         * port by default.
-         */
-        // query-source address * port 53;
-
-        /*
-         * If running in a sandbox, you may have to specify a different
-         * location for the dumpfile.
-         */
-        // dump-file "s/named_dump.db";
-};
+// If the 'forwarders' clause is not empty the default is to 'forward first'
+// which will fall back to sending a query from your local server if the name
+// servers in 'forwarders' do not have the answer.  Alternatively you can
+// force your name server to never initiate queries of its own by enabling the
+// following line:
+//	forward only;
+
+// If you wish to have forwarding configured automatically based on
+// the entries in /etc/resolv.conf, uncomment the following line and
+// set named_auto_forward=yes in /etc/rc.conf.  You can also enable
+// named_auto_forward_only (the effect of which is described above).
+//	include "/etc/namedb/auto_forward.conf";</programlisting>
+
+	<para>Just as the comment says, to benefit from an uplink's
+	  cache, <literal>forwarders</literal> can be enabled here.
+	  Under normal circumstances, a name server will recursively
+	  query the Internet looking at certain name servers until it
+	  finds the answer it is looking for.  Having this enabled
+	  will have it query the uplink's name server (or name server
+	  provided) first, taking advantage of its cache.  If the
+	  uplink name server in question is a heavily trafficked, fast
+	  name server, enabling this may be worthwhile.</para>
 
-// Note: the following will be supported in a future release.
-/*
-host { any; } {
-        topology {
-                127.0.0.0/8;
-        };
+	<warning>
+	  <para><systemitem class="ipaddress">127.0.0.1</systemitem>
+	    will <emphasis>not</emphasis> work here.  Change this
+	    <acronym>IP</acronym> address to a name server at the
+	    uplink.</para>
+	</warning>
+
+	<programlisting>	/*
+	   Modern versions of BIND use a random <acronym>UDP</acronym> port for each outgoing
+	   query by default in order to dramatically reduce the possibility
+	   of cache poisoning.  All users are strongly encouraged to utilize
+	   this feature, and to configure their firewalls to accommodate it.
+
+	   AS A LAST RESORT in order to get around a restrictive firewall
+	   policy you can try enabling the option below.  Use of this option
+	   will significantly reduce your ability to withstand cache poisoning
+	   attacks, and should be avoided if at all possible.
+
+	   Replace NNNNN in the example with a number between 49160 and 65530.
+	*/
+	// query-source address * port NNNNN;
 };
-*/
 
-// Setting up secondaries is way easier and the rough picture for this
-// is explained below.
-//
 // If you enable a local name server, don't forget to enter 127.0.0.1
-// into your /etc/resolv.conf so this server will be queried first.
+// first in your /etc/resolv.conf so this server will be queried.
 // Also, make sure to enable it in /etc/rc.conf.
 
+// The traditional root hints mechanism. Use this, OR the slave zones below.
+zone "." { type hint; file "/etc/namedb/named.root"; };
+
+/*	Slaving the following zones from the root name servers has some
+	significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+	3. Greater resilience to any potential root server failure/DDoS
+
+	On the other hand, this method requires more monitoring than the
+	hints file to be sure that an unexpected failure mode has not
+	incapacitated your server.  Name servers that are serving a lot
+	of clients will benefit more from this approach than individual
+	hosts.  Use with caution.
+
+	To use this mechanism, uncomment the entries below, and comment
+	the hint zone above.
+
+	As documented at http://dns.icann.org/services/axfr/ these zones:
+	"." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
+	are available for AXFR from these servers on IPv4 and IPv6:
+	xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
+*/
+/*
 zone "." {
-        type hint;
-        file "named.root";
+	type slave;
+	file "/etc/namedb/slave/root.slave";
+	masters {
+		192.5.5.241;	// F.ROOT-SERVERS.NET.
+	};
+	notify no;
 };
-
-zone "0.0.127.IN-ADDR.ARPA" {
-        type master;
-        file "localhost.rev";
+zone "arpa" {
+	type slave;
+	file "/etc/namedb/slave/arpa.slave";
+	masters {
+		192.5.5.241;	// F.ROOT-SERVERS.NET.
+	};
+	notify no;
 };
+*/
+
+/*	Serving the following zones locally will prevent any queries
+	for these zones leaving your network and going to the root
+	name servers.  This has two significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+*/
+// RFCs 1912 and 5735 (and BCP 32 for localhost)
+zone "localhost"	{ type master; file "/etc/namedb/master/localhost-forward.db"; };
+zone "127.in-addr.arpa"	{ type master; file "/etc/namedb/master/localhost-reverse.db"; };
+zone "255.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// RFC 1912-style zone for IPv6 localhost address
+zone "0.ip6.arpa"	{ type master; file "/etc/namedb/master/localhost-reverse.db"; };
+
+// "This" Network (RFCs 1912 and 5735)
+zone "0.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// Private Use Networks (RFCs 1918 and 5735)
+zone "10.in-addr.arpa"	   { type master; file "/etc/namedb/master/empty.db"; };
+zone "16.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "17.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "18.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "19.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "20.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "21.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "22.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "23.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "24.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "25.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "26.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "27.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "28.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "29.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "30.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// Link-local/APIPA (RFCs 3927 and 5735)
+zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// IETF protocol assignments (RFCs 5735 and 5736)
+zone "0.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// TEST-NET-[1-3] for Documentation (RFCs 5735 and 5737)
+zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "100.51.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "113.0.203.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// IPv6 Range for Documentation (RFC 3849)
+zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// Domain Names for Documentation and Testing (BCP 32)
+zone "test" { type master; file "/etc/namedb/master/empty.db"; };
+zone "example" { type master; file "/etc/namedb/master/empty.db"; };
+zone "invalid" { type master; file "/etc/namedb/master/empty.db"; };
+zone "example.com" { type master; file "/etc/namedb/master/empty.db"; };
+zone "example.net" { type master; file "/etc/namedb/master/empty.db"; };
+zone "example.org" { type master; file "/etc/namedb/master/empty.db"; };
+
+// Router Benchmark Testing (RFCs 2544 and 5735)
+zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
+
+// IANA Reserved - Old Class E Space (RFC 5735)
+zone "240.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "241.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "242.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "243.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "244.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "245.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "246.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "247.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "248.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "249.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "250.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "251.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "252.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "253.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "254.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// IPv6 Unassigned Addresses (RFC 4291)
+zone "1.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "3.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "4.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "5.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "6.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "7.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "8.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "9.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "a.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "b.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "c.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "d.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "e.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "0.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "1.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "2.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "3.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "4.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "5.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "6.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "7.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "8.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "9.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "a.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "b.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "0.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "1.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "2.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "3.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "4.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "5.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "6.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "7.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// IPv6 ULA (RFC 4193)
+zone "c.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "d.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// IPv6 Link Local (RFC 4291)
+zone "8.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "9.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "a.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "b.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// IPv6 Deprecated Site-Local Addresses (RFC 3879)
+zone "c.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "d.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "e.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+zone "f.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
+
+// IP6.INT is Deprecated (RFC 4159)
+zone "ip6.int"		{ type master; file "/etc/namedb/master/empty.db"; };
 
 // NB: Do not use the IP addresses below, they are faked, and only
 // serve demonstration/documentation purposes!
 //
-// Example secondary config entries.  It can be convenient to become
-// a secondary at least for the zone where your own domain is in.  Ask
+// Example slave zone config entries.  It can be convenient to become
+// a slave at least for the zone your own domain is in.  Ask
 // your network administrator for the IP address of the responsible
-// primary.
+// master name server.
 //
-// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
-// (This is the first bytes of the respective IP address, in reverse
-// order, with ".IN-ADDR.ARPA" appended.)
+// Do not forget to include the reverse lookup zone!
+// This is named after the first bytes of the IP address, in reverse
+// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
 //
-// Before starting to setup a primary zone, better make sure you fully
-// understand how DNS and BIND works, however.  There are sometimes
-// unobvious pitfalls.  Setting up a secondary is comparably simpler.
+// Before starting to set up a master zone, make sure you fully
+// understand how DNS and BIND work.  There are sometimes
+// non-obvious pitfalls.  Setting up a slave zone is usually simpler.
 //
 // NB: Don't blindly enable the examples below. :-)  Use actual names
 // and addresses instead.
-//
-// NOTE!!! FreeBSD runs BIND in a sandbox (see named_flags in rc.conf).
-// The directory containing the secondary zones must be write accessible
-// to BIND.  The following sequence is suggested:
-//
-//      mkdir /etc/namedb/s
-//      chown bind:bind /etc/namedb/s
-//      chmod 750 /etc/namedb/s</programlisting>
-
-	<para>For more information on running BIND in a sandbox, see
-	  <link linkend="network-named-sandbox">Running named in a sandbox</link>.
-	</para>
-
-	<programlisting>/*
-zone "example.com" {
-        type slave;
-        file "s/example.com.bak";
-        masters {
-                192.168.1.1;
-        };
+
+/* An example dynamic zone
+key "exampleorgkey" {
+	algorithm hmac-md5;
+	secret "sf87HJqjkqh8ac87a02lla==";
+};
+zone "example.org" {
+	type master;
+	allow-update {
+		key "exampleorgkey";
+	};
+	file "/etc/namedb/dynamic/example.org";
 };
+*/
 
-zone "0.168.192.in-addr.arpa" {
-        type slave;
-        file "s/0.168.192.in-addr.arpa.bak";
-        masters {
-                192.168.1.1;
-        };
+/* Example of a slave reverse zone
+zone "1.168.192.in-addr.arpa" {
+	type slave;
+	file "/etc/namedb/slave/1.168.192.in-addr.arpa";
+	masters {
+		192.168.1.1;
+	};
 };
 */</programlisting>
-        <para>In <filename>named.conf</filename>, these are examples of slave
-	  entries for a forward and reverse zone.</para>
 
-        <para>For each new zone served, a new zone entry must be added to
-	  <filename>named.conf</filename>.</para>
+	<para>In <filename>named.conf</filename>, these are examples
+	  of slave entries for a forward and reverse zone.</para>
+
+	<para>For each new zone served, a new zone entry must be added
+	  to <filename>named.conf</filename>.</para>
 
-        <para>For example, the simplest zone entry for
-	  <systemitem class="fqdomainname">example.org</systemitem> can look like:</para>
+	<para>For example, the simplest zone entry for
+	  <systemitem class="fqdomainname">example.org</systemitem>
+	  can look like:</para>
 
-        <programlisting>zone "example.org" {
+	<programlisting>zone "example.org" {
 	type master;
-	file "example.org";
+	file "master/example.org";
 };</programlisting>
 
-	<para>The zone is a master, as indicated by the <option>type</option>
-	  statement, holding its zone information in
-	  <filename>/etc/namedb/example.org</filename> indicated by
-	  the <option>file</option> statement.</para>
+	<para>The zone is a master, as indicated by the
+	  <option>type</option> statement, holding its zone
+	  information in
+	  <filename>/etc/namedb/master/example.org</filename>
+	  indicated by the <option>file</option> statement.</para>
 
-        <programlisting>zone "example.org" {
+	<programlisting>zone "example.org" {
 	type slave;
-	file "example.org";
+	file "slave/example.org";
 };</programlisting>
 
-        <para>In the slave case, the zone information is transferred from
-	  the master name server for the particular zone, and saved in the
-	  file specified.  If and when the master server dies or is
-	  unreachable, the slave name server will have the transferred
-	  zone information and will be able to serve it.</para>
-      </sect3>
+	<para>In the slave case, the zone information is transferred
+	  from the master name server for the particular zone, and
+	  saved in the file specified.  If and when the master server
+	  dies or is unreachable, the slave name server will have the
+	  transferred zone information and will be able to serve
+	  it.</para>
+      </sect4>
 
-      <sect3>
-        <title>Zone Files</title>
-        <para>
-          An example master zone file for <systemitem class="fqdomainname">example.org</systemitem> (existing within
-	  <filename>/etc/namedb/example.org</filename>) is as follows:
-        </para>
+      <sect4>
+	<title>Zone Files</title>
 
-        <programlisting>$TTL 3600
+	<indexterm>
+	  <primary>BIND</primary>
+	  <secondary>zone files</secondary>
+	</indexterm>
 
-example.org. IN SOA ns1.example.org. admin.example.org. (
-                        5               ; Serial
-                        10800           ; Refresh
-                        3600            ; Retry
-                        604800          ; Expire
-                        86400 )         ; Minimum TTL
+	<para>An example master zone file for <systemitem
+	    class="fqdomainname">example.org</systemitem> (existing
+	  within <filename>/etc/namedb/master/example.org</filename>)
+	  is as follows:</para>
+
+	<programlisting>&dollar;TTL 3600        ; 1 hour default TTL
+example.org.    IN      SOA      ns1.example.org. admin.example.org. (
+                                2006051501      ; Serial
+                                10800           ; Refresh
+                                3600            ; Retry
+                                604800          ; Expire
+                                300             ; Negative Response TTL
+                        )
 
 ; DNS Servers
-@       IN NS           ns1.example.org.
-@       IN NS           ns2.example.org.
+                IN      NS      ns1.example.org.
+                IN      NS      ns2.example.org.
+
+; MX Records
+                IN      MX 10   mx.example.org.
+                IN      MX 20   mail.example.org.
+
+                IN      A       192.168.1.1
 
 ; Machine Names
-localhost       IN A    127.0.0.1
-ns1             IN A    3.2.1.2
-ns2             IN A    3.2.1.3
-mail            IN A    3.2.1.10
-@               IN A    3.2.1.30
+localhost       IN      A       127.0.0.1
+ns1             IN      A       192.168.1.2
+ns2             IN      A       192.168.1.3
+mx              IN      A       192.168.1.4
+mail            IN      A       192.168.1.5
 
 ; Aliases
-www             IN CNAME        @
+www             IN      CNAME   example.org.</programlisting>
+
+	<para>Note that every hostname ending in a <quote>.</quote> is
+	  an exact hostname, whereas everything without a trailing
+	  <quote>.</quote> is relative to the origin.  For example,
+	  <literal>ns1</literal> is translated into
+	  <literal>ns1.<replaceable>example.org.</replaceable></literal></para>
 
-; MX Record
-@               IN MX   10      mail.example.org.</programlisting>
+	<para>The format of a zone file follows:</para>
 
-        <para>
-          Note that every hostname ending in a <quote>.</quote> is an
-          exact hostname, whereas everything without a trailing
-          <quote>.</quote> is referenced to the origin.  For example,
-          <literal>www</literal> is translated into
-          <literal>www.origin</literal>.
-          In our fictitious zone file, our origin is
-          <systemitem>example.org.</systemitem>, so <literal>www</literal>
-          would translate to <systemitem>www.example.org.</systemitem>
-        </para>
-
-        <para>
-          The format of a zone file follows:
-        </para>
-        <programlisting>recordname      IN recordtype   value</programlisting>
+	<programlisting>recordname      IN recordtype   value</programlisting>
 
 	<indexterm>
-	  <primary>DNS</primary>
+	  <primary><acronym>DNS</acronym></primary>
 	  <secondary>records</secondary>
 	</indexterm>
-        <para>
-          The most commonly used DNS records:
-        </para>
+
+	<para>The most commonly used <acronym>DNS</acronym>
+	  records:</para>
 
 	<variablelist>
 	  <varlistentry>
@@ -3403,8 +3752,9 @@
 	  <varlistentry>
 	    <term>NS</term>
 
-	    <listitem><para>an authoritative name server</para></listitem>
-	  </varlistentry>
+	    <listitem>
+	      <para>an authoritative name server</para>
+	    </listitem></varlistentry>
 
 	  <varlistentry>
 	    <term>A</term>
@@ -3415,7 +3765,8 @@
 	  <varlistentry>
 	    <term>CNAME</term>
 
-	    <listitem><para>the canonical name for an alias</para></listitem>
+	    <listitem><para>the canonical name for an
+	      alias</para></listitem>
 	  </varlistentry>
 
 	  <varlistentry>
@@ -3427,903 +3778,858 @@
 	  <varlistentry>
 	    <term>PTR</term>
 
-	    <listitem><para>a domain name pointer (used in reverse DNS)
-	      </para></listitem>
+	    <listitem>
+	      <para>a domain name pointer (used in reverse
+		<acronym>DNS</acronym>)</para>
+	    </listitem>
 	  </varlistentry>
 	</variablelist>
 
-        <programlisting>
-example.org. IN SOA ns1.example.org. admin.example.org. (
-                        5               ; Serial
+	<programlisting>example.org. IN SOA ns1.example.org. admin.example.org. (
+                        2006051501      ; Serial
                         10800           ; Refresh after 3 hours
                         3600            ; Retry after 1 hour
                         604800          ; Expire after 1 week
-                        86400 )         ; Minimum TTL of 1 day</programlisting>
-
-
+                        300 )           ; Negative Response TTL</programlisting>
 
 	<variablelist>
 	  <varlistentry>
-	    <term><systemitem class="fqdomainname">example.org.</systemitem></term>
+	    <term><systemitem
+		class="fqdomainname">example.org.</systemitem></term>
 
-	    <listitem><para>the domain name, also the origin for this
-		zone file.</para></listitem>
+	    <listitem>
+	      <para>the domain name, also the origin for this
+		zone file.</para>
+	    </listitem>
 	  </varlistentry>
 
 	  <varlistentry>
-	    <term><systemitem class="fqdomainname">ns1.example.org.</systemitem></term>
+	    <term><systemitem
+		class="fqdomainname">ns1.example.org.</systemitem></term>
 
-	    <listitem><para>the primary/authoritative name server for this
-		zone.</para></listitem>
+	    <listitem>
+	      <para>the primary/authoritative name server for this
+		zone.</para>
+	    </listitem>
 	  </varlistentry>
 
 	  <varlistentry>
 	    <term><literal>admin.example.org.</literal></term>
 
-	    <listitem><para>the responsible person for this zone,
+	    <listitem>
+	      <para>the responsible person for this zone,
 		email address with <quote>@</quote>
-          replaced.  (<email>admin@example.org</email> becomes
+		replaced.  (<email>admin@example.org</email> becomes
 		<literal>admin.example.org</literal>)</para>
 	    </listitem>
 	  </varlistentry>
 
 	  <varlistentry>
-	    <term><literal>5</literal></term>
+	    <term><literal>2006051501</literal></term>
 
-	      <listitem><para>the serial number of the file.  This
-		  must be incremented each time the zone file is
-		  modified.  Nowadays, many admins prefer a
-		  <literal>yyyymmddrr</literal> format for the serial
-		  number.  <literal>2001041002</literal> would mean
-		  last modified 04/10/2001, the latter
-		  <literal>02</literal> being the second time the zone
-		  file has been modified this day.  The serial number
-		  is important as it alerts slave name servers for a
-		  zone when it is updated.</para>
-	      </listitem>
+	    <listitem>
+	      <para>the serial number of the file.  This must be
+		incremented each time the zone file is modified.
+		Nowadays, many admins prefer a
+		<literal>yyyymmddrr</literal> format for the serial
+		number.  <literal>2006051501</literal> would mean last
+		modified 05/15/2006, the latter <literal>01</literal>
+		being the first time the zone file has been modified
+		this day.  The serial number is important as it alerts
+		slave name servers for a zone when it is
+		updated.</para>
+	    </listitem>
 	  </varlistentry>
 	</variablelist>
 
-        <programlisting>
-@       IN NS           ns1.example.org.</programlisting>
+	<programlisting>       IN NS           ns1.example.org.</programlisting>
 
-        <para>
-          This is an NS entry.  Every name server that is going to reply
-          authoritatively for the zone must have one of these entries.
-	  The <literal>@</literal> as seen here could have been
-	  <systemitem class="fqdomainname">example.org.</systemitem>
-	  The <literal>@</literal> translates to the origin.
-        </para>
-
-        <programlisting>
-localhost       IN A    127.0.0.1
-ns1             IN A    3.2.1.2
-ns2             IN A    3.2.1.3
-mail            IN A    3.2.1.10
-@               IN A    3.2.1.30</programlisting>
-
-        <para>
-          The A record indicates machine names.  As seen above,
-          <systemitem class="fqdomainname">ns1.example.org</systemitem> would resolve
-          to <systemitem class="ipaddress">3.2.1.2</systemitem>.  Again, the
-          origin symbol, <literal>@</literal>, is used here, thus
-          meaning <systemitem class="fqdomainname">example.org</systemitem> would
-          resolve to <systemitem class="ipaddress">3.2.1.30</systemitem>.
-        </para>
-
-        <programlisting>
-www             IN CNAME        @</programlisting>
-
-        <para>
-          The canonical name record is usually used for giving aliases
-          to a machine.  In the example, <systemitem>www</systemitem> is
-          aliased to the machine addressed to the origin, or
-          <systemitem class="fqdomainname">example.org</systemitem>
-          (<systemitem class="ipaddress">3.2.1.30</systemitem>).
-          CNAMEs can be used to provide alias
-          hostnames, or round robin one hostname among multiple
-          machines.
-        </para>
+	<para>This is an NS entry.  Every name server that is going to
+	  reply authoritatively for the zone must have one of these
+	  entries.</para>
+
+	<programlisting>localhost       IN      A       127.0.0.1
+ns1             IN      A       192.168.1.2
+ns2             IN      A       192.168.1.3
+mx              IN      A       192.168.1.4
+mail            IN      A       192.168.1.5</programlisting>
+
+	<para>The A record indicates machine names.  As seen above,
+	  <systemitem
+	    class="fqdomainname">ns1.example.org</systemitem> would
+	  resolve to <systemitem
+	    class="ipaddress">192.168.1.2</systemitem>.</para>
+
+	<programlisting>                IN      A       192.168.1.1</programlisting>
+
+	<para>This line assigns <acronym>IP</acronym> address
+	  <systemitem class="ipaddress">192.168.1.1</systemitem> to
+	  the current origin, in this case <systemitem
+	    class="fqdomainname">example.org</systemitem>.</para>
+
+	<programlisting>www             IN CNAME        @</programlisting>
+
+	<para>The canonical name record is usually used for giving
+	  aliases to a machine.  In the example,
+	  <systemitem>www</systemitem> is aliased to the
+	  <quote>master</quote> machine whose name happens to be the
+	  same as the domain name <systemitem
+	    class="fqdomainname">example.org</systemitem>
+	  (<systemitem class="ipaddress">192.168.1.1</systemitem>).
+	  CNAMEs can never be used together with another kind of
+	  record for the same hostname.</para>
 
 	<indexterm>
 	  <primary>MX record</primary>
 	</indexterm>
 
-        <programlisting>
-@               IN MX   10      mail.example.org.</programlisting>
+	<programlisting>               IN MX   10      mail.example.org.</programlisting>
 
-        <para>
-          The MX record indicates which mail
-          servers are responsible for handling incoming mail for the
-          zone.  <systemitem class="fqdomainname">mail.example.org</systemitem> is the
-          hostname of the mail server, and 10 being the priority of
-          that mail server.
-        </para>
-
-        <para>
-          One can have several mail servers, with priorities of 3, 2,
-          1.  A mail server attempting to deliver to <systemitem class="fqdomainname">example.org</systemitem> would first try the
-          highest priority MX, then the second highest, etc, until the
-          mail can be properly delivered.
-        </para>
-
-        <para>
-          For in-addr.arpa zone files (reverse DNS), the same format is
-          used, except with PTR entries instead of
-	  A or CNAME.
-        </para>
+	<para>The MX record indicates which mail servers are
+	  responsible for handling incoming mail for the zone.
+	  <systemitem
+	    class="fqdomainname">mail.example.org</systemitem> is the
+	  hostname of a mail server, and 10 is the priority of that
+	  mail server.</para>
+
+	<para>One can have several mail servers, with priorities of
+	  10, 20 and so on.  A mail server attempting to deliver to
+	  <systemitem class="fqdomainname">example.org</systemitem>
+	  would first try the highest priority MX (the record with the
+	  lowest priority number), then the second highest, etc, until
+	  the mail can be properly delivered.</para>
+
+	<para>For in-addr.arpa zone files (reverse
+	  <acronym>DNS</acronym>), the same format is used, except
+	  with PTR entries instead of A or CNAME.</para>
 
-        <programlisting>$TTL 3600
+	<programlisting>$TTL 3600
 
-1.2.3.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. (
-                        5               ; Serial
+1.168.192.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. (
+                        2006051501      ; Serial
                         10800           ; Refresh
                         3600            ; Retry
                         604800          ; Expire
-                        3600 )          ; Minimum
-
-@       IN NS   ns1.example.org.
-@       IN NS   ns2.example.org.
+                        300 )           ; Negative Response TTL
 
-2       IN PTR  ns1.example.org.
-3       IN PTR  ns2.example.org.
-10      IN PTR  mail.example.org.
-30      IN PTR  example.org.</programlisting>
+        IN      NS      ns1.example.org.
+        IN      NS      ns2.example.org.
 
-        <para>This file gives the proper IP address to hostname
-          mappings of our above fictitious domain.</para>
-      </sect3>
-    </sect2>
+1       IN      PTR     example.org.
+2       IN      PTR     ns1.example.org.
+3       IN      PTR     ns2.example.org.
+4       IN      PTR     mx.example.org.
+5       IN      PTR     mail.example.org.</programlisting>
+
+	<para>This file gives the proper <acronym>IP</acronym> address
+	  to hostname mappings for the above fictitious domain.</para>
+
+	<para>It is worth noting that all names on the right side
+	  of a PTR record need to be fully qualified (i.e., end in
+	  a <quote>.</quote>).</para>
+      </sect4>
+    </sect3>
 
-    <sect2>
+    <sect3>
       <title>Caching Name Server</title>
-      <indexterm>
-        <primary>BIND</primary>
-        <secondary>caching name server</secondary>
-      </indexterm>
 
-      <para>A caching name server is a name server that is not
-        authoritative for any zones.  It simply asks queries of its
-        own, and remembers them for later use.  To set one up, just
-        configure the name server as usual, omitting any inclusions of
-        zones.</para>
-    </sect2>
-
-    <sect2 xml:id="network-named-sandbox">
-      <title>Running <application>named</application> in a Sandbox</title>
       <indexterm>
-        <primary>BIND</primary>
-        <secondary>running in a sandbox</secondary>
-      </indexterm>
-
-      <indexterm>
-        <primary><command>chroot</command></primary>
-      </indexterm>
-      <para>For added security you may want to run &man.named.8; as an
-	unprivileged user, and configure it to &man.chroot.8; into a
-	sandbox directory.  This makes everything outside of the
-	sandbox inaccessible to the <application>named</application>
-	daemon.  Should <application>named</application> be
-	compromised, this will help to reduce the damage that can be
-	caused.  By default, FreeBSD has a user and a group called
-	<systemitem class="groupname">bind</systemitem>, intended for this use.</para>
-
-      <note><para>Various people would recommend that instead of configuring
-	<application>named</application> to <command>chroot</command>, you
-	should run <application>named</application> inside a &man.jail.8;.
-	This section does not attempt to cover this situation.</para>
-      </note>
-
-      <para>Since <application>named</application> will not be able to
-	access anything outside of the sandbox (such as shared
-	libraries, log sockets, and so on), there are a number of steps
-	that need to be followed in order to allow
-	<application>named</application> to function correctly.  In the
-	following checklist, it is assumed that the path to the sandbox
-	is <filename>/etc/namedb</filename> and that you have made no
-	prior modifications to the contents of this directory.  Perform
-	the following steps as <systemitem class="username">root</systemitem>:</para>
-
-      <itemizedlist>
-	<listitem>
-	  <para>Create all directories that <application>named</application>
-	    expects to see:</para>
-
-	  <screen>&prompt.root; <userinput>cd /etc/namedb</userinput>
-&prompt.root; <userinput>mkdir -p bin dev etc var/tmp var/run master slave</userinput>
-&prompt.root; <userinput>chown bind:bind slave var/*</userinput><co xml:id="chown-slave"/></screen>
-
-
-
-	  <calloutlist>
-	    <callout arearefs="chown-slave">
-	      <para><application>named</application> only needs write access to
-		these directories, so that is all we give it.</para>
-	    </callout>
-	  </calloutlist>
-	</listitem>
-
-	<listitem>
-	  <para>Rearrange and create basic zone and configuration files:</para>
-	  <screen>&prompt.root; <userinput>cp /etc/localtime etc</userinput><co xml:id="localtime"/>
-&prompt.root; <userinput>mv named.conf etc &amp;&amp; ln -sf etc/named.conf</userinput>
-&prompt.root; <userinput>mv named.root master</userinput>
-<!-- I don't like this next bit -->
-&prompt.root; <userinput>sh make-localhost</userinput>
-&prompt.root; <userinput>cat &gt; master/named.localhost
-$ORIGIN localhost.
-$TTL 6h
-@	IN	SOA	localhost. postmaster.localhost. (
-			1	; serial
-			3600	; refresh
-			1800	; retry
-			604800	; expiration
-			3600 )	; minimum
-	IN	NS	localhost.
-	IN	A		127.0.0.1
-^D</userinput></screen>
-
-	  <calloutlist>
-	    <callout arearefs="localtime">
-	      <para>This allows <application>named</application> to log the
-		correct time to &man.syslogd.8;.</para>
-	    </callout>
-	  </calloutlist>
-	</listitem>
-
-	<listitem>
-
-        <indexterm><primary>syslog</primary></indexterm>
-        <indexterm><primary>log files</primary>
-	  <secondary>named</secondary></indexterm>
-
-	  <para>If you are running a version of &os; prior to 4.9-RELEASE, build a statically linked copy of
-	    <application>named-xfer</application>, and copy it into the sandbox:</para>
-
-	      <screen>&prompt.root; <userinput>cd /usr/src/lib/libisc</userinput>
-&prompt.root; <userinput>make cleandir &amp;&amp; make cleandir &amp;&amp; make depend &amp;&amp; make all</userinput>
-&prompt.root; <userinput>cd /usr/src/lib/libbind</userinput>
-&prompt.root; <userinput>make cleandir &amp;&amp; make cleandir &amp;&amp; make depend &amp;&amp; make all</userinput>
-&prompt.root; <userinput>cd /usr/src/libexec/named-xfer</userinput>
-&prompt.root; <userinput>make cleandir &amp;&amp; make cleandir &amp;&amp; make depend &amp;&amp; make NOSHARED=yes all</userinput>
-&prompt.root; <userinput>cp named-xfer /etc/namedb/bin &amp;&amp; chmod 555 /etc/namedb/bin/named-xfer</userinput><co xml:id="clean-cruft"/></screen>
-
-	  <para>After your statically linked
-	    <command>named-xfer</command> is installed some cleaning up
-	    is required, to avoid leaving stale copies of libraries or
-	    programs in your source tree:</para>
-
-	  <screen>&prompt.root; <userinput>cd /usr/src/lib/libisc</userinput>
-&prompt.root; <userinput>make cleandir</userinput>
-&prompt.root; <userinput>cd /usr/src/lib/libbind</userinput>
-&prompt.root; <userinput>make cleandir</userinput>
-&prompt.root; <userinput>cd /usr/src/libexec/named-xfer</userinput>
-&prompt.root; <userinput>make cleandir</userinput></screen>
-
-	  <calloutlist>
-	    <callout arearefs="clean-cruft">
-	      <para>This step has been reported to fail occasionally.  If this
-		happens to you, then issue the command:</para>
-
-	      <screen>&prompt.root; <userinput>cd /usr/src &amp;&amp; make cleandir &amp;&amp; make cleandir</userinput></screen>
-
-	      <para>and delete your <filename>/usr/obj</filename> tree:</para>
-
-	      <screen>&prompt.root; <userinput>rm -fr /usr/obj &amp;&amp; mkdir /usr/obj</userinput></screen>
-
-		<para>This will clean out any <quote>cruft</quote> from your
-		  source tree, and retrying the steps above should then work.</para>
-	    </callout>
-	  </calloutlist>
-
-	  <para>If you are running &os; version 4.9-RELEASE or later,
-	    then the copy of <command>named-xfer</command> in
-	    <filename>/usr/libexec</filename> is statically linked by
-	    default, and you can simply use &man.cp.1; to copy it into
-	    your sandbox.</para>
-	</listitem>
-
-	<listitem>
-	  <para>Make a <filename>dev/null</filename> that
-	    <application>named</application> can see and write to:</para>
-
-	  <screen>&prompt.root; <userinput>cd /etc/namedb/dev &amp;&amp; mknod null c 2 2</userinput>
-&prompt.root; <userinput>chmod 666 null</userinput></screen>
-	</listitem>
-
-	<listitem>
-	  <para>Symlink <filename> /var/run/ndc</filename> to
-	    <filename>/etc/namedb/var/run/ndc</filename>:</para>
-
-	  <screen>&prompt.root; <userinput>ln -sf /etc/namedb/var/run/ndc /var/run/ndc</userinput></screen>
-
-	  <note>
-	    <para>This simply avoids having to specify the
-	      <option>-c</option> option to &man.ndc.8; every time you
-	      run it.  Since the contents of
-	      <filename>/var/run</filename> are deleted on boot, it may
-	      be useful to add this command to
-	      <systemitem class="username">root</systemitem>'s &man.crontab.5;, using the
-	      <option>@reboot</option> option.</para>
-	  </note>
-
-	</listitem>
-
-	<listitem>
-
-        <indexterm><primary>syslog</primary></indexterm>
-        <indexterm><primary>log files</primary>
-	  <secondary>named</secondary></indexterm>
-
-	  <para>Configure &man.syslogd.8; to create an extra
-	    <filename>log</filename> socket that
-	    <application>named</application> can write to.  To do this,
-	    add <literal>-l /etc/namedb/dev/log</literal> to the
-	    <varname>syslogd_flags</varname> variable in
-	    <filename>/etc/rc.conf</filename>.</para>
-	</listitem>
-
-	<listitem>
-
-          <indexterm><primary><command>chroot</command></primary></indexterm>
-
-	  <para>Arrange to have <application>named</application> start
-	    and <command>chroot</command> itself to the sandbox by
-	    adding the following to
-	    <filename>/etc/rc.conf</filename>:</para>
-
-	  <programlisting>named_enable="YES"
-named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"</programlisting>
-
-	  <note>
-	    <para>Note that the configuration file
-	    <replaceable>/etc/named.conf</replaceable> is denoted by a full
-	    pathname <emphasis>relative to the sandbox</emphasis>, i.e. in
-	    the line above, the file referred to is actually
-	    <filename>/etc/namedb/etc/named.conf</filename>.</para>
-	  </note>
-	</listitem>
-      </itemizedlist>
-
-      <para>The next step is to edit
-	<filename>/etc/namedb/etc/named.conf</filename> so that
-	<application>named</application> knows which zones to load and
-	where to find them on the disk.  There follows a commented
-	example (anything not specifically commented here is no
-	different from the setup for a DNS server not running in a
-	sandbox):</para>
-
-	<programlisting>options {
-        directory "/";<co xml:id="directory"/>
-        named-xfer "/bin/named-xfer";<co xml:id="named-xfer"/>
-        version "";		// Don't reveal BIND version
-        query-source address * port 53;
-};
-// ndc control socket
-controls {
-        unix "/var/run/ndc" perm 0600 owner 0 group 0;
-};
-// Zones follow:
-zone "localhost" IN {
-        type master;
-        file "master/named.localhost";<co xml:id="master"/>
-        allow-transfer { localhost; };
-        notify no;
-};
-zone "0.0.127.in-addr.arpa" IN {
-        type master;
-        file "master/localhost.rev";
-        allow-transfer { localhost; };
-        notify no;
-};
-zone "." IN {
-        type hint;
-        file "master/named.root";
-};
-zone "private.example.net" in {
-        type master;
-        file "master/private.example.net.db";
-	allow-transfer { 192.168.10.0/24; };
-};
-zone "10.168.192.in-addr.arpa" in {
-        type slave;
-        masters { 192.168.10.2; };
-        file "slave/192.168.10.db";<co xml:id="slave"/>
-};</programlisting>
-
-      <calloutlist>
-	<callout arearefs="directory">
-	  <para>The
-	    <literal>directory</literal> statement is specified as
-	    <filename>/</filename>, since all files that
-	    <application>named</application> needs are within this
-	    directory (recall that this is equivalent to a
-	    <quote>normal</quote> user's
-	    <filename>/etc/namedb</filename>).</para>
-	</callout>
-
-	<callout arearefs="named-xfer">
-	  <para>Specifies the full path
-	    to the <command>named-xfer</command> binary (from
-	    <application>named</application>'s frame of reference).  This
-	    is necessary since <application>named</application> is
-	    compiled to look for <command>named-xfer</command> in
-	    <filename>/usr/libexec</filename> by default.</para>
-	</callout>
-	<callout arearefs="master"><para>Specifies the filename (relative
-	  to the <literal>directory</literal> statement above) where
-	  <application>named</application> can find the zone file for this
-	  zone.</para>
-	</callout>
-	<callout arearefs="slave"><para>Specifies the filename
-	    (relative to the <literal>directory</literal> statement above)
-	    where <application>named</application> should write a copy of
-	    the zone file for this zone after successfully transferring it
-	    from the master server.  This is why we needed to change the
-	    ownership of the directory <filename>slave</filename> to
-	    <systemitem class="groupname">bind</systemitem> in the setup stages above.</para>
-	</callout>
-      </calloutlist>
-
-      <para>After completing the steps above, either reboot your
-	server or restart &man.syslogd.8; and start &man.named.8;, making
-	sure to use the new options specified in
-	<varname>syslogd_flags</varname> and
-	<varname>named_flags</varname>.  You should now be running a
-	sandboxed copy of <application>named</application>!</para>
-
-    </sect2>
-
-    <sect2>
-      <title>Security</title>
-
-      <para>Although BIND is the most common implementation of DNS,
-        there is always the issue of security.  Possible and
-        exploitable security holes are sometimes found.
-      </para>
-
-      <para>
-        It is a good idea to read <link xlink:href="http://www.cert.org/">CERT</link>'s security advisories and
-	to subscribe to the &a.security-notifications;
-        to stay up to date with the current Internet and FreeBSD security
-        issues.
-      </para>
-
-      <tip><para>If a problem arises, keeping sources up to date and
-        having a fresh build of <application>named</application> would
-        not hurt.</para></tip>
-    </sect2>
-
-    <sect2>
-      <title>Further Reading</title>
-
-      <para>BIND/<application>named</application> manual pages:
-      &man.ndc.8; &man.named.8; &man.named.conf.5;</para>
-
-      <itemizedlist>
-	<listitem>
-	  <para><link xlink:href="http://www.isc.org/products/BIND/">Official ISC BIND
-	      Page</link></para>
-	</listitem>
-
-	<listitem>
-	  <para><link xlink:href="http://www.nominum.com/getOpenSourceResource.php?id=6">
-	  BIND FAQ</link></para>
-	</listitem>
-
-	<listitem>
-	  <para><link xlink:href="http://www.oreilly.com/catalog/dns4/">O'Reilly
-         DNS and BIND 4th Edition</link></para>
-	</listitem>
-
-	<listitem>
-	  <para><link xlink:href="ftp://ftp.isi.edu/in-notes/rfc1034.txt">RFC1034
-	      - Domain Names - Concepts and Facilities</link></para>
-	</listitem>
-
-	<listitem>
-	  <para><link xlink:href="ftp://ftp.isi.edu/in-notes/rfc1035.txt">RFC1035
-	      - Domain Names - Implementation and Specification</link></para>
-	</listitem>
-      </itemizedlist>
-    </sect2>
-  </sect1>
-
-  <sect1 xml:id="network-bind9">
-    <info><title><acronym>BIND</acronym>9 and &os;</title>
-      <authorgroup>
-	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author>
-      </authorgroup>
-    </info>
-    
-
-<!-- This section is here to get users up with BIND9 configurations!  It
-  does not cover the terminology, theoretical discussion (why run a name
-  server) or the further reading which is still in the previous section.
-  I did things this way to avoid repetition of content and obviously we
-  cannot just remove the previous section since other supported releases
-  use it.  When the previous section is removed then those comments
-  should be moved here.  // Tom Rhodes -->
-
-    <indexterm><primary>bind9</primary>
-      <secondary>setting up</secondary></indexterm>
-
-    <para>The release of &os;&nbsp;5.3 brought the
-      <acronym>BIND</acronym>9 <acronym>DNS</acronym> server software
-      into the distribution.  New security features, a new file system
-      layout and automated &man.chroot.8; configuration came with the
-      import.  This section has been written in two parts, the first
-      will discuss new features and their configuration; the latter
-      will cover upgrades to aid in move to &os;&nbsp;5.3.  From this
-      moment on, the server will be referred to simply as
-      &man.named.8; in place of <acronym>BIND</acronym>.  This section
-      skips over the terminology described in the previous section as
-      well as some of the theoretical discussions; thus, it is
-      recommended that the previous section be consulted before reading
-      any further here.</para>
-
-    <para>Configuration files for <application>named</application> currently
-      reside in
-      <filename>/var/named/etc/namedb/</filename> and
-      will need modification before use.  This is where most of the
-      configuration will be performed.</para>
-
-    <sect2>
-      <title>Configuration of a Master Zone</title>
-
-      <para>To configure a master zone visit
-	<filename>/var/named/etc/namedb/</filename>
-	and run the following command:</para>
-
-      <screen>&prompt.root; <userinput>sh make-localhost</userinput></screen>
-
-      <para>If all went well a new file should exist in the
-	<filename>master</filename> directory.  The
-	filenames should be <filename>localhost.rev</filename> for
-	the local domain name and <filename>localhost-v6.rev</filename>
-	for <acronym>IPv6</acronym> configurations.  As the default
-	configuration file, configuration for its use will already
-	be present in the <filename>named.conf</filename> file.</para>
-    </sect2>
+	<primary>BIND</primary>
+	<secondary>caching name server</secondary>
+      </indexterm>
 
-    <sect2>
-      <title>Configuration of a Slave Zone</title>
+      <para>A caching name server is a name server whose primary role
+	is to resolve recursive queries.  It simply asks queries of
+	its own, and remembers the answers for later use.</para>
+    </sect3>
+
+    <sect3>
+      <title><acronym role="Domain Name Security
+	  Extensions">DNSSEC</acronym></title>
 
-      <para>Configuration for extra domains or sub domains may be
-	done properly by setting them as a slave zone.  In most cases,
-	the <filename>master/localhost.rev</filename> file could just be
-	copied over into the <filename>slave</filename>
-	directory and modified.  Once completed, the files need
-	to be properly added in <filename>named.conf</filename> such
-	as in the following configuration for
-	<systemitem class="fqdomainname">example.com</systemitem>:</para>
-
-      <programlisting>zone "example.com" {
-        type slave;
-        file "slave/example.com";
-        masters {
-                10.0.0.1;
-        };
-};
+      <indexterm>
+	<primary>BIND</primary>
+	<secondary><acronym>DNS</acronym> security
+	    extensions</secondary>
+      </indexterm>
 
-zone "0.168.192.in-addr.arpa" {
-        type slave;
-        file "slave/0.168.192.in-addr.arpa";
-        masters {
-                10.0.0.1;
-        };
+      <para>Domain Name System Security Extensions, or <acronym
+	  role="Domain Name Security Extensions">DNSSEC</acronym> for
+	short, is a suite of specifications to protect resolving name
+	servers from forged <acronym>DNS</acronym> data, such as
+	spoofed <acronym>DNS</acronym> records.  By using digital
+	signatures, a resolver can verify the integrity of the record.
+	Note that <acronym role="Domain Name Security
+	  Extensions">DNSSEC</acronym> only provides integrity via
+	digitally signing the Resource Records (<acronym
+	  role="Resource Record">RR</acronym>s).  It provides neither
+	confidentiality nor protection against false end-user
+	assumptions.  This means that it cannot protect against people
+	going to <systemitem
+	  class="fqdomainname">example.net</systemitem> instead of
+	<systemitem class="fqdomainname">example.com</systemitem>.
+	The only thing <acronym>DNSSEC</acronym> does is authenticate
+	that the data has not been compromised in transit.  The
+	security of <acronym>DNS</acronym> is an important step in
+	securing the Internet in general.  For more in-depth details
+	of how <acronym>DNSSEC</acronym> works, the relevant
+	<acronym>RFC</acronym>s are a good place to start.  See the
+	list in <xref linkend="dns-read"/>.</para>
+
+      <para>The following sections will demonstrate how to enable
+	<acronym>DNSSEC</acronym> for an authoritative
+	<acronym>DNS</acronym> server and a recursive (or caching)
+	<acronym>DNS</acronym> server running <acronym>BIND</acronym>
+	9.  While all versions of <acronym>BIND</acronym> 9 support
+	<acronym>DNSSEC</acronym>, it is necessary to have at least
+	version 9.6.2 in order to be able to use the signed root zone
+	when validating <acronym>DNS</acronym> queries.  This is
+	because earlier versions lack the required algorithms to
+	enable validation using the root zone key.  It is strongly
+	recommended to use the latest version of
+	<acronym>BIND</acronym> 9.7 or later to take advantage of
+	automatic key updating for the root key, as well as other
+	features to automatically keep zones signed and signatures up
+	to date.  Where configurations differ between 9.6.2 and 9.7
+	and later, differences will be pointed out.</para>
+
+      <sect4>
+	<title>Recursive <acronym>DNS</acronym> Server
+	  Configuration</title>
+
+	<para>Enabling <acronym>DNSSEC</acronym> validation of queries
+	  performed by a recursive <acronym>DNS</acronym> server
+	  requires a few changes to <filename>named.conf</filename>.
+	  Before making these changes the root zone key, or trust
+	  anchor, must be acquired.  Currently the root zone key is
+	  not available in a file format <acronym>BIND</acronym>
+	  understands, so it has to be manually converted into the
+	  proper format.  The key itself can be obtained by querying
+	  the root zone for it using <application>dig</application>.
+	  By running</para>
+
+	<screen>&prompt.user; <userinput>dig +multi +noall +answer DNSKEY . &gt; root.dnskey</userinput></screen>
+
+	<para>the key will end up in <filename>root.dnskey</filename>.
+	  The contents should look something like this:</para>
+
+	<programlisting>. 93910 IN DNSKEY 257 3 8 (
+	AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
+	bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
+	/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
+	JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
+	oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
+	LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
+	Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
+	LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
+	) ; key id = 19036
+. 93910 IN DNSKEY 256 3 8 (
+	AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf
+	UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE
+	g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V
+	EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt
+) ; key id = 34525</programlisting>
+
+	<para>Do not be alarmed if the obtained keys differ from this
+	  example.  They might have changed since these instructions
+	  were last updated.  This output actually contains two keys.
+	  The first key in the listing, with the value 257 after the
+	  DNSKEY record type, is the one needed.  This value indicates
+	  that this is a Secure Entry Point
+	  (<acronym role="Secure Entry Point">SEP</acronym>), commonly
+	  known as a Key Signing Key
+	  (<acronym role="Key Signing Key">KSK</acronym>).  The second
+	  key, with value 256, is a subordinate key, commonly called a
+	  Zone Signing Key
+	  (<acronym role="Zone Signing Key">ZSK</acronym>).  More on
+	  the different key types later in
+	  <xref linkend="dns-dnssec-auth"/>.</para>
+
+	<para>Now the key must be verified and formatted so that
+	  <acronym>BIND</acronym> can use it.  To verify the key,
+	  generate a <acronym role="Delegation Signer">DS</acronym>
+	  <acronym role="Resource Record">RR</acronym> set.  Create a
+	  file containing these
+	  <acronym role="Resource Record">RR</acronym>s with</para>
+
+	<screen>&prompt.user; <userinput>dnssec-dsfromkey -f root.dnskey . &gt; root.ds</userinput></screen>
+
+	<para>These records use SHA-1 and SHA-256 respectively, and
+	  should look similar to the following example, where the
+	  longer is using SHA-256.</para>
+
+	<programlisting>.  IN DS 19036 8 1
+	B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E
+. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</programlisting>
+
+	<para>The SHA-256 <acronym>RR</acronym> can now be compared to
+	  the digest in <link
+	    xlink:href="https://data.iana.org/root-anchors/root-anchors.xml">https://data.iana.org/root-anchors/root-anchors.xml</link>.
+	  To be absolutely sure that the key has not been tampered
+	  with the data in the <acronym>XML</acronym> file can be
+	  verified using the <acronym>PGP</acronym> signature in
+	  <link
+	    xlink:href="https://data.iana.org/root-anchors/root-anchors.asc">https://data.iana.org/root-anchors/root-anchors.asc</link>.</para>
+
+	<para>Next, the key must be formatted properly.  This differs
+	  a little between <acronym>BIND</acronym> versions 9.6.2 and
+	  9.7 and later.  In version 9.7 support was added to
+	  automatically track changes to the key and update it as
+	  necessary.  This is done using
+	  <literal>managed-keys</literal> as seen in the example
+	  below.  When using the older version, the key is added using
+	  a <literal>trusted-keys</literal> statement and updates must
+	  be done manually.  For <acronym>BIND</acronym> 9.6.2 the
+	  format should look like:</para>
+
+	<programlisting>trusted-keys {
+	"." 257 3 8
+	"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+	FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+	bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+	X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+	W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+	Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+	QxA+Uk1ihz0=";
 };</programlisting>
 
-      <para>Note well that in this example, the master
-	<acronym>IP</acronym> address is the primary domain server
-	from which the zones are transferred; it does not necessary serve
-	as <acronym>DNS</acronym> server itself.</para>
-    </sect2>
+	<para>For 9.7 the format will instead be:</para>
 
-    <sect2>
-      <title>System Initialization Configuration</title>
+	<programlisting>managed-keys {
+	"." initial-key 257 3 8
+	"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+	FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+	bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+	X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+	W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+	Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+	QxA+Uk1ihz0=";
+};</programlisting>
 
-      <para>In order for the <application>named</application> daemon to start
-	when the system is booted, the following option must be present
-	in the <filename>rc.conf</filename> file:</para>
+	<para>The root key can now be added to
+	  <filename>named.conf</filename> either directly or by
+	  including a file containing the key.  After these steps,
+	  configure <acronym>BIND</acronym> to do
+	  <acronym>DNSSEC</acronym> validation on queries by editing
+	  <filename>named.conf</filename> and adding the following to
+	  the <literal>options</literal> directive:</para>
+
+	<programlisting>dnssec-enable yes;
+dnssec-validation yes;</programlisting>
+
+	<para>To verify that it is actually working use
+	  <application>dig</application> to make a query for a signed
+	  zone using the resolver just configured.  A successful reply
+	  will contain the <literal>AD</literal> flag to indicate the
+	  data was authenticated.  Running a query such as</para>
+
+	<screen>&prompt.user; <userinput>dig @<replaceable>resolver</replaceable> +dnssec se ds </userinput></screen>
+
+	<para>should return the <acronym>DS</acronym>
+	  <acronym>RR</acronym> for the <literal>.se</literal> zone.
+	  In the <literal>flags:</literal> section the
+	  <literal>AD</literal> flag should be set, as seen
+	  in:</para>
+
+	<programlisting>...
+;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
+...</programlisting>
+
+	<para>The resolver is now capable of authenticating
+	  <acronym>DNS</acronym> queries.</para>
+      </sect4>
+
+      <sect4 xml:id="dns-dnssec-auth">
+	<title>Authoritative <acronym>DNS</acronym> Server
+	  Configuration</title>
+
+	<para>In order to get an authoritative name server to serve a
+	  <acronym>DNSSEC</acronym> signed zone a little more work is
+	  required.  A zone is signed using cryptographic keys which
+	  must be generated.  It is possible to use only one key for
+	  this.  The preferred method however is to have a strong
+	  well-protected Key Signing Key
+	  (<acronym role="Key Signing Key">KSK</acronym>) that is
+	  not rotated very often and a Zone Signing Key
+	  (<acronym role="Zone Signing Key">ZSK</acronym>) that is
+	  rotated more frequently.  Information on recommended
+	  operational practices can be found in <link
+	    xlink:href="http://tools.ietf.org/rfc/rfc4641.txt"><acronym>RFC</acronym>
+	    4641: <acronym>DNSSEC</acronym> Operational
+	    Practices</link>.  Practices regarding the root zone can
+	  be found in <link
+	    xlink:href="http://www.root-dnssec.org/wp-content/uploads/2010/06/icann-dps-00.txt"><acronym>DNSSEC</acronym>
+	    Practice Statement for the Root Zone
+	  <acronym>KSK</acronym> operator</link> and <link
+	    xlink:href="http://www.root-dnssec.org/wp-content/uploads/2010/06/vrsn-dps-00.txt"><acronym>DNSSEC</acronym>
+	    Practice Statement for the Root Zone
+	  <acronym>ZSK</acronym> operator</link>.  The
+	  <acronym role="Key Signing Key">KSK</acronym> is used to
+	  build a chain of authority to the data in need of validation
+	  and as such is also called a Secure Entry Point
+	  (<acronym role="Secure Entry Point">SEP</acronym>) key.  A
+	  message digest of this key, called a Delegation Signer
+	  (<acronym role="Delegation Signer">DS</acronym>) record,
+	  must be published in the parent zone to establish the trust
+	  chain.  How this is accomplished depends on the parent zone
+	  owner.  The <acronym role="Zone Signing Key">ZSK</acronym>
+	  is used to sign the zone, and only needs to be published
+	  there.</para>
+
+	<para>To enable <acronym>DNSSEC</acronym> for the <systemitem
+	    class="fqdomainname">example.com</systemitem> zone
+	  depicted in previous examples, the first step is to use
+	  <application>dnssec-keygen</application> to generate the
+	  <acronym>KSK</acronym> and <acronym>ZSK</acronym> key pair.
+	  This key pair can utilize different cryptographic
+	  algorithms.  It is recommended to use RSA/SHA256 for the
+	  keys and 2048 bits key length should be enough.  To generate
+	  the <acronym>KSK</acronym> for <systemitem
+	    class="fqdomainname">example.com</systemitem>, run</para>
+
+	<screen>&prompt.user; <userinput>dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE example.com</userinput></screen>
+
+	<para>and to generate the <acronym>ZSK</acronym>, run</para>
+
+	<screen>&prompt.user; <userinput>dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com</userinput></screen>
+
+	<para><application>dnssec-keygen</application> outputs two
+	  files, the public and the private keys in files named
+	  similar to <filename>Kexample.com.+005+nnnnn.key</filename>
+	  (public) and
+	  <filename>Kexample.com.+005+nnnnn.private</filename>
+	  (private).  The <literal>nnnnn</literal> part of the file
+	  name is a five digit key ID.  Keep track of which key ID
+	  belongs to which key.  This is especially important when
+	  having more than one key in a zone.  It is also possible to
+	  rename the keys.  For each <acronym>KSK</acronym> file
+	  do:</para>
+
+	<screen>&prompt.user; <userinput>mv Kexample.com.+005+nnnnn.key Kexample.com.+005+nnnnn.KSK.key</userinput>
+&prompt.user; <userinput>mv Kexample.com.+005+nnnnn.private Kexample.com.+005+nnnnn.KSK.private</userinput></screen>
+
+	<para>For the <acronym>ZSK</acronym> files, substitute
+	  <literal>KSK</literal> for <literal>ZSK</literal> as
+	  necessary.  The files can now be included in the zone file,
+	  using the <literal>$include</literal> statement.  It should
+	  look something like this:</para>
+
+	<programlisting>$include Kexample.com.+005+nnnnn.KSK.key ; KSK
+$include Kexample.com.+005+nnnnn.ZSK.key    ; ZSK</programlisting>
+
+	<para>Finally, sign the zone and tell <acronym>BIND</acronym>
+	  to use the signed zone file.  To sign a zone
+	  <application>dnssec-signzone</application> is used.  The
+	  command to sign the zone <systemitem
+	    class="fqdomainname">example.com</systemitem>, located in
+	  <filename>example.com.db</filename> would look similar
+	  to</para>
+
+	<screen>&prompt.user; <userinput>dnssec-signzone -o
+	example.com -k Kexample.com.+005+nnnnn.KSK example.com.db
+	Kexample.com.+005+nnnnn.ZSK.key</userinput></screen>
+
+	<para>The key supplied to the <option>-k</option> argument is
+	  the <acronym>KSK</acronym> and the other key file is the
+	  <acronym>ZSK</acronym> that should be used in the signing.
+	  It is possible to supply more than one
+	  <acronym>KSK</acronym> and <acronym>ZSK</acronym>, which
+	  will result in the zone being signed with all supplied keys.
+	  This can be needed to supply zone data signed using more
+	  than one algorithm.  The output of
+	  <application>dnssec-signzone</application> is a zone file
+	  with all <acronym>RR</acronym>s signed.  This output will
+	  end up in a file with the extension
+	  <literal>.signed</literal>, such as
+	  <filename>example.com.db.signed</filename>.  The
+	  <acronym role="Delegation Signer">DS</acronym> records will
+	  also be written to a separate file
+	  <filename>dsset-example.com</filename>.  To use this signed
+	  zone just modify the zone directive in
+	  <filename>named.conf</filename> to use
+	  <filename>example.com.db.signed</filename>.  By default, the
+	  signatures are only valid 30 days, meaning that the zone
+	  needs to be resigned in about 15 days to be sure that
+	  resolvers are not caching records with stale signatures.  It
+	  is possible to make a script and a cron job to do this.  See
+	  relevant manuals for details.</para>
+
+	<para>Be sure to keep private keys confidential, as with all
+	  cryptographic keys.  When changing a key it is best to
+	  include the new key into the zone, while still signing with
+	  the old one, and then move over to using the new key to
+	  sign.  After these steps are done the old key can be removed
+	  from the zone.  Failure to do this might render the
+	  <acronym>DNS</acronym> data unavailable for a time, until
+	  the new key has propagated through the
+	  <acronym>DNS</acronym> hierarchy.  For more information on
+	  key rollovers and other <acronym>DNSSEC</acronym>
+	  operational issues, see <link
+	    xlink:href="http://www.ietf.org/rfc/rfc4641.txt"><acronym>RFC</acronym>
+	    4641: <acronym>DNSSEC</acronym> Operational
+	    practices</link>.</para>
+      </sect4>
+
+      <sect4>
+	<title>Automation Using <acronym>BIND</acronym> 9.7 or
+	  Later</title>
+
+	<para>Beginning with <acronym>BIND</acronym> version 9.7 a new
+	  feature called <emphasis>Smart Signing</emphasis> was
+	  introduced.  This feature aims to make the key management
+	  and signing process simpler by automating parts of the task.
+	  By putting the keys into a directory called a
+	  <emphasis>key repository</emphasis>, and using the new
+	  option <literal>auto-dnssec</literal>, it is possible to
+	  create a dynamic zone which will be resigned as needed.  To
+	  update this zone use <application>nsupdate</application>
+	  with the new option <option>-l</option>.
+	  <application>rndc</application> has also grown the ability
+	  to sign zones with keys in the key repository, using the
+	  option <option>sign</option>.  To tell
+	  <acronym>BIND</acronym> to use this automatic signing and
+	  zone updating for <systemitem
+	    class="fqdomainname">example.com</systemitem>, add the
+	  following to <filename>named.conf</filename>:</para>
 
-      <programlisting>named_enable="YES"</programlisting>
+	<programlisting>zone example.com {
+	type master;
+	key-directory "/etc/named/keys";
+	update-policy local;
+	auto-dnssec maintain;
+	file "/etc/named/dynamic/example.com.zone";
+};</programlisting>
 
-      <para>While other options exist, this is the bare minimal
-	requirement.  Consult the &man.rc.conf.5; manual page for
-	a list of the other options.  If nothing is entered in the
-	<filename>rc.conf</filename> file then <application>named</application>
-	may be started on the command line by invoking:</para>
+	<para>After making these changes, generate keys for the zone
+	  as explained in <xref linkend="dns-dnssec-auth"/>, put those
+	  keys in the key repository given as the argument to the
+	  <literal>key-directory</literal> in the zone configuration
+	  and the zone will be signed automatically.  Updates to a
+	  zone configured this way must be done using
+	  <application>nsupdate</application>, which will take care of
+	  re-signing the zone with the new data added.  For further
+	  details, see <xref linkend="dns-read"/> and the
+	  <acronym>BIND</acronym> documentation.</para>
+      </sect4>
+    </sect3>
 
-      <screen>&prompt.root; <userinput>/etc/rc.d/named start</userinput></screen>
-    </sect2>
+    <sect3>
+      <title>Security</title>
 
-    <sect2>
-      <title><acronym>BIND</acronym>9 Security</title>
+      <para>Although BIND is the most common implementation of
+	<acronym>DNS</acronym>, there is always the issue of security.
+	Possible and exploitable security holes are sometimes
+	found.</para>
+
+      <para>While &os; automatically drops
+	<application>named</application> into a &man.chroot.8;
+	environment; there are several other security mechanisms in
+	place which could help to lure off possible
+	<acronym>DNS</acronym> service attacks.</para>
+
+      <para>It is always good idea to read
+	<link xlink:href="http://www.cert.org/">CERT</link>'s security
+	advisories and to subscribe to the &a.security-notifications;
+	to stay up to date with the current Internet and &os; security
+	issues.</para>
+
+      <tip>
+	<para>If a problem arises, keeping sources up to date and
+	  having a fresh build of <application>named</application>
+	  may help.</para>
+      </tip>
+    </sect3>
 
-      <para>While &os; automatically drops <application>named</application>
-	into a &man.chroot.8; environment; there are several other
-	security mechanisms in place which could help to lure off
-	possible <acronym>DNS</acronym> service attacks.</para>
+    <sect3 xml:id="dns-read">
+      <title>Further Reading</title>
 
-      <sect3>
-	<title>Query Access Control Lists</title>
+      <para>BIND/<application>named</application> manual pages:
+	&man.rndc.8; &man.named.8; &man.named.conf.5; &man.nsupdate.1;
+	&man.dnssec-signzone.8; &man.dnssec-keygen.8;</para>
 
-	<para>A query access control list can be used to restrict
-	  queries against the zones.  The configuration works by
-	  defining the network inside of the <literal>acl</literal>
-	  token and then listing <acronym>IP</acronym> addresses in
-	  the zone configuration.  To permit domains to query the
-	  example host, just define it like this:</para>
+      <itemizedlist>
+	<listitem>
+	  <para><link
+	      xlink:href="https://www.isc.org/software/bind">Official
+	      ISC BIND Page</link></para>
+	</listitem>
 
-	<programlisting>acl "example.com" {
-        192.168.0.0/24;
-};
+	<listitem>
+	  <para><link
+	      xlink:href="https://www.isc.org/software/guild">Official
+	      ISC BIND Forum</link></para>
+	</listitem>
 
-zone "example.com" {
-        type slave;
-        file "slave/example.com";
-        masters {
-                10.0.0.1;
-        };
-	allow-query { example.com; };
-};
+	<listitem>
+	  <para><link
+	      xlink:href="http://www.oreilly.com/catalog/dns5/">O'Reilly
+	      <acronym>DNS</acronym> and BIND 5th
+	      Edition</link></para>
+	</listitem>
 
-zone "0.168.192.in-addr.arpa" {
-        type slave;
-        file "slave/0.168.192.in-addr.arpa";
-        masters {
-                10.0.0.1;
-        };
-	allow-query { example.com; };
-};</programlisting>
-      </sect3>
+	<listitem>
+	  <para><link
+	      xlink:href="http://www.root-dnssec.org/documentation/">Root
+	      <acronym>DNSSEC</acronym></link></para>
+	</listitem>
 
-      <sect3>
-	<title>Restrict Version</title>
+	<listitem>
+	  <para><link
+	      xlink:href="http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html"><acronym>DNSSEC</acronym>
+	      Trust Anchor Publication for the Root
+	      Zone</link></para>
+	</listitem>
 
-	<para>Permitting version lookups on the <acronym>DNS</acronym>
-	  server could be opening the doors for an attacker.  A
-	  malicious user may use this information to hunt up known
-	  exploits or bugs to utilize against the host.</para>
+	<listitem>
+	  <para><link
+	      xlink:href="http://tools.ietf.org/html/rfc1034">RFC1034
+	      - Domain Names - Concepts and Facilities</link></para>
+	</listitem>
 
-	<warning>
-	  <para>Setting a false version will not protect the server
-	    from exploits.  Only upgrading to a version that is not
-	    vulnerable will protect your server.</para>
-	</warning>
+	<listitem>
+	  <para><link
+	      xlink:href="http://tools.ietf.org/html/rfc1035">RFC1035
+	      - Domain Names - Implementation and
+	      Specification</link></para>
+	</listitem>
 
-	<para>A false version string can be placed the
-	  <literal>options</literal> section of
-	  <filename>named.conf</filename>:</para>
-
-	<programlisting>options {
-        directory       "/etc/namedb";
-        pid-file        "/var/run/named/pid";
-        dump-file       "/var/dump/named_dump.db";
-        statistics-file "/var/stats/named.stats";
-        version		"None of your business";
-};</programlisting>
-      </sect3>
+	<listitem>
+	  <para><link
+	      xlink:href="http://tools.ietf.org/html/rfc4033">RFC4033
+	      - <acronym>DNS</acronym> Security Introduction and
+	      Requirements</link></para>
+	</listitem>
 
-<!-- Here is where I stopped for now
-      <sect3>
-        <title>Authentication</title>
+	<listitem>
+	  <para><link
+	      xlink:href="http://tools.ietf.org/html/rfc4034">RFC4034
+	      - Resource Records for the <acronym>DNS</acronym>
+	      Security Extensions</link></para>
+	</listitem>
+
+	<listitem>
+	  <para><link
+	      xlink:href="http://tools.ietf.org/html/rfc4035">RFC4035
+	      - Protocol Modifications for the <acronym>DNS</acronym>
+	      Security Extensions</link></para>
+	</listitem>
 
-	<para> ... </para>
+	<listitem>
+	  <para><link
+	      xlink:href="http://tools.ietf.org/html/rfc4641">RFC4641
+	      - DNSSEC Operational Practices</link></para>
+	</listitem>
 
--->
+	<listitem>
+	  <para><link
+	      xlink:href="http://tools.ietf.org/html/rfc5011">RFC 5011
+	      - Automated Updates of <acronym>DNS</acronym> Security
+	      (<acronym>DNSSEC</acronym>
+	      Trust Anchors</link></para>
+	</listitem>
+      </itemizedlist>
+    </sect3>
     </sect2>
   </sect1>
 
-
   <sect1 xml:id="network-apache">
-    <info><title>Apache HTTP Server</title>
+    <info>
+    <title>Apache HTTP Server</title>
+
       <authorgroup>
-	<author><personname><firstname>Murray</firstname><surname>Stokely</surname></personname><contrib>Contributed by </contrib></author>
+	<author>
+	<personname>
+	  <firstname>Murray</firstname>
+	  <surname>Stokely</surname>
+	  </personname>
+	  <contrib>Contributed by </contrib>
+	</author>
       </authorgroup>
     </info>
-    
 
     <indexterm><primary>web servers</primary>
       <secondary>setting up</secondary></indexterm>
     <indexterm><primary>Apache</primary></indexterm>
 
-    <sect2>
-      <title>Overview</title>
-
-      <para>&os; is used to run some of the busiest web sites in the
-        world.  The majority of web servers on the Internet are using
-        the <application>Apache HTTP Server</application>.
-        <application>Apache</application> software packages should be
-        included on your FreeBSD installation media.  If you did not
-        install <application>Apache</application> when you first
-        installed FreeBSD, then you can install it from the <package>www/apache13</package> or <package>www/apache20</package> port.</para>
-
-      <para>Once <application>Apache</application> has been installed
-        successfully, it must be configured.</para>
-
-      <note><para>This section covers version 1.3.X of the
-        <application>Apache HTTP Server</application> as that is the
-        most widely used version for &os;.  <application>Apache</application>&nbsp;2.X introduces many
-        new technologies but they are not discussed here.  For more
-        information about <application>Apache</application>&nbsp;2.X, please see <uri xlink:href="http://httpd.apache.org/">http://httpd.apache.org/</uri>.</para></note>
-
-    </sect2>
+    <para>The open source
+      <application>Apache HTTP Server</application> is the most widely
+      used web server.  &os; does not install this web server by
+      default, but it can be installed from the
+      <package>www/apache24</package> package or port.</para>
+
+    <para>This section summarizes how to configure and start version
+      2.<replaceable>x</replaceable> of the <application>Apache HTTP
+	Server</application> on &os;.  For more detailed information
+      about <application>Apache</application>&nbsp;2.X and its
+      configuration directives, refer to <link
+	xlink:href="http://httpd.apache.org/">httpd.apache.org</link>.</para>
 
     <sect2>
-      <title>Configuration</title>
+      <title>Configuring and Starting Apache</title>
 
       <indexterm><primary>Apache</primary>
 	<secondary>configuration file</secondary></indexterm>
 
-      <para>The main <application>Apache HTTP Server</application> configuration file is
-	installed as
-	<filename>/usr/local/etc/apache/httpd.conf</filename> on &os;.
-	This file is a typical &unix; text configuration file with
-	comment lines beginning with the <literal>#</literal>
-	character.  A comprehensive description of all possible
-	configuration options is outside the scope of this book, so
-	only the most frequently modified directives will be described
-	here.</para>
+      <para>In &os;, the main <application>Apache HTTP
+	  Server</application> configuration file is installed as
+	<filename>/usr/local/etc/apache2<replaceable>x</replaceable>/httpd.conf</filename>,
+	where <replaceable>x</replaceable> represents the version
+	number.  This <acronym>ASCII</acronym> text file begins
+	comment lines with a <literal>#</literal>.  The most
+	frequently modified directives are:</para>
 
       <variablelist>
 	<varlistentry>
 	  <term><literal>ServerRoot "/usr/local"</literal></term>
 
 	  <listitem>
-	    <para>This specifies the default directory hierarchy for
-	    the <application>Apache</application> installation.  Binaries are stored in the
-	    <filename>bin</filename> and
-	    <filename>sbin</filename> subdirectories
-	    of the server root, and configuration files are stored in
-	    <filename>etc/apache</filename>.</para>
+	    <para>Specifies the default directory hierarchy for the
+	      <application>Apache</application> installation.
+	      Binaries are stored in the <filename>bin</filename> and
+	      <filename>sbin</filename> subdirectories of the server
+	      root and configuration files are stored in the <filename
+		class="directory">etc/apache2<replaceable>x</replaceable></filename>
+	      subdirectory.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><literal>ServerAdmin you@your.address</literal></term>
+	  <term><literal>ServerAdmin you@example.com</literal></term>
 
 	  <listitem>
-	    <para>The address to which problems with the server should
-	      be emailed.  This address appears on some
+	    <para>Change this to the email address to receive problems
+	      with the server.  This address also appears on some
 	      server-generated pages, such as error documents.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><literal>ServerName www.example.com</literal></term>
+	  <term><literal>ServerName
+	      www.example.com:80</literal></term>
 
 	  <listitem>
-	    <para><literal>ServerName</literal> allows you to set a host name which is
-	      sent back to clients for your server if it is different
-	      to the one that the host is configured with (i.e., use <systemitem>www</systemitem>
-	      instead of the host's real name).</para>
+	    <para>Allows an administrator to set a hostname which is
+	      sent back to clients for the server.  For example,
+	      <systemitem>www</systemitem> can be used instead of the
+	      actual hostname.  If the system does not have a
+	      registered <acronym>DNS</acronym> name, enter its
+	      <acronym>IP</acronym> address instead.  If the server
+	      will listen on an alternate report, change
+	      <literal>80</literal> to the alternate port
+	      number.</para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><literal>DocumentRoot "/usr/local/www/data"</literal></term>
+	  <term><literal>DocumentRoot
+	    "/usr/local/www/apache2<replaceable>x</replaceable>/data"</literal></term>
 
 	  <listitem>
-	    <para><literal>DocumentRoot</literal>: The directory out of which you will
-	      serve your documents. By default, all requests are taken
-	      from this directory, but symbolic links and aliases may
-	      be used to point to other locations.</para>
+	    <para>The directory where documents will be served from.
+	      By default, all requests are taken from this directory,
+	      but symbolic links and aliases may be used to point to
+	      other locations.</para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
 
-      <para>It is always a good idea to make backup copies of your
-	<application>Apache</application> configuration file before making changes.  Once you are
-	satisfied with your initial configuration you are ready to
-	start running <application>Apache</application>.</para>
-
-<!-- sect3 for performance tuning directives?  maxservers minservers -->
-<!-- etc..?? -->
-
-<!-- Advanced configuration section.
-
-Performance tuning directives.
-
-Log file format -->
-
-    </sect2>
-
-    <sect2>
-      <title>Running <application>Apache</application></title>
+      <para>It is always a good idea to make a backup copy of the
+	default <application>Apache</application> configuration file
+	before making changes.  When the configuration of
+	<application>Apache</application> is complete, save the file
+	and verify the configuration using
+	<command>apachectl</command>.  Running <command>apachectl
+	  configtest</command> should return <literal>Syntax
+	  OK</literal>.</para>
 
       <indexterm><primary>Apache</primary>
 	<secondary>starting or stopping</secondary></indexterm>
 
-      <para><application>Apache</application> does not run from the
-        <application>inetd</application> super server as many other
-        network servers do.  It is configured to run standalone for
-        better performance for incoming HTTP requests from client web
-        browsers.  A shell script wrapper is included to make
-        starting, stopping, and restarting the server as simple as
-        possible.  To start up <application>Apache</application> for
-        the first time, just run:</para>
-
-      <screen>&prompt.root; <userinput>/usr/local/sbin/apachectl start</userinput></screen>
-
-      <para>You can stop the server at any time by typing:</para>
-
-      <screen>&prompt.root; <userinput>/usr/local/sbin/apachectl stop</userinput></screen>
-
-      <para>After making changes to the configuration file for any
-      reason, you will need to restart the server:</para>
-
-      <screen>&prompt.root; <userinput>/usr/local/sbin/apachectl restart</userinput></screen>
-
-      <para>To restart <application>Apache</application> without
-	aborting current connections, run:</para>
-
-      <screen>&prompt.root; <userinput>/usr/local/sbin/apachectl graceful</userinput></screen>
-
-      <para>Additional information available at
-	&man.apachectl.8; manual page.</para>
-
       <para>To launch <application>Apache</application> at system
-        startup, add the following line to
-        <filename>/etc/rc.conf</filename>:</para>
+	startup, add the following line to
+	<filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>apache<replaceable>24</replaceable>_enable="YES"</programlisting>
 
-      <programlisting>apache_enable="YES"</programlisting>
+      <para>If <application>Apache</application> should be started
+	with non-default options, the following line may be added to
+	<filename>/etc/rc.conf</filename> to specify the needed
+	flags:</para>
+
+      <programlisting>apache<replaceable>24</replaceable>_flags=""</programlisting>
+
+      <para>If <application>apachectl</application> does not report
+	configuration errors, start <command>httpd</command>
+	now:</para>
+
+      <screen>&prompt.root; <userinput>service apache<replaceable>24</replaceable> start</userinput></screen>
+
+      <para>The <command>httpd</command> service can be tested by
+	entering
+	<literal>http://<replaceable>localhost</replaceable></literal>
+	in a web browser, replacing
+	<replaceable>localhost</replaceable> with the fully-qualified
+	domain name of the machine running <command>httpd</command>.
+	The default web page that is displayed is
+	<filename>/usr/local/www/apache<replaceable>24</replaceable>/data/index.html</filename>.</para>
+
+      <para>The <application>Apache</application> configuration can be
+	tested for errors after making subsequent configuration
+	changes while <command>httpd</command> is running using the
+	following command:</para>
 
-      <para>If you would like to supply additional command line
-	options for the <application>Apache</application>
-	<command>httpd</command> program started at system boot, you
-	may specify them with an additional line in
-	<filename>rc.conf</filename>:</para>
-
-      <programlisting>apache_flags=""</programlisting>
-
-      <para>Now that the web server is running, you can view your web
-        site by pointing a web browser to
-        <literal>http://localhost/</literal>.  The default web page
-        that is displayed is
-        <filename>/usr/local/www/data/index.html</filename>.</para>
+      <screen>&prompt.root; <userinput>service apache<replaceable>24</replaceable> configtest</userinput></screen>
 
+      <note>
+	<para>It is important to note that
+	  <literal>configtest</literal> is not an &man.rc.8; standard,
+	  and should not be expected to work for all startup
+	  scripts.</para>
+      </note>
     </sect2>
 
     <sect2>
       <title>Virtual Hosting</title>
 
-      <para><application>Apache</application> supports two different
-	types of Virtual Hosting. The first method is Name-based
-	Virtual Hosting. Name-based virtual hosting uses the clients
-	HTTP/1.1 headers to figure out the hostname. This allows many
-	different domains to share the same IP address.</para>
+      <para>Virtual hosting allows multiple websites to run on one
+	<application>Apache</application> server.  The virtual hosts
+	can be <firstterm>IP-based</firstterm> or
+	<firstterm>name-based</firstterm>.
+	<acronym>IP</acronym>-based virtual hosting uses a different
+	<acronym>IP</acronym> address for each website.  Name-based
+	virtual hosting uses the clients HTTP/1.1 headers to figure
+	out the hostname, which allows the websites to share the same
+	<acronym>IP</acronym> address.</para>
 
       <para>To setup <application>Apache</application> to use
-        Name-based Virtual Hosting add an entry like the following to
-        your <filename>httpd.conf</filename>:</para>
-
-      <programlisting>NameVirtualHost *</programlisting>
-
-      <para>If your webserver was named <systemitem class="fqdomainname">www.domain.tld</systemitem> and
-        you wanted to setup a virtual domain for
-        <systemitem class="fqdomainname">www.someotherdomain.tld</systemitem> then you would add
-        the following entries to
-        <filename>httpd.conf</filename>:</para>
+	name-based virtual hosting, add a
+	<literal>VirtualHost</literal> block for each website.  For
+	example, for the webserver named <systemitem
+	  class="fqdomainname">www.domain.tld</systemitem> with a
+	virtual domain of <systemitem
+	  class="fqdomainname">www.someotherdomain.tld</systemitem>,
+	add the following entries to
+	<filename>httpd.conf</filename>:</para>
 
       <screen>&lt;VirtualHost *&gt;
-ServerName www.domain.tld
-DocumentRoot /www/domain.tld
+ServerName <replaceable>www.domain.tld</replaceable>
+DocumentRoot <replaceable>/www/domain.tld</replaceable>
 &lt;/VirtualHost&gt;
 
 &lt;VirtualHost *&gt;
-ServerName www.someotherdomain.tld
-DocumentRoot /www/someotherdomain.tld
+ServerName <replaceable>www.someotherdomain.tld</replaceable>
+DocumentRoot <replaceable>/www/someotherdomain.tld</replaceable>
 &lt;/VirtualHost&gt;</screen>
 
-      <para>Replace the addresses with the addresses you want to use
-        and the path to the documents with what you are using.</para>
+      <para>For each virtual host, replace the values for
+	<literal>ServerName</literal> and
+	<literal>DocumentRoot</literal> with the values to be
+	used.</para>
 
       <para>For more information about setting up virtual hosts,
-        please consult the official <application>Apache</application>
-        documentation at: <uri xlink:href="http://httpd.apache.org/docs/vhosts/">http://httpd.apache.org/docs/vhosts/</uri>.</para>
-
+	consult the official <application>Apache</application>
+	documentation at: <uri
+	  xlink:href="http://httpd.apache.org/docs/vhosts/">http://httpd.apache.org/docs/vhosts/</uri>.</para>
     </sect2>
 
     <sect2>
@@ -4332,280 +4638,381 @@
       <indexterm><primary>Apache</primary>
 	<secondary>modules</secondary></indexterm>
 
-      <para>There are many different <application>Apache</application> modules available to add
-        functionality to the basic server.  The FreeBSD Ports
-        Collection provides an easy way to install
-        <application>Apache</application> together with some of the
-        more popular add-on modules.</para>
+      <para><application>Apache</application> uses modules to augment
+	the functionality provided by the basic server.  Refer to <uri
+	  xlink:href="http://httpd.apache.org/docs/current/mod/">http://httpd.apache.org/docs/current/mod/</uri>
+	for a complete listing of and the configuration details for
+	the available modules.</para>
+
+      <para>In &os;, some modules can be compiled with the
+	<package>www/apache24</package> port.  Type <command>make
+	  config</command> within
+	<filename>/usr/ports/www/apache24</filename> to see which
+	modules are available and which are enabled by default.  If
+	the module is not compiled with the port, the &os; Ports
+	Collection provides an easy way to install many modules.  This
+	section describes three of the most commonly used
+	modules.</para>
 
       <sect3>
-        <title>mod_ssl</title>
+	<title><filename>mod_ssl</filename></title>
 
-	<indexterm><primary>web servers</primary>
-          <secondary>secure</secondary></indexterm>
+	<indexterm>
+	  <primary>web servers</primary>
+	  <secondary>secure</secondary>
+	</indexterm>
 	<indexterm><primary>SSL</primary></indexterm>
 	<indexterm><primary>cryptography</primary></indexterm>
 
-        <para>The <application>mod_ssl</application> module uses the OpenSSL library to provide
-          strong cryptography via the Secure Sockets Layer (SSL v2/v3)
-          and Transport Layer Security (TLS v1) protocols.  This
-          module provides everything necessary to request a signed
-          certificate from a trusted certificate signing authority so
-          that you can run a secure web server on &os;.</para>
-
-	<para>If you have not yet installed
-	  <application>Apache</application>, then a version of <application>Apache</application>
-	  1.3.X that includes <application>mod_ssl</application> may be installed with the <package>www/apache13-modssl</package> port.  SSL
-	  support is also available for <application>Apache</application>&nbsp;2.X in the
-	  <package>www/apache20</package> port,
-	  where it is enabled by default.</para>
-
-<!-- XXX add more information about configuring mod_ssl here. -->
-<!-- Generating keys, getting the key signed, setting up your secure -->
-<!-- web server! -->
+	<para>The <filename>mod_ssl</filename> module uses the
+	  <application>OpenSSL</application> library to provide strong
+	  cryptography via the Secure Sockets Layer
+	  (<acronym>SSLv3</acronym>) and Transport Layer Security
+	  (<acronym>TLSv1</acronym>) protocols.  This module provides
+	  everything necessary to request a signed certificate from a
+	  trusted certificate signing authority to run a secure web
+	  server on &os;.</para>
+
+	<para>In &os;, <filename>mod_ssl</filename> module is enabled
+	  by default in both the package and the port.  The available
+	  configuration directives are explained at <uri
+	    xlink:href="http://httpd.apache.org/docs/current/mod/mod_ssl.html">http://httpd.apache.org/docs/current/mod/mod_ssl.html</uri>.</para>
       </sect3>
 
       <sect3>
-        <title>Dynamic Websites with Perl &amp; PHP</title>
-        <para>In the past few years, more businesses have turned to the
-          Internet in order to enhance their revenue and increase
-          exposure.  This has also increased the need for interactive
-          web content.  While some companies, such as &microsoft;, have
-          introduced solutions into their proprietary products, the
-          open source community answered the call.  Two options for
-          dynamic web content include mod_perl &amp; mod_php.</para>
-
-        <sect4>
-        <title>mod_perl</title>
+	<title><filename>mod_perl</filename></title>
 
 	<indexterm>
-          <primary>mod_perl</primary>
-          <secondary>Perl</secondary>
-        </indexterm>
-
-        <para>The <application>Apache</application>/Perl integration project brings together the
-	  full power of the Perl programming language and the <application>Apache
-	  HTTP Server</application>.  With the <application>mod_perl</application> module it is possible to
-	  write <application>Apache</application> modules entirely in Perl.  In addition, the
+	  <primary>mod_perl</primary>
+	  <secondary>Perl</secondary>
+	</indexterm>
+
+	<para>The
+	  <filename>mod_perl</filename> module makes it possible to
+	  write <application>Apache</application> modules in
+	  <application>Perl</application>.  In addition, the
 	  persistent interpreter embedded in the server avoids the
 	  overhead of starting an external interpreter and the penalty
-	  of Perl start-up time.</para>
+	  of <application>Perl</application> start-up time.</para>
 
-          <para><application>mod_perl</application> is available a few
-            different ways.  To use <application>mod_perl</application>
-            remember that <application>mod_perl</application> 1.0 only
-            works with <application>Apache</application> 1.3 and
-            <application>mod_perl</application> 2.0 only works with
-            <application>Apache</application> 2.
-            <application>mod_perl</application> 1.0 is available in
-            <package>www/mod_perl</package> and a
-            statically compiled version is available in
-            <package>www/apache13-modperl</package>.
-            <application>mod_perl</application> 2.0 is avaliable in
-            <package>www/mod_perl2</package>.</para>
-        </sect4>
+	<para>The <filename>mod_perl</filename> can be installed using
+	  the <package>www/mod_perl2</package> package or port.
+	  Documentation for using this module can be found at <uri
+	    xlink:href="http://perl.apache.org/docs/2.0/index.html">http://perl.apache.org/docs/2.0/index.html</uri>.</para>
+      </sect3>
+
+      <sect3>
+	<info>
+	<title><filename>mod_php</filename></title>
 
-        <sect4>
-          <info><title>mod_php</title>
 	  <authorgroup>
-	    <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author>
+	    <author>
+	    <personname>
+	      <firstname>Tom</firstname>
+	      <surname>Rhodes</surname>
+	    </personname>
+	      <contrib>Written by </contrib>
+	    </author>
 	  </authorgroup>
-        </info>
-        
+	</info>
 
 	<indexterm>
-          <primary>mod_php</primary>
-          <secondary>PHP</secondary>
-        </indexterm>
-
-	<para><acronym>PHP</acronym>, also known as <quote>PHP:
-          Hypertext Preprocessor</quote> is a general-purpose scripting
-          language that is especially suited for Web development.
-          Capable of being embedded into <acronym>HTML</acronym> its
-          syntax draws upon C, &java;, and Perl with the intention of
-          allowing web developers to write dynamically generated
-          webpages quickly.</para>
+	  <primary>mod_php</primary>
+	  <secondary>PHP</secondary>
+	</indexterm>
+
+	<para><firstterm>PHP: Hypertext Preprocessor</firstterm>
+	  (<acronym>PHP</acronym>) is a general-purpose scripting
+	  language that is especially suited for web development.
+	  Capable of being embedded into <acronym>HTML</acronym>, its
+	  syntax draws upon <application>C</application>, &java;, and
+	  <application>Perl</application> with the intention of
+	  allowing web developers to write dynamically generated
+	  webpages quickly.</para>
 
 	<para>To gain support for <acronym>PHP</acronym>5 for the
-	  <application>Apache</application> web server, begin by
-	  installing the
-	  <package>www/mod_php5</package>
-	  port.</para>
-
-	<para>This will install and configure the modules required
-          to support dynamic <acronym>PHP</acronym> applications.  Check
-          to ensure the following lines have been added to
-	  <filename>/usr/local/etc/apache/httpd.conf</filename>:</para>
+	  <application>Apache</application> web server, install the
+	  <package>www/mod_php5</package> package or port.  This will
+	  install and configure the modules required to support
+	  dynamic <acronym>PHP</acronym> applications.  The
+	  installation will automatically add this line to
+	  <filename>/usr/local/etc/apache2<replaceable>4</replaceable>/httpd.conf</filename>:</para>
+
+	<programlisting>LoadModule php5_module        libexec/apache24/libphp5.so</programlisting>
 
-	<programlisting>LoadModule php5_module        libexec/apache/libphp5.so
+<!--
+I don't think this is still needed
 AddModule mod_php5.c
     &lt;IfModule mod_php5.c&gt;
         DirectoryIndex index.php index.html
     &lt;/IfModule&gt;
-
     &lt;IfModule mod_php5.c&gt;
         AddType application/x-httpd-php .php
         AddType application/x-httpd-php-source .phps
     &lt;/IfModule&gt;</programlisting>
 
-          <para>Once completed, a simple call to the
-            <command>apachectl</command> command for a graceful
-            restart is needed to load the <acronym>PHP</acronym>
-            module:</para>
+    -->
+
+	<para>Then, perform a graceful restart to load the
+	  <acronym>PHP</acronym> module:</para>
 
 	<screen>&prompt.root; <userinput>apachectl graceful</userinput></screen>
 
-          <para>The <acronym>PHP</acronym> support in &os; is extremely
-            modular so the base install is very limited.  It is very easy
-            to add support using the
-            <package>lang/php5-extensions</package> port.
-            This port provides a menu driven interface to
-            <acronym>PHP</acronym> extension installation.
-            Alternatively, individual extensions can be installed using
-            the appropriate port.</para>
-
-	<para>For instance, to add support for the
-	  <application>MySQL</application> database server to
-	  <acronym>PHP</acronym>5, simply install the
-	  <package>databases/php5-mysql</package>
-	  port.</para>
-
-          <para>After installing an extension, the
-            <application>Apache</application> server must be reloaded to
-              pick up the new configuration changes.</para>
+	<para>The <acronym>PHP</acronym> support provided by
+	  <package>www/mod_php5</package> is limited.  Additional
+	  support can be installed using the
+	  <package>lang/php5-extensions</package> port which provides
+	  a menu driven interface to the available
+	  <acronym>PHP</acronym> extensions.</para>
+
+	<para>Alternatively, individual extensions can be installed
+	  using the appropriate port.  For instance, to add
+	  <acronym>PHP</acronym> support for the
+	  <application>MySQL</application> database server, install
+	  <filename>databases/php5-mysql</filename>.</para>
+
+	<para>After installing an extension, the
+	  <application>Apache</application> server must be reloaded to
+	  pick up the new configuration changes:</para>
 
 	<screen>&prompt.root; <userinput>apachectl graceful</userinput></screen>
-        </sect4>
       </sect3>
     </sect2>
-  </sect1>
 
-  <sect1 xml:id="network-ftp">
-    <info><title>File Transfer Protocol (FTP)</title>
-      <authorgroup>
-	<author><personname><firstname>Murray</firstname><surname>Stokely</surname></personname><contrib>Contributed by </contrib></author>
-      </authorgroup>
-    </info>
-    
+    <sect2>
+      <title>Dynamic Websites</title>
+
+      <indexterm>
+	<primary>web servers</primary>
+	<secondary>dynamic</secondary>
+      </indexterm>
 
-    <indexterm><primary>FTP servers</primary></indexterm>
+      <para>In addition to <application>mod_perl</application> and
+	<application>mod_php</application>, other languages are
+	available for creating dynamic web content.  These include
+	<application>Django</application> and
+	<application>Ruby on Rails</application>.</para>
 
-    <sect2>
-      <title>Overview</title>
+      <sect3>
+	<title>Django</title>
 
-      <para>The File Transfer Protocol (FTP) provides users with a
-	simple way to transfer files to and from an <acronym role="File Transfer Protocol">FTP</acronym> server.  &os;
-	includes <acronym role="File Transfer Protocol">FTP</acronym>
-	server software, <application>ftpd</application>, in the base
-	system.  This makes setting up and administering an <acronym role="File Transfer Protocol">FTP</acronym> server on FreeBSD
-	very straightforward.</para>
+	<indexterm><primary>Python</primary></indexterm>
+	<indexterm><primary>Django</primary></indexterm>
+
+	<para><application>Django</application> is a BSD-licensed
+	  framework designed to allow developers to write high
+	  performance, elegant web applications quickly.  It provides
+	  an object-relational mapper so that data types are developed
+	  as <application>Python</application> objects.  A rich
+	  dynamic database-access <acronym>API</acronym> is provided
+	  for those objects without the developer ever having to write
+	  <acronym>SQL</acronym>.  It also provides an extensible
+	  template system so that the logic of the application is
+	  separated from the <acronym>HTML</acronym>
+	  presentation.</para>
+
+	<para>Django depends on <filename>mod_python</filename>, and
+	  an <acronym>SQL</acronym> database engine.  In &os;, the
+	  <package>www/py-django</package> port automatically installs
+	  <filename>mod_python</filename> and supports the
+	  <application>PostgreSQL</application>,
+	  <application>MySQL</application>, or
+	  <application>SQLite</application> databases, with the
+	  default being <application>SQLite</application>.  To change
+	  the database engine, type <command>make config</command>
+	  within <filename>/usr/ports/www/py-django</filename>, then
+	  install the port.</para>
+
+	<para>Once <application>Django</application> is installed, the
+	  application will need a project directory along with the
+	  <application>Apache</application> configuration in order to
+	  use the embedded <application>Python</application>
+	  interpreter.  This interpreter is used to call the
+	  application for specific <acronym>URL</acronym>s on the
+	  site.</para>
+
+	<para>To configure <application>Apache</application> to pass
+	  requests for certain <acronym>URL</acronym>s to the web
+	  application, add the following to
+	  <filename>httpd.conf</filename>, specifying the full path to
+	  the project directory:</para>
+
+	  <screen>&lt;Location "/"&gt;
+    SetHandler python-program
+    PythonPath "['<replaceable>/dir/to/the/django/packages/</replaceable>'] + sys.path"
+    PythonHandler django.core.handlers.modpython
+    SetEnv DJANGO_SETTINGS_MODULE mysite.settings
+    PythonAutoReload On
+    PythonDebug On
+&lt;/Location&gt;</screen>
+
+	<para>Refer to <uri
+	    xlink:href="https://docs.djangoproject.com/en/1.6/">https://docs.djangoproject.com/en/1.6/</uri>
+	  for more information on how to use
+	  <application>Django</application>.</para>
+      </sect3>
+
+      <sect3>
+	<title>Ruby on Rails</title>
+
+	<indexterm><primary>Ruby on Rails</primary></indexterm>
+
+	<para><application>Ruby on Rails</application> is another open
+	  source web framework that provides a full development stack.
+	  It is optimized to make web developers more productive and
+	  capable of writing powerful applications quickly.  On &os;,
+	  it can be installed using the
+	  <package>www/rubygem-rails</package> package or port.</para>
+
+	<para>Refer to <uri
+	    xlink:href="http://rubyonrails.org/documentation">http://rubyonrails.org/documentation</uri>
+	  for more information on how to use <application>Ruby on
+	    Rails</application>.</para>
+      </sect3>
     </sect2>
+  </sect1>
+
+  <sect1 xml:id="network-ftp">
+    <!--
+    <sect1info>
+      <authorgroup>
+	<author>
+	  <firstname>Murray</firstname>
+	  <surname>Stokely</surname>
+	  <contrib>Contributed by </contrib>
+	</author>
+      </authorgroup>
+    </sect1info>
+    -->
+    <title>File Transfer Protocol (<acronym>FTP</acronym>)</title>
+
+    <indexterm><primary><acronym>FTP</acronym>
+	servers</primary></indexterm>
+
+    <para>The File Transfer Protocol (<acronym>FTP</acronym>) provides
+      users with a simple way to transfer files to and from an
+      <acronym>FTP</acronym> server.  &os; includes
+      <acronym>FTP</acronym> server software,
+      <application>ftpd</application>, in the base system.</para>
+
+    <para>&os; provides several configuration files for controlling
+      access to the <acronym>FTP</acronym> server.  This section
+      summarizes these files.  Refer to &man.ftpd.8; for more details
+      about the built-in <acronym>FTP</acronym> server.</para>
 
     <sect2>
       <title>Configuration</title>
 
       <para>The most important configuration step is deciding which
-	accounts will be allowed access to the FTP server.  A normal
-	FreeBSD system has a number of system accounts used for
-	various daemons, but unknown users should not be allowed to
-	log in with these accounts.  The
-	<filename>/etc/ftpusers</filename> file is a list of users
-	disallowed any FTP access.  By default, it includes the
-	aforementioned system accounts, but it is possible to add
-	specific users here that should not be allowed access to
-	FTP.</para>
-
-      <para>You may want to restrict the access of some users without
-	preventing them completely from using FTP.  This can be
-	accomplished with the <filename>/etc/ftpchroot</filename>
-	file.  This file lists users and groups subject to FTP access
-	restrictions.  The &man.ftpchroot.5; manual page has all of
-	the details so it will not be described in detail here.</para>
+	accounts will be allowed access to the <acronym>FTP</acronym>
+	server.  A &os; system has a number of system accounts which
+	should not be allowed <acronym>FTP</acronym> access.  The list
+	of users disallowed any <acronym>FTP</acronym> access can be
+	found in <filename>/etc/ftpusers</filename>.  By default, it
+	includes system accounts.  Additional users that should not be
+	allowed access to <acronym>FTP</acronym> can be added.</para>
+
+      <para>In some cases it may be desirable to restrict the access
+	of some users without preventing them completely from using
+	<acronym>FTP</acronym>.  This can be accomplished be creating
+	<filename>/etc/ftpchroot</filename> as described in
+	&man.ftpchroot.5;.  This file lists users and groups subject
+	to <acronym>FTP</acronym> access restrictions.</para>
 
       <indexterm>
-	<primary>FTP</primary>
+	<primary><acronym>FTP</acronym></primary>
 	<secondary>anonymous</secondary>
       </indexterm>
 
-      <para>If you would like to enable anonymous FTP access to your
-	server, then you must create a user named
-	<systemitem class="username">ftp</systemitem> on your &os; system.  Users will then
-	be able to log on to your FTP server with a username of
-	<systemitem class="username">ftp</systemitem> or <systemitem class="username">anonymous</systemitem> and
-	with any password (by convention an email address for the user
-	should be used as the password).  The FTP server will call
-	&man.chroot.2; when an anonymous user logs in, to restrict
-	access to only the home directory of the
-	<systemitem class="username">ftp</systemitem> user.</para>
-
-      <para>There are two text files that specify welcome messages to
-	be displayed to FTP clients.  The contents of the file
+      <para>To enable anonymous <acronym>FTP</acronym> access to the
+	server, create a user named <systemitem
+	  class="username">ftp</systemitem> on the &os; system.  Users
+	will then be able to log on to the
+	<acronym>FTP</acronym> server with a username of
+	<systemitem class="username">ftp</systemitem> or <systemitem
+	  class="username">anonymous</systemitem>.  When prompted for
+	the password, any input will be accepted, but by convention,
+	an email address should be used as the password.  The
+	<acronym>FTP</acronym> server will call &man.chroot.2; when an
+	anonymous user logs in, to restrict access to only the home
+	directory of the <systemitem
+	  class="username">ftp</systemitem> user.</para>
+
+      <para>There are two text files that can be created to specify
+	welcome messages to be displayed to <acronym>FTP</acronym>
+	clients.  The contents of
 	<filename>/etc/ftpwelcome</filename> will be displayed to
 	users before they reach the login prompt.  After a successful
-	login, the contents of the file
+	login, the contents of
 	<filename>/etc/ftpmotd</filename> will be displayed.  Note
-	that the path to this file is relative to the login environment, so the
-	file <filename>~ftp/etc/ftpmotd</filename> would be displayed
-	for anonymous users.</para>
-
-      <para>Once the FTP server has been configured properly, it must
-        be enabled in <filename>/etc/inetd.conf</filename>.  All that
-        is required here is to remove the comment symbol
-        <quote>#</quote> from in front of the existing
-        <application>ftpd</application> line :</para>
-
-      <programlisting>ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l</programlisting>
-
-      <para>As explained in <xref linkend="network-inetd-hangup"/>, a
-        HangUP Signal must be sent to <application>inetd</application>
-        after this configuration file is changed.</para>
+	that the path to this file is relative to the login
+	environment, so the contents of
+	<filename>~ftp/etc/ftpmotd</filename> would be displayed for
+	anonymous users.</para>
 
-      <para>You can now log on to your FTP server by typing:</para>
+      <para>Once the <acronym>FTP</acronym> server has been
+	configured, set the appropriate variable in
+	<filename>/etc/rc.conf</filename> to start the service during
+	boot:</para>
 
-      <screen>&prompt.user; <userinput>ftp localhost</userinput></screen>
+      <programlisting>ftpd_enable="YES"</programlisting>
 
-    </sect2>
+      <para>To start the service now:</para>
 
-    <sect2>
-      <title>Maintaining</title>
+      <screen>&prompt.root; <userinput>service ftpd start</userinput></screen>
+
+      <para>Test the connection to the <acronym>FTP</acronym> server
+	by typing:</para>
+
+      <screen>&prompt.user; <userinput>ftp localhost</userinput></screen>
 
       <indexterm><primary>syslog</primary></indexterm>
       <indexterm><primary>log files</primary>
-	<secondary>FTP</secondary></indexterm>
+	<secondary><acronym>FTP</acronym></secondary></indexterm>
 
       <para>The <application>ftpd</application> daemon uses
-        &man.syslog.3; to log messages.  By default, the system log
-        daemon will put messages related to FTP in the
-        <filename>/var/log/xferlog</filename> file.  The location of
-        the FTP log can be modified by changing the following line in
-        <filename>/etc/syslog.conf</filename>:</para>
+	&man.syslog.3; to log messages.  By default, the system log
+	daemon will write messages related to <acronym>FTP</acronym>
+	in <filename>/var/log/xferlog</filename>.  The location of
+	the <acronym>FTP</acronym> log can be modified by changing the
+	following line in
+	<filename>/etc/syslog.conf</filename>:</para>
 
       <programlisting>ftp.info      /var/log/xferlog</programlisting>
 
       <indexterm>
-	<primary>FTP</primary>
+	<primary><acronym>FTP</acronym></primary>
 	<secondary>anonymous</secondary>
       </indexterm>
 
-      <para>Be aware of the potential problems involved with running
-        an anonymous FTP server.  In particular, you should think
-        twice about allowing anonymous users to upload files.  You may
-        find that your FTP site becomes a forum for the trade of
-        unlicensed commercial software or worse.  If you do need to
-        allow anonymous FTP uploads, then you should set up the
-        permissions so that these files can not be read by other
-        anonymous users until they have been reviewed.</para>
-
+      <note>
+	<para>Be aware of the potential problems involved with running
+	  an anonymous <acronym>FTP</acronym> server.  In particular,
+	  think twice about allowing anonymous users to upload files.
+	  It may turn out that the <acronym>FTP</acronym> site becomes
+	  a forum for the trade of unlicensed commercial software or
+	  worse.  If anonymous <acronym>FTP</acronym> uploads are
+	  required, then verify the permissions so that these files
+	  can not be read by other anonymous users until they have
+	  been reviewed by an administrator.</para>
+      </note>
     </sect2>
   </sect1>
 
   <sect1 xml:id="network-samba">
-    <info><title>File and Print Services for &microsoft.windows; clients (Samba)</title>
+    <!--
+    <sect1info>
       <authorgroup>
-	<author><personname><firstname>Murray</firstname><surname>Stokely</surname></personname><contrib>Contributed by </contrib></author>
+	<author>
+	  <firstname>Murray</firstname>
+	  <surname>Stokely</surname>
+	  <contrib>Contributed by </contrib>
+	</author>
       </authorgroup>
-    </info>
-    
+    </sect1info>
+    -->
+    <title>File and Print Services for &microsoft.windows; Clients
+      (Samba)</title>
 
     <indexterm><primary>Samba server</primary></indexterm>
     <indexterm><primary>Microsoft Windows</primary></indexterm>
@@ -4618,70 +5025,87 @@
       <secondary>Windows clients</secondary>
     </indexterm>
 
-    <sect2>
-      <title>Overview</title>
-
-      <para><application>Samba</application> is a popular open source
-        software package that provides file and print services for
-        &microsoft.windows; clients.  Such clients can connect to and
-        use FreeBSD filespace as if it was a local disk drive, or
-        FreeBSD printers as if they were local printers.</para>
-
-      <para><application>Samba</application> software packages should
-        be included on your FreeBSD installation media.  If you did
-        not install <application>Samba</application> when you first
-        installed FreeBSD, then you can install it from the <package>net/samba3</package> port or package.</para>
+    <para><application>Samba</application> is a popular open source
+      software package that provides file and print services using the
+      <acronym>SMB/CIFS</acronym> protocol.  This protocol is built
+      into &microsoft.windows; systems.  It can be added to
+      non-&microsoft.windows; systems by installing the
+      <application>Samba</application> client libraries.  The protocol
+      allows clients to access shared data and printers.  These shares
+      can be mapped as a local disk drive and shared printers can be
+      used as if they were local printers.</para>
+
+    <para>On &os;, the <application>Samba</application> client
+      libraries can be installed using the
+      <package>net/samba-smbclient</package> port or package.  The
+      client provides the ability for a &os; system to access
+      <acronym>SMB/CIFS</acronym> shares in a &microsoft.windows;
+      network.</para>
+
+    <para>A &os; system can also be configured to act as a
+      <application>Samba</application> server.  This allows the
+      administrator to create <acronym>SMB/CIFS</acronym> shares on
+      the &os; system which can be accessed by clients running
+      &microsoft.windows; or the <application>Samba</application>
+      client libraries.  In order to configure a
+      <application>Samba</application> server on &os;, the
+      <package>net/samba36</package> port or package must first be
+      installed.  The rest of this section provides an overview of how
+      to configure a <application>Samba</application> server on
+      &os;.</para>
 
 <!-- mention LDAP, Active Directory, WinBIND, ACL, Quotas, PAM, .. -->
 
-    </sect2>
-
     <sect2>
       <title>Configuration</title>
 
       <para>A default <application>Samba</application> configuration
-        file is installed as
-        <filename>/usr/local/etc/smb.conf.default</filename>.  This
-        file must be copied to
-        <filename>/usr/local/etc/smb.conf</filename> and customized
-        before <application>Samba</application> can be used.</para>
-
-      <para>The <filename>smb.conf</filename> file contains runtime
-        configuration information for
-        <application>Samba</application>, such as definitions of the
-        printers and <quote>file system shares</quote> that you would
-        like to share with &windows; clients.  The
-        <application>Samba</application> package includes a web based
-        tool called <application>swat</application> which provides a
-        simple way of configuring the <filename>smb.conf</filename>
-        file.</para>
+	file is installed as
+	<filename>/usr/local/share/examples/samba36/smb.conf.default</filename>.
+	This file must be copied to
+	<filename>/usr/local/etc/smb.conf</filename> and customized
+	before <application>Samba</application> can be used.</para>
+
+      <para>Runtime configuration information for
+	<application>Samba</application> is found in
+	<filename>smb.conf</filename>, such as definitions of the
+	printers and <quote>file system shares</quote> that will
+	be shared with &windows; clients.  The
+	<application>Samba</application> package includes a web based
+	tool called <application>swat</application> which provides a
+	simple way for configuring
+	<filename>smb.conf</filename>.</para>
 
       <sect3>
 	<title>Using the Samba Web Administration Tool (SWAT)</title>
 
 	<para>The Samba Web Administration Tool (SWAT) runs as a
-	  daemon from <application>inetd</application>.  Therefore, the
-	  following line in <filename>/etc/inetd.conf</filename>
-	  should be uncommented before <application>swat</application> can be
-	  used to configure <application>Samba</application>:</para>
-
-	<programlisting>swat   stream  tcp     nowait/400      root    /usr/local/sbin/swat</programlisting>
-        <para>As explained in <xref linkend="network-inetd-hangup"/>, a
-          HangUP Signal must be sent to
-          <application>inetd</application> after this configuration
-          file is changed.</para>
-
-	<para>Once <application>swat</application> has been enabled in
-	  <filename>inetd.conf</filename>, you can use a browser to
-	  connect to <uri xlink:href="http://localhost:901">http://localhost:901</uri>.  You will
-	  first have to log on with the system <systemitem class="username">root</systemitem> account.</para>
-
-<!-- XXX screenshots go here, loader is creating them -->
-
-	<para>Once you have successfully logged on to the main
-	  <application>Samba</application> configuration page, you can
-	  browse the system documentation, or begin by clicking on the
-	  <guimenu>Globals</guimenu> tab.  The <guimenu>Globals</guimenu> section corresponds to the
+	  daemon from <application>inetd</application>.  Therefore,
+	  <application>inetd</application> must be enabled as shown in
+	  <xref linkend="network-inetd"/>.  To enable
+	  <application>swat</application>, uncomment the following
+	  line in <filename>/etc/inetd.conf</filename>:</para>
+
+	<programlisting>swat   stream  tcp     nowait/400      root    /usr/local/sbin/swat    swat</programlisting>
+
+	<para>As explained in <xref linkend="network-inetd-reread"/>,
+	  the <application>inetd</application> configuration must be
+	  reloaded after this configuration file is changed.</para>
+
+	<para>Once <application>swat</application> has been enabled,
+	  use a web browser to connect to <uri
+	    xlink:href="http://localhost:901">http://localhost:901</uri>.
+	  At first login, enter the credentials for <systemitem
+	    class="username">root</systemitem>.</para>
+
+<!-- XXX screenshots go here, loader is creating them
+     XXXTR: I'll believe it when I see it.  -->
+
+	<para>Once logged in, the main
+	  <application>Samba</application> configuration page and the
+	  system documentation will be available.  Begin configuration
+	  by clicking on the <guimenu>Globals</guimenu> tab.  The
+	  <guimenu>Globals</guimenu> section corresponds to the
 	  variables that are set in the <literal>[global]</literal>
 	  section of
 	  <filename>/usr/local/etc/smb.conf</filename>.</para>
@@ -4690,19 +5114,18 @@
       <sect3>
 	<title>Global Settings</title>
 
-	<para>Whether you are using <application>swat</application> or
-	  editing <filename>/usr/local/etc/smb.conf</filename>
-	  directly, the first directives you are likely to encounter
-	  when configuring <application>Samba</application>
-	  are:</para>
+	<para>Whether <application>swat</application> is used or
+	  <filename>/usr/local/etc/smb.conf</filename> is edited
+	  directly, the first directives encountered when configuring
+	  <application>Samba</application> are:</para>
 
-        <variablelist>
+	<variablelist>
 	  <varlistentry>
 	    <term><literal>workgroup</literal></term>
 
 	    <listitem>
-	      <para>NT Domain-Name or Workgroup-Name for the computers
-	        that will be accessing this server.</para>
+	      <para>The domain name or workgroup name for the
+		computers that will be accessing this server.</para>
 	    </listitem>
 	  </varlistentry>
 
@@ -4710,11 +5133,10 @@
 	    <term><literal>netbios name</literal></term>
 
 	    <listitem>
-	      <indexterm><primary>NetBIOS</primary></indexterm>
-
-	      <para>This sets the NetBIOS name by which a <application>Samba</application> server
-		is known. By default it is the same as the first
-		component of the host's DNS name.</para>
+	      <para>The NetBIOS name by which a
+		<application>Samba</application> server is known.  By
+		default it is the same as the first component of the
+		host's <acronym>DNS</acronym> name.</para>
 	    </listitem>
 	  </varlistentry>
 
@@ -4722,13 +5144,13 @@
 	    <term><literal>server string</literal></term>
 
 	    <listitem>
-	      <para>This sets the string that will be displayed with
-		the <command>net view</command> command and some other
+	      <para>The string that will be displayed in the output of
+		<command>net view</command> and some other
 		networking tools that seek to display descriptive text
 		about the server.</para>
 	    </listitem>
 	  </varlistentry>
-        </variablelist>
+	</variablelist>
       </sect3>
 
       <sect3>
@@ -4736,29 +5158,29 @@
 
 	<para>Two of the most important settings in
 	  <filename>/usr/local/etc/smb.conf</filename> are the
-	  security model chosen, and the backend password format for
-	  client users.  The following directives control these
+	  security model and the backend password format for client
+	  users.  The following directives control these
 	  options:</para>
 
-        <variablelist>
+	<variablelist>
 	  <varlistentry>
 	    <term><literal>security</literal></term>
 
 	    <listitem>
-	      <para>The two most common options here are
-	        <literal>security = share</literal> and <literal>security
-	        = user</literal>.  If your clients use usernames that
-	        are the same as their usernames on your &os; machine
-	        then you will want to use user level security.  This
-	        is the default security policy and it requires clients
-	        to first log on before they can access shared
-	        resources.</para>
-
-	      <para>In share level security, client do not need to log
-	        onto the server with a valid username and password
-	        before attempting to connect to a shared resource.
-	        This was the default security model for older versions
-	        of <application>Samba</application>.</para>
+	      <para>The two most common options are
+		<literal>security = share</literal> and
+		<literal>security = user</literal>.  If the clients
+		use usernames that are the same as their usernames on
+		the &os; machine, user level security should be
+		used.  This is the default security policy and it
+		requires clients to first log on before they can
+		access shared resources.</para>
+
+	      <para>In share level security, clients do not need to
+		log onto the server with a valid username and password
+		before attempting to connect to a shared resource.
+		This was the default security model for older versions
+		of <application>Samba</application>.</para>
 	    </listitem>
 	  </varlistentry>
 
@@ -4766,279 +5188,247 @@
 	    <term><literal>passdb backend</literal></term>
 
 	    <listitem>
+	      <indexterm><primary>NIS+</primary></indexterm>
+	      <indexterm><primary>LDAP</primary></indexterm>
+	      <indexterm><primary>SQL database</primary></indexterm>
+
 	      <para><application>Samba</application> has several
-	        different backend authentication models.  You can
-	        authenticate clients with LDAP<indexterm><primary>LDAP</primary></indexterm>,
-		NIS+<indexterm><primary>NIS+</primary></indexterm>, a SQL database<indexterm><primary>SQL database</primary></indexterm>,
-	        or a modified password file.  The default
-	        authentication method is <literal>smbpasswd</literal>,
-	        and that is all that will be covered here.</para>
+		different backend authentication models.  Clients may
+		be authenticated with LDAP, NIS+, an SQL database,
+		or a modified password file.  The default
+		authentication method is <literal>smbpasswd</literal>,
+		and that is all that will be covered here.</para>
 	    </listitem>
 	  </varlistentry>
 	</variablelist>
 
 	<para>Assuming that the default <literal>smbpasswd</literal>
-	  backend is used, the
-	  <filename>/usr/local/private/smbpasswd</filename> file must
-	  be created to allow <application>Samba</application> to
-	  authenticate clients.  If you would like to give all of
-	  your &unix; user accounts access from &windows; clients, use the
-	  following command:</para>
-
-	<screen>&prompt.root; <userinput>grep -v "^#" /etc/passwd | make_smbpasswd &gt; /usr/local/private/smbpasswd</userinput>
-&prompt.root; <userinput>chmod 600 /usr/local/private/smbpasswd</userinput></screen>
-
-	<para>Please see the <application>Samba</application>
-	  documentation for additional information about configuration
-	  options.  With the basics outlined here, you should have
-	  everything you need to start running
-	  <application>Samba</application>.</para>
+	  backend is used,
+	  <filename>/usr/local/etc/samba/smbpasswd</filename>
+	  must be created to allow <application>Samba</application> to
+	  authenticate clients.  To provide &unix; user accounts
+	  access from &windows; clients, use the following command to
+	  add each required user to that file:</para>
+
+	<screen>&prompt.root; <userinput>smbpasswd -a <replaceable>username</replaceable></userinput></screen>
+
+	<note>
+	  <para>The recommended backend is now
+	    <literal>tdbsam</literal>.  If this backend is selected,
+	    use the following command to add user accounts:</para>
+
+	  <screen>&prompt.root; <userinput>pdbedit -a -u <replaceable>username</replaceable></userinput></screen>
+	</note>
+
+	<para>This section has only mentioned the most commonly used
+	  settings.  Refer to the <link
+	    xlink:href="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/">Official
+	    Samba HOWTO</link> for additional information about the
+	  available configuration options.</para>
       </sect3>
-
     </sect2>
+
     <sect2>
       <title>Starting <application>Samba</application></title>
 
-      <para>To enable <application>Samba</application> when your
-        system boots, add the following line to
-        <filename>/etc/rc.conf</filename>:</para>
+      <para>To enable <application>Samba</application> at boot time,
+	add the following line to
+	<filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>samba_enable="YES"</programlisting>
 
-      <para>You can then start <application>Samba</application> at any
-        time by typing:</para>
+      <para>Alternately, its services can be started
+	separately:</para>
+
+      <programlisting>nmbd_enable="YES"</programlisting>
 
-      <screen>&prompt.root; <userinput>/usr/local/etc/rc.d/samba.sh start</userinput>
+      <programlisting>smbd_enable="YES"</programlisting>
+
+      <para>To start <application>Samba</application> now:</para>
+
+      <screen>&prompt.root; <userinput>service samba start</userinput>
 Starting SAMBA: removing stale tdbs :
 Starting nmbd.
 Starting smbd.</screen>
 
-      <para><application>Samba</application> actually consists of
-        three separate daemons.  You should see that both the
-        <application>nmbd</application> and <application>smbd</application> daemons
-        are started by the <filename>samba.sh</filename> script.  If
-        you enabled winbind name resolution services in
-        <filename>smb.conf</filename>, then you will also see that
-        the <application>winbindd</application> daemon is started.</para>
+      <para><application>Samba</application> consists of three
+	separate daemons.  Both the <application>nmbd</application>
+	and <application>smbd</application> daemons are started by
+	<varname>samba_enable</varname>.  If winbind name resolution
+	services are enabled in <filename>smb.conf</filename>, the
+	<application>winbindd</application> daemon is started as
+	well.</para>
 
-      <para>You can stop <application>Samba</application> at any time
-        by typing :</para>
+      <para><application>Samba</application> may be stopped at any
+	time by typing:</para>
 
-      <screen>&prompt.root; <userinput>/usr/local/etc/rc.d/samba.sh stop</userinput></screen>
+      <screen>&prompt.root; <userinput>service samba stop</userinput></screen>
 
       <para><application>Samba</application> is a complex software
-        suite with functionality that allows broad integration with
-        &microsoft.windows; networks.  For more information about
-        functionality beyond the basic installation described here,
-        please see <uri xlink:href="http://www.samba.org">http://www.samba.org</uri>.</para>
+	suite with functionality that allows broad integration with
+	&microsoft.windows; networks.  For more information about
+	functionality beyond the basic configuration described here,
+	refer to <uri
+	  xlink:href="http://www.samba.org">http://www.samba.org</uri>.</para>
     </sect2>
-
   </sect1>
 
   <sect1 xml:id="network-ntp">
-    <info><title>Clock Synchronization with NTP</title>
+    <!--
+    <sect1info>
       <authorgroup>
-	<author><personname><firstname>Tom</firstname><surname>Hukins</surname></personname><contrib>Contributed by </contrib></author>
+	<author>
+	  <firstname>Tom</firstname>
+	  <surname>Hukins</surname>
+	  <contrib>Contributed by </contrib>
+	</author>
       </authorgroup>
-    </info>
-    
-
-    <indexterm><primary>NTP</primary></indexterm>
-
-    <sect2>
-      <title>Overview</title>
-
-      <para>Over time, a computer's clock is prone to drift.  The
-	Network Time Protocol (NTP) is one way to ensure your clock stays
-	accurate.</para>
-
-      <para>Many Internet services rely on, or greatly benefit from,
-	computers' clocks being accurate.  For example, a web server
-	may receive requests to send a file if it has been modified since a
-	certain time.  In a local area network environment, it is
-	essential that computers sharing files from the same file
-	server have synchronized clocks so that file timestamps stay
-	consistent.  Services such as &man.cron.8; also rely on
-	an accurate system clock to run commands at the specified
-	times.</para>
-
-      <indexterm>
-	<primary>NTP</primary>
-	<secondary>ntpd</secondary>
-      </indexterm>
-      <para>FreeBSD ships with the &man.ntpd.8; <acronym role="Network  Time Protocol">NTP</acronym> server which can be used to query
-	other <acronym role="Network Time Protocol">NTP</acronym>
-	servers to set the clock on your machine or provide time
-	services to others.</para>
-    </sect2>
+    </sect1info>
+    -->
+    <title>Clock Synchronization with NTP</title>
 
-    <sect2>
-      <title>Choosing Appropriate NTP Servers</title>
-
-      <indexterm>
-	<primary>NTP</primary>
-	<secondary>choosing servers</secondary>
-      </indexterm>
+    <indexterm><primary>NTP</primary>
+      <secondary>ntpd</secondary>
+    </indexterm>
 
-      <para>In order to synchronize your clock, you will need to find
-	one or more <acronym role="Network Time  Protocol">NTP</acronym> servers to use.  Your network
-	administrator or ISP may have set up an NTP server for this
-	purpose&mdash;check their documentation to see if this is the
-	case.  There is an <link xlink:href="http://ntp.isc.org/bin/view/Servers/WebHome">online
-	list of publicly accessible NTP servers</link> which you can
-	use to find an NTP server near to you.  Make sure you are
-	aware of the policy for any servers you choose, and ask for
-	permission if required.</para>
-
-      <para>Choosing several unconnected NTP servers is a good idea in
-	case one of the servers you are using becomes unreachable or
-	its clock is unreliable.  &man.ntpd.8; uses the responses it
-	receives from other servers intelligently&mdash;it will favor
-	unreliable servers less than reliable ones.</para>
-    </sect2>
+    <para>Over time, a computer's clock is prone to drift.   This is
+      problematic as many network services require the computers on a
+      network to share the same accurate time.  Accurate time is also
+      needed to ensure that file timestamps stay consistent.  The
+      Network Time Protocol (<acronym>NTP</acronym>) is one way to
+      provide clock accuracy in a network.</para>
+
+    <para>&os; includes &man.ntpd.8; which can be configured to query
+      other <acronym>NTP</acronym> servers in order to synchronize the
+      clock on that machine or to provide time services to other
+      computers in the network.  The servers which are queried can be
+      local to the network or provided by an <acronym>ISP</acronym>.
+      In addition, an <link
+	xlink:href="http://support.ntp.org/bin/view/Servers/WebHome">online
+	list of publicly accessible <acronym>NTP</acronym>
+      servers</link> is available.  When choosing a public
+      <acronym>NTP</acronym> server, select one that is geographically
+      close and review its usage policy.</para>
+
+    <para>Choosing several <acronym>NTP</acronym> servers is
+      recommended in case one of the servers becomes unreachable or
+      its clock proves unreliable.  As <application>ntpd</application>
+      receives responses, it favors reliable servers over the less
+      reliable ones.</para>
+
+    <para>This section describes how to configure
+      <application>ntpd</application> on &os;.  Further documentation
+      can be found in <filename>/usr/share/doc/ntp/</filename> in HTML
+      format.</para>
 
     <sect2>
-      <title>Configuring Your Machine</title>
+      <title><acronym>NTP</acronym> Configuration</title>
 
-      <indexterm>
-	<primary>NTP</primary>
-	<secondary>configuration</secondary>
+      <indexterm><primary>NTP</primary>
+	<secondary>ntp.conf</secondary>
       </indexterm>
 
-      <sect3>
-	<title>Basic Configuration</title>
-	<indexterm><primary>ntpdate</primary></indexterm>
-
-	<para>If you only wish to synchronize your clock when the
-	  machine boots up, you can use &man.ntpdate.8;.  This may be
-	  appropriate for some desktop machines which are frequently
-	  rebooted and only require infrequent synchronization, but
-	  most machines should run &man.ntpd.8;.</para>
-
-	<para>Using &man.ntpdate.8; at boot time is also a good idea
-	  for machines that run &man.ntpd.8;.  The &man.ntpd.8;
-	  program changes the clock gradually, whereas &man.ntpdate.8;
-	  sets the clock, no matter how great the difference between a
-	  machine's current clock setting and the correct time.</para>
-
-	<para>To enable &man.ntpdate.8; at boot time, add
-	  <literal>ntpdate_enable="YES"</literal> to
-	  <filename>/etc/rc.conf</filename>.  You will also need to
-	  specify all servers you wish to synchronize with and any
-	  flags to be passed to &man.ntpdate.8; in
-	  <varname>ntpdate_flags</varname>.</para>
-      </sect3>
-
-      <sect3>
-	<title>General Configuration</title>
-
-	<indexterm>
-	  <primary>NTP</primary>
-	  <secondary>ntp.conf</secondary>
-	</indexterm>
+      <para>On &os;, the built-in <application>ntpd</application> can
+	be used to synchronize a system's clock.  To enable
+	<application>ntpd</application> at boot time, add
+	<literal>ntpd_enable="YES"</literal> to
+	<filename>/etc/rc.conf</filename>.  Additional variables can
+	be specified in <filename>/etc/rc.conf</filename>.  Refer to
+	&man.rc.conf.5; and &man.ntpd.8; for
+	details.</para>
+
+      <para>This application reads <filename>/etc/ntp.conf</filename>
+	to determine which <acronym>NTP</acronym> servers to query.
+	Here is a simple example of an
+	<filename>/etc/ntp.conf</filename>:</para>
 
-	<para>NTP is configured by the
-	  <filename>/etc/ntp.conf</filename> file in the format
-	  described in &man.ntp.conf.5;.  Here is a simple
-	  example:</para>
+      <example>
+	<title> Sample <filename>/etc/ntp.conf</filename></title>
 
 	<programlisting>server ntplocal.example.com prefer
 server timeserver.example.org
 server ntp2a.example.net
 
 driftfile /var/db/ntp.drift</programlisting>
+      </example>
 
-	<para>The <literal>server</literal> option specifies which
-	  servers are to be used, with one server listed on each line.
-	  If a server is specified with the <literal>prefer</literal>
-	  argument, as with <systemitem class="fqdomainname">ntplocal.example.com</systemitem>, that server is
-	  preferred over other servers.  A response from a preferred
-	  server will be discarded if it differs significantly from
-	  other servers' responses, otherwise it will be used without
-	  any consideration to other responses.  The
-	  <literal>prefer</literal> argument is normally used for NTP
-	  servers that are known to be highly accurate, such as those
-	  with special time monitoring hardware.</para>
-
-	<para>The <literal>driftfile</literal> option specifies which
-	  file is used to store the system clock's frequency offset.
-	  The &man.ntpd.8; program uses this to automatically
-	  compensate for the clock's natural drift, allowing it to
-	  maintain a reasonably correct setting even if it is cut off
-	  from all external time sources for a period of time.</para>
-
-	<para>The <literal>driftfile</literal> option specifies which
-	  file is used to store information about previous responses
-	  from the NTP servers you are using.  This file contains
-	  internal information for NTP.  It should not be modified by
-	  any other process.</para>
-      </sect3>
+      <para>The format of this file is described in &man.ntp.conf.5;.
+	The <literal>server</literal> option specifies which servers
+	to query, with one server listed on each line.  If a server
+	entry includes <literal>prefer</literal>, that server is
+	preferred over other servers.  A response from a preferred
+	server will be discarded if it differs significantly from
+	other servers' responses; otherwise it will be used.  The
+	<literal>prefer</literal> argument should only be used for
+	<acronym>NTP</acronym> servers that are known to be highly
+	accurate, such as those with special time monitoring
+	hardware.</para>
+
+      <para>The <literal>driftfile</literal> entry specifies which
+	file is used to store the system clock's frequency offset.
+	<application>ntpd</application> uses this to automatically
+	compensate for the clock's natural drift, allowing it to
+	maintain a reasonably correct setting even if it is cut off
+	from all external time sources for a period of time.  This
+	file also stores information about previous responses
+	from <acronym>NTP</acronym> servers.  Since this file contains
+	internal information for <acronym>NTP</acronym>, it should not
+	be modified.</para>
+
+      <para>By default, an <acronym>NTP</acronym> server is accessible
+	to any network host.  The <literal>restrict</literal> option
+	in <filename>/etc/ntp.conf</filename> can be used to control
+	which systems can access the server.  For example, to deny all
+	machines from accessing the <acronym>NTP</acronym> server, add
+	the following line to
+	<filename>/etc/ntp.conf</filename>:</para>
 
-      <sect3>
-	<title>Controlling Access to Your Server</title>
+      <programlisting>restrict default ignore</programlisting>
 
-	<para>By default, your NTP server will be accessible to all
-	  hosts on the Internet.  The <literal>restrict</literal>
-	  option in <filename>/etc/ntp.conf</filename> allows you to
-	  control which machines can access your server.</para>
-
-	<para>If you want to deny all machines from accessing your NTP
-	  server, add the following line to
-	  <filename>/etc/ntp.conf</filename>:</para>
-
-        <programlisting>restrict default ignore</programlisting>
-
-        <para>If you only want to allow machines within your own
-	  network to synchronize their clocks with your server, but
-	  ensure they are not allowed to configure the server or used
-	  as peers to synchronize against, add</para>
-
-        <programlisting>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting>
-
-	<para>instead, where <systemitem class="ipaddress">192.168.1.0</systemitem> is
-	  an IP address on your network and <systemitem class="netmask">255.255.255.0</systemitem> is your network's
-	  netmask.</para>
-
-	<para><filename>/etc/ntp.conf</filename> can contain multiple
-	  <literal>restrict</literal> options.  For more details, see
-	  the <literal>Access Control Support</literal> subsection of
-	  &man.ntp.conf.5;.</para>
-      </sect3>
-    </sect2>
+      <note>
+	<para>This will also prevent access from other
+	  <acronym>NTP</acronym> servers.  If there is a need to
+	  synchronize with an external <acronym>NTP</acronym> server,
+	  allow only that specific server.  Refer to &man.ntp.conf.5;
+	  for more information.</para>
+      </note>
 
-    <sect2>
-      <title>Running the NTP Server</title>
+      <para>To allow machines within the network to synchronize their
+	clocks with the server, but ensure they are not allowed to
+	configure the server or be used as peers to synchronize
+	against, instead use:</para>
 
-      <para>To ensure the NTP server is started at boot time, add the
-	line <literal>ntpd_enable="YES"</literal> to
-	<filename>/etc/rc.conf</filename>.  If you wish to pass
-	additional flags to &man.ntpd.8;, edit the
-	<varname>ntpd_flags</varname> parameter in
-	<filename>/etc/rc.conf</filename>.</para>
-
-      <para>To start the server without rebooting your machine, run
-	<command>ntpd</command> being sure to specify any additional
-	parameters from <varname>ntpd_flags</varname> in
-	<filename>/etc/rc.conf</filename>.  For example:</para>
+      <programlisting>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting>
 
-      <screen>&prompt.root; <userinput>ntpd -p /var/run/ntpd.pid</userinput></screen>
+      <para>where <systemitem
+	  class="ipaddress">192.168.1.0</systemitem> is the local
+	network address and <systemitem
+	  class="netmask">255.255.255.0</systemitem> is the network's
+	subnet mask.</para>
 
-      <note>
-	<para>Under &os;&nbsp;4.X,
-	  you have to replace every instance of <literal>ntpd</literal>
-	  with <literal>xntpd</literal> in the options above.</para></note>
+      <para>Multiple <literal>restrict</literal> entries are
+	supported.  For more details, refer to the <literal>Access
+	  Control Support</literal> subsection of
+	&man.ntp.conf.5;.</para>
+
+      <para>Once <literal>ntpd_enable="YES"</literal> has been added
+	to <filename>/etc/rc.conf</filename>,
+	<application>ntpd</application> can be started now without
+	rebooting the system by typing:</para>
+
+      <screen>&prompt.root; <userinput>service ntpd start</userinput></screen>
     </sect2>
 
     <sect2>
-      <title>Using ntpd with a Temporary Internet
-	Connection</title>
+      <title>Using <acronym>NTP</acronym> with a
+	<acronym>PPP</acronym> Connection</title>
 
-      <para>The &man.ntpd.8; program does not need a permanent
+      <para><application>ntpd</application> does not need a permanent
 	connection to the Internet to function properly.  However, if
-	you have a temporary connection that is configured to dial out
-	on demand, it is a good idea to prevent NTP traffic from
-	triggering a dial out or keeping the connection alive.  If you
-	are using user PPP, you can use <literal>filter</literal>
+	a <acronym>PPP</acronym> connection is configured to dial out
+	on demand, <acronym>NTP</acronym> traffic should be prevented
+	from triggering a dial out or keeping the connection alive.
+	This can be configured with <literal>filter</literal>
 	directives in <filename>/etc/ppp/ppp.conf</filename>.  For
 	example:</para>
 
@@ -5051,23 +5441,349 @@
  # Prevent outgoing NTP traffic from keeping the connection open
  set filter alive 2 permit 0/0 0/0</programlisting>
 
-      <para>For more details see the <literal>PACKET
-	FILTERING</literal> section in &man.ppp.8; and the examples in
+      <para>For more details, refer to the
+	<literal>PACKET FILTERING</literal> section in &man.ppp.8; and
+	the examples in
 	<filename>/usr/share/examples/ppp/</filename>.</para>
 
       <note>
 	<para>Some Internet access providers block low-numbered ports,
-	  preventing NTP from functioning since replies never
-	  reach your machine.</para>
+	  preventing NTP from functioning since replies never reach
+	  the machine.</para>
       </note>
     </sect2>
+  </sect1>
 
-    <sect2>
-      <title>Further Information</title>
+  <sect1 xml:id="network-iscsi">
+    <!--
+    <sect1info>
+      <authorgroup>
+	<author>
+	  <firstname>Edward Tomasz</firstname>
+	  <surname>Napierala</surname>
+	</author>
+      </authorgroup>
+    </sect1info>
+          -->
+
+    <title><acronym>iSCSI</acronym> Initiator and Target
+      Configuration</title>
 
-      <para>Documentation for the NTP server can be found in
-	<filename>/usr/share/doc/ntp/</filename> in HTML
-	format.</para>
+    <para><acronym>iSCSI</acronym> is a way to share storage over a
+      network.  Unlike <acronym>NFS</acronym>, which works at the file
+      system level, <acronym>iSCSI</acronym> works at the block device
+      level.</para>
+
+    <para>In <acronym>iSCSI</acronym> terminology, the system that
+      shares the storage is known as the <emphasis>target</emphasis>.
+      The storage can be a physical disk, or an area representing
+      multiple disks or a portion of a physical disk.  For example, if
+      the disk(s) are formatted with <acronym>ZFS</acronym>, a zvol
+      can be created to use as the <acronym>iSCSI</acronym>
+      storage.</para>
+
+    <para>The clients which access the <acronym>iSCSI</acronym>
+      storage are called <emphasis>initiators</emphasis>.  To
+      initiators, the storage available through
+      <acronym>iSCSI</acronym> appears as a raw, unformatted disk
+      known as a <acronym>LUN</acronym>.  Device nodes for the disk
+      appear in <filename>/dev/</filename> and the device must be
+      separately formatted and mounted.</para>
+
+    <para>Beginning with 10.0-RELEASE, &os; provides a native,
+      kernel-based <acronym>iSCSI</acronym> target and initiator.
+      This section describes how to configure a &os; system as a
+      target or an initiator.</para>
+
+    <sect2 xml:id="network-iscsi-target">
+      <title>Configuring an <acronym>iSCSI</acronym> Target</title>
+
+      <note>
+	<para>The native <acronym>iSCSI</acronym> target is supported
+	  starting with &os; 10.0-RELEASE.  To use
+	  <acronym>iSCSI</acronym> in older versions of &os;, install
+	  a userspace target from the Ports Collection, such as
+	  <package>net/istgt</package>.  This chapter only describes
+	  the native target.</para>
+      </note>
+
+      <para>To configure an <acronym>iSCSI</acronym> target, create
+	the <filename>/etc/ctl.conf</filename> configuration file, add
+	a line to <filename>/etc/rc.conf</filename> to make sure the
+	&man.ctld.8; daemon is automatically started at boot, and then
+	start the daemon.</para>
+
+      <para>The following is an example of a simple
+	<filename>/etc/ctl.conf</filename> configuration file.  Refer
+	to &man.ctl.conf.5; for a more complete description of this
+	file's available options.</para>
+
+      <programlisting>portal-group pg0 {
+	discovery-auth-group no-authentication
+	listen 0.0.0.0
+	listen [::]
+}
+
+target iqn.2012-06.com.example:target0 {
+	auth-group no-authentication
+	portal-group pg0
+
+	lun 0 {
+		path /data/target0-0
+		size 4G
+	}
+}</programlisting>
+
+      <para>The first entry defines the <literal>pg0</literal> portal
+	group.  Portal groups define which network addresses the
+	&man.ctld.8; daemon will listen on.  The
+	<literal>discovery-auth-group no-authentication</literal>
+	entry indicates that any initiator is allowed to perform
+	<acronym>iSCSI</acronym> target discovery without
+	authentication.  Lines three and four configure &man.ctld.8;
+	to listen on all <acronym>IPv4</acronym>
+	(<literal>listen 0.0.0.0</literal>) and
+	<acronym>IPv6</acronym> (<literal>listen [::]</literal>)
+	addresses on the default port of 3260.</para>
+
+      <para>It is not necessary to define a portal group as there is a
+	built-in portal group called <literal>default</literal>.  In
+	this case, the difference between <literal>default</literal>
+	and <literal>pg0</literal> is that with
+	<literal>default</literal>, target discovery is always denied,
+	while with <literal>pg0</literal>, it is always
+	allowed.</para>
+
+      <para>The second entry defines a single target.  Target has two
+	possible meanings: a machine serving <acronym>iSCSI</acronym>
+	or a named group of <acronym>LUNs</acronym>.  This example
+	uses the latter meaning, where
+	<literal>iqn.2012-06.com.example:target0</literal> is the
+	target name.  This target name is suitable for testing
+	purposes.  For actual use, change
+	<literal>com.example</literal> to the real domain name,
+	reversed.  The <literal>2012-06</literal> represents the year
+	and month of acquiring control of that domain name, and
+	<literal>target0</literal> can be any value.  Any number of
+	targets can be defined in this configuration file.</para>
+
+      <para>The <literal>auth-group no-authentication</literal> line
+	allows all initiators to connect to the specified target and
+	<literal>portal-group pg0</literal> makes the target reachable
+	through the <literal>pg0</literal> portal group.</para>
+
+      <para>The next section defines the <acronym>LUN</acronym>.  To
+	the initiator, each <acronym>LUN</acronym> will be visible as
+	a separate disk device.  Multiple <acronym>LUNs</acronym> can
+	be defined for each target.  Each <acronym>LUN</acronym> is
+	identified by a number, where <acronym>LUN</acronym> 0 is
+	mandatory.  The <literal>path /data/target0-0</literal> line
+	defines the full path to a file or zvol backing the
+	<acronym>LUN</acronym>.  That path must exist before starting
+	&man.ctld.8;.  The second line is optional and specifies the
+	size of the <acronym>LUN</acronym>.</para>
+
+      <para>Next, to make sure the &man.ctld.8; daemon is started at
+	boot, add this line to
+	<filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>ctld_enable="YES"</programlisting>
+
+      <para>To start &man.ctld.8; now, run this command:</para>
+
+      <screen>&prompt.root; <userinput>service ctld start</userinput></screen>
+
+      <para>As the &man.ctld.8; daemon is started, it reads
+	<filename>/etc/ctl.conf</filename>.  If this file is edited
+	after the daemon starts, use this command so that the changes
+	take effect immediately:</para>
+
+      <screen>&prompt.root; <userinput>service ctld reload</userinput></screen>
+
+      <sect3>
+	<title>Authentication</title>
+
+	<para>The previous example is inherently insecure as it uses
+	  no authentication, granting anyone full access to all
+	  targets.  To require a username and password to access
+	  targets, modify the configuration as follows:</para>
+
+	<programlisting>auth-group ag0 {
+	chap username1 secretsecret
+	chap username2 anothersecret
+}
+
+portal-group pg0 {
+	discovery-auth-group no-authentication
+	listen 0.0.0.0
+	listen [::]
+}
+
+target iqn.2012-06.com.example:target0 {
+	auth-group ag0
+	portal-group pg0
+	lun 0 {
+		path /data/target0-0
+		size 4G
+	}
+}</programlisting>
+
+	<para>The <literal>auth-group</literal> section defines
+	  username and password pairs.  An initiator trying to connect
+	  to <literal>iqn.2012-06.com.example:target0</literal> must
+	  first specify a defined username and secret.  However,
+	  target discovery is still permitted without authentication.
+	  To require target discovery authentication, set
+	  <literal>discovery-auth-group</literal> to a defined
+	  <literal>auth-group</literal> name instead of
+	  <literal>no-authentication</literal>.</para>
+
+	<para>It is common to define a single exported target for
+	  every initiator.  As a shorthand for the syntax above, the
+	  username and password can be specified directly in the
+	  target entry:</para>
+
+	<programlisting>target iqn.2012-06.com.example:target0 {
+	portal-group pg0
+	chap username1 secretsecret
+
+	lun 0 {
+		path /data/target0-0
+		size 4G
+	}
+}</programlisting>
+      </sect3>
+    </sect2>
+
+    <sect2 xml:id="network-iscsi-initiator">
+      <title>Configuring an <acronym>iSCSI</acronym> Initiator</title>
+
+      <note>
+	<para>The <acronym>iSCSI</acronym> initiator described in this
+	  section is supported starting with &os; 10.0-RELEASE.  To
+	  use the <acronym>iSCSI</acronym> initiator available in
+	  older versions, refer to &man.iscontrol.8;.</para>
+      </note>
+
+      <para>The <acronym>iSCSI</acronym> initiator requires that the
+	&man.iscsid.8; daemon is running.  This daemon does not use a
+	configuration file.  To start it automatically at boot, add
+	this line to <filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>iscsid_enable="YES"</programlisting>
+
+      <para>To start &man.iscsid.8; now, run this command:</para>
+
+      <screen>&prompt.root; <userinput>service iscsid start</userinput></screen>
+
+      <para>Connecting to a target can be done with or without an
+	<filename>/etc/iscsi.conf</filename> configuration file.  This
+	section demonstrates both types of connections.</para>
+
+      <sect3>
+	<title>Connecting to a Target Without a Configuration
+	  File</title>
+
+	<para>To connect an initiator to a single target, specify the
+	  <acronym>IP</acronym> address of the portal and the name of
+	  the target:</para>
+
+	<screen>&prompt.root; <userinput>iscsictl -A -p <replaceable>10.10.10.10</replaceable> -t <replaceable>iqn.2012-06.com.example:target0</replaceable></userinput></screen>
+
+	<para>To verify if the connection succeeded, run
+	  <command>iscsictl</command> without any arguments.  The
+	  output should look similar to this:</para>
+
+	<programlisting>Target name                                     Target portal   State
+iqn.2012-06.com.example:target0                 10.10.10.10     Connected: da0</programlisting>
+
+	<para>In this example, the <acronym>iSCSI</acronym> session
+	  was successfully established, with
+	  <filename>/dev/da0</filename> representing the attached
+	  <acronym>LUN</acronym>.  If the
+	  <literal>iqn.2012-06.com.example:target0</literal> target
+	  exports more than one <acronym>LUN</acronym>, multiple
+	  device nodes will be shown in that section of the
+	  output:</para>
+
+	<screen>Connected: da0 da1 da2.</screen>
+
+	<para>Any errors will be reported in the output, as well as
+	  the system logs.  For example, this message usually means
+	  that the &man.iscsid.8; daemon is not running:</para>
+
+	<programlisting>Target name                                     Target portal   State
+iqn.2012-06.com.example:target0                 10.10.10.10     Waiting for iscsid(8)</programlisting>
+
+	<para>The following message suggests a networking problem,
+	  such as a wrong <acronym>IP</acronym> address or
+	  port:</para>
+
+	<programlisting>Target name                                     Target portal   State
+iqn.2012-06.com.example:target0                 10.10.10.11     Connection refused</programlisting>
+
+	<para>This message means that the specified target name is
+	  wrong:</para>
+
+	<programlisting>Target name                                     Target portal   State
+iqn.2012-06.com.example:atrget0                 10.10.10.10     Not found</programlisting>
+
+	<para>This message means that the target requires
+	  authentication:</para>
+
+	<programlisting>Target name                                     Target portal   State
+iqn.2012-06.com.example:target0                 10.10.10.10     Authentication failed</programlisting>
+
+	<para>To specify a <acronym>CHAP</acronym> username and
+	  secret, use this syntax:</para>
+
+	<screen>&prompt.root; <userinput>iscsictl -A -p <replaceable>10.10.10.10</replaceable> -t <replaceable>iqn.2012-06.com.example:target0</replaceable> -u <replaceable>user</replaceable> -s <replaceable>secretsecret</replaceable></userinput></screen>
+      </sect3>
+
+      <sect3>
+	<title>Connecting to a Target with a Configuration
+	  File</title>
+
+	<para>To connect using a configuration file, create
+	  <filename>/etc/iscsi.conf</filename> with contents like
+	  this:</para>
+
+	<programlisting>t0 {
+	TargetAddress   = 10.10.10.10
+	TargetName      = iqn.2012-06.com.example:target0
+	AuthMethod      = CHAP
+	chapIName       = user
+	chapSecret      = secretsecret
+}</programlisting>
+
+	<para>The <literal>t0</literal> specifies a nickname for the
+	  configuration file section.  It will be used by the
+	  initiator to specify which configuration to use.  The other
+	  lines specify the parameters to use during connection.  The
+	  <literal>TargetAddress</literal> and
+	  <literal>TargetName</literal> are mandatory, whereas the
+	  other options are optional.  In this example, the
+	  <acronym>CHAP</acronym> username and secret are
+	  shown.</para>
+
+	<para>To connect to the defined target, specify the
+	  nickname:</para>
+
+	<screen>&prompt.root; <userinput>iscsictl -An <replaceable>t0</replaceable></userinput></screen>
+
+	<para>Alternately, to connect to all targets defined in the
+	  configuration file, use:</para>
+
+	<screen>&prompt.root; <userinput>iscsictl -Aa</userinput></screen>
+
+	<para>To make the initiator automatically connect to all
+	  targets in <filename>/etc/iscsi.conf</filename>, add the
+	  following to <filename>/etc/rc.conf</filename>:</para>
+
+	<programlisting>iscsictl_enable="YES"
+iscsictl_flags="-Aa"</programlisting>
+
+      </sect3>
     </sect2>
   </sect1>
 
Index: zh_TW.UTF-8/books/handbook/ports/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/ports/chapter.xml
+++ zh_TW.UTF-8/books/handbook/ports/chapter.xml
@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      The FreeBSD Documentation Project
+     The FreeBSD Traditional Chinese Project
 
      $FreeBSD$
-     Original revision: 1.273
+     Original revision: r46064
 -->
 <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="ports">
   <title>軟體套件管理篇：Packages 及 Ports 機制</title>
@@ -300,6 +301,7 @@
     </itemizedlist>
   </sect1>
 
+    <!--
   <sect1 xml:id="packages-using">
     <info><title>使用 Packages 管理機制</title>
       <authorgroup>
@@ -500,227 +502,513 @@
       <para>以上面例子而言，將會移除所有以 <literal>xchat</literal>
 	開頭的軟體。</para>
     </sect2>
+  </sect1>
+    -->
 
-    <sect2>
-      <title>其他細節部份</title>
-      <para>所有已裝的 package 資訊都會存到 <filename>/var/db/pkg</filename>
-	目錄內，在該目錄下可以找到記載已裝的軟體檔案清單及該軟體簡介的檔案。
-      </para>
+  <sect1 xml:id="pkgng-intro">
+    <title>Using <application>pkg</application> for Binary Package
+      Management</title>
+
+    <para><application>pkg</application> is the next generation
+      replacement for the traditional &os; package management tools,
+      offering many features that make dealing with binary packages
+      faster and easier.</para>
+
+    <para><application>pkg</application> is not a replacement for
+      port management tools like
+      <package>ports-mgmt/portmaster</package> or
+      <package>ports-mgmt/portupgrade</package>.  These tools can be
+      used to install third-party software from both binary packages
+      and the Ports Collection, while
+      <application>pkg</application> installs only binary
+      packages.</para>
+
+    <sect2 xml:id="pkgng-initial-setup">
+      <title>Getting Started with
+	<application>pkg</application></title>
+
+      <para>&os;&nbsp;8.4 and later includes a bootstrap utility
+	which can be used to download and install
+	<application>pkg</application>, along with its manual
+	pages.</para>
+
+      <para>To bootstrap the system, run:</para>
+
+      <screen>&prompt.root; <userinput>/usr/sbin/pkg</userinput></screen>
+
+      <para>For earlier &os; versions,
+	<application>pkg</application> must instead be installed
+	from the Ports Collection or as a binary package.</para>
+
+      <para>To install the port, run:</para>
+
+      <screen>&prompt.root; <userinput>cd /usr/ports/ports-mgmt/pkg</userinput>
+&prompt.root; <userinput>make</userinput>
+&prompt.root; <userinput>make install clean</userinput></screen>
+
+      <para>When upgrading an existing system that originally used the
+	older package system, the database must be converted to the
+	new format, so that the new tools are aware of the already
+	installed packages.  Once <application>pkg</application> has
+	been installed, the
+	package database must be converted from the traditional format
+	to the new format by running this command:</para>
+
+      <screen>&prompt.root; <userinput>pkg2ng</userinput></screen>
+
+      <note><para>This step is not required for new installations that
+	do not yet have any third-party software
+	installed.</para></note>
+
+      <important>
+	<para>This step is not reversible.  Once the package database
+	  has been converted to the <application>pkg</application>
+	  format, the traditional <literal>pkg_*</literal> tools
+	  should no longer be used.</para>
+      </important>
+
+      <note>
+	<para>The package database conversion may emit errors as the
+	  contents are converted to the new version.  Generally, these
+	  errors can be safely ignored.  However, a list of
+	  third-party software that was not successfully converted
+	  will be listed after <command>pkg2ng</command> has finished
+	  and these applications must be manually reinstalled.</para>
+      </note>
+
+      <para>To ensure that the &os;&nbsp;Ports Collection registers
+	new software with <application>pkg</application>, and not
+	the traditional packages format, &os; versions earlier than
+	10.<replaceable>X</replaceable> require this line in
+	<filename>/etc/make.conf</filename>:</para>
+
+      <programlisting>WITH_PKGNG=	yes</programlisting>
+
+      <para>The <application>pkg</application> package management
+	system uses a package repository for most operations.  The
+	default package repository location is defined in
+	<filename>/usr/local/etc/pkg.conf</filename> or by the
+	<envar>PACKAGESITE</envar> environment variable, which
+	overrides the configuration file.</para>
+
+      <para>Additional <application>pkg</application>
+	configuration options are described in pkg.conf(5).</para>
+
+      <para>Usage information for <application>pkg</application> is
+	available in pkg(8) or by running
+	<command>pkg</command> without additional arguments.</para>
+
+      <para>Each <application>pkg</application> command argument is
+	documented in a command-specific manual page.  To read the
+	manual page for <command>pkg install</command>, for example,
+	run either of these commands:</para>
+
+      <screen>&prompt.root; <userinput>pkg help install</userinput></screen>
+
+      <screen>&prompt.root; <userinput>man pkg-install</userinput></screen>
+
+      <para>The rest of this section demonstrates common binary
+	package management tasks which can be performed using
+	<application>pkg</application>.  Each demonstrated command
+	provides many switches to customize its use.  Refer to a
+	command's help or man page for details and more
+	examples.</para>
+    </sect2>
+
+    <sect2 xml:id="pkgng-pkg-info">
+      <title>Obtaining Information About Installed Packages</title>
+
+      <para>Information about the packages installed on a system
+	can be viewed by running <command>pkg info</command> which,
+	when run without any switches, will list the package version
+	for either all installed packages or the specified
+	package.</para>
+
+      <para>For example, to see which version of
+	<application>pkg</application> is installed, run:</para>
+
+      <screen>&prompt.root; <userinput>pkg info pkg</userinput>
+pkg-1.1.4_1</screen>
+    </sect2>
+
+    <sect2 xml:id="pkgng-installing-deinstalling">
+      <title>Installing and Removing Packages</title>
+
+      <para>To install a binary package use the following command,
+	where <replaceable>packagename</replaceable> is the name of
+	the package to install:</para>
+
+      <screen>&prompt.root; <userinput>pkg install <replaceable>packagename</replaceable></userinput></screen>
+
+      <para>This command uses repository data to determine which
+	version of the software to install and if it has any
+	uninstalled dependencies.  For example, to install
+	<application>curl</application>:</para>
+
+      <screen>&prompt.root; <userinput>pkg install curl</userinput>
+Updating repository catalogue
+/usr/local/tmp/All/curl-7.31.0_1.txz          100% of 1181 kB 1380 kBps 00m01s
+
+/usr/local/tmp/All/ca_root_nss-3.15.1_1.txz   100% of  288 kB 1700 kBps 00m00s
+
+Updating repository catalogue
+The following 2 packages will be installed:
+
+        Installing ca_root_nss: 3.15.1_1
+        Installing curl: 7.31.0_1
+
+The installation will require 3 MB more space
+
+0 B to be downloaded
+
+Proceed with installing packages [y/N]: <userinput>y</userinput>
+Checking integrity... done
+[1/2] Installing ca_root_nss-3.15.5_1... done
+[2/2] Installing curl-7.31.0_1... done
+Cleaning up cache files...Done</screen>
+
+	<para>The new package and any additional packages that were
+	  installed as dependencies can be seen in the installed
+	  packages list:</para>
+
+	<screen>&prompt.root; <userinput>pkg info</userinput>
+ca_root_nss-3.15.5_1	The root certificate bundle from the Mozilla Project
+curl-7.31.0_1	Non-interactive tool to get files from FTP, GOPHER, HTTP(S) servers
+pkg-1.1.4_6	New generation package manager</screen>
+
+	<para>Packages that are no longer needed can be removed with
+	  <command>pkg delete</command>.  For example:</para>
+
+	<screen>&prompt.root; <userinput>pkg delete curl</userinput>
+The following packages will be deleted:
+
+	curl-7.31.0_1
+
+The deletion will free 3 MB
+
+Proceed with deleting packages [y/N]: <userinput>y</userinput>
+[1/1] Deleting curl-7.31.0_1... done</screen>
+    </sect2>
+
+    <sect2 xml:id="pkgng-upgrading">
+      <title>Upgrading Installed Packages</title>
+
+      <para>Packages that are outdated can be found with
+	<command>pkg version</command>.  If a local ports tree
+	does not exist, pkg-version(8) will use the remote
+	repository catalogue.  Otherwise, the local ports tree will
+	be used to identify package versions.</para>
+
+      <para>Installed packages can be upgraded to their latest
+	versions by typing <command>pkg upgrade</command>.  This
+	command will compare the installed versions with those
+	available in the repository catalogue.  When finished, it
+	will list the applications that have newer versions.  Type
+	<userinput>y</userinput> to proceed with the upgrade or
+	<userinput>n</userinput> to cancel the upgrade.</para>
+    </sect2>
+
+    <sect2 xml:id="pkgng-auditing">
+      <title>Auditing Installed Packages</title>
+
+      <para>Occasionally, software vulnerabilities may be discovered
+	in third-party applications.  To address this,
+	<application>pkg</application> includes a built-in auditing
+	mechanism.  To determine if there are any known
+	vulnerabilities for the software installed on the system,
+	run:</para>
+
+	<screen>&prompt.root; <userinput>pkg audit -F</userinput></screen>
+    </sect2>
+
+    <sect2 xml:id="pkgng-autoremove">
+      <title>Automatically Removing Leaf Dependencies</title>
+
+      <para>Removing a package may leave behind dependencies which
+	are no longer required.  Unneeded packages that were installed
+	as dependencies can be automatically detected and removed
+	using:</para>
+
+      <screen>&prompt.root; <userinput>pkg autoremove</userinput>
+Packages to be autoremoved:
+	ca_root_nss-3.13.5
+
+The autoremoval will free 723 kB
+
+Proceed with autoremoval of packages [y/N]: <userinput>y</userinput>
+Deinstalling ca_root_nss-3.15.1_1... done</screen>
+    </sect2>
+
+    <sect2 xml:id="pkgng-backup">
+      <title>Backing Up the Package Database</title>
+
+      <para>Unlike the traditional package management system,
+	<application>pkg</application> includes its own package
+	database backup mechanism.  To manually back up the contents
+	of the package database, run the following command, replacing
+	<replaceable>pkgng.db</replaceable> with a suitable file
+	name:</para>
+
+      <screen>&prompt.root; <userinput>pkg backup -d <replaceable>pkgng.db</replaceable></userinput></screen>
+
+      <para>Additionally, <application>pkg</application> includes
+	a &man.periodic.8; script to automatically perform a daily
+	back up of the package database.  This functionality is
+	enabled if <literal>daily_backup_pkgdb_enable</literal> is
+	set to <literal>YES</literal> in &man.periodic.conf.5;.</para>
+
+      <tip>
+	<para>To disable the periodic script from backing up the
+	  package database, set
+	  <literal>daily_backup_pkgdb_enable</literal> to
+	  <literal>NO</literal> in &man.periodic.conf.5;.</para>
+      </tip>
+
+      <para>To restore the contents of a previous package database
+	backup, run:</para>
+
+      <screen>&prompt.root; <userinput>pkg backup -r <replaceable>/path/to/pkgng.db</replaceable></userinput></screen>
+    </sect2>
+
+    <sect2 xml:id="pkgng-clean">
+      <title>Removing Stale Packages</title>
+
+      <para>By default, <application>pkg</application> stores
+	binary packages in a cache directory defined by
+	<envar>PKG_CACHEDIR</envar> in pkg.conf(5).  When upgrading
+	packages with <command>pkg upgrade</command>, old versions
+	of the upgraded packages are not automatically removed.</para>
+
+      <para>To remove these outdated binary packages, run:</para>
+
+      <screen>&prompt.root; <userinput>pkg clean</userinput></screen>
+    </sect2>
+
+    <sect2 xml:id="pkgng-set">
+      <title>Modifying Package Metadata</title>
+
+      <para>Software within the &os;&nbsp;Ports Collection can
+	undergo major version number changes.  To address this,
+	<application>pkg</application> has a built-in command to
+	update package origins.  This can be useful, for example, if
+	<package>lang/php5</package> is renamed to
+	<package>lang/php53</package> so that
+	<package>lang/php5</package> can now
+	represent version <literal>5.4</literal>.</para>
+
+      <para>To change the package origin for the above example,
+	run:</para>
+
+      <screen>&prompt.root; <userinput>pkg set -o lang/php5:lang/php53</userinput></screen>
+
+      <para>As another example, to update
+	<package>lang/ruby18</package> to
+	<package>lang/ruby19</package>, run:</para>
+
+      <screen>&prompt.root; <userinput>pkg set -o lang/ruby18:lang/ruby19</userinput></screen>
+
+      <para>As a final example, to change the origin of the
+	<filename>libglut</filename> shared libraries from
+	<package>graphics/libglut</package> to
+	<package>graphics/freeglut</package>, run:</para>
+
+      <screen>&prompt.root; <userinput>pkg set -o graphics/libglut:graphics/freeglut</userinput></screen>
+
+      <note>
+	<para>When changing package origins, it is important to
+	  reinstall packages that are dependent on the package with
+	  the modified origin.  To force a reinstallation of dependent
+	  packages, run:</para>
+
+	<screen>&prompt.root; <userinput>pkg install -Rf <replaceable>graphics/freeglut</replaceable></userinput></screen>
+      </note>
     </sect2>
   </sect1>
 
   <sect1 xml:id="ports-using">
     <title>使用 Ports 管理機制</title>
 
-    <para>下面我們會介紹如何使用 Ports Collection 來安裝、移除軟體的基本用法。
-      至於其他可用的 <command>make</command> 詳細用法與環境設定，可參閱
-      &man.ports.7;。</para>
+    <para>The Ports Collection is a set of
+      <filename>Makefiles</filename>, patches, and description files
+      stored in <filename>/usr/ports</filename>.  This set of files is
+      used to compile and install applications on &os;.  Before an
+      application can be compiled using a port, the Ports Collection
+      must first be installed.  If it was not installed during the
+      installation of &os;, use one of the following methods to
+      install it:</para>
+
+    <procedure xml:id="ports-using-portsnap-method">
+      <title>Portsnap 方式</title>
+
+      <para>The base system of &os; includes
+	<application>Portsnap</application>.  This is a fast and
+	user-friendly tool for retrieving the Ports Collection and
+	is the recommended choice for most users.  This utility
+	connects to a &os; site, verifies the secure key, and
+	downloads a new copy of the Ports Collection.  The key is used
+	to verify the integrity of all downloaded files.</para>
 
-    <sect2 xml:id="ports-tree">
-      <title>記得安裝 Ports Collection</title>
+      <step>
+	<para>To download a compressed snapshot of the Ports
+	  Collection into
+	  <filename>/var/db/portsnap</filename>:</para>
 
-      <para>在安裝任一 ports  之前，必須先裝上
-	Ports Collection —— 它主要是由 <filename>/usr/ports</filename> 內一堆
-	<filename>Makefiles</filename>, patches 以及一些軟體簡介檔所組成的。
-      </para>
+	<screen>&prompt.root; <userinput>portsnap fetch</userinput></screen>
+      </step>
 
-      <para>在裝 FreeBSD 時，若忘了在 <application>sysinstall</application>
-	內勾選要裝 Ports Collection 的話，
-        沒關係，可以照下列方式來安裝 ports collection：</para>
-
-      <procedure>
-	<title>CVSup 方式</title>
-
-	<para>使用 <application>CVSup</application> 是安裝、更新 Ports
-	  Collection 的快速方法之一。
-	  若想更瞭解 <application>CVSup</application> 用法的話，請參閱 <link linkend="cvsup">使用 CVSup</link>。</para>
+      <step>
+        <para>若是第一次跑 <application>Portsnap</application> 的話，
+	  則需要先解壓到 <filename>/usr/ports</filename>：</para>
 
-	<note>
-	  <para><application>csup</application> 是以 C 語言對
-	    <application>CVSup</application> 軟體的重寫，在 &os; 6.2
-	    及之後版本即有附在系統內。  可以直接用系統所附的
-	    <application>csup</application> 即可跳過步驟一的動作，
-	    並將本文相關提到 <command>cvsup</command> 之處，
-	    都改為 <command>csup</command> 即可。  此外， &os; 6.2
-	    之前的版本，則可裝 <package>net/csup</package>
-	    或者 package 來使用 <application>csup</application>。</para>
-	</note>
+	<screen>&prompt.root; <userinput>portsnap extract</userinput></screen>
+      </step>
 
-	<para>第一次跑 <application>CVSup</application> 之前，請先確認
-	  <filename>/usr/ports</filename>
-	  是乾淨的！ 若你已經裝了 Ports Collection ，但又自行加上其他 patch
-	  檔，那麼 <application>CVSup</application>
-	  並不會刪除你自行加上的 patch 檔，這樣可能會導致要安裝某些軟體時，
-	  發生 patch 失敗或編譯失敗。</para>
-
-	<step>
-	  <para>安裝 <package>net/cvsup-without-gui</package>
-	    package：</para>
-
-	  <screen>&prompt.root; <userinput>pkg_add -r cvsup-without-gui</userinput></screen>
-
-	  <para>細節用法請參閱 <link linkend="cvsup-install">安裝 CVSup</link>(<xref linkend="cvsup-install"/>)。</para>
-	</step>
-
-	<step>
-	  <para>執行 <command>cvsup</command>：</para>
-
-	  <screen>&prompt.root; <userinput>cvsup -L 2 -h cvsup.tw.FreeBSD.org /usr/share/examples/cvsup/ports-supfile</userinput></screen>
-
-	  <para>請把
-	    <replaceable>cvsup.tw.FreeBSD.org</replaceable> 請改成離你比較近
-	    (快)的 <application>CVSup</application> 主機。
-	    這部分可以參閱完整的 <link linkend="cvsup-mirrors">CVSup mirror
-	    </link> 站列表(<xref linkend="cvsup-mirrors"/>)。</para>
+      <step>
+	<para>After the first use of
+	  <application>Portsnap</application> has been completed as
+	  shown above, <filename>/usr/ports</filename> can be updated
+	  as needed by running:</para>
+
+	<screen>&prompt.root; <userinput>portsnap fetch</userinput>
+&prompt.root; <userinput>portsnap update</userinput></screen>
+
+	<para>When using <literal>fetch</literal>, the
+	  <literal>extract</literal> or the <literal>update</literal>
+	  operation may be run consecutively, like so:</para>
 
-	  <note>
-	    <para>若想改用自己設的
-	      <filename>ports-supfile</filename>，比如說，
-	      不想每次都得打指令來指定所使用的
-	      <application>CVSup</application> 主機。</para>
-
-	    <procedure>
-	      <step>
-		<para>這種情況下，請以 <systemitem class="username">root</systemitem> 權限把
-		  <filename>/usr/share/examples/cvsup/ports-supfile</filename>
-		  複製到其他位置，比如
-		  <filename>/root</filename> 或者自己帳號的家目錄。</para>
-	      </step>
-
-	      <step>
-		<para>修改新的 <filename>ports-supfile</filename> 檔。</para>
-	      </step>
-
-	      <step>
-		<para>把
-		  <replaceable>CHANGE_THIS.FreeBSD.org</replaceable>
-		  改為離你比較近(快)的 <application>CVSup</application> 主機。
-		  這部分可以參閱完整的 <link linkend="cvsup-mirrors">CVSup
-		  Mirrors</link> (<xref linkend="cvsup-mirrors"/>) 站列表</para>
-	      </step>
-
-	      <step>
-		<para>然後就開始以類似下列指令跑 <command>cvsup</command>：
-		  </para>
-
-		<screen>&prompt.root; <userinput>cvsup -L 2 /root/ports-supfile</userinput></screen>
-	      </step>
-	    </procedure>
-	  </note>
-	</step>
+	<screen>&prompt.root; <userinput>portsnap fetch update</userinput></screen>
+      </step>
+    </procedure>
 
-	<step>
-	  <para>執行 &man.cvsup.1; 之後，就會開始更新 Ports Collection。
-	    不過這動作只是『更新』並不是『升級』，不會把已裝的軟體重新編譯、升級。</para>
-	</step>
-      </procedure>
-
-      <procedure>
-	<title>Portsnap 方式</title>
-
-	<para>&man.portsnap.8; 也是更新 Ports Collection 的方式之一。
-	  &os;&nbsp;6.0 起開始內建 Portsnap 機制，而較舊的系統，則可透過
-	  <package>ports-mgmt/portsnap</package> port 來安裝：
-	  </para>
+    <procedure xml:id="ports-using-subversion-method">
+      <title>Subversion Method</title>
 
-	<screen>&prompt.root; <userinput>pkg_add -r portsnap</userinput></screen>
+      <para>If more control over the ports tree is needed or if local
+	changes need to be maintained,
+	<application>Subversion</application> can be used to obtain
+	the Ports Collection.  Refer to <link
+	  xlink:href="&url.articles.committers-guide;/subversion-primer.html">the
+	  Subversion Primer</link> for a detailed description of
+	<application>Subversion</application>.</para>
 
-	<para><application>Portsnap</application> 細節功能，請參閱
-	  <link linkend="portsnap">Portsnap 使用篇</link>。</para>
+      <step>
+	<para><application>Subversion</application> must be installed
+	  before it can be used to check out the ports tree.  If a
+	  copy of the ports tree is already present, install
+	  <application>Subversion</application> like this:</para>
 
-	<step>
-	  <para>若 <filename>/usr/ports</filename> 目錄不存在的話，
-	    就建立一下吧：</para>
+	<screen>&prompt.root; <userinput>cd /usr/ports/devel/subversion</userinput>
+&prompt.root; <userinput>make install clean</userinput></screen>
 
-	  <screen>&prompt.root; <userinput>mkdir /usr/ports</userinput></screen>
-	</step>
+	<para>If the ports tree is not available, or
+	  <application>pkg</application> is being used to manage
+	  packages, <application>Subversion</application> can be
+	  installed as a package:</para>
 
-	<step>
-	  <para>接下來，下載壓縮的 Ports Collection 定期更新檔到
-	    <filename>/var/db/portsnap</filename> 目錄。
-	    完成下載後，要斷線與否都可以。</para>
+	<screen>&prompt.root; <userinput>pkg install subversion</userinput></screen>
 
-	  <screen>&prompt.root; <userinput>portsnap fetch</userinput></screen>
-	</step>
+      </step>
 
-	<step>
-	  <para>若是第一次跑 <application>Portsnap</application> 的話，
-	    則需要先解壓到 <filename>/usr/ports</filename>：
-	  </para>
+      <step>
+	<para>Check out a copy of the ports tree.  For better
+	  performance, replace
+	  <replaceable>svn0.us-east.FreeBSD.org</replaceable> with a
+	  <link linkend="svn-mirrors">Subversion
+	    mirror</link> close to your geographic location:</para>
 
-	  <screen>&prompt.root; <userinput>portsnap extract</userinput></screen>
+	<screen>&prompt.root; <userinput>svn checkout https://<replaceable>svn0.us-east.FreeBSD.org</replaceable>/ports/head /usr/ports</userinput></screen>
+      </step>
 
-	  <para>若已有 <filename>/usr/ports</filename> 而且只是想更新而已，
-	    那麼就照下面作：</para>
+      <step>
+	<para>As needed, update <filename>/usr/ports</filename> after
+	  the initial <application>Subversion</application>
+	  checkout:</para>
 
-	  <screen>&prompt.root; <userinput>portsnap update</userinput></screen>
-	</step>
+	<screen>&prompt.root; <userinput>svn update /usr/ports</userinput></screen>
+      </step>
+    </procedure>
 
-      </procedure>
-
-      <procedure>
-	<title>Sysinstall 方式</title>
-
-	<para>這方式要用 <application>sysinstall</application>
-	  透過安裝來源來裝 Ports Collection。
-	  請注意：所安裝的 Ports Collection 版本只是該 release
-	  發佈時的版本而已，而非最新。
-	  若能上網(Internet)的話，請使用上述方式之一會比較好。</para>
-
-	<step>
-	  <para>以 <systemitem class="username">root</systemitem> 權限執行
-	    <command>sysinstall</command>
-	    (在 &os; 5.2 之前版本則是 <command>/stand/sysinstall</command>)
-	    ，方式如下：</para>
-
-	  <screen>&prompt.root; <userinput>sysinstall</userinput></screen>
-	</step>
-
-	<step>
-	  <para>請以方向鍵移動選擇項目，選擇
-	    <guimenuitem>Configure</guimenuitem>，然後按
-	    <keycap>Enter</keycap> 鍵。</para>
-	</step>
-
-	<step>
-	  <para>選擇
-	    <guimenuitem>Distributions</guimenuitem>，然後按
-	    <keycap>Enter</keycap> 鍵。</para>
-	</step>
-
-	<step>
-	  <para>選擇 <guimenuitem>ports</guimenuitem>，然後按
-	    <keycap>Space</keycap> 鍵。</para>
-	</step>
-
-	<step>
-	  <para>選 <guimenuitem>Exit</guimenuitem>，然後按
-	    <keycap>Enter</keycap> 鍵。</para>
-	</step>
-
-	<step>
-	  <para>選擇要用的安裝來源，比如：CDROM(光碟)、FTP 等方式。</para>
-	</step>
-
-	<step>
-	  <para>選 <guimenuitem>Exit</guimenuitem>，然後按
-	    <keycap>Enter</keycap> 鍵。</para>
-	</step>
-
-	<step>
-	  <para>按下 <keycap>X</keycap> 鍵就可離開
-	    <application>sysinstall</application> 程式。</para>
-	</step>
-      </procedure>
-    </sect2>
+    <para>The Ports Collection installs a series of directories
+      representing software categories with each category having
+      a subdirectory for each application.  Each subdirectory, also
+      referred to as a ports skeleton, contains a set of files that
+      tell &os; how to compile and install that program.  Each port
+      skeleton includes these files and directories:</para>
+
+    <itemizedlist>
+      <listitem>
+	<para><filename>Makefile</filename>: contains statements that
+	  specify how the application should be compiled and where
+	  its components should be installed.</para>
+      </listitem>
+
+      <listitem>
+	<para><filename>distinfo</filename>: contains the names and
+	  checksums of the files that must be downloaded to build the
+	  port.</para>
+      </listitem>
+
+      <listitem>
+	<para><filename>files/</filename>: this directory contains
+	  any patches needed for the program to compile and install
+	  on &os;.  This directory may also contain other files used
+	  to build the port.</para>
+      </listitem>
+
+      <listitem>
+	<para><filename>pkg-descr</filename>: provides a more detailed
+	  description of the program.</para>
+      </listitem>
+
+      <listitem>
+	<para><filename>pkg-plist</filename>:  a list of all the
+	  files that will be installed by the port.  It also tells
+	  the ports system which files to remove upon
+	  deinstallation.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Some ports include <filename>pkg-message</filename> or
+      other files to handle special situations.  For more details
+      on these files, and on ports in general, refer to the <link
+	xlink:href="&url.books.porters-handbook;/index.html">&os;
+	Porter's Handbook</link>.</para>
+
+    <para>The port does not include the actual source code, also
+      known as a <filename>distfile</filename>.  The extract portion
+      of building a port will automatically save the downloaded
+      source to <filename>/usr/ports/distfiles</filename>.</para>
 
     <sect2 xml:id="ports-skeleton">
       <title>Ports 的安裝方式</title>
 
       <indexterm>
-        <primary>ports</primary>
-        <secondary>installing</secondary>
+	<primary>ports</primary>
+	<secondary>installing</secondary>
       </indexterm>
+
+      <para>下面我們會介紹如何使用 Ports Collection 來安裝、移除軟體的基本用法。
+      至於其他可用的 <command>make</command> 詳細用法與環境設定，可參閱
+      &man.ports.7;。</para>
+
+      <warning>
+	<para>Before compiling any port, be sure to update the Ports
+	  Collection as described in the previous section.  Since
+	  the installation of any third-party software can introduce
+	  security vulnerabilities, it is recommended to first check
+	  <uri
+	    xlink:href="http://vuxml.freebsd.org/">http://vuxml.freebsd.org/</uri>
+	  for known security issues related to the port.  Alternately,
+	  if <package>ports-mgmt/portaudit</package> is installed, run
+	  <command>portaudit -F</command> before installing a new
+	  port.  This command can be configured to automatically
+	  perform a security audit and an update of the vulnerability
+	  database during the daily security system check.  For more
+	  information, refer to the manual page for
+	  <application>portaudit</application> and
+	  &man.periodic.8;.</para>
+      </warning>
+
       <para>提到 Ports Collection，首先要先說明的是：何謂
 	<quote>skeleton</quote>。
         簡單來講，port skeleton 就是讓軟體如何在 FreeBSD
@@ -1016,7 +1304,7 @@
         比如裝了一個 port 後才意識到裝錯 port 了。
         在此，我們將移除前面例子所裝的那個 port
 	(沒仔細注意的話，我們再提醒一下就是 <command>lsof</command>)。
-	跟移除 package 時相當類似(在 <link linkend="packages-using">Packages section</link> 有介紹)，都是使用
+	跟移除 package 時相當類似，都是使用
 	&man.pkg.delete.1; 指令：</para>
 
       <screen>&prompt.root; <userinput>pkg_delete lsof-4.57</userinput></screen>
Index: zh_TW.UTF-8/books/handbook/preface/preface.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/preface/preface.xml
+++ zh_TW.UTF-8/books/handbook/preface/preface.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      $FreeBSD$
-     Original revision: 1.30
+     Original revision: r46055
 -->
 <preface xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="book-preface">
   <title>序</title>
@@ -42,11 +42,6 @@
       </listitem>
 
       <listitem>
-	<para><xref linkend="vinum-vinum"/>Vinum是本版所新增的章節。本章介紹：如何運用 Vinum 這種邏輯磁碟(device-independent)
-	，以及軟體 RAID-0, RAID-1 和 RAID-5 。</para>
-      </listitem>
-
-      <listitem>
 	<para><xref linkend="ppp-and-slip"/>PPP 及 SLIP 一章中增加了故障排除的說明。</para>
       </listitem>
 
@@ -244,83 +239,136 @@
 <!-- Part III - System Administration -->
 
     <varlistentry>
-      <term><emphasis><xref linkend="config-tuning"/>, Configuration and Tuning</emphasis></term>
+      <term><emphasis><xref
+	    linkend="config-tuning"/></emphasis></term>
+
       <listitem>
 	<para>Describes the parameters available for system
-	administrators to tune a FreeBSD system for optimum
-	performance.  Also describes the various configuration files
-	used in FreeBSD and where to find them.</para>
+	  administrators to tune a &os; system for optimum
+	  performance.  Also describes the various configuration files
+	  used in &os; and where to find them.</para>
+      </listitem>
+    </varlistentry>
+
+    <varlistentry>
+      <term><emphasis><xref linkend="boot"/></emphasis></term>
+
+      <listitem>
+	<para>Describes the &os; boot process and explains how to
+	  control this process with configuration options.</para>
       </listitem>
     </varlistentry>
+
     <varlistentry>
-      <term><emphasis><xref linkend="boot"/>, Booting Process</emphasis></term>
+      <term><emphasis><xref linkend="security"/></emphasis></term>
+
       <listitem>
-	<para>Describes the FreeBSD boot process and explains
-	how to control this process with configuration options.</para>
+	<para>Describes many different tools available to help keep
+	  your &os; system secure, including Kerberos, IPsec and
+	  OpenSSH.</para>
       </listitem>
     </varlistentry>
+
     <varlistentry>
-      <term><emphasis><xref linkend="users"/>, Users and Basic Account
-      Management</emphasis></term>
+      <term><emphasis><xref linkend="jails"/></emphasis></term>
+
       <listitem>
-	<para>Describes the creation and manipulation of user
-	  accounts.  Also discusses resource limitations that can be
-	  set on users and other account management tasks.</para>
+	<para>Describes the jails framework, and the improvements of
+	  jails over the traditional chroot support of &os;.</para>
       </listitem>
     </varlistentry>
+
     <varlistentry>
-      <term><emphasis><xref linkend="security"/>, Security</emphasis></term>
+      <term><emphasis><xref linkend="mac"/></emphasis></term>
+
       <listitem>
-	<para>Describes many different tools available to help keep your
-	FreeBSD system secure, including Kerberos, IPsec and OpenSSH.</para>
+	<para>Explains what Mandatory Access Control (MAC) is and
+	  how this mechanism can be used to secure a &os;
+	  system.</para>
       </listitem>
     </varlistentry>
+
     <varlistentry>
-      <term><emphasis><xref linkend="mac"/>, Mandatory Access Control</emphasis></term>
+      <term><emphasis><xref linkend="audit"/></emphasis></term>
+
       <listitem>
-	<para>Explains what Mandatory Access Control (MAC) is and how this
-	mechanism can be used to secure a FreeBSD system.</para>
+	<para>Describes what &os; Event Auditing is, how it can be
+	  installed, configured, and how audit trails can be inspected
+	  or monitored.</para>
       </listitem>
     </varlistentry>
+
     <varlistentry>
-      <term><emphasis><xref linkend="disks"/>, Storage</emphasis></term>
+      <term><emphasis><xref linkend="disks"/></emphasis></term>
+
       <listitem>
 	<para>Describes how to manage storage media and filesystems
-  	  with FreeBSD.  This includes physical disks, RAID arrays,
-  	  optical and tape media, memory-backed disks, and network
-  	  filesystems.</para>
+	  with &os;.  This includes physical disks, RAID arrays,
+	  optical and tape media, memory-backed disks, and network
+	  filesystems.</para>
       </listitem>
     </varlistentry>
+
     <varlistentry>
-      <term><emphasis><xref linkend="GEOM"/>, GEOM</emphasis></term>
+      <term><emphasis><xref linkend="geom"/></emphasis></term>
+
       <listitem>
-	<para>Describes what the GEOM framework in FreeBSD is and how
+	<para>Describes what the GEOM framework in &os; is and how
 	  to configure various supported RAID levels.</para>
       </listitem>
     </varlistentry>
+
+    <varlistentry>
+      <term><emphasis><xref linkend="filesystems"/></emphasis></term>
+
+      <listitem>
+	<para>Examines support of non-native file systems in &os;,
+	  like the Z File System from &sun;.</para>
+      </listitem>
+    </varlistentry>
+
+    <varlistentry>
+      <term><emphasis><xref
+	    linkend="virtualization"/></emphasis></term>
+
+      <listitem>
+	<para>Describes what virtualization systems offer, and how
+	  they can be used with &os;.</para>
+      </listitem>
+    </varlistentry>
+
     <varlistentry>
-      <term><emphasis><xref linkend="vinum-vinum"/>, Vinum</emphasis></term>
+      <term><emphasis><xref linkend="l10n"/></emphasis></term>
+
       <listitem>
-	<para>Describes how to use Vinum, a logical volume manager
-	  which provides device-independent logical disks, and
-	  software RAID-0, RAID-1 and RAID-5.</para>
+	<para>Describes how to use &os; in languages other than
+	  English.  Covers both system and application level
+	  localization.</para>
       </listitem>
     </varlistentry>
+
     <varlistentry>
-      <term><emphasis><xref linkend="l10n"/>, Localization</emphasis></term>
+      <term><emphasis><xref
+	    linkend="updating-upgrading"/></emphasis></term>
+
       <listitem>
-	<para>Describes how to use FreeBSD in languages other than
-	English.  Covers both system and application level
-	localization.</para>
+	<para>Explains the differences between &os;-STABLE,
+	  &os;-CURRENT, and &os; releases.  Describes which users
+	  would benefit from tracking a development system and
+	  outlines that process.  Covers the methods users may take
+	  to update their system to the latest security
+	  release.</para>
       </listitem>
     </varlistentry>
+
     <varlistentry>
-      <term><emphasis><xref linkend="cutting-edge"/>, The Cutting Edge</emphasis></term>
+      <term><emphasis><xref linkend="dtrace"/></emphasis></term>
+
       <listitem>
-	<para>Explains the differences between FreeBSD-STABLE,
-	FreeBSD-CURRENT, and FreeBSD releases.  Describes which users
-	would benefit from tracking a development system and outlines
-	that process.</para>
+	<para>Describes how to configure and use the &dtrace; tool
+	  from &sun; in &os;.  Dynamic tracing can help locate
+	  performance issues, by performing real time system
+	  analysis.</para>
       </listitem>
     </varlistentry>
 
Index: zh_TW.UTF-8/books/handbook/security/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/security/chapter.xml
+++ zh_TW.UTF-8/books/handbook/security/chapter.xml
@@ -1,18 +1,28 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
      The FreeBSD Documentation Project
+     The FreeBSD Traditional Chinese Project
 
      $FreeBSD$
-     Original revision: 1.285
+     Original revision: r46061
 -->
-<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="security">
-  <info><title>系統安全</title>
+<chapter xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="security">
+
+  <info>
+    <title>系統安全</title>
+
     <authorgroup>
-      <author><personname><firstname>Matthew</firstname><surname>Dillon</surname></personname><contrib>Much of this chapter has been taken from the
-	security(7) manual page by </contrib></author>
+      <author>
+	<personname>
+	  <firstname>Tom</firstname>
+	  <surname>Rhodes</surname>
+	</personname>
+	<contrib>Rewritten by </contrib>
+      </author>
     </authorgroup>
   </info>
-
   
   <indexterm><primary>security</primary></indexterm>
 
@@ -96,1063 +106,619 @@
   </sect1>
 
   <sect1 xml:id="security-intro">
-    <title>介紹</title>
-
-    <para>安全，對系統管理者而言，是至始至終最基本的要求。由於所有的 BSD &unix; multi-user
-	系統都提供了與生俱來的基本安全，所以建立、維護額外的安全機制，以確保使用者的『可靠』，
-	可能也就是系統管理員最需要慎思的艱巨任務了。機器的安全性取決於您所建立的安全措施，
-	而許多安全方面的考量，則會與人們使用電腦時的便利相矛盾。一般來說， &unix;
-	系統可同時執行許多數目的程式 process ，並且其中許多 process 也同時以 Server 端來運作。
-	 ── 這意味著，外部實體機器能夠與它們互相連接，並產生互動。現在的一般桌機，
-	已經能夠達到以前小型主機甚至大型主機的性能，而隨著這些電腦的網路連接和在更大範圍內互相連接
-	，安全也成為了一個日益嚴峻的課題。</para>
-
-    <para>安全最好的方式，是能夠透過像『洋蔥』那樣的層層防護模式。
-	簡單講，應該儘可能的建立多層次安全防護，並小心地監視各類針對系統的入侵疑點。
-	You do not want to
-      overbuild your security or you will interfere with the detection
-      side, and detection is one of the single most important aspects of
-      any security mechanism.  For example, it makes little sense to set
-      the <literal>schg</literal> flag (see &man.chflags.1;) on every
-      system binary because
-      while this may temporarily protect the binaries, it prevents an
-      attacker who has broken in from making an easily detectable change
-      that may result in your security mechanisms not detecting the attacker
-      at all.</para>
-
-    <para>System security also pertains to dealing with various forms of
-      attack, including attacks that attempt to crash, or otherwise make a
-      system unusable, but do not attempt to compromise the
-      <systemitem class="username">root</systemitem> account (<quote>break root</quote>).
-      Security concerns
-      can be split up into several categories:</para>
-
-    <orderedlist>
-      <listitem>
-	<para>服務阻斷攻擊(DoS)</para>
-      </listitem>
-
-      <listitem>
-	<para>竊取其他使用者的帳號。</para>
-      </listitem>
-
-      <listitem>
-	<para>透過各式 Server 上所提供的 Service 來竊取 root 帳號。</para>
-      </listitem>
-
-      <listitem>
-	<para>透過使用者帳號竊取 root 帳號。</para>
-      </listitem>
-
-      <listitem>
-	<para>開後門。</para>
-      </listitem>
-    </orderedlist>
-
-    <indexterm>
-      <primary>DoS attacks</primary>
-      <see>Denial of Service (DoS)</see>
-    </indexterm>
-    <indexterm>
-      <primary>security</primary>
-      <secondary>DoS attacks</secondary>
-      <see>Denial of Service (DoS)</see>
-    </indexterm>
-    <indexterm><primary>Denial of Service (DoS)</primary></indexterm>
-
-    <para>A denial of service attack is an action that deprives the
-      machine of needed resources.  Typically, DoS attacks are
-      brute-force mechanisms that attempt to crash or otherwise make a
-      machine unusable by overwhelming its servers or network stack.  Some
-      DoS attacks try to take advantage of bugs in the networking
-      stack to crash a machine with a single packet.  The latter can only
-      be fixed by applying a bug fix to the kernel.  Attacks on servers
-      can often be fixed by properly specifying options to limit the load
-      the servers incur on the system under adverse conditions.
-      Brute-force network attacks are harder to deal with.  A
-      spoofed-packet attack, for example, is nearly impossible to stop,
-      short of cutting your system off from the Internet.  It may not be
-      able to take your machine down, but it can saturate your
-      Internet connection.</para>
-
-    <indexterm>
-      <primary>security</primary>
-      <secondary>account compromises</secondary>
-    </indexterm>
-
-    <para>A user account compromise is even more common than a DoS
-      attack.  Many sysadmins still run standard
-      <application>telnetd</application>, <application>rlogind</application>,
-      <application>rshd</application>,
-      and <application>ftpd</application> servers on their machines.
-      These servers, by default, do
-      not operate over encrypted connections.  The result is that if you
-      have any moderate-sized user base, one or more of your users logging
-      into your system from a remote location (which is the most common
-      and convenient way to login to a system) will have his or her
-      password sniffed.  The attentive system admin will analyze his
-      remote access logs looking for suspicious source addresses even for
-      successful logins.</para>
-
-    <para>One must always assume that once an attacker has access to a
-      user account, the attacker can break <systemitem class="username">root</systemitem>.
-      However, the reality is that in a well secured and maintained system,
-      access to a user account does not necessarily give the attacker
-      access to <systemitem class="username">root</systemitem>.  The distinction is important
-      because without access to <systemitem class="username">root</systemitem> the attacker
-      cannot generally hide his tracks and may, at best, be able to do
-      nothing more than mess with the user's files, or crash the machine.
-      User account compromises are very common because users tend not to
-      take the precautions that sysadmins take.</para>
-
-    <indexterm>
-      <primary>security</primary>
-      <secondary>backdoors</secondary>
-    </indexterm>
+    <title>Introduction</title>
 
-    <para>System administrators must keep in mind that there are
-      potentially many ways to break <systemitem class="username">root</systemitem> on a machine.
-      The attacker may know the <systemitem class="username">root</systemitem> password,
-      the attacker may find a bug in a root-run server and be able
-      to break <systemitem class="username">root</systemitem> over a network
-      connection to that server, or the attacker may know of a bug in
-      a suid-root program that allows the attacker to break
-      <systemitem class="username">root</systemitem> once he has broken into a user's account.
-      If an attacker has found a way to break <systemitem class="username">root</systemitem>
-      on a machine, the attacker may not have a need
-      to install a backdoor.  Many of the <systemitem class="username">root</systemitem> holes
-      found and closed to date involve a considerable amount of work
-      by the attacker to cleanup after himself, so most attackers install
-      backdoors.  A backdoor provides the attacker with a way to easily
-      regain <systemitem class="username">root</systemitem> access to the system, but it
-      also gives the smart system administrator a convenient way
-      to detect the intrusion.
-      Making it impossible for an attacker to install a backdoor may
-      actually be detrimental to your security, because it will not
-      close off the hole the attacker found to break in the first
-      place.</para>
-
-
-    <para>Security remedies should always be implemented with a
-      multi-layered <quote>onion peel</quote> approach and can be
-      categorized as follows:</para>
+    <para>Security is everyone's responsibility.  A weak entry point
+      in any system could allow intruders to gain access to critical
+      information and cause havoc on an entire network.  One of the
+      core principles of information security is the
+      <acronym>CIA</acronym> triad, which stands for the
+      Confidentiality, Integrity, and Availability of information
+      systems.</para>
+
+    <para>The <acronym>CIA</acronym> triad is a bedrock concept of
+      computer security as customers and users expect their data to be
+      protected.  For example, a customer expects that their credit
+      card information is securely stored (confidentiality), that
+      their orders are not changed behind the scenes (integrity), and
+      that they have access to their order information at all times
+      (availablility).</para>
+
+    <para>To provide <acronym>CIA</acronym>, security professionals
+      apply a defense in depth strategy.  The idea of defense in depth
+      is to add several layers of security to prevent one single layer
+      failing and the entire security system collapsing.  For example,
+      a system administrator cannot simply turn on a firewall and
+      consider the network or system secure.  One must also audit
+      accounts, check the integrity of binaries, and ensure malicious
+      tools are not installed.  To implement an effective security
+      strategy, one must understand threats and how to defend against
+      them.</para>
+
+    <para>What is a threat as it pertains to computer security?
+      Threats are not limited to remote attackers who attempt to
+      access a system without permission from a remote location.
+      Threats also include employees, malicious software, unauthorized
+      network devices, natural disasters, security vulnerabilities,
+      and even competing corporations.</para>
+
+    <para>Systems and networks can be accessed without permission,
+      sometimes by accident, or by remote attackers, and in some
+      cases, via corporate espionage or former employees.  As a user,
+      it is important to prepare for and admit when a mistake has lead
+      to a security breach and report possible issues to the security
+      team.  As an administrator, it is important to know of the
+      threats and be prepared to mitigate them.</para>
+
+    <para>When applying security to systems, it is recommended to
+      start by securing the basic accounts and system configuration,
+      and then to secure the network layer so that it adheres to the
+      system policy and the organization's security procedures.  Many
+      organizations already have a security policy that covers the
+      configuration of technology devices.  The policy should include
+      the security configuration of workstations, desktops, mobile
+      devices, phones, production servers, and development servers.
+      In many cases, standard operating procedures
+      (<acronym>SOP</acronym>s) already exist.  When in doubt, ask the
+      security team.</para>
+
+    <para>The rest of this introduction describes how some of these
+      basic security configurations are performed on a &os; system.
+      The rest of this chapter describes some specific tools which can
+      be used when implementing a security policy on a &os;
+      system.</para>
+
+    <sect2 xml:id="security-accounts">
+      <title>Preventing Logins</title>
+
+      <para>In securing a system, a good starting point is an audit of
+	accounts.  Ensure that <systemitem
+	  class="username">root</systemitem> has a strong password and
+	that this password is not shared.  Disable any accounts that
+	do not need login access.</para>
+
+      <para>To deny login access to accounts, two methods exist.  The
+	first is to lock the account.  This example locks the
+	<systemitem class="username">toor</systemitem> account:</para>
+
+      <screen>&prompt.root; <userinput>pw lock <replaceable>toor</replaceable></userinput></screen>
+
+      <para>The second method is to prevent login access by changing
+	the shell to <filename>/sbin/nologin</filename>.  Only the
+	superuser can change the shell for other users:</para>
+
+      <screen>&prompt.root; <userinput>chsh -s /usr/sbin/nologin <replaceable>toor</replaceable></userinput></screen>
+
+      <para>The <filename>/usr/sbin/nologin</filename> shell prevents
+	the system from assigning a shell to the user when they
+	attempt to login.</para>
+    </sect2>
+
+    <sect2 xml:id="security-sudo">
+      <title>Permitted Account Escalation</title>
+
+      <para>In some cases, system administration needs to be shared
+	with other users.  &os; has two methods to handle this.  The
+	first one, which is not recommended, is a shared root password
+	used by members of the <systemitem
+	  class="groupname">wheel</systemitem> group.  With this
+	method, a user types <command>su</command> and enters the
+	password for <systemitem class="groupname">wheel</systemitem>
+	whenever superuser access is needed.  The user should then
+	type <command>exit</command> to leave privileged access after
+	finishing the commands that required administrative access.
+	To add a user to this group, edit
+	<filename>/etc/group</filename> and add the user to the end of
+	the <literal>wheel</literal> entry.  The user must be
+	separated by a comma character with no space.</para>
+
+      <para>The second, and recommended, method to permit privilege
+	escalation is to install the <package>security/sudo</package>
+	package or port.  This software provides additional auditing,
+	more fine-grained user control, and can be configured to lock
+	users into running only the specified privileged
+	commands.</para>
+
+      <para>After installation, use <command>visudo</command> to edit
+	<filename>/usr/local/etc/sudoers</filename>.  This example
+	creates a new <systemitem
+	  class="groupname">webadmin</systemitem> group, adds the
+	<systemitem class="username">trhodes</systemitem> account to
+	that group, and configures that group access to restart
+	<package>apache24</package>:</para>
+
+      <screen>&prompt.root; <userinput>pw groupadd webadmin -M trhodes -g 6000</userinput>
+&prompt.root; <userinput>visudo</userinput>
+%webadmin ALL=(ALL) /usr/sbin/service apache24 *</screen>
+    </sect2>
+
+    <sect2 xml:id="security-passwords">
+      <title>Password Hashes</title>
+
+      <para>Passwords are a necessary evil of technology.  When they
+	must be used, they should be complex and a powerful hash
+	mechanism should be used to encrypt the version that is stored
+	in the password database.  &os; supports the
+	<acronym>DES</acronym>, <acronym>MD5</acronym>,
+	<acronym>SHA256</acronym>, <acronym>SHA512</acronym>, and
+	Blowfish hash algorithms in its <function>crypt()</function>
+	library.  The default of <acronym>SHA512</acronym> should not
+	be changed to a less secure hashing algorithm, but can be
+	changed to the more secure Blowfish algorithm.</para>
 
-    <orderedlist>
-      <listitem>
-	<para>Securing <systemitem class="username">root</systemitem> and staff accounts.</para>
-      </listitem>
+      <note>
+	<para>Blowfish is not part of <acronym>AES</acronym> and is
+	  not considered compliant with any Federal Information
+	  Processing Standards (<acronym>FIPS</acronym>).  Its use may
+	  not be permitted in some environments.</para>
+      </note>
 
-      <listitem>
-	<para>Securing <systemitem class="username">root</systemitem>&ndash;run servers
-	  and suid/sgid binaries.</para>
-      </listitem>
+      <para>To determine which hash algorithm is used to encrypt a
+	user's password, the superuser can view the hash for the user
+	in the &os; password database.  Each hash starts with a symbol
+	which indicates the type of hash mechanism used to encrypt the
+	password.  If <acronym>DES</acronym> is used, there is no
+	beginning symbol.  For <acronym>MD5</acronym>, the symbol is
+	<literal>$</literal>.  For <acronym>SHA256</acronym> and
+	<acronym>SHA512</acronym>, the symbol is
+	<literal>$6$</literal>.  For Blowfish, the symbol is
+	<literal>$2a$</literal>.  In this example, the password for
+	<systemitem class="username">dru</systemitem> is hashed using
+	the default <acronym>SHA512</acronym> algorithm as the hash
+	starts with <literal>$6$</literal>.  Note that the encrypted
+	hash, not the password itself, is stored in the password
+	database:</para>
+
+      <screen>&prompt.root; <userinput>grep dru /etc/master.passwd</userinput>
+dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:dru:/usr/home/dru:/bin/csh</screen>
+
+      <para>The hash mechanism is set in the user's login class.  For
+	this example, the user is in the <literal>default</literal>
+	login class and the hash algorithm is set with this line in
+	<filename>/etc/login.conf</filename>:</para>
+
+      <programlisting>        :passwd_format=sha512:\</programlisting>
+
+      <para>To change the algorithm to Blowfish, modify that line to
+	look like this:</para>
+
+      <programlisting>        :passwd_format=blf:\</programlisting>
+
+      <para>Then run <command>cap_mkdb /etc/login.conf</command> as
+	described in <xref linkend="users-limiting"/>.  Note that this
+	change will not affect any existing password hashes.  This
+	means that all passwords should be re-hashed by asking users
+	to run <command>passwd</command> in order to change their
+	password.</para>
+
+      <para>For remote logins, two-factor authentication should be
+	used.  An example of two-factor authentication is
+	<quote>something you have</quote>, such as a key, and
+	<quote>something you know</quote>, such as the passphrase for
+	that key.  Since <application>OpenSSH</application> is part of
+	the &os; base system, all network logins should be over an
+	encrypted connection and use key-based authentication instead
+	of passwords.  For more information, refer to <xref
+	  linkend="openssh"/>.  Kerberos users may need to make
+	additional changes to implement
+	<application>OpenSSH</application> in their network.  These
+	changes are described in <xref linkend="kerberos5"/>.</para>
+    </sect2>
+
+    <sect2 xml:id="security-pwpolicy">
+      <title>Password Policy Enforcement</title>
+
+      <para>Enforcing a strong password policy for local accounts is a
+	fundamental aspect of system security.  In &os;, password
+	length, password strength, and password complexity can be
+	implemented using built-in Pluggable Authentication Modules
+	(<acronym>PAM</acronym>).</para>
+
+      <para>This section demonstrates how to configure the minimum and
+	maximum password length and the enforcement of mixed
+	characters using the <filename>pam_passwdqc.so</filename>
+	module.  This module is enforced when a user changes their
+	password.</para>
+
+      <para>To configure this module, become the superuser and
+	uncomment the line containing
+	<literal>pam_passwdqc.so</literal> in
+	<filename>/etc/pam.d/passwd</filename>.  Then, edit that line
+	to match the password policy:</para>
+
+      <programlisting>password        requisite       pam_passwdqc.so         <replaceable>min=disabled,disabled,disabled,12,10 similar=deny retry=3</replaceable> enforce=users</programlisting>
+
+      <para>This example sets several requirements for new passwords.
+	The <literal>min</literal> setting controls the minimum
+	password length.  It has five values because this module
+	defines five different types of passwords based on their
+	complexity.  Complexity is defined by the type of characters
+	that must exist in a password, such as letters, numbers,
+	symbols, and case.  The types of passwords are described in
+	&man.pam.passwdqc.8;.  In this example, the first three types
+	of passwords are disabled, meaning that passwords that meet
+	those complexity requirements will not be accepted, regardless
+	of their length.    The <literal>12</literal> sets a minimum
+	password policy of at least twelve characters, if the password
+	also contains characters with three types of complexity.  The
+	<literal>10</literal> sets the password policy to also allow
+	passwords of at least ten characters, if the password contains
+	characters with four types of complexity.</para>
+
+      <para>The <literal>similar</literal> setting denies passwords
+	that are similar to the user's previous password.  The
+	<literal>retry</literal> setting provides a user with three
+	opportunities to enter a new password.</para>
 
-      <listitem>
-	<para>Securing user accounts.</para>
-      </listitem>
+      <para>Once this file is saved, a user changing their password
+	will see a message similar to the following:</para>
 
-      <listitem>
-	<para>Securing the password file.</para>
-      </listitem>
+      <screen>&prompt.user; <userinput>passwd</userinput>
+Changing local password for trhodes
+Old Password:
 
-      <listitem>
-	<para>Securing the kernel core, raw devices, and
-	  file systems.</para>
-      </listitem>
+You can now choose the new password.
+A valid password should be a mix of upper and lower case letters,
+digits and other characters.  You can use a 12 character long
+password with characters from at least 3 of these 4 classes, or
+a 10 character long password containing characters from all the
+classes.  Characters that form a common pattern are discarded by
+the check.
+Alternatively, if noone else can see your terminal now, you can
+pick this as your password: "trait-useful&amp;knob".
+Enter new password:</screen>
+
+      <para>If a password that does not match the policy is entered,
+	it will be rejected with a warning and the user will have an
+	opportunity to try again, up to the configured number of
+	retries.</para>
+
+      <para>Most password policies require passwords to expire after
+	so many days.  To set a password age time in &os;, set
+	<option>passwordtime</option> for the user's login class in
+	<filename>/etc/login.conf</filename>.  The
+	<literal>default</literal> login class contains an
+	example:</para>
+
+      <programlisting>#       :passwordtime=90d:\</programlisting>
+
+      <para>So, to set an expiry of 90 days for this login class,
+	remove the comment symbol (<literal>#</literal>), save the
+	edit, and run <command>cap_mkdb
+	  /etc/login.conf</command>.</para>
+
+      <para>To set the expiration on individual users, pass an
+	expiration date or the number of days to expiry and a username
+	to <command>pw</command>:</para>
+
+      <screen>&prompt.root; <userinput>pw usermod -p <replaceable>30-apr-2015</replaceable> -n <replaceable>trhodes</replaceable></userinput></screen>
+
+      <para>As seen here, an expiration date is set in the form of
+	day, month, and year.  For more information, see
+	&man.pw.8;.</para>
+    </sect2>
+
+    <sect2 xml:id="security-rkhunter">
+      <title>Detecting Rootkits</title>
+
+      <para>A <firstterm>rootkit</firstterm> is any unauthorized
+	software that attempts to gain <systemitem
+	  class="username">root</systemitem> access to a system.  Once
+	installed, this malicious software will normally open up
+	another avenue of entry for an attacker.  Realistically, once
+	a system has been compromised by a rootkit and an
+	investigation has been performed, the system should be
+	reinstalled from scratch.  There is tremendous risk that even
+	the most prudent security or systems engineer will miss
+	something an attacker left behind.</para>
+
+      <para>A rootkit does do one thing usefulfor administrators: once
+	detected, it is a sign that a compromise happened at some
+	point.  But, these types of applications tend to be very well
+	hidden.  This section demonstrates a tool that can be used to
+	detect rootkits, <package>security/rkhunter</package>.</para>
+
+      <para>After installation of this package or port, the system may
+	be checked using the following command.  It will produce a lot
+	of information and will require some manual pressing of
+	<keycap>ENTER</keycap>:</para>
+
+      <screen>&prompt.root; <userinput>rkhunter -c</userinput></screen>
+
+      <para>After the process completes, a status message will be
+	printed to the screen.  This message will include the amount
+	of files checked, suspect files, possible rootkits, and more.
+	During the check, some generic security warnings may
+	be produced about hidden files, the
+	<application>OpenSSH</application> protocol selection, and
+	known vulnerable versions of installed software.  These can be
+	handled now or after a more detailed analysis has been
+	performed.</para>
+
+      <para>Every administrator should know what is running on the
+	systems they are responsible for.  Third-party tools like
+	<application>rkhunter</application> and
+	<package>sysutils/lsof</package>, and native commands such
+	as <command>netstat</command> and <command>ps</command>, can
+	show a great deal of information on the system.  Take notes on
+	what is normal, ask questions when something seems out of
+	place, and be paranoid.  While preventing a compromise is
+	ideal, detecting a compromise is a must.</para>
+    </sect2>
+
+    <sect2 xml:id="security-ids">
+      <title>Binary Verification</title>
+
+      <para>Verification of system files and binaries is important
+	because it provides the system administration and security
+	teams information about system changes.  A software
+	application that monitors the system for changes is called an
+	Intrusion Detection System (<acronym>IDS</acronym>).</para>
+
+      <para>&os; provides native support for a basic
+	<acronym>IDS</acronym> system.  While the nightly security
+	emails will notify an administrator of changes, the
+	information is stored locally and there is a chance that a
+	malicious user could modify this information in order to hide
+	their changes to the system.  As such, it is recommended to
+	create a separate set of binary signatures and store them on a
+	read-only, root-owned directory or, preferably, on a removable
+	<acronym>USB</acronym> disk or remote
+	<application>rsync</application> server.</para>
+
+      <para>The built-in <command>mtree</command> utility can be used
+	to generate a specification of the contents of a directory.  A
+	seed, or a numeric constant, is used to generate the
+	specification and is required to check that the specification
+	has not changed.  This makes it possible to determine if a
+	file or binary has been modified.  Since the seed value is
+	unknown by an attacker, faking or checking the checksum values
+	of files will be difficult to impossible.  The following
+	example generates a set of <acronym>SHA256</acronym> hashes,
+	one for each system binary in <filename>/bin</filename>, and
+	saves those values to a hidden file in <systemitem
+	  class="username">root</systemitem>'s home directory,
+	<filename>/root/.bin_chksum_mtree</filename>:</para>
+
+      <screen>&prompt.root; <userinput>mtree -s <replaceable>3483151339707503</replaceable> -c -K cksum,sha256digest -p <replaceable>/bin</replaceable> &gt; <replaceable>/root/.bin_chksum_mtree</replaceable></userinput>
+&prompt.root; mtree: /bin checksum: 3427012225</screen>
+
+      <para>The <replaceable>3483151339707503</replaceable> represents
+	the seed.  This value should be remembered, but not
+	shared.</para>
+
+      <para>Viewing <filename>/root/.bin_cksum_mtree</filename> should
+	yield output similar to the following:</para>
+
+      <programlisting>#          user: root
+#       machine: dreadnaught
+#          tree: /bin
+#          date: Mon Feb  3 10:19:53 2014
+
+# .
+/set type=file uid=0 gid=0 mode=0555 nlink=1 flags=none
+.               type=dir mode=0755 nlink=2 size=1024 \
+                time=1380277977.000000000
+    \133        nlink=2 size=11704 time=1380277977.000000000 \
+                cksum=484492447 \
+                sha256digest=6207490fbdb5ed1904441fbfa941279055c3e24d3a4049aeb45094596400662a
+    cat         size=12096 time=1380277975.000000000 cksum=3909216944 \
+                sha256digest=65ea347b9418760b247ab10244f47a7ca2a569c9836d77f074e7a306900c1e69
+    chflags     size=8168 time=1380277975.000000000 cksum=3949425175 \
+                sha256digest=c99eb6fc1c92cac335c08be004a0a5b4c24a0c0ef3712017b12c89a978b2dac3
+    chio        size=18520 time=1380277975.000000000 cksum=2208263309 \
+                sha256digest=ddf7c8cb92a58750a675328345560d8cc7fe14fb3ccd3690c34954cbe69fc964
+    chmod       size=8640 time=1380277975.000000000 cksum=2214429708 \
+                sha256digest=a435972263bf814ad8df082c0752aa2a7bdd8b74ff01431ccbd52ed1e490bbe7</programlisting>
+
+      <para>The machine's hostname, the date and time the
+	specification was created, and the name of the user who
+	created the specification are included in this report.  There
+	is a checksum, size, time, and <acronym>SHA</acronym>256
+	digest for each binary in the directory.</para>
+
+      <para>To verify that the binary signatures have not changed,
+	compare the current contents of the directory to the
+	previously generated specification, and save the results to a
+	file.  This command requires the seed that was used to
+	generate the original specification:</para>
+
+      <screen>&prompt.root; <userinput>mtree -s <replaceable>3483151339707503</replaceable> -p <replaceable>/bin</replaceable> &lt; <replaceable>/root/.bin_chksum_mtree</replaceable> &gt;&gt; <replaceable>/root/.bin_chksum_output</replaceable></userinput>
+&prompt.root; mtree: /bin checksum: 3427012225</screen>
+
+      <para>This should produce the same checksum for
+	<filename>/bin</filename> that was produced when the
+	specification was created.  If no changes have occurred to the
+	binaries in this directory, the
+	<filename>/root/.bin_chksum_output</filename> output file will
+	be empty.  To simulate a change, change the date on
+	<filename>/bin/cat</filename> using <command>touch</command>
+	and run the verification command again:</para>
+
+      <screen>&prompt.root; <userinput>touch /bin/cat</userinput>
+&prompt.root; <userinput>mtree -s <replaceable>3483151339707503</replaceable> -p <replaceable>/bin</replaceable> &lt; <replaceable>/root/.bin_chksum_mtree</replaceable> &gt;&gt; <replaceable>/root/.bin_chksum_output</replaceable></userinput>
+&prompt.root; <userinput>more /root/.bin_chksum_output</userinput>
+cat changed
+	modification time expected Fri Sep 27 06:32:55 2013 found Mon Feb  3 10:28:43 2014</screen>
+
+      <para>It is recommended to create specifications for the
+	directories which contain binaries and configuration files, as
+	well as any directories containing sensitive data.  Typically,
+	specifications are created for <filename>/bin</filename>,
+	<filename>/sbin</filename>, <filename>/usr/bin</filename>,
+	<filename>/usr/sbin</filename>,
+	<filename>/usr/local/bin</filename>,
+	<filename>/etc</filename>, and
+	<filename>/usr/local/etc</filename>.</para>
+
+      <para>More advanced <acronym>IDS</acronym> systems exist, such
+	as <package>security/aide</package>.  In most cases,
+	<command>mtree</command> provides the functionality
+	administrators need.  It is important to keep the seed value
+	and the checksum output hidden from malicious users.  More
+	information about <command>mtree</command> can be found in
+	&man.mtree.8;.</para>
+    </sect2>
+
+    <sect2 xml:id="security-tuning">
+      <title>System Tuning for Security</title>
+
+      <para>In &os;, many system features can be tuned using
+	<command>sysctl</command>.  A few of the security features
+	which can be tuned to prevent Denial of Service
+	(<acronym>DoS</acronym>) attacks will be covered in this
+	section.  More information about using
+	<command>sysctl</command>, including how to temporarily change
+	values and how to make the changes permanent after testing,
+	can be found in <xref
+	  linkend="configtuning-sysctl"/>.</para>
 
-      <listitem>
-	<para>Quick detection of inappropriate changes made to the
+      <note>
+	<para>Any time a setting is changed with
+	  <command>sysctl</command>, the chance to cause undesired
+	  harm is increased, affecting the availability of the system.
+	  All changes should be monitored and, if possible, tried on a
+	  testing system before being used on a production
 	  system.</para>
-      </listitem>
-
-      <listitem>
-	<para>Paranoia.</para>
-      </listitem>
-    </orderedlist>
-
-    <para>The next section of this chapter will cover the above bullet
-      items in greater depth.</para>
-  </sect1>
-
-  <sect1 xml:id="securing-freebsd">
-    <title>&os; 的系統安全</title>
-    <indexterm>
-      <primary>security</primary>
-      <secondary>securing &os;</secondary>
-    </indexterm>
-
-    <note>
-      <title>Command vs. Protocol</title>
-      <para>Throughout this document, we will use
-       <application>bold</application> text to refer to an
-       application, and a <command>monospaced</command> font to refer
-       to specific commands.  Protocols will use a normal font.  This
-       typographical distinction is useful for instances such as ssh,
-       since it is
-       a protocol as well as command.</para>
-    </note>
-
-    <para>The sections that follow will cover the methods of securing your
-      &os; system that were mentioned in the <link linkend="security-intro">last section</link> of this chapter.</para>
-
-    <sect2 xml:id="securing-root-and-staff">
-      <title>Securing the <systemitem class="username">root</systemitem> Account and
-	Staff Accounts</title>
-      <indexterm>
-        <primary><command>su</command></primary>
-      </indexterm>
-
-      <para>First off, do not bother securing staff accounts if you have
-	not secured the <systemitem class="username">root</systemitem> account.
-	Most systems have a password assigned to the <systemitem class="username">root</systemitem>
-	account.  The first thing you do is assume
-	that the password is <emphasis>always</emphasis> compromised.
-	This does not mean that you should remove the password.  The
-	password is almost always necessary for console access to the
-	machine.  What it does mean is that you should not make it
-	possible to use the password outside of the console or possibly
-	even with the &man.su.1; command.  For example, make sure that
-	your ptys are specified as being insecure in the
-	<filename>/etc/ttys</filename> file so that direct
-	<systemitem class="username">root</systemitem> logins
-	via <command>telnet</command> or <command>rlogin</command> are
-	disallowed.  If using other login services such as
-        <application>sshd</application>, make sure that direct
-	<systemitem class="username">root</systemitem> logins are disabled there as well.
-	You can do this by editing
-        your <filename>/etc/ssh/sshd_config</filename> file, and making
-        sure that <literal>PermitRootLogin</literal> is set to
-        <literal>NO</literal>.  Consider every access method &mdash;
-        services such as FTP often fall through the cracks.
-	Direct <systemitem class="username">root</systemitem> logins should only be allowed
-	via the system console.</para>
-      <indexterm>
-        <primary><systemitem class="groupname">wheel</systemitem></primary>
-      </indexterm>
-
-      <para>Of course, as a sysadmin you have to be able to get to
-	<systemitem class="username">root</systemitem>, so we open up a few holes.
-	But we make sure these holes require additional password
-	verification to operate.  One way to make <systemitem class="username">root</systemitem>
-	accessible is to add appropriate staff accounts to the
-	<systemitem class="groupname">wheel</systemitem> group (in
-	<filename>/etc/group</filename>).  The staff members placed in the
-	<systemitem class="groupname">wheel</systemitem> group are allowed to
-	<command>su</command> to <systemitem class="username">root</systemitem>.
-	You should never give staff
-	members native <systemitem class="groupname">wheel</systemitem> access by putting them in the
-	<systemitem class="groupname">wheel</systemitem> group in their password entry.  Staff
-	accounts should be placed in a <systemitem class="groupname">staff</systemitem> group, and
-	then added to the <systemitem class="groupname">wheel</systemitem> group via the
-	<filename>/etc/group</filename> file.  Only those staff members
-	who actually need to have <systemitem class="username">root</systemitem> access
-	should be placed in the
-	<systemitem class="groupname">wheel</systemitem> group.  It is also possible, when using
-	an authentication method such as Kerberos, to use Kerberos'
-	<filename>.k5login</filename> file in the <systemitem class="username">root</systemitem>
-	account to allow a &man.ksu.1; to <systemitem class="username">root</systemitem>
-	without having to place anyone at all in the
-	<systemitem class="groupname">wheel</systemitem> group.  This may be the better solution
-	since the <systemitem class="groupname">wheel</systemitem> mechanism still allows an
-	intruder to break <systemitem class="username">root</systemitem> if the intruder
-	has gotten hold of your
-	password file and can break into a staff account.  While having
-	the <systemitem class="groupname">wheel</systemitem> mechanism is better than having
-	nothing at all, it is not necessarily the safest option.</para>
-
-      <!-- XXX:
-	This will need updating depending on the outcome of PR bin/71147.
-	Personally I know what I'd like to see, which puts this in definite
-	need of a rewrite, but we'll have to wait and see.  ceri@
-      -->
-
-      <para>An indirect way to secure staff accounts, and ultimately
-        <systemitem class="username">root</systemitem> access is to use an alternative
-	login access method and
-        do what is known as <quote>starring</quote> out the encrypted
-        password for the staff accounts.  Using the &man.vipw.8;
-        command, one can replace each instance of an encrypted password
-        with a single <quote><literal>*</literal></quote> character.
-	This command will update the <filename>/etc/master.passwd</filename>
-	file and user/password database to disable password-authenticated
-        logins.</para>
-
-      <para>A staff account entry such as:</para>
-
-      <programlisting>foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh</programlisting>
-
-      <para>Should be changed to this:</para>
-
-      <programlisting>foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh</programlisting>
-
-      <para>This change will prevent normal logins from occurring,
-        since the encrypted password will never match
-        <quote><literal>*</literal></quote>.  With this done,
-	staff members must use
-        another mechanism to authenticate themselves such as
-        &man.kerberos.1; or &man.ssh.1; using a public/private key
-        pair.  When using something like Kerberos, one generally must
-        secure the machines which run the Kerberos servers and your
-        desktop workstation.  When using a public/private key pair
-        with ssh, one must generally secure
-        the machine used to login <emphasis>from</emphasis> (typically
-        one's workstation).  An additional layer of protection can be
-        added to the key pair by password protecting the key pair when
-        creating it with &man.ssh-keygen.1;.  Being able to
-        <quote>star</quote> out the passwords for staff accounts also
-        guarantees that staff members can only login through secure
-        access methods that you have set up.  This forces all staff
-        members to use secure, encrypted connections for all of their
-        sessions, which closes an important hole used by many
-        intruders: sniffing the network from an unrelated,
-        less secure machine.</para>
-
-      <para>The more indirect security mechanisms also assume that you are
-	logging in from a more restrictive server to a less restrictive
-	server.  For example, if your main box is running all sorts of
-	servers, your workstation should not be running any.  In order for
-	your workstation to be reasonably secure you should run as few
-	servers as possible, up to and including no servers at all, and
-	you should run a password-protected screen blanker.  Of course,
-	given physical access to a workstation an attacker can break any
-	sort of security you put on it.  This is definitely a problem that
-	you should consider, but you should also consider the fact that the
-	vast majority of break-ins occur remotely, over a network, from
-	people who do not have physical access to your workstation or
-	servers.</para>
-      <indexterm><primary>KerberosIV</primary></indexterm>
-
-      <para>Using something like Kerberos also gives you the ability to
-	disable or change the password for a staff account in one place,
-	and have it immediately affect all the machines on which the staff
-	member may have an account.  If a staff member's account gets
-	compromised, the ability to instantly change his password on all
-	machines should not be underrated.  With discrete passwords,
-	changing a password on N machines can be a mess.  You can also
-	impose re-passwording restrictions with Kerberos:  not only can a
-	Kerberos ticket be made to timeout after a while, but the Kerberos
-	system can require that the user choose a new password after a
-	certain period of time (say, once a month).</para>
-    </sect2>
-
-    <sect2>
-      <title>Securing Root-run Servers and SUID/SGID Binaries</title>
-
-      <indexterm>
-        <primary><command>ntalk</command></primary>
-      </indexterm>
-      <indexterm>
-        <primary><command>comsat</command></primary>
-      </indexterm>
-      <indexterm>
-        <primary><command>finger</command></primary>
-      </indexterm>
-      <indexterm>
-        <primary>sandboxes</primary>
-      </indexterm>
-      <indexterm>
-        <primary><application>sshd</application></primary>
-      </indexterm>
-      <indexterm>
-        <primary><application>telnetd</application></primary>
-      </indexterm>
-      <indexterm>
-        <primary><application>rshd</application></primary>
-      </indexterm>
-      <indexterm>
-        <primary><application>rlogind</application></primary>
-      </indexterm>
-
-      <para>The prudent sysadmin only runs the servers he needs to, no
-	more, no less.  Be aware that third party servers are often the
-	most bug-prone.  For example, running an old version of
-	<application>imapd</application> or
-	<application>popper</application> is like giving a universal
-	<systemitem class="username">root</systemitem> ticket out to the entire world.
-	Never run a server that you have not checked out carefully.
-	Many servers do not need to be run as <systemitem class="username">root</systemitem>.
-	For example, the <application>ntalk</application>,
-	<application>comsat</application>, and
-	<application>finger</application> daemons can be run in special
-	user <firstterm>sandboxes</firstterm>.  A sandbox is not perfect,
-	unless you go through a large amount of trouble, but the onion
-	approach to security still stands: If someone is able to break
-	in through a server running in a sandbox, they still have to
-	break out of the sandbox.  The more layers the attacker must
-	break through, the lower the likelihood of his success.  Root
-	holes have historically been found in virtually every server
-	ever run as <systemitem class="username">root</systemitem>, including basic system servers.
-	If you are running a machine through which people only login via
-	<application>sshd</application> and never login via
-	<application>telnetd</application> or
-	<application>rshd</application> or
-	<application>rlogind</application>, then turn off those
-	services!</para>
-
-      <para>&os; now defaults to running
-	<application>ntalkd</application>,
-	<application>comsat</application>, and
-	<application>finger</application> in a sandbox.  Another program
-	which may be a candidate for running in a sandbox is &man.named.8;.
-	<filename>/etc/defaults/rc.conf</filename> includes the arguments
-	necessary to run <application>named</application> in a sandbox in a
-	commented-out form.  Depending on whether you are installing a new
-	system or upgrading an existing system, the special user accounts
-	used by these sandboxes may not be installed.  The prudent
-	sysadmin would research and implement sandboxes for servers
-	whenever possible.</para>
-      <indexterm>
-        <primary><application>sendmail</application></primary>
-      </indexterm>
-
-      <para>There are a number of other servers that typically do not run
-	in sandboxes: <application>sendmail</application>,
-	<application>popper</application>,
-	<application>imapd</application>, <application>ftpd</application>,
-	and others.  There are alternatives to some of these, but
-	installing them may require more work than you are willing to
-	perform (the convenience factor strikes again).  You may have to
-	run these servers as <systemitem class="username">root</systemitem> and rely on other
-	mechanisms to detect break-ins that might occur through them.</para>
-
-      <para>The other big potential <systemitem class="username">root</systemitem> holes in a
-	system are the
-	suid-root and sgid binaries installed on the system.  Most of
-	these binaries, such as <application>rlogin</application>, reside
-	in <filename>/bin</filename>, <filename>/sbin</filename>,
-	<filename>/usr/bin</filename>, or <filename>/usr/sbin</filename>.
-	While nothing is 100% safe, the system-default suid and sgid
-	binaries can be considered reasonably safe.  Still,
-	<systemitem class="username">root</systemitem> holes are occasionally found in these
-	binaries.  A <systemitem class="username">root</systemitem> hole was found in
-	<literal>Xlib</literal> in 1998 that made
-	<application>xterm</application> (which is typically suid)
-	vulnerable.  It is better to be safe than sorry and the prudent
-	sysadmin will restrict suid binaries, that only staff should run,
-	to a special group that only staff can access, and get rid of
-	(<command>chmod 000</command>) any suid binaries that nobody uses.
-	A server with no display generally does not need an
-	<application>xterm</application> binary.  Sgid binaries can be
-	almost as dangerous.  If an intruder can break an sgid-kmem binary,
-	the intruder might be able to read <filename>/dev/kmem</filename>
-	and thus read the encrypted password file, potentially compromising
-	any passworded account.  Alternatively an intruder who breaks
-	group <literal>kmem</literal> can monitor keystrokes sent through
-	ptys, including ptys used by users who login through secure
-	methods.  An intruder that breaks the <systemitem class="groupname">tty</systemitem>
-	group can write to
-	almost any user's tty.  If a user is running a terminal program or
-	emulator with a keyboard-simulation feature, the intruder can
-	potentially generate a data stream that causes the user's terminal
-	to echo a command, which is then run as that user.</para>
-    </sect2>
-
-    <sect2 xml:id="secure-users">
-      <title>Securing User Accounts</title>
-
-      <para>User accounts are usually the most difficult to secure.  While
-	you can impose Draconian access restrictions on your staff and
-	<quote>star</quote> out their passwords, you may not be able to
-	do so with any general user accounts you might have.  If you do
-	have sufficient control, then you may win out and be able to secure
-	the user accounts properly.  If not, you simply have to be more
-	vigilant in your monitoring of those accounts.  Use of
-	ssh and Kerberos for user accounts is
-	more problematic, due to the extra administration and technical
-	support required, but still a very good solution compared to a
-	crypted password file.</para>
-    </sect2>
-
-    <sect2>
-      <title>Securing the Password File</title>
-
-      <para>The only sure fire way is to <literal>*</literal> out as many
-	passwords as you can and use ssh or
-	Kerberos for access to those accounts.  Even though the encrypted
-	password file (<filename>/etc/spwd.db</filename>) can only be read
-	by <systemitem class="username">root</systemitem>, it may be possible for an intruder
-	to obtain read access to that file even if the attacker cannot
-	obtain root-write access.</para>
-
-      <para>Your security scripts should always check for and report
-	changes to the password file (see the <link linkend="security-integrity">Checking file integrity</link> section
-	below).</para>
-    </sect2>
-
-    <sect2>
-      <title>Securing the Kernel Core, Raw Devices, and
-	File systems</title>
-
-      <para>If an attacker breaks <systemitem class="username">root</systemitem> he can do
-        just about anything, but
-	there are certain conveniences.  For example, most modern kernels
-	have a packet sniffing device driver built in.  Under &os; it
-	is called the <filename>bpf</filename> device.  An intruder
-	will commonly attempt to run a packet sniffer on a compromised
-	machine.  You do not need to give the intruder the capability and
-	most systems do not have the need for the
-	<filename>bpf</filename> device compiled in.</para>
-
-      <indexterm>
-        <primary><command>sysctl</command></primary>
-      </indexterm>
-      <para>But even if you turn off the <filename>bpf</filename>
-	device, you still have
-	<filename>/dev/mem</filename> and
-	<filename>/dev/kmem</filename>
-	to worry about.  For that matter, the intruder can still write to
-	raw disk devices.  Also, there is another kernel feature called
-	the module loader, &man.kldload.8;.  An enterprising intruder can
-	use a KLD module to install his own <filename>bpf</filename>
-	device, or other sniffing
-	device, on a running kernel.  To avoid these problems you have to
-	run the kernel at a higher secure level, at least securelevel 1.
-	The securelevel can be set with a <command>sysctl</command> on
-	the <varname>kern.securelevel</varname> variable.  Once you have
-	set the securelevel to 1, write access to raw devices will be
-	denied and special <command>chflags</command> flags,
-	such as <literal>schg</literal>,
-	will be enforced.  You must also ensure that the
-	<literal>schg</literal> flag is set on critical startup binaries,
-	directories, and script files &mdash; everything that gets run up
-	to the point where the securelevel is set.  This might be overdoing
-	it, and upgrading the system is much more difficult when you
-	operate at a higher secure level.  You may compromise and run the
-	system at a higher secure level but not set the
-	<literal>schg</literal> flag for every system file and directory
-	under the sun.  Another possibility is to simply mount
-	<filename>/</filename> and <filename>/usr</filename> read-only.
-	It should be noted that being too Draconian in what you attempt to
-	protect may prevent the all-important detection of an
-	intrusion.</para>
-    </sect2>
-
-    <sect2 xml:id="security-integrity">
-      <title>Checking File Integrity: Binaries, Configuration Files,
-	Etc.</title>
-
-      <para>When it comes right down to it, you can only protect your core
-	system configuration and control files so much before the
-	convenience factor rears its ugly head.  For example, using
-	<command>chflags</command> to set the <literal>schg</literal> bit
-	on most of the files in <filename>/</filename> and
-	<filename>/usr</filename> is probably counterproductive, because
-	while it may protect the files, it also closes a detection window.
-	The last layer of your security onion is perhaps the most
-	important &mdash; detection.  The rest of your security is pretty
-	much useless (or, worse, presents you with a false sense of
-	safety) if you cannot detect potential incursions.  Half the job
-	of the onion is to slow down the attacker, rather than stop him, in
-	order to give the detection side of the equation a chance to catch
-	him in the act.</para>
-
-      <para>The best way to detect an incursion is to look for modified,
-	missing, or unexpected files.  The best way to look for modified
-	files is from another (often centralized) limited-access system.
-	Writing your security scripts on the extra-secure limited-access
-	system makes them mostly invisible to potential attackers, and this
-	is important.  In order to take maximum advantage you generally
-	have to give the limited-access box significant access to the
-	other machines in the business, usually either by doing a
-	read-only NFS export of the other machines to the limited-access
-	box, or by setting up ssh key-pairs to
-	allow the limited-access box to ssh to
-	the other machines.  Except for its network traffic, NFS is the
-	least visible method &mdash; allowing you to monitor the
-	file systems on each client box virtually undetected.  If your
-	limited-access server is connected to the client boxes through a
-	switch, the NFS method is often the better choice.  If your
-	limited-access server is connected to the client boxes through a
-	hub, or through several layers of routing, the NFS method may be
-	too insecure (network-wise) and using
-	ssh may be the better choice even with
-	the audit-trail tracks that ssh
-	lays.</para>
-
-      <para>Once you give a limited-access box, at least read access to the
-	client systems it is supposed to monitor, you must write scripts
-	to do the actual monitoring.  Given an NFS mount, you can write
-	scripts out of simple system utilities such as &man.find.1; and
-	&man.md5.1;.  It is best to physically md5 the client-box files
-	at least once a day, and to test control files such as those
-	found in <filename>/etc</filename> and
-	<filename>/usr/local/etc</filename> even more often.  When
-	mismatches are found, relative to the base md5 information the
-	limited-access machine knows is valid, it should scream at a
-	sysadmin to go check it out.  A good security script will also
-	check for inappropriate suid binaries and for new or deleted files
-	on system partitions such as <filename>/</filename> and
-	<filename>/usr</filename>.</para>
-
-      <para>When using ssh rather than NFS,
-	writing the security script is much more difficult.   You
-	essentially have to <command>scp</command> the scripts to the client
-	box in order to
-	run them, making them visible, and for safety you also need to
-	<command>scp</command> the binaries (such as find) that those
-	scripts use.  The <application>ssh</application> client on the
-	client box may already be compromised.  All in all, using
-	ssh may be necessary when running over
-	insecure links, but it is also a lot harder to deal with.</para>
-
-      <para>A good security script will also check for changes to user and
-	staff members access configuration files:
-	<filename>.rhosts</filename>, <filename>.shosts</filename>,
-	<filename>.ssh/authorized_keys</filename> and so forth&hellip;
-	files that might fall outside the purview of the
-	<literal>MD5</literal> check.</para>
-
-      <para>If you have a huge amount of user disk space, it may take too
-	long to run through every file on those partitions.  In this case,
-	setting mount flags to disallow suid binaries and devices on those
-	partitions is a good idea.  The <literal>nodev</literal> and
-	<literal>nosuid</literal> options (see &man.mount.8;) are what you
-	want to look into.  You should probably scan them anyway, at least
-	once a week, since the object of this layer is to detect a break-in
-	whether or not the break-in is effective.</para>
-
-      <para>Process accounting (see &man.accton.8;) is a relatively
-	low-overhead feature of the operating system which might help
-	as a post-break-in evaluation mechanism.  It is especially
-	useful in tracking down how an intruder has actually broken into
-	a system, assuming the file is still intact after the break-in
-	occurs.</para>
-
-      <para>Finally, security scripts should process the log files, and the
-	logs themselves should be generated in as secure a manner as
-	possible &mdash; remote syslog can be very useful.  An intruder
-	tries to cover his tracks, and log files are critical to the
-	sysadmin trying to track down the time and method of the initial
-	break-in.  One way to keep a permanent record of the log files is
-	to run the system console to a serial port and collect the
-	information on a continuing basis through a secure machine
-	monitoring the consoles.</para>
-    </sect2>
-
-    <sect2>
-      <title>Paranoia</title>
-
-      <para>A little paranoia never hurts.  As a rule, a sysadmin can add
-	any number of security features, as long as they do not affect
-	convenience, and can add security features that
-	<emphasis>do</emphasis> affect convenience with some added thought.
-	Even more importantly, a security administrator should mix it up a
-	bit &mdash; if you use recommendations such as those given by this
-	document verbatim, you give away your methodologies to the
-	prospective attacker who also has access to this document.</para>
-    </sect2>
-
-    <sect2>
-      <title>DoS(Denial of Service)服務阻斷攻擊</title>
-      <indexterm><primary>Denial of Service (DoS)</primary></indexterm>
-
-      <para>這一節將介紹服務阻斷攻擊。 DoS 攻擊通常是以封包的方式進行攻擊，
-	儘管幾乎沒有任何辦法來阻止大量的偽造封包耗盡網路資源，
-	但通常可以透過一些方式來降低這類攻擊的損害，使它們無法擊垮伺服器。</para>
-
-      <orderedlist>
-	<listitem>
-	  <para>Limiting server forks.</para>
-	</listitem>
-
-	<listitem>
-	  <para>Limiting springboard attacks (ICMP response 攻擊，ping
-	    broadcast等等)</para>
-	</listitem>
-
-	<listitem>
-	  <para>Kernel Route Cache.</para>
-	</listitem>
-      </orderedlist>
-
-      <para>A common DoS attack is against a forking server that attempts
-	to cause the server to eat processes, file descriptors, and memory,
-	until the machine dies.  <application>inetd</application>
-	(see &man.inetd.8;) has several
-	options to limit this sort of attack.  It should be noted that
-	while it is possible to prevent a machine from going down, it is
-	not generally possible to prevent a service from being disrupted
-	by the attack.  Read the <application>inetd</application> manual
-	page carefully and pay
-	specific attention to the <option>-c</option>, <option>-C</option>,
-	and <option>-R</option> options.  Note that spoofed-IP attacks
-	will circumvent the <option>-C</option> option to
-	<application>inetd</application>, so
-	typically a combination of options must be used.  Some standalone
-	servers have self-fork-limitation parameters.</para>
-
-      <para><application>Sendmail</application> has its
-	<option>-OMaxDaemonChildren</option> option, which tends to work
-	much better than trying to use sendmail's load limiting options
-	due to the load lag.  You should specify a
-	<literal>MaxDaemonChildren</literal> parameter, when you start
-	<application>sendmail</application>, high enough to handle your
-	expected load, but not so high that the computer cannot handle that
-	number of <application>sendmails</application> without falling on
-	its face.  It is also prudent to run sendmail in queued mode
-	(<option>-ODeliveryMode=queued</option>) and to run the daemon
-	(<command>sendmail -bd</command>) separate from the queue-runs
-	(<command>sendmail -q15m</command>).  If you still want real-time
-	delivery you can run the queue at a much lower interval, such as
-	<option>-q1m</option>, but be sure to specify a reasonable
-	<literal>MaxDaemonChildren</literal> option for
-	<emphasis>that</emphasis> sendmail to prevent cascade failures.</para>
-
-      <para><application>Syslogd</application> can be attacked directly
-	and it is strongly recommended that you use the <option>-s</option>
-	option whenever possible, and the <option>-a</option> option
-	otherwise.</para>
-
-      <para>You should also be fairly careful with connect-back services
-	such as <application>TCP Wrapper</application>'s reverse-identd,
-	which can be attacked directly.  You generally do not want to use
-	the reverse-ident feature of
-	<application>TCP Wrapper</application> for this reason.</para>
-
-      <para>It is a very good idea to protect internal services from
-	external access by firewalling them off at your border routers.
-	The idea here is to prevent saturation attacks from outside your
-	LAN, not so much to protect internal services from network-based
-	<systemitem class="username">root</systemitem> compromise.
-	Always configure an exclusive firewall, i.e.,
-	<quote>firewall everything <emphasis>except</emphasis> ports A, B,
-	C, D, and M-Z</quote>.  This way you can firewall off all of your
-	low ports except for certain specific services such as
-	<application>named</application> (if you are primary for a zone),
-	<application>ntalkd</application>,
-	<application>sendmail</application>, and other Internet-accessible
-	services.  If you try to configure the firewall the other way
-	&mdash; as an inclusive or permissive firewall, there is a good
-	chance that you will forget to <quote>close</quote> a couple of
-	services, or that you will add a new internal service and forget
-	to update the firewall.  You can still open up the high-numbered
-	port range on the firewall, to allow permissive-like operation,
-	without compromising your low ports.  Also take note that &os;
-	allows you to control the range of port numbers used for dynamic
-	binding, via the various <varname>net.inet.ip.portrange</varname>
-	<command>sysctl</command>'s (<command>sysctl -a | fgrep
-	portrange</command>), which can also ease the complexity of your
-	firewall's configuration.  For example, you might use a normal
-	first/last range of 4000 to 5000, and a hiport range of 49152 to
-	65535, then block off everything under 4000 in your firewall
-	(except for certain specific Internet-accessible ports, of
-	course).</para>
-
-      <para>Another common DoS attack is called a springboard attack
-	&mdash; to attack a server in a manner that causes the server to
-	generate responses which overloads the server, the local
-	network, or some other machine.  The most common attack of this
-	nature is the <emphasis>ICMP ping broadcast attack</emphasis>.
-	The attacker spoofs ping packets sent to your LAN's broadcast
-	address with the source IP address set to the actual machine they
-	wish to attack.  If your border routers are not configured to
-	stomp on ping's to broadcast addresses, your LAN winds up
-	generating sufficient responses to the spoofed source address to
-	saturate the victim, especially when the attacker uses the same
-	trick on several dozen broadcast addresses over several dozen
-	different networks at once.  Broadcast attacks of over a hundred
-	and twenty megabits have been measured.  A second common
-	springboard attack is against the ICMP error reporting system.
-	By constructing packets that generate ICMP error responses, an
-	attacker can saturate a server's incoming network and cause the
-	server to saturate its outgoing network with ICMP responses.  This
-	type of attack can also crash the server by running it out of
-	mbuf's, especially if the server cannot drain the ICMP responses
-	it generates fast enough.  &os; 4.X kernels have a kernel
-	compile option called <option>ICMP_BANDLIM</option>
-	which limits the effectiveness
-	of these sorts of attacks.
-	Later kernels use the <application>sysctl</application>
-	variable <literal>net.inet.icmp.icmplim</literal>.
-	The last major class of springboard
-	attacks is related to certain internal
-	<application>inetd</application> services such as the
-	udp echo service.  An attacker simply spoofs a UDP packet with the
-	source address being server A's echo port, and the destination
-	address being server B's echo port, where server A and B are both
-	on your LAN.  The two servers then bounce this one packet back and
-	forth between each other.  The attacker can overload both servers
-	and their LANs simply by injecting a few packets in this manner.
-	Similar problems exist with the internal
-	<application>chargen</application> port.  A
-	competent sysadmin will turn off all of these inetd-internal test
-	services.</para>
-
-      <para>Spoofed packet attacks may also be used to overload the kernel
-	route cache.  Refer to the <varname>net.inet.ip.rtexpire</varname>,
-	<varname>rtminexpire</varname>, and <varname>rtmaxcache</varname>
-	<command>sysctl</command> parameters.  A spoofed packet attack
-	that uses a random source IP will cause the kernel to generate a
-	temporary cached route in the route table, viewable with
-	<command>netstat -rna | fgrep W3</command>.  These routes
-	typically timeout in 1600 seconds or so.  If the kernel detects
-	that the cached route table has gotten too big it will dynamically
-	reduce the <varname>rtexpire</varname> but will never decrease it
-	to less than <varname>rtminexpire</varname>.  There are two
-	problems:</para>
-
-      <orderedlist>
-	<listitem>
-	  <para>The kernel does not react quickly enough when a lightly
-	    loaded server is suddenly attacked.</para>
-	</listitem>
-
-	<listitem>
-	  <para>The <varname>rtminexpire</varname> is not low enough for
-	    the kernel to survive a sustained attack.</para>
-	</listitem>
-      </orderedlist>
-
-      <para>If your servers are connected to the Internet via a T3 or
-        better, it may be prudent to manually override both
-	<varname>rtexpire</varname> and <varname>rtminexpire</varname>
-	via &man.sysctl.8;.  Never set either parameter to zero (unless
-	you want to crash the machine).  Setting both
-	parameters to 2 seconds should be sufficient to protect the route
-	table from attack.</para>
-    </sect2>
-
-    <sect2>
-      <title>Access Issues with Kerberos and SSH</title>
-      <indexterm><primary><command>ssh</command></primary></indexterm>
-      <indexterm><primary>KerberosIV</primary></indexterm>
-
-      <para>There are a few issues with both Kerberos and
-	ssh that need to be addressed if
-	you intend to use them.  Kerberos V is an excellent
-	authentication protocol, but there are bugs in the kerberized
-	<application>telnet</application> and
-	<application>rlogin</application> applications that make them
-	unsuitable for dealing with binary streams.  Also, by default
-	Kerberos does not encrypt a session unless you use the
-	<option>-x</option> option.  <application>ssh</application>
-	encrypts everything by default.</para>
-
-      <para>ssh works quite well in every
-	respect except that it forwards encryption keys by default.  What
-	this means is that if you have a secure workstation holding keys
-	that give you access to the rest of the system, and you
-	ssh to an insecure machine, your keys
-	are usable.  The actual keys themselves are not exposed, but
-	ssh installs a forwarding port for the
-	duration of your login, and if an attacker has broken
-	<systemitem class="username">root</systemitem> on the
-	insecure machine he can utilize that port to use your keys to gain
-	access to any other machine that your keys unlock.</para>
-
-      <para>We recommend that you use ssh in
-	combination with Kerberos whenever possible for staff logins.
-	<application>ssh</application> can be compiled with Kerberos
-	support.  This reduces your reliance on potentially exposed
-	ssh keys while at the same time
-	protecting passwords via Kerberos.  ssh
-	keys should only be used for automated tasks from secure machines
-	(something that Kerberos is unsuited to do).  We also recommend that
-	you either turn off key-forwarding in the
-	ssh configuration, or that you make use
-	of the <literal>from=IP/DOMAIN</literal> option that
-	ssh allows in its
-	<filename>authorized_keys</filename> file to make the key only
-	usable to entities logging in from specific machines.</para>
-    </sect2>
-  </sect1>
-
-  <sect1 xml:id="crypt">
-    <info><title>DES, MD5, and Crypt</title>
-      <authorgroup>
-	<author><personname><firstname>Bill</firstname><surname>Swingle</surname></personname><contrib>Parts rewritten and updated by </contrib></author>
-      </authorgroup>
-      
-    </info>
-
-    
-    <indexterm>
-      <primary>security</primary>
-      <secondary>crypt</secondary>
-    </indexterm>
-
-    <indexterm><primary>crypt</primary></indexterm>
-    <indexterm><primary>DES</primary></indexterm>
-    <indexterm><primary>MD5</primary></indexterm>
-
-    <para>Every user on a &unix; system has a password associated with
-      their account.  It seems obvious that these passwords need to be
-      known only to the user and the actual operating system.  In
-      order to keep these passwords secret, they are encrypted with
-      what is known as a <quote>one-way hash</quote>, that is, they can
-      only be easily encrypted but not decrypted.  In other words, what
-      we told you a moment ago was obvious is not even true:  the
-      operating system itself does not <emphasis>really</emphasis> know
-      the password.  It only knows the <emphasis>encrypted</emphasis>
-      form of the password.  The only way to get the
-      <quote>plain-text</quote> password is by a brute force search of the
-      space of possible passwords.</para>
-
-    <para>Unfortunately the only secure way to encrypt passwords when
-      &unix; came into being was based on DES, the Data Encryption
-      Standard.  This was not such a problem for users resident in
-      the US, but since the source code for DES could not be exported
-      outside the US, &os; had to find a way to both comply with
-      US law and retain compatibility with all the other &unix;
-      variants that still used DES.</para>
-
-    <para>The solution was to divide up the encryption libraries
-      so that US users could install the DES libraries and use
-      DES but international users still had an encryption method
-      that could be exported abroad.  This is how &os; came to
-      use MD5 as its default encryption method.  MD5 is believed to
-      be more secure than DES, so installing DES is offered primarily
-      for compatibility reasons.</para>
-
-    <sect2>
-      <title>Recognizing Your Crypt Mechanism</title>
+      </note>
 
-      <para>Before &os;&nbsp;4.4 <filename>libcrypt.a</filename> was a
-	symbolic link pointing to the library which was used for
-	encryption. &os;&nbsp;4.4 changed <filename>libcrypt.a</filename> to
-	provide a configurable password authentication hash library.
-	Currently the library supports DES, MD5 and Blowfish hash
-	functions.  By default &os; uses MD5 to encrypt
-	passwords.</para>
-
-      <para>It is pretty easy to identify which encryption method
-	&os; is set up to use.  Examining the encrypted passwords in
-	the <filename>/etc/master.passwd</filename> file is one way.
-	Passwords encrypted with the MD5 hash are longer than those
-	encrypted with the DES hash and also begin with the characters
-	<literal>&dollar;1&dollar;</literal>.  Passwords starting with
-	<literal>&dollar;2a&dollar;</literal> are encrypted with the
-	Blowfish hash function.  DES password strings do not
-	have any particular identifying characteristics, but they are
-	shorter than MD5 passwords, and are coded in a 64-character
-	alphabet which does not include the <literal>&dollar;</literal>
-	character, so a relatively short string which does not begin with
-	a dollar sign is very likely a DES password.</para>
-
-      <para>The password format used for new passwords is controlled
-	by the <literal>passwd_format</literal> login capability in
-	<filename>/etc/login.conf</filename>, which takes values of
-	<literal>des</literal>, <literal>md5</literal> or
-	<literal>blf</literal>.  See the &man.login.conf.5; manual page
-	for more information about login capabilities.</para>
+      <para>By default, the &os; kernel boots with a security level of
+	<literal>-1</literal>.  This is called <quote>insecure
+	  mode</quote> because immutable file flags may be turned off
+	and all devices may be read from or written to.  The security
+	level will remain at <literal>-1</literal> unless it is
+	altered through <command>sysctl</command> or by a setting in
+	the startup scripts.  The security level may be increased
+	during system startup by setting
+	<varname>kern_securelevel_enable</varname> to
+	<literal>YES</literal> in <filename>/etc/rc.conf</filename>,
+	and the value of <varname>kern_securelevel</varname> to the
+	desired security level.  See &man.security.7; and &man.init.8;
+	for more information on these settings and the available
+	security levels.</para>
+
+      <warning>
+	<para>Increasing the <varname>securelevel</varname> can break
+	  <application>Xorg</application> and cause other issues.  Be
+	  prepared to do some debugging.</para>
+      </warning>
+
+      <para>The <varname>net.inet.tcp.blackhole</varname> and
+	<varname>net.inet.udp.blackhole</varname> settings can be used
+	to drop incoming <acronym>SYN</acronym> packets on closed
+	ports without sending a return <acronym>RST</acronym>
+	response.  The default behavior is to return an
+	<acronym>RST</acronym> to show a port is closed.  Changing the
+	default provides some level of protection against ports scans,
+	which are used to determine which applications are running on
+	a system.  Set <varname>net.inet.tcp.blackhole</varname> to
+	<literal>2</literal> and
+	<varname>net.inet.udp.blackhole</varname> to
+	<literal>1</literal>.  Refer to &man.blackhole.4; for more
+	information about these settings.</para>
+
+      <para>The <varname>net.inet.icmp.drop_redirect</varname> and
+	<varname>net.inet.ip.redirect</varname> settings help prevent
+	against <firstterm>redirect attacks</firstterm>.  A redirect
+	attack is a type of <acronym>DoS</acronym> which sends mass
+	numbers of <acronym>ICMP</acronym> type 5 packets.  Since
+	these packets are not required, set
+	<varname>net.inet.icmp.drop_redirect</varname> to
+	<literal>1</literal> and set
+	<varname>net.inet.ip.redirect</varname> to
+	<literal>0</literal>.</para>
+
+      <para>Source routing is a method for detecting and accessing
+	non-routable addresses on the internal network.  This should
+	be disabled as non-routable addresses are normally not
+	routable on purpose.  To disable this feature, set
+	<varname>net.inet.ip.sourceroute</varname> and
+	<varname>net.inet.ip.accept_sourceroute</varname> to
+	<literal>0</literal>.</para>
+
+      <para>When a machine on the network needs to send messages to
+	all hosts on a subnet, an <acronym>ICMP</acronym> echo request
+	message is sent to the broadcast address.  However, there is
+	no reason for an external host to perform such an action.  To
+	reject all external broadcast requests, set
+	<varname>net.inet.icmp.bmcastecho </varname> to
+	<literal>0</literal>.</para>
 
+      <para>Some additional settings are documented in
+	&man.security.7;.</para>
     </sect2>
   </sect1>
 
   <sect1 xml:id="one-time-passwords">
     <title>One-time Passwords</title>
+
     <indexterm><primary>one-time passwords</primary></indexterm>
     <indexterm>
       <primary>security</primary>
       <secondary>one-time passwords</secondary>
     </indexterm>
 
-    <para>S/Key is a one-time password scheme based on a one-way hash
-      function.  &os; uses the MD4 hash for compatibility but other
-      systems have used MD5 and DES-MAC.  S/Key has been part of the
-      &os; base system since version 1.1.5 and is also used on a
-      growing number of other operating systems.  S/Key is a registered
-      trademark of Bell Communications Research, Inc.</para>
-
-    <para>From version 5.0 of &os;, S/Key has been replaced with
-      the functionally equivalent OPIE (One-time Passwords In
-      Everything).  OPIE uses the MD5 hash by default.</para>
-
-    <para>There are three different sorts of passwords which we will discuss
-      below.  The first is your usual &unix; style or
-      Kerberos password; we will call this a <quote>&unix; password</quote>.
-      The second sort is the one-time password which is generated by the
-      S/Key <command>key</command> program or the OPIE
-      &man.opiekey.1; program and accepted by the
-      <command>keyinit</command> or &man.opiepasswd.1; programs
-      and the login prompt; we will
-      call this a <quote>one-time password</quote>.  The final sort of
-      password is the secret password which you give to the
-      <command>key</command>/<command>opiekey</command> programs (and
-      sometimes the
-      <command>keyinit</command>/<command>opiepasswd</command> programs)
-      which it uses to generate
-      one-time passwords; we will call it a <quote>secret password</quote>
-      or just unqualified <quote>password</quote>.</para>
-
-    <para>The secret password does not have anything to do with your &unix;
-      password; they can be the same but this is not recommended.  S/Key
-      and OPIE secret passwords are not limited to 8 characters like old
-      &unix; passwords<footnote><para>Under &os; the standard login
-      password may be up to 128 characters in length.</para></footnote>,
-      they can be as long as you like.  Passwords of six or
-      seven word long phrases are fairly common.  For the most part, the
-      S/Key or OPIE system operates completely independently of the &unix;
-      password system.</para>
-
-    <para>Besides the password, there are two other pieces of data that
-      are important to S/Key and OPIE.  One is what is known as the
-      <quote>seed</quote> or <quote>key</quote>, consisting of two letters
-      and five digits.  The other is what is called the <quote>iteration
-      count</quote>, a number between 1 and 100.  S/Key creates the
-      one-time password by concatenating the seed and the secret password,
-      then applying the MD4/MD5 hash as many times as specified by the
-      iteration count and turning the result into six short English words.
-      These six English words are your one-time password.  The
-      authentication system (primarily PAM) keeps
-      track of the last one-time password used, and the user is
-      authenticated if the hash of the user-provided password is equal to
-      the previous password.  Because a one-way hash is used it is
-      impossible to generate future one-time passwords if a successfully
-      used password is captured; the iteration count is decremented after
-      each successful login to keep the user and the login program in
-      sync.  When the iteration count gets down to 1, S/Key and OPIE must be
-      reinitialized.</para>
-
-    <para>There are three programs involved in each system
-      which we will discuss below.  The <command>key</command> and
-      <command>opiekey</command> programs accept an iteration
-      count, a seed, and a secret password, and generate a one-time
-      password or a consecutive list of one-time passwords.  The
-      <command>keyinit</command> and <command>opiepasswd</command>
-      programs are used to initialize S/Key and OPIE respectively,
-      and to change passwords, iteration counts, or seeds; they
-      take either a secret passphrase, or an iteration count,
-      seed, and one-time password.  The <command>keyinfo</command>
-      and <command>opieinfo</command> programs examine the
-      relevant credentials files (<filename>/etc/skeykeys</filename> or
-      <filename>/etc/opiekeys</filename>) and print out the invoking user's
-      current iteration count and seed.</para>
-
-    <para>There are four different sorts of operations we will cover.  The
-      first is using <command>keyinit</command> or
-      <command>opiepasswd</command> over a secure connection to set up
-      one-time-passwords for the first time,  or to change your password
-      or seed.  The second operation is using <command>keyinit</command>
-      or <command>opiepasswd</command> over an insecure connection, in
-      conjunction with <command>key</command> or <command>opiekey</command>
-      over a secure connection,  to do the same.  The third is using
-      <command>key</command>/<command>opiekey</command> to log in over
-      an insecure connection.  The fourth is using <command>key</command>
-      or <command>opiekey</command> to generate a number of keys which
-      can be written down or printed out to carry with you when going to
-      some location without secure connections to anywhere.</para>
+    <para>By default, &os; includes support for One-time Passwords In
+      Everything (<acronym>OPIE</acronym>).  <acronym>OPIE</acronym>
+      is designed to prevent replay attacks, in which an attacker
+      discovers a user's password and uses it to access a system.
+      Since a password is only used once in <acronym>OPIE</acronym>, a
+      discovered password is of little use to an attacker.
+      <acronym>OPIE</acronym> uses a secure hash and a
+      challenge/response system to manage passwords.  The &os;
+      implementation uses the <acronym>MD5</acronym> hash by
+      default.</para>
+
+    <para><acronym>OPIE</acronym> uses three different types of
+      passwords.  The first is the usual &unix; or Kerberos password.
+      The second is the one-time password which is generated by
+      <command>opiekey</command>.  The third type of password is the
+      <quote>secret password</quote> which is used to generate
+      one-time passwords.  The secret password has nothing to do with,
+      and should be different from, the &unix; password.</para>
+
+    <para>There are two other pieces of data that are important to
+      <acronym>OPIE</acronym>.  One is the <quote>seed</quote> or
+      <quote>key</quote>, consisting of two letters and five digits.
+      The other is the <quote>iteration count</quote>, a number
+      between 1 and 100.  <acronym>OPIE</acronym> creates the one-time
+      password by concatenating the seed and the secret password,
+      applying the <acronym>MD5</acronym> hash as many times as
+      specified by the iteration count, and turning the result into
+      six short English words which represent the one-time password.
+      The authentication system keeps track of the last one-time
+      password used, and the user is authenticated if the hash of the
+      user-provided password is equal to the previous password.
+      Because a one-way hash is used, it is impossible to generate
+      future one-time passwords if a successfully used password is
+      captured.  The iteration count is decremented after each
+      successful login to keep the user and the login program in sync.
+      When the iteration count gets down to <literal>1</literal>,
+      <acronym>OPIE</acronym> must be reinitialized.</para>
+
+    <para>There are a few programs involved in this process.  A
+      one-time password, or a consecutive list of one-time passwords,
+      is generated by passing an iteration count, a seed, and a secret
+      password to &man.opiekey.1;.  In addition to initializing
+      <acronym>OPIE</acronym>, &man.opiepasswd.1; is used to change
+      passwords, iteration counts, or seeds.  The relevant credential
+      files in <filename>/etc/opiekeys</filename> are examined by
+      &man.opieinfo.1; which prints out the invoking user's current
+      iteration count and seed.</para>
+
+    <para>This section describes four different sorts of operations.
+      The first is how to set up one-time-passwords for the first time
+      over a secure connection.  The second is how to use
+      <command>opiepasswd</command> over an insecure connection.  The
+      third is how to log in over an insecure connection.  The fourth
+      is how to generate a number of keys which can be written down or
+      printed out to use at insecure locations.</para>
 
     <sect2>
-      <title>Secure Connection Initialization</title>
-
-      <para>To initialize S/Key for the first time, change your password,
-	or change your seed while logged in over a secure connection
-	(e.g. on the console of a machine or via <application>ssh</application>), use the
-	<command>keyinit</command> command without any parameters while
-	logged in as yourself:</para>
-
-      <screen>&prompt.user; <userinput>keyinit</userinput>
-Adding unfurl:
-Reminder - Only use this method if you are directly connected.
-If you are using telnet or rlogin exit with no password and use keyinit -s.
-Enter secret password:
-Again secret password:
-
-ID unfurl s/key is 99 to17757
-DEFY CLUB PRO NASH LACE SOFT</screen>
+      <title>Initializing <acronym>OPIE</acronym></title>
 
-      <para>For OPIE, <command>opiepasswd</command> is used instead:</para>
+      <para>To initialize <acronym>OPIE</acronym> for the first time,
+	run this command from a secure location:</para>
 
       <screen>&prompt.user; <userinput>opiepasswd -c</userinput>
 [grimreaper] ~ $ opiepasswd -f -c
@@ -1163,111 +729,82 @@
 Using MD5 to compute responses.
 Enter new secret pass phrase:
 Again new secret pass phrase:
+
 ID unfurl OTP key is 499 to4268
-MOS MALL GOAT ARM AVID COED
-</screen>
+MOS MALL GOAT ARM AVID COED</screen>
 
-      <para>At the <prompt>Enter new secret pass phrase:</prompt> or
-        <prompt>Enter secret password:</prompt> prompts, you
-	should enter a password or phrase.  Remember, this is not the
-	password that you will use to login with, this is used to generate
-	your one-time login keys.  The <quote>ID</quote> line gives the
-	parameters of your particular instance: your login name, the
-        iteration count, and seed.  When logging in the system
-	will remember these parameters and present them back to you so you
-	do not have to remember them.  The last line gives the particular
-	one-time password which corresponds to those parameters and your
-	secret password; if you were to re-login immediately, this
-	one-time password is the one you would use.</para>
+      <para>The <option>-c</option> sets console mode which assumes
+	that the command is being run from a secure location, such as
+	a computer under the user's control or a
+	<acronym>SSH</acronym> session to a computer under the user's
+	control.</para>
+
+      <para>When prompted, enter the secret password which will be
+	used to generate the one-time login keys.  This password
+	should be difficult to guess and should be different than the
+	password which is associated with the user's login account.
+	It must be between 10 and 127 characters long.  Remember this
+	password.</para>
+
+      <para>The <literal>ID</literal> line lists the login name
+	(<literal>unfurl</literal>), default iteration count
+	(<literal>499</literal>), and default seed
+	(<literal>to4268</literal>).  When logging in, the system will
+	remember these parameters and display them, meaning that they
+	do not have to be memorized.  The last line lists the
+	generated one-time password which corresponds to those
+	parameters and the secret password.  At the next login, use
+	this one-time password.</para>
     </sect2>
 
     <sect2>
       <title>Insecure Connection Initialization</title>
 
-      <para>To initialize or change your secret password over an
-	insecure connection, you will need to already have a secure
-	connection to some place where you can run <command>key</command>
-        or <command>opiekey</command>; this might be in the form of a
-	desk accessory on a &macintosh;, or a shell prompt on a machine you
-	trust.  You will also need to make up an iteration count (100 is
-	probably a good value), and you may make up your own seed or use a
-	randomly-generated one.  Over on the insecure connection (to the
-	machine you are initializing), use the <command>keyinit
-	-s</command> command:</para>
-
-      <screen>&prompt.user; <userinput>keyinit -s</userinput>
-Updating unfurl:
-Old key: to17758
-Reminder you need the 6 English words from the key command.
-Enter sequence count from 1 to 9999: <userinput>100</userinput>
-Enter new key [default to17759]:
-s/key 100 to 17759
-s/key access password:
-s/key access password:<userinput>CURE MIKE BANE HIM RACY GORE</userinput>
-</screen>
-
-      <para>For OPIE, you need to use <command>opiepasswd</command>:</para>
+      <para>To initialize or change the secret password on an
+	insecure system, a secure connection is needed to some place
+	where <command>opiekey</command> can be run.  This might be a
+	shell prompt on a trusted machine.  An iteration count is
+	needed, where 100 is probably a good value, and the seed can
+	either be specified or the randomly-generated one used.  On
+	the insecure connection, the machine being initialized, use
+	&man.opiepasswd.1;:</para>
 
       <screen>&prompt.user; <userinput>opiepasswd</userinput>
 
 Updating unfurl:
 You need the response from an OTP generator.
 Old secret pass phrase:
-        otp-md5 498 to4268 ext
-        Response: GAME GAG WELT OUT DOWN CHAT
+	otp-md5 498 to4268 ext
+	Response: GAME GAG WELT OUT DOWN CHAT
 New secret pass phrase:
-        otp-md5 499 to4269
-        Response: LINE PAP MILK NELL BUOY TROY
+	otp-md5 499 to4269
+	Response: LINE PAP MILK NELL BUOY TROY
 
 ID mark OTP key is 499 gr4269
-LINE PAP MILK NELL BUOY TROY
-</screen>
+LINE PAP MILK NELL BUOY TROY</screen>
 
-      <para>To accept the default seed (which the
-	<command>keyinit</command> program confusingly calls a
-	<literal>key</literal>), press <keycap>Return</keycap>.
-	Then before entering an
-	access password, move over to your secure connection or S/Key desk
-	accessory, and give it the same parameters:</para>
-
-      <screen>&prompt.user; <userinput>key 100 to17759</userinput>
-Reminder - Do not use this program while logged in via telnet or rlogin.
-Enter secret password: <userinput>&lt;secret password&gt;</userinput>
-CURE MIKE BANE HIM RACY GORE</screen>
-
-      <para>Or for OPIE:</para>
+      <para>To accept the default seed, press <keycap>Return</keycap>.
+	Before entering an access password, move over to the secure
+	connection and give it the same parameters:</para>
 
       <screen>&prompt.user; <userinput>opiekey 498 to4268</userinput>
 Using the MD5 algorithm to compute response.
-Reminder: Don't use opiekey from telnet or dial-in sessions.
+Reminder: Do not use opiekey from telnet or dial-in sessions.
 Enter secret pass phrase:
-GAME GAG WELT OUT DOWN CHAT
-</screen>
+GAME GAG WELT OUT DOWN CHAT</screen>
 
-      <para>Now switch back over to the insecure connection, and copy the
-	one-time password generated over to the relevant program.</para>
+      <para>Switch back over to the insecure connection, and copy the
+	generated one-time password over to the relevant
+	program.</para>
     </sect2>
 
     <sect2>
       <title>Generating a Single One-time Password</title>
 
-      <para>Once you have initialized S/Key or OPIE, when you login you will be
-	presented with a prompt like this:</para>
-
-<screen>&prompt.user; <userinput>telnet example.com</userinput>
-Trying 10.0.0.1...
-Connected to example.com
-Escape character is '^]'.
-
-FreeBSD/i386 (example.com) (ttypa)
-
-login: <userinput>&lt;username&gt;</userinput>
-s/key 97 fw13894
-Password: </screen>
-
-      <para>Or for OPIE:</para>
+      <para>After initializing <acronym>OPIE</acronym> and logging in,
+	a prompt like this will be displayed:</para>
 
-<screen>&prompt.user; <userinput>telnet example.com</userinput>
+      <screen>&prompt.user; <userinput>telnet example.com</userinput>
 Trying 10.0.0.1...
 Connected to example.com
 Escape character is '^]'.
@@ -1278,77 +815,47 @@
 otp-md5 498 gr4269 ext
 Password: </screen>
 
-      <para>As a side note, the S/Key and OPIE prompts have a useful feature
-	(not shown here): if you press <keycap>Return</keycap>
-	at the password prompt, the
-	prompter will turn echo on, so you can see what you are
-	typing.  This can be extremely useful if you are attempting to
-	type in a password by hand, such as from a printout.</para>
+      <para>The <acronym>OPIE</acronym> prompts provides a useful
+	feature.  If <keycap>Return</keycap> is pressed at the
+	password prompt, the prompt will turn echo on and display
+	what is typed.  This can be useful when attempting to type in
+	a password by hand from a printout.</para>
 
       <indexterm><primary>MS-DOS</primary></indexterm>
       <indexterm><primary>Windows</primary></indexterm>
       <indexterm><primary>MacOS</primary></indexterm>
 
-      <para>At this point you need to generate your one-time password to
-	answer this login prompt.  This must be done on a trusted system
-	that you can run <command>key</command> or
-        <command>opiekey</command> on.  (There are versions of these for DOS,
-	&windows; and &macos; as well.) They need both the iteration count and
-	the seed as command line options.  You can cut-and-paste these
-        right from the login prompt on the machine that you are logging
-        in to.</para>
+      <para>At this point, generate the one-time password to answer
+	this login prompt.  This must be done on a trusted system
+	where it is safe to run &man.opiekey.1;.  There are versions
+	of this command for &windows;, &macos; and &os;.  This command
+	needs the iteration count and the seed as command line
+	options.  Use cut-and-paste from the login prompt on the
+	machine being logged in to.</para>
 
       <para>On the trusted system:</para>
 
-      <screen>&prompt.user; <userinput>key 97 fw13894</userinput>
-Reminder - Do not use this program while logged in via telnet or rlogin.
-Enter secret password:
-WELD LIP ACTS ENDS ME HAAG</screen>
-
-      <para>For OPIE:</para>
-
       <screen>&prompt.user; <userinput>opiekey 498 to4268</userinput>
 Using the MD5 algorithm to compute response.
-Reminder: Don't use opiekey from telnet or dial-in sessions.
+Reminder: Do not use opiekey from telnet or dial-in sessions.
 Enter secret pass phrase:
 GAME GAG WELT OUT DOWN CHAT</screen>
 
-      <para>Now that you have your one-time password you can continue
-	logging in:</para>
-
-      <screen>login: <userinput>&lt;username&gt;</userinput>
-s/key 97 fw13894
-Password: <userinput>&lt;return to enable echo&gt;</userinput>
-s/key 97 fw13894
-Password [echo on]: WELD LIP ACTS ENDS ME HAAG
-Last login: Tue Mar 21 11:56:41 from 10.0.0.2 ... </screen>
-
+      <para>Once the one-time password is generated, continue to log
+	in.</para>
     </sect2>
 
     <sect2>
       <title>Generating Multiple One-time Passwords</title>
 
-      <para>Sometimes you have to go places where you do not have
-	access to a trusted machine or secure connection.  In this case,
-	it is possible to use the <command>key</command> and
-	<command>opiekey</command> commands to
-	generate a number of one-time passwords beforehand to be printed
-	out and taken with you.  For example:</para>
-
-      <screen>&prompt.user; <userinput>key -n 5 30 zz99999</userinput>
-Reminder - Do not use this program while logged in via telnet or rlogin.
-Enter secret password: <userinput>&lt;secret password&gt;</userinput>
-26: SODA RUDE LEA LIND BUDD SILT
-27: JILT SPY DUTY GLOW COWL ROT
-28: THEM OW COLA RUNT BONG SCOT
-29: COT MASH BARR BRIM NAN FLAG
-30: CAN KNEE CAST NAME FOLK BILK</screen>
-
-      <para>Or for OPIE:</para>
+      <para>Sometimes there is no access to a trusted machine or
+	secure connection.  In this case, it is possible to use
+	&man.opiekey.1; to generate a number of one-time passwords
+	beforehand.  For example:</para>
 
       <screen>&prompt.user; <userinput>opiekey -n 5 30 zz99999</userinput>
 Using the MD5 algorithm to compute response.
-Reminder: Don't use opiekey from telnet or dial-in sessions.
+Reminder: Do not use opiekey from telnet or dial-in sessions.
 Enter secret pass phrase: <userinput>&lt;secret password&gt;</userinput>
 26: JOAN BORE FOSS DES NAY QUIT
 27: LATE BIAS SLAY FOLK MUCH TRIG
@@ -1356,70 +863,27 @@
 29: RIO ODIN GO BYE FURY TIC
 30: GREW JIVE SAN GIRD BOIL PHI</screen>
 
-      <para>The <option>-n 5</option> requests five keys in sequence, the
-	<option>30</option> specifies what the last iteration number
-	should be.  Note that these are printed out in
-	<emphasis>reverse</emphasis> order of eventual use.  If you are
-	really paranoid, you might want to write the results down by hand;
-	otherwise you can cut-and-paste into <command>lpr</command>.  Note
-	that each line shows both the iteration count and the one-time
-	password; you may still find it handy to scratch off passwords as
-	you use them.</para>
+      <para>The <option>-n 5</option> requests five keys in sequence,
+	and <option>30</option> specifies what the last iteration
+	number should be.  Note that these are printed out in
+	<emphasis>reverse</emphasis> order of use.  The really
+	paranoid might want to write the results down by hand;
+	otherwise, print the list.  Each line shows both the iteration
+	count and the one-time password.  Scratch off the passwords as
+	they are used.</para>
     </sect2>
 
     <sect2>
       <title>Restricting Use of &unix; Passwords</title>
 
-      <para>S/Key can place restrictions on the use of &unix; passwords based
-	on the host name, user name, terminal port, or IP address of a
-	login session.  These restrictions can be found in the
-	configuration file <filename>/etc/skey.access</filename>.  The
-	&man.skey.access.5; manual page has more information on the complete
-	format of the file and also details some security cautions to be
-	aware of before depending on this file for security.</para>
-
-      <para>If there is no <filename>/etc/skey.access</filename> file
-	(this is the default on &os;&nbsp;4.X systems), then all users will
-	be allowed to use &unix; passwords.  If the file exists, however,
-	then all users will be required to use S/Key unless explicitly
-	permitted to do otherwise by configuration statements in the
-	<filename>skey.access</filename> file.  In all cases, &unix;
-	passwords are permitted on the console.</para>
-
-      <para>Here is a sample <filename>skey.access</filename> configuration
-	file which illustrates the three most common sorts of configuration
-	statements:</para>
-
-      <programlisting>permit internet 192.168.0.0 255.255.0.0
-permit user fnord
-permit port ttyd0</programlisting>
-
-      <para>The first line (<literal>permit internet</literal>) allows
-	users whose IP source address (which is vulnerable to spoofing)
-	matches the specified value and mask, to use &unix; passwords.  This
-	should not be considered a security mechanism, but rather, a means
-	to remind authorized users that they are using an insecure network
-	and need to use S/Key for authentication.</para>
-
-      <para>The second line (<literal>permit user</literal>) allows the
-	specified username, in this case <systemitem class="username">fnord</systemitem>, to use
-	&unix; passwords at any time.  Generally speaking, this should only
-	be used for people who are either unable to use the
-	<command>key</command> program, like those with dumb terminals, or
-	those who are ineducable.</para>
-
-      <para>The third line (<literal>permit port</literal>) allows all
-	users logging in on the specified terminal line to use &unix;
-	passwords; this would be used for dial-ups.</para>
-
-      <para>OPIE can restrict the use of &unix; passwords based on the IP
-	address of a login session just like S/Key does.  The relevant file
-	is <filename>/etc/opieaccess</filename>, which is present by default
-	on &os;&nbsp;5.0 and newer systems.  Please check &man.opieaccess.5;
-	for more information on this file and which security considerations
-	you should be aware of when using it.</para>
+      <para><acronym>OPIE</acronym> can restrict the use of &unix;
+	passwords based on the IP address of a login session.  The
+	relevant file is <filename>/etc/opieaccess</filename>, which
+	is present by default.  Refer to &man.opieaccess.5; for more
+	information on this file and which security considerations to
+	be aware of when using it.</para>
 
-      <para>Here is a sample <filename>opieaccess</filename> file:</para>
+      <para>Here is a sample <filename>opieaccess</filename>:</para>
 
       <programlisting>permit 192.168.0.0 255.255.0.0</programlisting>
 
@@ -1427,21 +891,22 @@
 	vulnerable to spoofing) matches the specified value and mask,
 	to use &unix; passwords at any time.</para>
 
-      <para>If no rules in <filename>opieaccess</filename> are matched,
-	the default is to deny non-OPIE logins.</para>
-
+      <para>If no rules in <filename>opieaccess</filename> are
+	matched, the default is to deny non-<acronym>OPIE</acronym>
+	logins.</para>
     </sect2>
   </sect1>
 
   <sect1 xml:id="tcpwrappers">
-    <info><title>TCP Wrappers</title>
+    <info>
+      <title>TCP Wrapper</title>
+
       <authorgroup>
-	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by: </contrib></author>
+	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written
+	  by </contrib></author>
       </authorgroup>
     </info>
 
-    
-
     <indexterm><primary>TCP Wrappers</primary></indexterm>
 
     <para>每個熟 &man.inetd.8; 的人幾乎都會聽過 <acronym>TCP</acronym>
@@ -1642,1318 +1107,764 @@
     </sect2>
   </sect1>
 
-  <sect1 xml:id="kerberosIV">
-    <info><title><application>KerberosIV</application></title>
+  <sect1 xml:id="kerberos5">
+    <info>
+      <title><application>Kerberos</application></title>
+
       <authorgroup>
-	<author><personname><firstname>Mark</firstname><surname>Murray</surname></personname><contrib>Contributed by </contrib></author>
+	<author>
+	  <personname>
+	    <firstname>Tillman</firstname>
+	    <surname>Hodgson</surname>
+	  </personname>
+	  <contrib>Contributed by </contrib>
+	</author>
       </authorgroup>
+
       <authorgroup>
-	<author><personname><firstname>Mark</firstname><surname>Dapoz</surname></personname><contrib>Based on a contribution by </contrib></author>
+	<author>
+	  <personname>
+	    <firstname>Mark</firstname>
+	    <surname>Murray</surname>
+	  </personname>
+	  <contrib>Based on a contribution by </contrib>
+	</author>
       </authorgroup>
     </info>
 
-    
-
-    <para>Kerberos is a network add-on system/protocol that allows users to
-      authenticate themselves through the services of a secure server.
-      Services such as remote login, remote copy, secure inter-system file
-      copying and other high-risk tasks are made considerably safer and more
-      controllable.</para>
-
-    <para>The following instructions can be used as a guide on how to set up
-      Kerberos as distributed for &os;. However, you should refer to the
-      relevant manual pages for a complete description.</para>
-
-    <sect2>
-      <title>Installing <application>KerberosIV</application></title>
-
-      <indexterm><primary>MIT</primary></indexterm>
-      <indexterm>
-	<primary>KerberosIV</primary>
-	<secondary>installing</secondary>
-      </indexterm>
-      <para>Kerberos is an optional component of &os;.  The easiest
-        way to install this software is by selecting the <literal>krb4</literal> or
-        <literal>krb5</literal> distribution in <application>sysinstall</application>
-        during the initial installation of &os;. This will install
-        the <quote>eBones</quote> (KerberosIV) or <quote>Heimdal</quote> (Kerberos5)
-        implementation of Kerberos.  These implementations are
-        included because they are developed outside the USA/Canada and
-        were thus available to system owners outside those countries
-        during the era of restrictive export controls on cryptographic
-        code from the USA.</para>
-
-      <para>Alternatively, the MIT implementation of Kerberos is
-        available from the Ports Collection as
-        <package>security/krb5</package>.</para>
-    </sect2>
-
-    <sect2>
-      <title>Creating the Initial Database</title>
-
-      <para>This is done on the Kerberos server only.  First make sure that
-	you do not have any old Kerberos databases around.  You should change
-	to the directory <filename>/etc/kerberosIV</filename> and check that
-	only the following files are present:</para>
-
-      <screen>&prompt.root; <userinput>cd /etc/kerberosIV</userinput>
-&prompt.root; <userinput>ls</userinput>
-README		krb.conf        krb.realms</screen>
-
-      <para>If any additional files (such as <filename>principal.*</filename>
-	or <filename>master_key</filename>) exist, then use the
-	<command>kdb_destroy</command> command to destroy the old Kerberos
-	database, or if Kerberos is not running, simply delete the extra
-	files.</para>
-
-      <para>You should now edit the <filename>krb.conf</filename> and
-	<filename>krb.realms</filename> files to define your Kerberos realm.
-	In this case the realm will be <literal>EXAMPLE.COM</literal> and the
-	server is <systemitem class="fqdomainname">grunt.example.com</systemitem>.  We edit
-	or create the <filename>krb.conf</filename> file:</para>
-
-      <screen>&prompt.root; <userinput>cat krb.conf</userinput>
-EXAMPLE.COM
-EXAMPLE.COM grunt.example.com admin server
-CS.BERKELEY.EDU okeeffe.berkeley.edu
-ATHENA.MIT.EDU kerberos.mit.edu
-ATHENA.MIT.EDU kerberos-1.mit.edu
-ATHENA.MIT.EDU kerberos-2.mit.edu
-ATHENA.MIT.EDU kerberos-3.mit.edu
-LCS.MIT.EDU kerberos.lcs.mit.edu
-TELECOM.MIT.EDU bitsy.mit.edu
-ARC.NASA.GOV trident.arc.nasa.gov</screen>
-
-      <para>In this case, the other realms do not need to be there.  They are
-	here as an example of how a machine may be made aware of multiple
-	realms.  You may wish to not include them for simplicity.</para>
-
-      <para>The first line names the realm in which this system works.  The
-	other lines contain realm/host entries.  The first item on a line is a
-	realm, and the second is a host in that realm that is acting as a
-	<quote>key distribution center</quote>.  The words <literal>admin
-	  server</literal> following a host's name means that host also
-	provides an administrative database server.  For further explanation
-	of these terms, please consult the Kerberos manual pages.</para>
-
-      <para>Now we have to add <systemitem class="fqdomainname">grunt.example.com</systemitem>
-	to the <literal>EXAMPLE.COM</literal> realm and also add an entry to
-	put all hosts in the <systemitem class="fqdomainname">.example.com</systemitem>
-	domain in the <literal>EXAMPLE.COM</literal> realm.  The
-	<filename>krb.realms</filename> file would be updated as
-	follows:</para>
-
-      <screen>&prompt.root; <userinput>cat krb.realms</userinput>
-grunt.example.com EXAMPLE.COM
-.example.com EXAMPLE.COM
-.berkeley.edu CS.BERKELEY.EDU
-.MIT.EDU ATHENA.MIT.EDU
-.mit.edu ATHENA.MIT.EDU</screen>
-
-      <para>Again, the other realms do not need to be there.  They are here as
-	an example of how a machine may be made aware of multiple realms.  You
-	may wish to remove them to simplify things.</para>
-
-      <para>The first line puts the <emphasis>specific</emphasis> system into
-	the named realm.  The rest of the lines show how to default systems of
-	a particular subdomain to a named realm.</para>
-
-      <para>Now we are ready to create the database.  This only needs to run
-	on the Kerberos server (or Key Distribution Center).  Issue the
-	<command>kdb_init</command> command to do this:</para>
-
-      <screen>&prompt.root; <userinput>kdb_init</userinput>
-<prompt>Realm name [default  ATHENA.MIT.EDU ]:</prompt> <userinput>EXAMPLE.COM</userinput>
-You will be prompted for the database Master Password.
-It is important that you NOT FORGET this password.
-
-<prompt>Enter Kerberos master key:</prompt> </screen>
-
-      <para>Now we have to save the key so that servers on the local machine
-	can pick it up.  Use the <command>kstash</command> command to do
-	this:</para>
-
-      <screen>&prompt.root; <userinput>kstash</userinput>
+    <para><application>Kerberos</application> is a network
+      authentication protocol which was originally created by the
+      Massachusetts Institute of Technology (<acronym>MIT</acronym>)
+      as a way to securely provide authentication across a potentially
+      hostile network.  The <application>Kerberos</application>
+      protocol uses strong cryptography so that both a client and
+      server can prove their identity without sending any unencrypted
+      secrets over the network.  <application>Kerberos</application>
+      can be described as an identity-verifying proxy system and as a
+      trusted third-party authentication system.  After a user
+      authenticates with <application>Kerberos</application>, their
+      communications can be encrypted to assure privacy and data
+      integrity.</para>
+
+    <para>The only function of <application>Kerberos</application> is
+      to provide the secure authentication of users and servers on the
+      network.  It does not provide authorization or auditing
+      functions.  It is recommended that
+      <application>Kerberos</application> be used with other security
+      methods which provide authorization and audit services.</para>
 
-<prompt>Enter Kerberos master key:</prompt>
+    <para>The current version of the protocol is version 5, described
+      in <acronym>RFC</acronym>&nbsp;4120.  Several free
+      implementations of this protocol are available, covering a wide
+      range of operating systems.  <acronym>MIT</acronym> continues to
+      develop their <application>Kerberos</application> package.  It
+      is commonly used in the <acronym>US</acronym> as a cryptography
+      product, and has historically been subject to
+      <acronym>US</acronym> export regulations.  In &os;,
+      <acronym>MIT</acronym> <application>Kerberos</application> is
+      available as the <package>security/krb5</package> package or
+      port.  The Heimdal <application>Kerberos</application>
+      implementation was explicitly developed outside of the
+      <acronym>US</acronym> to avoid export regulations.  The Heimdal
+      <application>Kerberos</application> distribution is included in
+      the base &os; installation, and another distribution with more
+      configurable options is available as
+      <package>security/heimdal</package> in the Ports
+      Collection.</para>
+
+    <para>In <application>Kerberos</application> users and services
+      are identified as <quote>principals</quote> which are contained
+      within an administrative grouping, called a
+      <quote>realm</quote>.  A typical user principal would be of the
+      form
+      <literal><replaceable>user</replaceable>@<replaceable>REALM</replaceable></literal>
+      (realms are traditionally uppercase).</para>
+
+    <para>This section provides a guide on how to set up
+      <application>Kerberos</application> using the Heimdal
+      distribution included in &os;.</para>
+
+    <para>For purposes of demonstrating a
+      <application>Kerberos</application> installation, the name
+      spaces will be as follows:</para>
 
-Current Kerberos master key version is 1.
+    <itemizedlist>
+      <listitem>
+	<para>The <acronym>DNS</acronym> domain (zone) will be
+	  <systemitem
+	    class="fqdomainname">example.org</systemitem>.</para>
+      </listitem>
 
-Master key entered. BEWARE!</screen>
+      <listitem>
+	<para>The <application>Kerberos</application> realm will be
+	  <literal>EXAMPLE.ORG</literal>.</para>
+      </listitem>
+    </itemizedlist>
 
-      <para>This saves the encrypted master password in
-	<filename>/etc/kerberosIV/master_key</filename>.</para>
-    </sect2>
+    <note>
+      <para>Use real domain names when setting up
+	<application>Kerberos</application>, even if it will run
+	internally.  This avoids <acronym>DNS</acronym> problems and
+	assures inter-operation with other
+	<application>Kerberos</application> realms.</para>
+    </note>
 
     <sect2>
-      <title>Making It All Run</title>
+      <title>Setting up a Heimdal <acronym>KDC</acronym></title>
 
       <indexterm>
-	<primary>KerberosIV</primary>
-	<secondary>initial startup</secondary>
+	<primary>Kerberos5</primary>
+	<secondary>Key Distribution Center</secondary>
       </indexterm>
 
-      <para>Two principals need to be added to the database for
-	<emphasis>each</emphasis> system that will be secured with Kerberos.
-	Their names are <literal>kpasswd</literal> and <literal>rcmd</literal>.
-	These two principals are made for each system, with the instance being
-	the name of the individual system.</para>
-
-      <para>These daemons, <application>kpasswd</application> and
-	<application>rcmd</application> allow other systems to change Kerberos
-	passwords and run commands like &man.rcp.1;,
-	&man.rlogin.1; and &man.rsh.1;.</para>
+      <para>The Key Distribution Center (<acronym>KDC</acronym>) is
+	the centralized authentication service that
+	<application>Kerberos</application> provides, the
+	<quote>trusted third party</quote> of the system.  It is the
+	computer that issues <application>Kerberos</application>
+	tickets, which are used for clients to authenticate to
+	servers.  Because the <acronym>KDC</acronym> is considered
+	trusted by all other computers in the
+	<application>Kerberos</application> realm, it has heightened
+	security concerns.  Direct access to the KDC should be
+	limited.</para>
+
+      <para>While running a <acronym>KDC</acronym> requires few
+	computing resources, a dedicated machine acting only as a
+	<acronym>KDC</acronym> is recommended for security
+	reasons.</para>
 
-      <para>Now let us add these entries:</para>
+      <para>To begin setting up a <acronym>KDC</acronym>, add these
+	lines to <filename>/etc/rc.conf</filename>:</para>
 
-      <screen>&prompt.root; <userinput>kdb_edit</userinput>
-Opening database...
+      <programlisting>kerberos5_server_enable="YES"
+kadmind5_server_enable="YES"</programlisting>
 
-<prompt>Enter Kerberos master key:</prompt>
+      <para>Next, edit <filename>/etc/krb5.conf</filename> as
+	follows:</para>
 
-Current Kerberos master key version is 1.
+      <programlisting>[libdefaults]
+    default_realm = <replaceable>EXAMPLE.ORG</replaceable>
+[realms]
+    <replaceable>EXAMPLE.ORG</replaceable> = {
+	kdc = <replaceable>kerberos.example.org</replaceable>
+	admin_server = <replaceable>kerberos.example.org</replaceable>
+    }
+[domain_realm]
+    <replaceable>.example.org</replaceable> = <replaceable>EXAMPLE.ORG</replaceable></programlisting>
 
-Master key entered.  BEWARE!
-Previous or default values are in [brackets] ,
-enter return to leave the same, or new value.
+      <para>In this example, the <acronym>KDC</acronym> will use the
+	fully-qualified hostname <systemitem
+	  class="fqdomainname">kerberos.example.org</systemitem>.  The
+	hostname of the KDC must be resolvable in the
+	<acronym>DNS</acronym>.</para>
+
+      <para><application>Kerberos</application> can also use the
+	<acronym>DNS</acronym> to locate KDCs, instead of a
+	<literal>[realms]</literal> section in
+	<filename>/etc/krb5.conf</filename>.  For large organizations
+	that have their own <acronym>DNS</acronym> servers, the above
+	example could be trimmed to:</para>
 
-<prompt>Principal name:</prompt> <userinput>passwd</userinput>
-<prompt>Instance:</prompt> <userinput>grunt</userinput>
+      <programlisting>[libdefaults]
+      default_realm = <replaceable>EXAMPLE.ORG</replaceable>
+[domain_realm]
+    <replaceable>.example.org</replaceable> = <replaceable>EXAMPLE.ORG</replaceable></programlisting>
 
-&lt;Not found&gt;, <prompt>Create [y] ?</prompt> <userinput>y</userinput>
+      <para>With the following lines being included in the
+	<systemitem class="fqdomainname">example.org</systemitem> zone
+	file:</para>
+
+      <programlisting>_kerberos._udp      IN  SRV     01 00 88 <replaceable>kerberos.example.org</replaceable>.
+_kerberos._tcp      IN  SRV     01 00 88 <replaceable>kerberos.example.org</replaceable>.
+_kpasswd._udp       IN  SRV     01 00 464 <replaceable>kerberos.example.org</replaceable>.
+_kerberos-adm._tcp  IN  SRV     01 00 749 <replaceable>kerberos.example.org</replaceable>.
+_kerberos           IN  TXT     <replaceable>EXAMPLE.ORG</replaceable></programlisting>
 
-Principal: passwd, Instance: grunt, kdc_key_ver: 1
-<prompt>New Password:</prompt>                    &lt;---- enter RANDOM here
-Verifying password
+      <note>
+	<para>In order for clients to be able to find the
+	  <application>Kerberos</application> services, they
+	  <emphasis>must</emphasis> have either
+	  a fully configured <filename>/etc/krb5.conf</filename> or a
+	  minimally configured <filename>/etc/krb5.conf</filename>
+	  <emphasis>and</emphasis> a properly configured
+	  <acronym>DNS</acronym> server.</para>
+      </note>
 
-<prompt>New Password:</prompt> &lt;---- enter RANDOM here
+      <para>Next, create the <application>Kerberos</application>
+	database which contains the keys of all principals (users and
+	hosts) encrypted with a master password.  It is not required
+	to remember this password as it will be stored in
+	<filename>/var/heimdal/m-key</filename>; it would be
+	reasonable to use a 45-character random password for this
+	purpose.  To create the master key, run
+	<command>kstash</command> and enter a password:</para>
 
-<prompt>Random password [y] ?</prompt> <userinput>y</userinput>
+      <screen>&prompt.root; <userinput>kstash</userinput>
+Master key: <userinput><replaceable>xxxxxxxxxxxxxxxxxxxxxxx</replaceable></userinput>
+Verifying password - Master key: <userinput><replaceable>xxxxxxxxxxxxxxxxxxxxxxx</replaceable></userinput></screen>
 
-Principal's new key version = 1
-<prompt>Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</prompt>
-<prompt>Max ticket lifetime (*5 minutes) [ 255 ] ?</prompt>
-<prompt>Attributes [ 0 ] ?</prompt>
-Edit O.K.
-<prompt>Principal name:</prompt> <userinput>rcmd</userinput>
-<prompt>Instance:</prompt> <userinput>grunt</userinput>
+      <para>Once the master key has been created, the database should
+	be initialized.  The <application>Kerberos</application>
+	administrative tool &man.kadmin.8; can be used on the KDC in a
+	mode that operates directly on the database, without using the
+	&man.kadmind.8; network service, as
+	<command>kadmin -l</command>.  This resolves the
+	chicken-and-egg problem of trying to connect to the database
+	before it is created.  At the <command>kadmin</command>
+	prompt, use <command>init</command> to create the realm's
+	initial database:</para>
+
+      <screen>&prompt.root; <userinput>kadmin -l</userinput>
+kadmin&gt; <userinput>init <replaceable>EXAMPLE.ORG</replaceable></userinput>
+Realm max ticket life [unlimited]:</screen>
+
+      <para>Lastly, while still in <command>kadmin</command>, create
+	the first principal using <command>add</command>.  Stick to
+	the default options for the principal for now, as these can be
+	changed later with <command>modify</command>.  Type
+	<literal>?</literal> at the prompt to see the available
+	options.</para>
 
-&lt;Not found&gt;, <prompt>Create [y] ?</prompt>
+      <screen>kadmin&gt; <userinput>add <replaceable>tillman</replaceable></userinput>
+Max ticket life [unlimited]:
+Max renewable life [unlimited]:
+Attributes []:
+Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput>
+Verifying password - Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput></screen>
 
-Principal: rcmd, Instance: grunt, kdc_key_ver: 1
-<prompt>New Password:</prompt>		&lt;---- enter RANDOM here
-Verifying password
+      <para>Next, start the <acronym>KDC</acronym> services by running
+	<command>service kerberos start</command> and
+	<command>service kadmind start</command>.  While there will
+	not be any kerberized daemons running at this point, it is
+	possible to confirm that the <acronym>KDC</acronym> is
+	functioning by obtaining a ticket for the
+	principal that was just created:</para>
 
-<prompt>New Password:</prompt>           &lt;---- enter RANDOM here
+      <screen>&prompt.user; <userinput>kinit <replaceable>tillman</replaceable></userinput>
+tillman@EXAMPLE.ORG's Password:</screen>
 
-<prompt>Random password [y] ?</prompt>
+      <para>Confirm that a ticket was successfully obtained using
+	<command>klist</command>:</para>
 
-Principal's new key version = 1
-<prompt>Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</prompt>
-<prompt>Max ticket lifetime (*5 minutes) [ 255 ] ?</prompt>
-<prompt>Attributes [ 0 ] ?</prompt>
-Edit O.K.
-<prompt>Principal name:</prompt>         &lt;---- null entry here will cause an exit</screen>
-    </sect2>
+      <screen>&prompt.user; <userinput>klist</userinput>
+Credentials cache: FILE:/tmp/krb5cc_1001
+	Principal: tillman@EXAMPLE.ORG
 
-    <sect2>
-      <title>Creating the Server File</title>
+  Issued                Expires               Principal
+Aug 27 15:37:58 2013  Aug 28 01:37:58 2013  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG</screen>
 
-      <para>We now have to extract all the instances which define the
-	services on each machine.  For this we use the
-	<command>ext_srvtab</command> command.  This will create a file
-	which must be copied or moved <emphasis>by secure
-	  means</emphasis> to each Kerberos client's
-	<filename>/etc/kerberosIV</filename> directory.  This file must
-	be present on each server and client, and is crucial to the
-	operation of Kerberos.</para>
-
-
-      <screen>&prompt.root; <userinput>ext_srvtab grunt</userinput>
-<prompt>Enter Kerberos master key:</prompt>
-
-Current Kerberos master key version is 1.
-
-Master key entered. BEWARE!
-Generating 'grunt-new-srvtab'....</screen>
-
-      <para>Now, this command only generates a temporary file which must be
-	renamed to <filename>srvtab</filename> so that all the servers can pick
-	it up.  Use the &man.mv.1; command to move it into place on
-	the original system:</para>
-
-      <screen>&prompt.root; <userinput>mv grunt-new-srvtab srvtab</userinput></screen>
-
-      <para>If the file is for a client system, and the network is not deemed
-	safe, then copy the
-	<filename>client-new-srvtab</filename> to
-	removable media and transport it by secure physical means.  Be sure to
-	rename it to <filename>srvtab</filename> in the client's
-	<filename>/etc/kerberosIV</filename> directory, and make sure it is
-	mode 600:</para>
+      <para>The temporary ticket can be destroyed when the test is
+	finished:</para>
 
-      <screen>&prompt.root; <userinput>mv grumble-new-srvtab srvtab</userinput>
-&prompt.root; <userinput>chmod 600 srvtab</userinput></screen>
+      <screen>&prompt.user; <userinput>kdestroy</userinput></screen>
     </sect2>
 
     <sect2>
-      <title>Populating the Database</title>
-
-      <para>We now have to add some user entries into the database.  First
-	let us create an entry for the user <systemitem class="username">jane</systemitem>.  Use the
-	<command>kdb_edit</command> command to do this:</para>
+      <title>Configuring a Server to Use
+	<application>Kerberos</application></title>
 
-      <screen>&prompt.root; <userinput>kdb_edit</userinput>
-Opening database...
-
-<prompt>Enter Kerberos master key:</prompt>
-
-Current Kerberos master key version is 1.
+      <indexterm>
+	<primary>Kerberos5</primary>
+	<secondary>enabling services</secondary>
+      </indexterm>
 
-Master key entered.  BEWARE!
-Previous or default values are in [brackets] ,
-enter return to leave the same, or new value.
+      <para>The first step in configuring a server to use
+	<application>Kerberos</application> authentication is to
+	ensure that it has the correct configuration in
+	<filename>/etc/krb5.conf</filename>.  The version from the
+	<acronym>KDC</acronym> can be used as-is, or it can be
+	regenerated on the new system.</para>
+
+      <para>Next, create <filename>/etc/krb5.keytab</filename> on the
+	server.  This is the main part of <quote>Kerberizing</quote> a
+	service &mdash; it corresponds to generating a secret shared
+	between the service and the <acronym>KDC</acronym>.  The
+	secret is a cryptographic key, stored in a
+	<quote>keytab</quote>.  The keytab contains the server's host
+	key, which allows it and the <acronym>KDC</acronym> to verify
+	each others' identity.  It must be transmitted to the server
+	in a secure fashion, as the security of the server can be
+	broken if the key is made public.  Typically, the
+	<filename>keytab</filename> is generated on an administrator's
+	trusted machine using <command>kadmin</command>, then securely
+	transferred to the server, e.g., with &man.scp.1;; it can also
+	be created directly on the server if that is consistent with
+	the desired security policy.  It is very important that the
+	keytab is transmitted to the server in a secure fashion: if
+	the key is known by some other party, that party can
+	impersonate any user to the server!  Using
+	<command>kadmin</command> on the server directly is
+	convenient, because the entry for the host principal in the
+	<acronym>KDC</acronym> database is also created using
+	<command>kadmin</command>.</para>
+
+      <para>Of course, <command>kadmin</command> is a kerberized
+	service; a <application>Kerberos</application> ticket is
+	needed to authenticate to the network service, but to ensure
+	that the user running <command>kadmin</command> is actually
+	present (and their session has not been hijacked),
+	<command>kadmin</command> will prompt for the password to get
+	a fresh ticket.  The principal authenticating to the kadmin
+	service must be permitted to use the <command>kadmin</command>
+	interface, as specified in <filename>kadmind.acl</filename>.
+	See the section titled <quote>Remote administration</quote> in
+	<command>info heimdal</command> for details on designing
+	access control lists.  Instead of enabling remote
+	<command>kadmin</command> access, the administrator could
+	securely connect to the <acronym>KDC</acronym> via the local
+	console or &man.ssh.1;, and perform administration locally
+	using <command>kadmin -l</command>.</para>
+
+      <para>After installing <filename>/etc/krb5.conf</filename>,
+	use <command>add --random-key</command> in
+	<command>kadmin</command>.  This adds the server's host
+	principal to the database, but does not extract a copy of the
+	host principal key to a keytab.  To generate the keytab, use
+	<command>ext</command> to extract the server's host principal
+	key to its own keytab:</para>
 
-<prompt>Principal name:</prompt> <userinput>jane</userinput>
-<prompt>Instance:</prompt>
+      <screen>&prompt.root; <userinput>kadmin</userinput>
+kadmin&gt;<userinput> add --random-key host/myserver.example.org</userinput>
+Max ticket life [unlimited]:
+Max renewable life [unlimited]:
+Principal expiration time [never]:
+Password expiration time [never]:
+Attributes []:
+kadmin&gt;<userinput> ext_keytab <replaceable>host/myserver.example.org</replaceable></userinput>
+kadmin&gt;<userinput> exit</userinput></screen>
 
-&lt;Not found&gt;, <prompt>Create [y] ?</prompt> <userinput>y</userinput>
+      <para>Note that <command>ext_keytab</command> stores the
+	extracted key in <filename>/etc/krb5.keytab</filename> by
+	default.  This is good when being run on the server being
+	kerberized, but the <command>--keytab
+	  <replaceable>path/to/file</replaceable></command> argument
+	should be used when the keytab is being extracted
+	elsewhere:</para>
 
-Principal: jane, Instance: , kdc_key_ver: 1
-<prompt>New Password:</prompt>                &lt;---- enter a secure password here
-Verifying password
+      <screen>&prompt.root; <userinput>kadmin</userinput>
+kadmin&gt;<userinput> ext_keytab --keytab=/tmp/example.keytab <replaceable>host/myserver.example.org</replaceable></userinput>
+kadmin&gt;<userinput> exit</userinput></screen>
 
-<prompt>New Password:</prompt>                &lt;---- re-enter the password here
-Principal's new key version = 1
-<prompt>Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</prompt>
-<prompt>Max ticket lifetime (*5 minutes) [ 255 ] ?</prompt>
-<prompt>Attributes [ 0 ] ?</prompt>
-Edit O.K.
-<prompt>Principal name:</prompt>		   &lt;---- null entry here will cause an exit</screen>
+      <para>The keytab can then be securely copied to the server
+	using &man.scp.1; or a removable media.  Be sure to specify a
+	non-default keytab name to avoid inserting unneeded keys into
+	the system's keytab.</para>
+
+      <para>At this point, the server can read encrypted messages from
+	the <acronym>KDC</acronym> using its shared key, stored in
+	<filename>krb5.keytab</filename>.  It is now ready for the
+	<application>Kerberos</application>-using services to be
+	enabled.  One of the most common such services is
+	&man.sshd.8;, which supports
+	<application>Kerberos</application> via the
+	<acronym>GSS-API</acronym>.  In
+	<filename>/etc/ssh/sshd_config</filename>, add the
+	line:</para>
+
+      <programlisting>GSSAPIAuthentication yes</programlisting>
+
+      <para>After making this change, &man.sshd.8; must be restared
+	for the new configuration to take effect:
+	<command>service sshd restart</command>.</para>
     </sect2>
 
     <sect2>
-      <title>Testing It All Out</title>
-
-      <para>First we have to start the Kerberos daemons.  Note that if you
-	have correctly edited your <filename>/etc/rc.conf</filename> then this
-	will happen automatically when you reboot.  This is only necessary on
-	the Kerberos server.  Kerberos clients will automatically get what
-	they need from the <filename>/etc/kerberosIV</filename>
-	directory.</para>
-
-      <screen>&prompt.root; <userinput>kerberos &amp;</userinput>
-Kerberos server starting
-Sleep forever on error
-Log file is /var/log/kerberos.log
-Current Kerberos master key version is 1.
-
-Master key entered. BEWARE!
-
-Current Kerberos master key version is 1
-Local realm: EXAMPLE.COM
-&prompt.root; <userinput>kadmind -n &amp;</userinput>
-KADM Server KADM0.0A initializing
-Please do not use 'kill -9' to kill this job, use a
-regular kill instead
-
-Current Kerberos master key version is 1.
-
-Master key entered.  BEWARE!</screen>
-
-      <para>Now we can try using the <command>kinit</command> command to get a
-	ticket for the ID <systemitem class="username">jane</systemitem> that we created
-	above:</para>
-
-      <screen>&prompt.user; <userinput>kinit jane</userinput>
-MIT Project Athena (grunt.example.com)
-Kerberos Initialization for "jane"
-<prompt>Password:</prompt> </screen>
+      <title>Configuring a Client to Use
+	<application>Kerberos</application></title>
 
-      <para>Try listing the tokens using <command>klist</command> to see if we
-	really have them:</para>
+      <indexterm>
+	<primary>Kerberos5</primary>
+	<secondary>configure clients</secondary>
+      </indexterm>
 
-      <screen>&prompt.user; <userinput>klist</userinput>
-Ticket file:    /tmp/tkt245
-Principal:      jane@EXAMPLE.COM
+      <para>As it was for the server, the client requires
+	configuration in <filename>/etc/krb5.conf</filename>.  Copy
+	the file in place (securely) or re-enter it as needed.</para>
+
+      <para>Test the client by using <command>kinit</command>,
+	<command>klist</command>, and <command>kdestroy</command> from
+	the client to obtain, show, and then delete a ticket for an
+	existing principal.  <application>Kerberos</application>
+	applications should also be able to connect to
+	<application>Kerberos</application> enabled servers.  If that
+	does not work but obtaining a ticket does, the problem is
+	likely with the server and not with the client or the
+	<acronym>KDC</acronym>.  In the case of kerberized
+	&man.ssh.1;, <acronym>GSS-API</acronym> is disabled by
+	default, so test using <command>ssh -o
+	  GSSAPIAuthentication=yes
+	  <replaceable>hostname</replaceable></command>.</para>
+
+      <para>When testing a Kerberized application, try using a packet
+	sniffer such as <command>tcpdump</command> to confirm that no
+	sensitive information is sent in the clear.</para>
+
+      <para>Various <application>Kerberos</application> client
+	applications are available.  With the advent of a bridge so
+	that applications using <acronym>SASL</acronym> for
+	authentication can use <acronym>GSS-API</acronym> mechanisms
+	as well, large classes of client applications can use
+	<application>Kerberos</application> for authentication, from
+	Jabber clients to <acronym>IMAP</acronym> clients.</para>
+
+      <indexterm>
+	<primary><filename>.k5login</filename></primary>
+      </indexterm>
 
-  Issued           Expires          Principal
-Apr 30 11:23:22  Apr 30 19:23:22  krbtgt.EXAMPLE.COM@EXAMPLE.COM</screen>
+      <indexterm>
+	<primary><filename>.k5users</filename></primary>
+      </indexterm>
+
+      <para>Users within a realm typically have their
+	<application>Kerberos</application> principal mapped to a
+	local user account.  Occasionally, one needs to grant access
+	to a local user account to someone who does not have a
+	matching <application>Kerberos</application> principal.  For
+	example, <systemitem
+	  class="username">tillman@EXAMPLE.ORG</systemitem> may need
+	access to the local user account <systemitem
+	  class="username">webdevelopers</systemitem>.  Other
+	principals may also need access to that local account.</para>
+
+      <para>The <filename>.k5login</filename> and
+	<filename>.k5users</filename> files, placed in a user's home
+	directory, can be used to solve this problem.  For example, if
+	the following <filename>.k5login</filename> is placed in the
+	home directory of <systemitem
+	  class="username">webdevelopers</systemitem>, both principals
+	listed will have access to that account without requiring a
+	shared password.:</para>
 
-      <para>Now try changing the password using &man.passwd.1; to
-	check if the <application>kpasswd</application> daemon can get
-	authorization to the Kerberos database:</para>
+      <screen>tillman@example.org
+jdoe@example.org</screen>
 
-      <screen>&prompt.user; <userinput>passwd</userinput>
-realm EXAMPLE.COM
-<prompt>Old password for jane:</prompt>
-<prompt>New Password for jane:</prompt>
-Verifying password
-<prompt>New Password for jane:</prompt>
-Password changed.</screen>
+      <para>Refer to &man.ksu.1; for more information about
+	<filename>.k5users</filename>.</para>
     </sect2>
 
     <sect2>
-      <title>Adding <command>su</command> Privileges</title>
+      <title><acronym>MIT</acronym> Differences</title>
 
-      <para>Kerberos allows us to give <emphasis>each</emphasis> user
-	who needs <systemitem class="username">root</systemitem> privileges their own
-	<emphasis>separate</emphasis> &man.su.1; password.
-	We could now add an ID which is authorized to
-	&man.su.1; to <systemitem class="username">root</systemitem>.  This is
-	controlled by having an instance of <systemitem class="username">root</systemitem>
-	associated with a principal.  Using <command>kdb_edit</command>
-	we can create the entry <literal>jane.root</literal> in the
-	Kerberos database:</para>
-
-      <screen>&prompt.root; <userinput>kdb_edit</userinput>
-Opening database...
-
-<prompt>Enter Kerberos master key:</prompt>
-
-Current Kerberos master key version is 1.
-
-Master key entered.  BEWARE!
-Previous or default values are in [brackets] ,
-enter return to leave the same, or new value.
-
-<prompt>Principal name:</prompt> <userinput>jane</userinput>
-<prompt>Instance:</prompt> <userinput>root</userinput>
-
-&lt;Not found&gt;, Create [y] ? y
-
-Principal: jane, Instance: root, kdc_key_ver: 1
-<prompt>New Password:</prompt>                    &lt;---- enter a SECURE password here
-Verifying password
-
-<prompt>New Password:</prompt>    	 	 &lt;---- re-enter the password here
-
-Principal's new key version = 1
-<prompt>Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</prompt>
-<prompt>Max ticket lifetime (*5 minutes) [ 255 ] ?</prompt> <userinput>12</userinput> &lt;--- Keep this short!
-<prompt>Attributes [ 0 ] ?</prompt>
-Edit O.K.
-<prompt>Principal name:</prompt>		         &lt;---- null entry here will cause an exit</screen>
-
-      <para>Now try getting tokens for it to make sure it works:</para>
-
-      <screen>&prompt.root; <userinput>kinit jane.root</userinput>
-MIT Project Athena (grunt.example.com)
-Kerberos Initialization for "jane.root"
-<prompt>Password:</prompt></screen>
-
-      <para>Now we need to add the user to <systemitem class="username">root</systemitem>'s
-	  <filename>.klogin</filename> file:</para>
-
-      <screen>&prompt.root; <userinput>cat /root/.klogin</userinput>
-jane.root@EXAMPLE.COM</screen>
-
-      <para>Now try doing the &man.su.1;:</para>
-
-      <screen>&prompt.user; <userinput>su</userinput>
-<prompt>Password:</prompt></screen>
-
-      <para>and take a look at what tokens we have:</para>
-
-      <screen>&prompt.root; <userinput>klist</userinput>
-Ticket file:	/tmp/tkt_root_245
-Principal:      jane.root@EXAMPLE.COM
-
-  Issued           Expires          Principal
-May  2 20:43:12  May  3 04:43:12  krbtgt.EXAMPLE.COM@EXAMPLE.COM</screen>
+      <para>The major difference between the <acronym>MIT</acronym>
+	and Heimdal implementations is that <command>kadmin</command>
+	has a different, but equivalent, set of commands and uses a
+	different protocol.  If the <acronym>KDC</acronym> is
+	<acronym>MIT</acronym>, the Heimdal version of
+	<command>kadmin</command> cannot be used to administer the
+	<acronym>KDC</acronym> remotely, and vice versa.</para>
+
+      <para>Client applications may also use slightly different
+	command line options to accomplish the same tasks.  Following
+	the instructions at <link
+	  xlink:href="http://web.mit.edu/Kerberos/www/">http://web.mit.edu/Kerberos/www/</link>
+	is recommended.  Be careful of path issues: the
+	<acronym>MIT</acronym> port installs into
+	<filename>/usr/local/</filename> by default, and the &os;
+	system applications run instead of the
+	<acronym>MIT</acronym> versions if <envar>PATH</envar> lists
+	the system directories first.</para>
+
+      <para>When using MIT Kerberos as a <acronym>KDC</acronym> on
+	&os;, the following edits should also be made to
+	<filename>rc.conf</filename>:</para>
+
+      <programlisting>kerberos5_server="/usr/local/sbin/krb5kdc"
+kadmind5_server="/usr/local/sbin/kadmind"
+kerberos5_server_flags=""
+kerberos5_server_enable="YES"
+kadmind5_server_enable="YES"</programlisting>
     </sect2>
 
     <sect2>
-      <title>Using Other Commands</title>
+      <title><application>Kerberos</application> Tips, Tricks, and
+	Troubleshooting</title>
+
+      <para>When configuring and troubleshooting
+	<application>Kerberos</application>, keep the following points
+	in mind:</para>
 
-      <para>In an earlier example, we created a principal called
-	<literal>jane</literal> with an instance <literal>root</literal>.
-	This was based on a user with the same name as the principal, and this
-	is a Kerberos default; that a
-	<literal>&lt;principal&gt;.&lt;instance&gt;</literal> of the form
-	<literal>&lt;username&gt;.</literal><systemitem class="username">root</systemitem> will allow
-	that <literal>&lt;username&gt;</literal> to &man.su.1; to
-	<systemitem class="username">root</systemitem> if the necessary entries are in the
-	<filename>.klogin</filename> file in <systemitem class="username">root</systemitem>'s
-	home directory:</para>
-
-      <screen>&prompt.root; <userinput>cat /root/.klogin</userinput>
-jane.root@EXAMPLE.COM</screen>
-
-      <para>Likewise, if a user has in their own home directory lines of the
-	form:</para>
-
-      <screen>&prompt.user; <userinput>cat ~/.klogin</userinput>
-jane@EXAMPLE.COM
-jack@EXAMPLE.COM</screen>
-
-      <para>This allows anyone in the <literal>EXAMPLE.COM</literal> realm
-	who has authenticated themselves as <systemitem class="username">jane</systemitem> or
-	<systemitem class="username">jack</systemitem> (via <command>kinit</command>, see above)
-	to access to <systemitem class="username">jane</systemitem>'s
-	account or files on this system (<systemitem>grunt</systemitem>) via
-	&man.rlogin.1;, &man.rsh.1; or
-	&man.rcp.1;.</para>
-
-      <para>For example, <systemitem class="username">jane</systemitem> now logs into another system using
-	Kerberos:</para>
-
-	    <screen>&prompt.user; <userinput>kinit</userinput>
-MIT Project Athena (grunt.example.com)
-<prompt>Password:</prompt>
-&prompt.user; <userinput>rlogin grunt</userinput>
-Last login: Mon May  1 21:14:47 from grumble
-Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
-        The Regents of the University of California.   All rights reserved.
-
-FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
-
-      <para>Or <systemitem class="username">jack</systemitem> logs into <systemitem class="username">jane</systemitem>'s account on the same machine
-	(<systemitem class="username">jane</systemitem> having
-	set up the <filename>.klogin</filename> file as above, and the person
-	in charge of Kerberos having set up principal
-	<emphasis>jack</emphasis> with a null instance):</para>
-
-      <screen>&prompt.user; <userinput>kinit</userinput>
-&prompt.user; <userinput>rlogin grunt -l jane</userinput>
-MIT Project Athena (grunt.example.com)
-<prompt>Password:</prompt>
-Last login: Mon May  1 21:16:55 from grumble
-Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
-        The Regents of the University of California.   All rights reserved.
-FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
-    </sect2>
-  </sect1>
-
-  <sect1 xml:id="kerberos5">
-    <info><title><application>Kerberos5</application></title>
-      <authorgroup>
-	<author><personname><firstname>Tillman</firstname><surname>Hodgson</surname></personname><contrib>Contributed by </contrib></author>
-      </authorgroup>
-      <authorgroup>
-	<author><personname><firstname>Mark</firstname><surname>Murray</surname></personname><contrib>Based on a contribution by </contrib></author>
-      </authorgroup>
-    </info>
+      <itemizedlist>
+	<listitem>
+	  <para>When using either Heimdal or <acronym>MIT</acronym>
+	    <application>Kerberos</application> from ports, ensure
+	    that the <envar>PATH</envar> lists the port's versions of
+	    the client applications before the system versions.</para>
+	</listitem>
 
-    
+	<listitem>
+	  <para>If all the computers in the realm do not have
+	    synchronized time settings, authentication may fail.
+	    <xref linkend="network-ntp"/> describes how to synchronize
+	    clocks using <acronym>NTP</acronym>.</para>
+	</listitem>
 
-    <para>Every &os; release beyond &os;-5.1 includes support
-      only for <application>Kerberos5</application>.  Hence
-      <application>Kerberos5</application> is the only version
-      included, and its configuration is similar in many aspects
-      to that of <application>KerberosIV</application>.  The following
-      information only applies to
-      <application>Kerberos5</application> in post &os;-5.0
-      releases.  Users who wish to use the
-      <application>KerberosIV</application> package may install the
-      <package>security/krb4</package> port.</para>
-
-    <para><application>Kerberos</application> is a network add-on
-      system/protocol that allows users to authenticate themselves
-      through the services of a secure server.  Services such as remote
-      login, remote copy, secure inter-system file copying and other
-      high-risk tasks are made considerably safer and more
-      controllable.</para>
-
-    <para><application>Kerberos</application> can be described as an
-      identity-verifying proxy system.  It can also be described as a
-      trusted third-party authentication system.
-      <application>Kerberos</application> provides only one
-      function &mdash; the secure authentication of users on the network.
-      It does not provide authorization functions (what users are
-      allowed to do) or auditing functions (what those users did).
-      After a client and server have used
-      <application>Kerberos</application> to prove their identity, they
-      can also encrypt all of their communications to assure privacy
-      and data integrity as they go about their business.</para>
+	<listitem>
+	  <para>If the hostname is changed, the <systemitem
+	      class="username">host/</systemitem> principal must be
+	    changed and the keytab updated.  This also applies to
+	    special keytab entries like the <systemitem
+	      class="username">HTTP/</systemitem> principal used for
+	    Apache's <package>www/mod_auth_kerb</package>.</para>
+	</listitem>
 
-    <para>Therefore it is highly recommended that
-      <application>Kerberos</application> be used with other security
-      methods which provide authorization and audit services.</para>
+	<listitem>
+	  <para>All hosts in the realm must be both forward and
+	    reverse resolvable in <acronym>DNS</acronym> or, at a
+	    minimum, exist in <filename>/etc/hosts</filename>.  CNAMEs
+	    will work, but the A and PTR records must be correct and
+	    in place.  The error message for unresolvable hosts is not
+	    intuitive: <errorname>Kerberos5 refuses authentication
+	      because Read req failed: Key table entry not
+	      found</errorname>.</para>
+	</listitem>
 
-    <para>The following instructions can be used as a guide on how to set
-      up <application>Kerberos</application> as distributed for &os;.
-      However, you should refer to the relevant manual pages for a complete
-      description.</para>
+	<listitem>
+	  <para>Some operating systems that act as clients to the
+	    <acronym>KDC</acronym> do not set the permissions for
+	    <command>ksu</command> to be setuid <systemitem
+	      class="username">root</systemitem>.  This means that
+	    <command>ksu</command> does not work.  This is a
+	    permissions problem, not a <acronym>KDC</acronym>
+	    error.</para>
+	</listitem>
 
-    <para>For purposes of demonstrating a <application>Kerberos</application>
-      installation, the various name spaces will be handled as follows:</para>
+	<listitem>
+	  <para>With <acronym>MIT</acronym>
+	    <application>Kerberos</application>, to allow a principal
+	    to have a ticket life longer than the default lifetime of
+	    ten hours, use <command>modify_principal</command> at the
+	    &man.kadmin.8; prompt to change the
+	    <literal>maxlife</literal> of both the principal in
+	    question and the
+	    <systemitem class="username">krbtgt</systemitem>
+	    principal.  The principal can then use
+	    <command>kinit -l</command> to request a ticket with a
+	    longer lifetime.</para>
+	</listitem>
 
-    <itemizedlist>
-      <listitem>
-	<para>The <acronym>DNS</acronym> domain (<quote>zone</quote>)
-	  will be example.org.</para>
-      </listitem>
+	<listitem>
+	  <para>When running a packet sniffer on the
+	    <acronym>KDC</acronym> to aid in troubleshooting while
+	    running <command>kinit</command> from a workstation, the
+	    Ticket Granting Ticket (<acronym>TGT</acronym>) is sent
+	    immediately, even before the password is typed.  This is
+	    because the <application>Kerberos</application> server
+	    freely transmits a <acronym>TGT</acronym> to any
+	    unauthorized request.  However, every
+	    <acronym>TGT</acronym> is encrypted in a key derived from
+	    the user's password.  When a user types their password, it
+	    is not sent to the <acronym>KDC</acronym>, it is instead
+	    used to decrypt the <acronym>TGT</acronym> that
+	    <command>kinit</command> already obtained.  If the
+	    decryption process results in a valid ticket with a valid
+	    time stamp, the user has valid
+	    <application>Kerberos</application> credentials.  These
+	    credentials include a session key for establishing secure
+	    communications with the
+	    <application>Kerberos</application> server in the future,
+	    as well as the actual <acronym>TGT</acronym>, which is
+	    encrypted with the <application>Kerberos</application>
+	    server's own key.  This second layer of encryption allows
+	    the <application>Kerberos</application> server to verify
+	    the authenticity of each <acronym>TGT</acronym>.</para>
+	</listitem>
 
-      <listitem>
-	<para>The <application>Kerberos</application> realm will be
-	  EXAMPLE.ORG.</para>
-      </listitem>
-    </itemizedlist>
+	<listitem>
+	  <para>Host principals can have a longer ticket lifetime.  If
+	    the user principal has a lifetime of a week but the host
+	    being connected to has a lifetime of nine hours, the user
+	    cache will have an expired host principal and the ticket
+	    cache will not work as expected.</para>
+	</listitem>
 
-    <note>
-      <para>Please use real domain names when setting up
-	<application>Kerberos</application> even if you intend to run
-	it internally.  This avoids <acronym>DNS</acronym> problems
-	and assures inter-operation with other
-	<application>Kerberos</application> realms.</para>
-    </note>
+	<listitem>
+	  <para>When setting up <filename>krb5.dict</filename> to
+	    prevent specific bad passwords from being used as
+	    described in &man.kadmind.8;, remember that it only
+	    applies to principals that have a password policy assigned
+	    to them.  The format used in
+	    <filename>krb5.dict</filename> is one string per line.
+	    Creating a symbolic link to
+	    <filename>/usr/share/dict/words</filename> might be
+	    useful.</para>
+	</listitem>
+      </itemizedlist>
+    </sect2>
 
     <sect2>
-      <title>History</title>
+      <title>Mitigating <application>Kerberos</application>
+	Limitations</title>
+
       <indexterm>
 	<primary>Kerberos5</primary>
-	<secondary>history</secondary>
+	<secondary>limitations and shortcomings</secondary>
       </indexterm>
 
-      <para><application>Kerberos</application> was created by
-	<acronym>MIT</acronym> as a solution to network security problems.
-	The <application>Kerberos</application> protocol uses strong
-	cryptography so that a client can prove its identity to a server
-	(and vice versa) across an insecure network connection.</para>
-
-      <para><application>Kerberos</application> is both the name of a
-	network authentication protocol and an adjective to describe
-	programs that implement the program
-	(<application>Kerberos</application> telnet, for example).  The
-	current version of the protocol is version 5, described in
-	<acronym>RFC</acronym>&nbsp;1510.</para>
-
-      <para>Several free implementations of this protocol are available,
-	covering a wide range of operating systems.  The Massachusetts
-	Institute of Technology (<acronym>MIT</acronym>), where
-	<application>Kerberos</application> was originally developed,
-	continues to develop their <application>Kerberos</application>
-	package.  It is commonly used in the <acronym>US</acronym>
-	as a cryptography product, as such it
-	has historically been affected by <acronym>US</acronym> export
-	regulations.  The <acronym>MIT</acronym>
-	<application>Kerberos</application> is available as a port
-	(<package>security/krb5</package>).  Heimdal
-	<application>Kerberos</application> is another version 5
-	implementation, and was explicitly developed outside of the
-	<acronym>US</acronym> to avoid export
-	regulations (and is thus often included in non-commercial &unix;
-	variants).  The Heimdal <application>Kerberos</application>
-	distribution is available as a port
-	(<package>security/heimdal</package>), and a
-	minimal installation of it is included in the base &os;
-	install.</para>
-
-    <para>In order to reach the widest audience, these instructions assume
-	the use of the Heimdal distribution included in &os;.</para>
-
+      <para>Since <application>Kerberos</application> is an all or
+	nothing approach, every service enabled on the network must
+	either be modified to work with
+	<application>Kerberos</application> or be otherwise secured
+	against network attacks.  This is to prevent user credentials
+	from being stolen and re-used.  An example is when
+	<application>Kerberos</application> is enabled on all remote
+	shells but the non-Kerberized <acronym>POP3</acronym> mail
+	server sends passwords in plain text.</para>
+
+      <para>The <acronym>KDC</acronym> is a single point of failure.
+	By design, the <acronym>KDC</acronym> must be as secure as its
+	master password database.  The <acronym>KDC</acronym> should
+	have absolutely no other services running on it and should be
+	physically secure.  The danger is high because
+	<application>Kerberos</application> stores all passwords
+	encrypted with the same master key which is stored as a file
+	on the <acronym>KDC</acronym>.</para>
+
+      <para>A compromised master key is not quite as bad as one might
+	fear.  The master key is only used to encrypt the
+	<application>Kerberos</application> database and as a seed for
+	the random number generator.  As long as access to the
+	<acronym>KDC</acronym> is secure, an attacker cannot do much
+	with the master key.</para>
+
+      <para>If the <acronym>KDC</acronym> is unavailable, network
+	services are unusable as authentication cannot be performed.
+	This can be alleviated with a single master
+	<acronym>KDC</acronym> and one or more slaves, and with
+	careful implementation of secondary or fall-back
+	authentication using <acronym>PAM</acronym>.</para>
+
+      <para><application>Kerberos</application> allows users, hosts
+	and services to authenticate between themselves.  It does not
+	have a mechanism to authenticate the
+	<acronym>KDC</acronym> to the users, hosts, or services.  This
+	means that a trojanned <command>kinit</command> could record
+	all user names and passwords.  File system integrity checking
+	tools like <package>security/tripwire</package> can
+	alleviate this.</para>
     </sect2>
 
     <sect2>
-      <title>Setting up a Heimdal <acronym>KDC</acronym></title>
+      <title>Resources and Further Information</title>
+
       <indexterm>
 	<primary>Kerberos5</primary>
-	<secondary>Key Distribution Center</secondary>
+	<secondary>external resources</secondary>
       </indexterm>
 
-      <para>The Key Distribution Center (<acronym>KDC</acronym>) is the
-	centralized authentication service that
-	<application>Kerberos</application> provides &mdash; it is the
-	computer that issues <application>Kerberos</application> tickets.
-	The <acronym>KDC</acronym> is considered <quote>trusted</quote> by
-	all other computers in the <application>Kerberos</application>
-	realm, and thus has heightened security concerns.</para>
-
-    <para>Note that while running the <application>Kerberos</application>
-	server requires very few computing resources, a dedicated machine
-	acting only as a <acronym>KDC</acronym> is recommended for security
-	reasons.</para>
-
-    <para>To begin setting up a <acronym>KDC</acronym>, ensure that your
-	<filename>/etc/rc.conf</filename> file contains the correct
-	settings to act as a <acronym>KDC</acronym> (you may need to adjust
-	paths to reflect your own system):</para>
-
-    <programlisting>kerberos5_server_enable="YES"
-kadmind5_server_enable="YES"
-kerberos_stash="YES"</programlisting>
-
-      <note>
-	<para>The <option>kerberos_stash</option> is only available in
-	  &os;&nbsp;4.X.</para>
-      </note>
-
-      <para>Next we will set up your <application>Kerberos</application>
-	config file, <filename>/etc/krb5.conf</filename>:</para>
-
-      <programlisting>[libdefaults]
-    default_realm = EXAMPLE.ORG
-[realms]
-    EXAMPLE.ORG = {
-        kdc = kerberos.example.org
-        admin_server = kerberos.example.org
-    }
-[domain_realm]
-    .example.org = EXAMPLE.ORG</programlisting>
-
-      <para>Note that this <filename>/etc/krb5.conf</filename> file implies
-	that your <acronym>KDC</acronym> will have the fully-qualified
-	hostname of <systemitem class="fqdomainname">kerberos.example.org</systemitem>.
-	You will need to add a CNAME (alias) entry to your zone file to
-	accomplish this if your <acronym>KDC</acronym> has a different
-	hostname.</para>
-
-      <note>
-	<para>For large networks with a properly configured
-	  <acronym>BIND</acronym> <acronym>DNS</acronym> server, the
-	  above example could be trimmed to:</para>
-
-	<programlisting>[libdefaults]
-      default_realm = EXAMPLE.ORG</programlisting>
-
-	<para>With the following lines being appended to the
-	  <systemitem class="fqdomainname">example.org</systemitem> zonefile:</para>
-
-	<programlisting>_kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
-_kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.
-_kpasswd._udp       IN  SRV     01 00 464 kerberos.example.org.
-_kerberos-adm._tcp  IN  SRV     01 00 749 kerberos.example.org.
-_kerberos           IN  TXT     EXAMPLE.ORG</programlisting></note>
-
-      <note>
-        <para>For clients to be able to find the
-          <application>Kerberos</application> services, you
-          <emphasis>must</emphasis> have either a fully configured
-          <filename>/etc/krb5.conf</filename> or a miminally configured
-          <filename>/etc/krb5.conf</filename> <emphasis>and</emphasis> a
-          properly configured DNS server.</para>
-      </note>
-
-      <para>Next we will create the <application>Kerberos</application>
-	database.  This database contains the keys of all principals encrypted
-	with a master password.  You are not
-	required to remember this password, it will be stored in a file
-	(<filename>/var/heimdal/m-key</filename>).  To create the master
-	key, run <command>kstash</command> and enter a password.</para>
-
-      <para>Once the master key has been created, you can initialize the
-	database using the <command>kadmin</command> program with the
-	<literal>-l</literal> option (standing for <quote>local</quote>).
-	This option instructs <command>kadmin</command> to modify the
-	database files directly rather than going through the
-	<command>kadmind</command> network service.  This handles the
-	chicken-and-egg problem of trying to connect to the database
-	before it is created.  Once you have the <command>kadmin</command>
-	prompt, use the <command>init</command> command to create your
-	realms initial database.</para>
-
-      <para>Lastly, while still in <command>kadmin</command>, create your
-	first principal using the <command>add</command> command.  Stick
-	to the defaults options for the principal for now, you can always
-	change them later with the <command>modify</command> command.
-	Note that you can use the <literal>?</literal> command at any
-	prompt to see the available options.</para>
-
-      <para>A sample database creation session is shown below:</para>
-
-      <screen>&prompt.root; <userinput>kstash</userinput>
-Master key: <userinput>xxxxxxxx</userinput>
-Verifying password - Master key: <userinput>xxxxxxxx</userinput>
-
-&prompt.root; <userinput>kadmin -l</userinput>
-kadmin&gt; <userinput>init EXAMPLE.ORG</userinput>
-Realm max ticket life [unlimited]:
-kadmin&gt; <userinput>add tillman</userinput>
-Max ticket life [unlimited]:
-Max renewable life [unlimited]:
-Attributes []:
-Password: <userinput>xxxxxxxx</userinput>
-Verifying password - Password: <userinput>xxxxxxxx</userinput></screen>
-
-      <para>Now it is time to start up the <acronym>KDC</acronym> services.
-	Run <command>/etc/rc.d/kerberos start</command> and
-	<command>/etc/rc.d/kadmind start</command> to bring up the
-	services.  Note that you will not have any kerberized daemons running
-	at this point but you should be able to confirm the that the
-	<acronym>KDC</acronym> is functioning by obtaining and listing a
-	ticket for the principal (user) that you just created from the
-	command-line of the <acronym>KDC</acronym> itself:</para>
-
-      <screen>&prompt.user; <userinput>k5init tillman</userinput>
-tillman@EXAMPLE.ORG's Password:
-
-&prompt.user; <userinput>k5list</userinput>
-Credentials cache: FILE:<filename>/tmp/krb5cc_500</filename>
-	Principal: tillman@EXAMPLE.ORG
-
-  Issued           Expires          Principal
-Aug 27 15:37:58  Aug 28 01:37:58  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG</screen>
-
-      </sect2>
-
-      <sect2>
-	<title><application>Kerberos</application> enabling a server with
-	  Heimdal services</title>
-
-        <indexterm>
-	  <primary>Kerberos5</primary>
-	  <secondary>enabling services</secondary>
-        </indexterm>
-
-	<para>First, we need a copy of the <application>Kerberos</application>
-	  configuration file, <filename>/etc/krb5.conf</filename>.  To do
-	  so, simply copy it over to the client computer from the
-	  <acronym>KDC</acronym> in a secure fashion (using network utilities,
-	  such as &man.scp.1;, or physically via a
-	  floppy disk).</para>
-
-	<para>Next you need a <filename>/etc/krb5.keytab</filename> file.
-	  This is the major difference between a server providing
-	  <application>Kerberos</application> enabled daemons and a
-	  workstation &mdash; the server must have a
-	  <filename>keytab</filename> file.  This file
-	  contains the servers host key, which allows it and the
-	  <acronym>KDC</acronym> to verify each others identity.  It
-	  must be transmitted to the server in a secure fashion, as the
-	  security of the server can be broken if the key is made public.
-	  This explicitly means that transferring it via a clear text
-	  channel, such as <acronym>FTP</acronym>, is a very bad idea.</para>
-
-	<para>Typically, you transfer to the <filename>keytab</filename>
-	  to the server using the <command>kadmin</command> program.
-	  This is handy because you also need to create the host principal
-	  (the <acronym>KDC</acronym> end of the
-	  <filename>krb5.keytab</filename>) using
-	  <command>kadmin</command>.</para>
-
-	<para>Note that you must have already obtained a ticket and that this
-	  ticket must be allowed to use the <command>kadmin</command>
-	  interface in the <filename>kadmind.acl</filename>.  See the section
-	  titled <quote>Remote administration</quote> in the Heimdal info
-	  pages (<command>info heimdal</command>) for details on designing
-	  access control lists.  If you do not want to enable remote
-	  <command>kadmin</command> access, you can simply securely connect
-	  to the <acronym>KDC</acronym> (via local console,
-	  &man.ssh.1; or <application>Kerberos</application>
-	  &man.telnet.1;) and perform administration locally
-	  using <command>kadmin -l</command>.</para>
-
-	<para>After installing the <filename>/etc/krb5.conf</filename> file,
-	  you can use <command>kadmin</command> from the
-	  <application>Kerberos</application> server.  The
-	  <command>add --random-key</command> command will let you add the
-	  servers host principal, and the <command>ext</command> command
-	  will allow you to extract the servers host principal to its own
-	  keytab.  For example:</para>
-
-	<screen>&prompt.root; <userinput>kadmin</userinput>
-kadmin&gt;<userinput> add --random-key host/myserver.example.org</userinput>
-Max ticket life [unlimited]:
-Max renewable life [unlimited]:
-Attributes []:
-kadmin&gt;<userinput> ext host/myserver.example.org</userinput>
-kadmin&gt;<userinput> exit</userinput></screen>
-
-	<para>Note that the <command>ext</command> command (short for
-	  <quote>extract</quote>) stores the extracted key in
-	  <filename>/etc/krb5.keytab</filename> by default.</para>
-
-	<para>If you do not have <command>kadmind</command> running on the
-	  <acronym>KDC</acronym> (possibly for security reasons) and thus
-	  do not have access to <command>kadmin</command> remotely, you
-	  can add the host principal
-	  (<systemitem class="username">host/myserver.EXAMPLE.ORG</systemitem>) directly on the
-	  <acronym>KDC</acronym> and then extract it to a temporary file
-	  (to avoid over-writing the <filename>/etc/krb5.keytab</filename>
-	  on the <acronym>KDC</acronym>) using something like this:</para>
-
-	<screen>&prompt.root; <userinput>kadmin</userinput>
-kadmin&gt;<userinput> ext --keytab=/tmp/example.keytab host/myserver.example.org</userinput>
-kadmin&gt;<userinput> exit</userinput></screen>
-
-	<para>You can then securely copy the keytab to the server
-	  computer (using <command>scp</command> or a floppy, for
-	  example).  Be sure to specify a non-default keytab name
-	  to avoid over-writing the keytab on the
-	  <acronym>KDC</acronym>.</para>
-
-	<para>At this point your server can communicate with the
-	  <acronym>KDC</acronym> (due to its <filename>krb5.conf</filename>
-	  file) and it can prove its own identity (due to the
-	  <filename>krb5.keytab</filename> file).  It is now ready for
-	  you to enable some <application>Kerberos</application> services.
-	  For this example we will enable the <command>telnet</command>
-	  service by putting a line like this into your
-	  <filename>/etc/inetd.conf</filename> and then restarting the
-	  &man.inetd.8; service with
-	  <command>/etc/rc.d/inetd restart</command>:</para>
-
-	<programlisting>telnet    stream  tcp     nowait  root    /usr/libexec/telnetd  telnetd -a user</programlisting>
-
-	<para>The critical bit is that the <command>-a</command>
-	  (for authentication) type is set to user.  Consult the
-	  &man.telnetd.8; manual page for more details.</para>
-
-      </sect2>
-
-      <sect2>
-	<title><application>Kerberos</application> enabling a client with Heimdal</title>
-
-	<indexterm>
-	  <primary>Kerberos5</primary>
-	  <secondary>configure clients</secondary>
-	</indexterm>
-
-	<para>Setting up a client computer is almost trivially easy.  As
-	  far as <application>Kerberos</application> configuration goes,
-	  you only need the <application>Kerberos</application>
-	  configuration file, located at <filename>/etc/krb5.conf</filename>.
-	  Simply securely copy it over to the client computer from the
-	  <acronym>KDC</acronym>.</para>
-
-	<para>Test your client computer by attempting to use
-	  <command>kinit</command>, <command>klist</command>, and
-	  <command>kdestroy</command> from the client to obtain, show, and
-	  then delete a ticket for the principal you created above.  You
-	  should also be able to use <application>Kerberos</application>
-	  applications to connect to <application>Kerberos</application>
-	  enabled servers, though if that does not work and obtaining a
-	  ticket does the problem is likely with the server and not with
-	  the client or the <acronym>KDC</acronym>.</para>
-
-	<para>When testing an application like <command>telnet</command>,
-	  try using a packet sniffer (such as &man.tcpdump.1;)
-	  to confirm that your password is not sent in the clear.  Try
-	  using <command>telnet</command> with the <literal>-x</literal>
-	  option, which encrypts the entire data stream (similar to
-	  <command>ssh</command>).</para>
-
-	<para>The core <application>Kerberos</application> client applications
-	  (traditionally named <command>kinit</command>,
-	  <command>klist</command>, <command>kdestroy</command>, and
-	  <command>kpasswd</command>) are installed in
-	  the base &os; install. Note that &os; versions prior to 5.0
-	  renamed them to <command>k5init</command>,
-	  <command>k5list</command>, <command>k5destroy</command>,
-	  <command>k5passwd</command>, and <command>k5stash</command>
-	  (though it is typically only used once).</para>
-
-	<para>Various non-core <application>Kerberos</application> client
-	  applications are also installed by default.  This is where the
-	  <quote>minimal</quote> nature of the base Heimdal installation is
-	  felt: <command>telnet</command> is the only
-	  <application>Kerberos</application> enabled service.</para>
-
-	<para>The Heimdal port adds some of the missing client applications:
-	  <application>Kerberos</application> enabled versions of
-	  <command>ftp</command>, <command>rsh</command>,
-	  <command>rcp</command>, <command>rlogin</command>, and a few
-	  other less common programs. The <acronym>MIT</acronym> port also
-	  contains a full suite of <application>Kerberos</application>
-	  client applications.</para>
-
-      </sect2>
-
-      <sect2>
-	<title>User configuration files: <filename>.k5login</filename> and <filename>.k5users</filename></title>
-
-	<indexterm>
-	  <primary><filename>.k5login</filename></primary>
-	</indexterm>
-
-	<indexterm>
-	  <primary><filename>.k5users</filename></primary>
-	</indexterm>
-
-	<para>Users within a realm typically have their
-	  <application>Kerberos</application> principal (such as
-	  <systemitem class="username">tillman@EXAMPLE.ORG</systemitem>) mapped to a local
-	  user account (such as a local account named
-	  <systemitem class="username">tillman</systemitem>).  Client applications such as
-	  <command>telnet</command> usually do not require a user name
-	  or a principal.</para>
-
-	<para>Occasionally, however, you want to grant access to a local
-	  user account to someone who does not have a matching
-	  <application>Kerberos</application> principal.  For example,
-	  <systemitem class="username">tillman@EXAMPLE.ORG</systemitem> may need access to the
-	  local user account <systemitem class="username">webdevelopers</systemitem>.  Other
-	  principals may also need access to that local account.</para>
-
-	<para>The <filename>.k5login</filename> and
-	  <filename>.k5users</filename> files, placed in a users home
-	  directory, can be used similar to a powerful combination of
-	  <filename>.hosts</filename> and <filename>.rhosts</filename>,
-	  solving this problem. For example, if a
-	  <filename>.k5login</filename> with the following
-	  contents:</para>
-
-	<screen>tillman@example.org
-jdoe@example.org</screen>
-
-	<para>Were to be placed into the home directory of the local user
-	  <systemitem class="username">webdevelopers</systemitem> then both principals listed
-	  would have access to that account without requiring a shared
-	  password.</para>
-
-	<para>Reading the manual pages for these commands is recommended.
-	  Note that the <command>ksu</command> manual page covers
-	  <filename>.k5users</filename>.</para>
-
-      </sect2>
-
-      <sect2>
-	<title><application>Kerberos</application> Tips, Tricks, and Troubleshooting</title>
-
-	<indexterm>
-	  <primary>Kerberos5</primary>
-	  <secondary>troubleshooting</secondary>
-	</indexterm>
-
-	<itemizedlist>
-	  <listitem>
-	    <para>When using either the Heimdal or <acronym>MIT</acronym>
-	      <application>Kerberos</application> ports ensure that your
-	      <envar>PATH</envar> environment variable lists the
-	      <application>Kerberos</application> versions of the client
-	      applications before the system versions.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Do all the computers in your realm have synchronized
-	      time settings?  If not, authentication may fail.
-	      <xref linkend="network-ntp"/> describes how to synchronize
-	      clocks using <acronym>NTP</acronym>.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para><acronym>MIT</acronym> and Heimdal inter-operate nicely.
-	      Except for <command>kadmin</command>, the protocol for
-	      which is not standardized.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>If you change your hostname, you also need to change your
-	      <systemitem class="username">host/</systemitem> principal and update your keytab.
-	      This also applies to special keytab entries like the
-	      <systemitem class="username">www/</systemitem> principal used for Apache's
-	      <package>www/mod_auth_kerb</package>.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>All hosts in your realm must be resolvable (both forwards
-	      and reverse) in <acronym>DNS</acronym> (or
-	      <filename>/etc/hosts</filename> as a minimum).  CNAMEs
-	      will work, but the A and PTR records must be correct and in
-	      place. The error message is not very intuitive:
-	      <errorname>Kerberos5 refuses authentication because Read req
-	      failed: Key table entry not found</errorname>.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Some operating systems that may being acting as clients
-	      to your <acronym>KDC</acronym> do not set the permissions
-	      for <command>ksu</command> to be setuid
-	      <systemitem class="username">root</systemitem>.  This means that
-	      <command>ksu</command> does not work, which is a good
-	      security idea but annoying. This is not a
-	      <acronym>KDC</acronym> error.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>With <acronym>MIT</acronym>
-	      <application>Kerberos</application>, if you want to allow a
-	      principal to have a ticket life longer than the default ten
-	      hours, you must use <command>modify_principal</command> in
-	      <command>kadmin</command> to change the maxlife of both the
-	      principal in question and the <systemitem class="username">krbtgt</systemitem>
-	      principal.  Then the principal can use the
-	      <literal>-l</literal> option with <command>kinit</command>
-	      to request a ticket with a longer lifetime.</para>
-	  </listitem>
-
-	  <listitem>
-	    <note><para>If you run a packet sniffer on your
-	      <acronym>KDC</acronym> to add in troubleshooting and then
-	      run <command>kinit</command> from a workstation, you will
-	      notice that your <acronym>TGT</acronym> is sent
-	      immediately upon running <command>kinit</command> &mdash;
-	      even before you type your password!  The explanation is
-	      that the <application>Kerberos</application> server freely
-	      transmits a <acronym>TGT</acronym> (Ticket Granting
-	      Ticket) to any unauthorized request;  however, every
-	      <acronym>TGT</acronym> is encrypted in a key derived from
-	      the user's password.  Therefore, when a user types their
-	      password it is not being sent to the <acronym>KDC</acronym>,
-	      it is being used to decrypt the <acronym>TGT</acronym> that
-	      <command>kinit</command> already obtained. If the decryption
-	      process results in a valid ticket with a valid time stamp,
-	      the user has valid <application>Kerberos</application>
-	      credentials.  These credentials include a session key for
-	      establishing secure communications with the
-	      <application>Kerberos</application> server in the future, as
-	      well as the actual ticket-granting ticket, which is actually
-	      encrypted with the <application>Kerberos</application>
-	      server's own key.  This second layer of encryption is
-	      unknown to the user, but it is what allows the
-	      <application>Kerberos</application> server to verify
-	      the authenticity of each <acronym>TGT</acronym>.</para></note>
-	  </listitem>
-
-	  <listitem>
-	    <para>If you want to use long ticket lifetimes (a week, for
-	      example) and you are using <application>OpenSSH</application>
-	      to connect to the machine where your ticket is stored, make
-	      sure that <application>Kerberos</application>
-	      <option>TicketCleanup</option> is set to <literal>no</literal>
-	      in your <filename>sshd_config</filename> or else your tickets
-	      will be deleted when you log out.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>Remember that host principals can have a longer ticket
-	      lifetime as well.  If your user principal has a lifetime of a
-	      week but the host you are connecting to has a lifetime of nine
-	      hours, you will have an expired host principal in your cache
-	      and the ticket cache will not work as expected.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>When setting up a <filename>krb5.dict</filename> file to
-	    prevent specific bad passwords from being used (the manual page
-	    for <command>kadmind</command> covers this briefly), remember
-	    that it only applies to principals that have a password policy
-	    assigned to them.  The <filename>krb5.dict</filename> files
-	    format is simple: one string per line.  Creating a symbolic
-	    link to <filename>/usr/share/dict/words</filename> might be
-	    useful.</para>
-	  </listitem>
-        </itemizedlist>
-
-      </sect2>
-
-      <sect2>
-	<title>Differences with the <acronym>MIT</acronym> port</title>
-
-	<para>The major difference between the <acronym>MIT</acronym>
-	  and Heimdal installs relates to the <command>kadmin</command>
-	  program which has a different (but equivalent) set of commands
-	  and uses a different protocol.  This has a large implications
-	  if your <acronym>KDC</acronym> is <acronym>MIT</acronym> as you
-	  will not be able to use the Heimdal <command>kadmin</command>
-	  program to administer your <acronym>KDC</acronym> remotely
-	  (or vice versa, for that matter).</para>
-
-	<para>The client applications may also take slightly different
-	  command line options to accomplish the same tasks.  Following
-	  the instructions on the <acronym>MIT</acronym>
-	  <application>Kerberos</application> web site
-	  (<uri xlink:href="http://web.mit.edu/Kerberos/www/">http://web.mit.edu/Kerberos/www/</uri>)
-	  is recommended. Be careful of path issues: the
-	  <acronym>MIT</acronym> port installs into
-	  <filename>/usr/local/</filename> by default, and the
-	  <quote>normal</quote> system applications may be run instead
-	  of <acronym>MIT</acronym> if your <envar>PATH</envar>
-	  environment variable lists the system directories first.</para>
-
-	<note><para>With the <acronym>MIT</acronym>
-	  <package>security/krb5</package> port
-	  that is provided by &os;, be sure to read the
-	  <filename>/usr/local/share/doc/krb5/README.FreeBSD</filename>
-	  file installed by the port if you want to understand why logins
-	  via <command>telnetd</command> and <command>klogind</command>
-	  behave somewhat oddly.  Most importantly, correcting the
-	  <quote>incorrect permissions on cache file</quote> behavior
-	  requires that the <command>login.krb5</command> binary be used
-	  for authentication so that it can properly change ownership for
-	  the forwarded credentials.</para></note>
-
-      </sect2>
-
-      <sect2>
-	<title>Mitigating limitations found in <application>Kerberos</application></title>
-
-	<indexterm>
-	  <primary>Kerberos5</primary>
-	  <secondary>limitations and shortcomings</secondary>
-	</indexterm>
-
-	<sect3>
-	 <title><application>Kerberos</application> is an all-or-nothing approach</title>
-
-	  <para>Every service enabled on the network must be modified to
-	    work with <application>Kerberos</application> (or be otherwise
-	    secured against network attacks) or else the users credentials
-	    could be stolen and re-used.  An example of this would be
-	    <application>Kerberos</application> enabling all remote shells
-	    (via <command>rsh</command> and <command>telnet</command>, for
-	    example) but not converting the <acronym>POP3</acronym> mail
-	    server which sends passwords in plain text.</para>
-
-	</sect3>
-
-	<sect3>
-	  <title><application>Kerberos</application> is intended for single-user workstations</title>
-
-	  <para>In a multi-user environment,
-	    <application>Kerberos</application> is less secure.
-	    This is because it stores the tickets in the
-	    <filename>/tmp</filename> directory, which is readable by all
-	    users.  If a user is sharing a computer with several other
-	    people simultaneously (i.e. multi-user), it is possible that
-	    the user's tickets can be stolen (copied) by another
-	    user.</para>
-
-	  <para>This can be overcome with the <literal>-c</literal>
-	    filename command-line option or (preferably) the
-	    <envar>KRB5CCNAME</envar> environment variable, but this
-	    is rarely done. In principal, storing the ticket in the users
-	    home directory and using simple file permissions can mitigate
-	    this problem.</para>
-
-	</sect3>
-
-	<sect3>
-	  <title>The KDC is a single point of failure</title>
-
-	  <para>By design, the <acronym>KDC</acronym> must be as secure as
-	    the master password database is contained on it.  The
-	    <acronym>KDC</acronym> should have absolutely no other
-	    services running on it and should be physically secured.  The
-	    danger is high because <application>Kerberos</application>
-	    stores all passwords encrypted with the same key (the
-	    <quote>master</quote> key), which in turn is stored as a file
-	    on the <acronym>KDC</acronym>.</para>
-
-	  <para>As a side note, a compromised master key is not quite as
-	    bad as one might normally fear.  The master key is only used
-	    to encrypt the <application>Kerberos</application> database
-	    and as a seed for the random number generator.  As long as
-	    access to your <acronym>KDC</acronym> is secure, an attacker
-	    cannot do much with the master key.</para>
-
-	  <para>Additionally, if the <acronym>KDC</acronym> is unavailable
-	    (perhaps due to a denial of service attack or network problems)
-	    the network services are unusable as authentication can not be
-	    performed, a recipe for a denial-of-service attack.  This can
-	    alleviated with multiple <acronym>KDC</acronym>s (a single
-	    master and one or more slaves) and with careful implementation
-	    of secondary or fall-back authentication
-	    (<acronym>PAM</acronym> is excellent for this).</para>
-
-	</sect3>
-
-	<sect3>
-	  <title><application>Kerberos</application> Shortcomings</title>
-
-	  <para><application>Kerberos</application> allows users, hosts
-	    and services to authenticate between themselves.  It does not
-	    have a mechanism to authenticate the <acronym>KDC</acronym>
-	    to the users, hosts or services.  This means that a trojanned
-	    <command>kinit</command> (for example) could record all user
-	    names and passwords.  Something like
-	    <package>security/tripwire</package> or
-	    other file system integrity checking tools can alleviate
-	    this.</para>
-
-	</sect3>
-      </sect2>
-
-      <sect2>
-	<title>Resources and further information</title>
-
-	<indexterm>
-	  <primary>Kerberos5</primary>
-	  <secondary>external resources</secondary>
-	</indexterm>
-
-	<itemizedlist>
-	  <listitem>
-	  <para><link xlink:href="http://www.faqs.org/faqs/Kerberos-faq/general/preamble.html">
-	    The <application>Kerberos</application> FAQ</link></para>
+      <itemizedlist>
+	<listitem>
+	  <para><link
+	      xlink:href="http://www.faqs.org/faqs/Kerberos-faq/general/preamble.html">
+	      The <application>Kerberos</application>
+	      FAQ</link></para>
 	</listitem>
 
 	<listitem>
-	  <para><link xlink:href="http://web.mit.edu/Kerberos/www/dialogue.html">Designing
-	    an Authentication System: a Dialog in Four Scenes</link></para>
+	  <para><link
+	      xlink:href="http://web.mit.edu/Kerberos/www/dialogue.html">Designing
+	      an Authentication System: a Dialog in Four
+	      Scenes</link></para>
 	</listitem>
 
 	<listitem>
-	  <para><link xlink:href="http://www.ietf.org/rfc/rfc1510.txt?number=1510">RFC 1510,
-	    The <application>Kerberos</application> Network Authentication Service
-	    (V5)</link></para>
+	  <para><link
+	      xlink:href="http://www.ietf.org/rfc/rfc4120.txt?number=4120">RFC
+	      4120, The <application>Kerberos</application> Network
+	      Authentication Service (V5)</link></para>
 	</listitem>
 
 	<listitem>
-	  <para><link xlink:href="http://web.mit.edu/Kerberos/www/"><acronym>MIT</acronym>
-	    <application>Kerberos</application> home page</link></para>
+	  <para><link
+	      xlink:href="http://web.mit.edu/Kerberos/www/"><acronym>MIT</acronym>
+	      <application>Kerberos</application> home
+	      page</link></para>
 	</listitem>
 
 	<listitem>
-	<para><link xlink:href="http://www.pdc.kth.se/heimdal/">Heimdal
-	  <application>Kerberos</application> home page</link></para>
+	  <para><link
+	      xlink:href="http://www.pdc.kth.se/heimdal/">Heimdal
+	      <application>Kerberos</application> home
+	      page</link></para>
 	</listitem>
-
-	</itemizedlist>
+      </itemizedlist>
     </sect2>
   </sect1>
 
   <sect1 xml:id="openssl">
-    <info><title>OpenSSL</title>
+    <info>
+      <title>OpenSSL</title>
+
       <authorgroup>
-	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by: </contrib></author>
+	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written
+	  by </contrib></author>
       </authorgroup>
     </info>
-    
+
     <indexterm>
       <primary>security</primary>
       <secondary>OpenSSL</secondary>
     </indexterm>
 
-    <para>One feature that many users overlook is the
-      <application>OpenSSL</application> toolkit included
-      in &os;.  <application>OpenSSL</application> provides an
-      encryption transport layer on top of the normal communications
-      layer; thus allowing it to be intertwined with many network
-      applications and services.</para>
-
-    <para>Some uses of <application>OpenSSL</application> may include
-      encrypted authentication of mail clients, web based transactions
-      such as credit card payments and more.  Many ports such as
-      <package>www/apache13-ssl</package>, and
-      <package>mail/sylpheed-claws</package>
-      will offer compilation support for building with
+    <para><application>OpenSSL</application> is an open source
+      implementation of the <acronym>SSL</acronym> and
+      <acronym>TLS</acronym> protocols.  It provides an encryption
+      transport layer on top of the normal communications layer,
+      allowing it to be intertwined with many network applications and
+      services.</para>
+
+    <para>The version of <application>OpenSSL</application> included
+      in &os; supports the Secure Sockets Layer v2/v3 (SSLv2/SSLv3)
+      and Transport Layer Security v1 (TLSv1) network security
+      protocols and can be used as a general cryptographic
+      library.</para>
+
+    <para><application>OpenSSL</application> is often used to encrypt
+      authentication of mail clients and to secure web based
+      transactions such as credit card payments.  Some ports, such as
+      <package>www/apache24</package> and
+      <package>databases/postgresql91-server</package>, include a
+      compile option for building with
       <application>OpenSSL</application>.</para>
 
-    <note>
-      <para>In most cases the Ports Collection will attempt to build
-	the <package>security/openssl</package> port
-	unless the <varname>WITH_OPENSSL_BASE</varname> make variable
-	is explicitly set to <quote>yes</quote>.</para>
-    </note>
+    <para>&os; provides two versions of
+      <application>OpenSSL</application>: one in the base system and
+      one in the Ports Collection.  Users can choose which version to
+      use by default for other ports using the following knobs:</para>
 
-    <para>The version of <application>OpenSSL</application> included
-      in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3),
-      Transport Layer Security v1 (TLSv1) network security protocols
-      and can be used as a general cryptographic library.</para>
+    <itemizedlist>
+      <listitem>
+	<para>WITH_OPENSSL_PORT: when set, the port will use
+	  <application>OpenSSL</application> from the
+	  <package>security/openssl</package> port, even if the
+	  version in the base system is up to date or newer.</para>
+      </listitem>
 
-    <note>
-      <para>While <application>OpenSSL</application> supports the
-	<acronym>IDEA</acronym> algorithm, it is disabled by default
-	due to United States patents.  To use it, the license should
-	be reviewed and, if the restrictions are acceptable, the
-	<varname>MAKE_IDEA</varname> variable must be set in
-	<filename>make.conf</filename>.</para>
-    </note>
+      <listitem>
+	<para>WITH_OPENSSL_BASE: when set, the port will compile
+	  against <application>OpenSSL</application> provided by the
+	  base system.</para>
+      </listitem>
+    </itemizedlist>
 
-    <para>One of the most common uses of
-      <application>OpenSSL</application> is to provide certificates for
-      use with software applications.  These certificates ensure
-      that the credentials of the company or individual are valid
-      and not fraudulent.  If the certificate in question has
-      not been verified by one of the several <quote>Certificate Authorities</quote>,
-      or <acronym>CA</acronym>s, a warning is usually produced.  A
-      Certificate Authority is a company, such as <link xlink:href="http://www.verisign.com">VeriSign</link>, which will
-      sign certificates in order to validate credentials of individuals
-      or companies.  This process has a cost associated with it and
-      is definitely not a requirement for using certificates; however,
-      it can put some of the more paranoid users at ease.</para>
+    <para>Another common use of <application>OpenSSL</application> is
+      to provide certificates for use with software applications.
+      Certificates can be used to verify the credentials of a company
+      or individual.  If a certificate has not been signed by an
+      external <firstterm>Certificate Authority</firstterm>
+      (<acronym>CA</acronym>), such as <link
+	xlink:href="http://www.verisign.com">http://www.verisign.com</link>,
+      the application that uses the certificate will produce a
+      warning.  There is a cost associated with obtaining a signed
+      certificate and using a signed certificate is not mandatory as
+      certificates can be self-signed.  However, using an external
+      authority will prevent warnings and can put users at
+      ease.</para>
+
+    <para>This section demonstrates how to create and use certificates
+      on a &os; system.  Refer to <xref linkend="ldap-config"/> for an
+      example of how to create a <acronym>CA</acronym> for signing
+      one's own certificates.</para>
 
     <sect2>
       <title>Generating Certificates</title>
@@ -2963,8 +1874,16 @@
 	<secondary>certificate generation</secondary>
       </indexterm>
 
-      <para>To generate a certificate, the following command is
-	available:</para>
+      <para>To generate a certificate that will be signed by an
+	external <acronym>CA</acronym>, issue the following command
+	and input the information requested at the prompts.  This
+	input information will be written to the certificate.  At the
+	<literal>Common Name</literal> prompt, input the fully
+	qualified name for the system that will use the certificate.
+	If this name does not match the server, the application
+	verifying the certificate will issue a warning to the user,
+	rendering the verification provided by the certificate as
+	useless.</para>
 
       <screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput>
 Generating a 1024 bit RSA private key
@@ -2979,114 +1898,134 @@
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
-Country Name (2 letter code) [AU]:<userinput>US</userinput>
-State or Province Name (full name) [Some-State]:<userinput>PA</userinput>
-Locality Name (eg, city) []:<userinput>Pittsburgh</userinput>
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput>My Company</userinput>
-Organizational Unit Name (eg, section) []:<userinput>Systems Administrator</userinput>
-Common Name (eg, YOUR name) []:<userinput>localhost.example.org</userinput>
-Email Address []:<userinput>trhodes@FreeBSD.org</userinput>
+Country Name (2 letter code) [AU]:<userinput><replaceable>US</replaceable></userinput>
+State or Province Name (full name) [Some-State]:<userinput><replaceable>PA</replaceable></userinput>
+Locality Name (eg, city) []:<userinput><replaceable>Pittsburgh</replaceable></userinput>
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput><replaceable>My Company</replaceable></userinput>
+Organizational Unit Name (eg, section) []:<userinput><replaceable>Systems Administrator</replaceable></userinput>
+Common Name (eg, YOUR name) []:<userinput><replaceable>localhost.example.org</replaceable></userinput>
+Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput>
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
-A challenge password []:<userinput>SOME PASSWORD</userinput>
-An optional company name []:<userinput>Another Name</userinput></screen>
+A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput>
+An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen>
+
+      <para>Other options, such as the expire time and alternate
+	encryption algorithms, are available when creating a
+	certificate.  A complete list of options is described in
+	&man.openssl.1;.</para>
+
+      <para>This command will create two files in the current
+	directory.  The certificate request,
+	<filename>req.pem</filename>, can be sent to a
+	<acronym>CA</acronym> who will validate the entered
+	credentials, sign the request, and return the signed
+	certificate.  The second file,
+	<filename>cert.pem</filename>, is the private key for the
+	certificate and should be stored in a secure location.  If
+	this falls in the hands of others, it can be used to
+	impersonate the user or the server.</para>
+
+      <para>Alternately, if a signature from a <acronym>CA</acronym>
+	is not required, a self-signed certificate can be created.
+	First, generate the <acronym>RSA</acronym> key:</para>
+
+      <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput>
+0 semi-random bytes loaded
+Generating DSA parameters, 1024 bit long prime
+This could take some time
+.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
+..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++*</screen>
+
+      <para>Next, generate the <acronym>CA</acronym> key.  When
+	prompted, enter a passphrase between 4 to 1023 characters.
+	Remember this passphrase as it is needed whenever the key is
+	used to sign a certificate.</para>
+
+      <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput>
+Generating DSA key, 1024 bits
+Enter PEM pass phrase:
+Verifying - Enter PEM pass phrase:</screen>
+
+      <para>Use this key to create a self-signed certificate.  When
+	prompted, enter the passphrase.  Then follow the usual prompts
+	for creating a certificate:</para>
 
-      <para>Notice the response directly after the
-	<quote>Common Name</quote> prompt shows a domain name.
-	This prompt requires a server name to be entered for
-	verification purposes; placing anything	but a domain name
-	would yield a useless certificate.  Other options, for
-	instance expire time, alternate encryption algorithms, etc.
-	are available.  A complete list may be obtained by viewing
-	the &man.openssl.1; manual page.</para>
-
-      <para>Two files should now exist in
-	the directory in which the aforementioned command was issued.
-	The certificate request, <filename>req.pem</filename>, may be
-	sent to a certificate authority who will validate the credentials
-	that you entered, sign the request and return the certificate to
-	you.  The second file created will be named <filename>cert.pem</filename>
-	and is the private key for the certificate and should be
-	protected at all costs; if this falls in the hands of others it
-	can be used to impersonate you (or your server).</para>
-
-      <para>In cases where a signature from a <acronym>CA</acronym> is
-	not required, a self signed certificate can be created.  First,
-	generate the <acronym>RSA</acronym> key:</para>
-
-      <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput></screen>
-
-	<para>Next, generate the <acronym>CA</acronym> key:</para>
-
-      <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput></screen>
-
-      <para>Use this key to create the certificate:</para>
-
-      <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput></screen>
-
-      <para>Two new files should appear in the directory: a certificate
-	authority signature file, <filename>myca.key</filename> and the
-	certificate itself, <filename>new.crt</filename>.  These should
-	be placed in a directory, preferably under
-	<filename>/etc</filename>, which is readable
-	only by <systemitem class="username">root</systemitem>.  Permissions of 0700 should be fine for this and
-	they can be set with the <command>chmod</command>
-	utility.</para>
+      <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput>
+Enter pass phrase for myca.key:
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:<userinput><replaceable>US</replaceable></userinput>
+State or Province Name (full name) [Some-State]:<userinput><replaceable>PA</replaceable></userinput>
+Locality Name (eg, city) []:<userinput><replaceable>Pittsburgh</replaceable></userinput>
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput><replaceable>My Company</replaceable></userinput>
+Organizational Unit Name (eg, section) []:<userinput><replaceable>Systems Administrator</replaceable></userinput>
+Common Name (e.g. server FQDN or YOUR name) []:<userinput><replaceable>localhost.example.org</replaceable></userinput>
+Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput></screen>
+
+      <para>This will create two new files in the current directory: a
+	certificate authority signature file,
+	<filename>myca.key</filename>, and the certificate itself,
+	<filename>new.crt</filename>.  These should be placed in a
+	directory, preferably under <filename>/etc</filename>, which
+	is readable only by <systemitem
+	  class="username">root</systemitem>.  Permissions of
+	<literal>0700</literal> are appropriate for these files and
+	can be set using <command>chmod</command>.</para>
     </sect2>
 
     <sect2>
-      <title>Using Certificates, an Example</title>
-
-      <para>So what can these files do?  A good use would be to
-	encrypt connections to the <application>Sendmail</application>
-	<acronym>MTA</acronym>.  This would dissolve the use of clear
-	text authentication for users who send mail via the local
-	<acronym>MTA</acronym>.</para>
+      <title>Using Certificates</title>
+
+      <para>One use for a certificate is to encrypt connections to the
+	<application>Sendmail</application> mail server in order to
+	prevent the use of clear text authentication.</para>
 
       <note>
-	<para>This is not the best use in the world as some
-	  <acronym>MUA</acronym>s will present the user with an
-	  error if they have not installed the certificate locally.
-	  Refer to the documentation included with the software for
-	  more information on certificate installation.</para>
+	<para>Some mail clients will display an error if the user has
+	  not installed a local copy of the certificate.  Refer to the
+	  documentation included with the software for more
+	  information on certificate installation.</para>
       </note>
 
-      <para>The following lines should be placed inside the
-	local <filename>.mc</filename> file:</para>
-
-      <programlisting>dnl SSL Options
-define(`confCACERT_PATH',`/etc/certs')dnl
-define(`confCACERT',`/etc/certs/new.crt')dnl
-define(`confSERVER_CERT',`/etc/certs/new.crt')dnl
-define(`confSERVER_KEY',`/etc/certs/myca.key')dnl
-define(`confTLS_SRV_OPTIONS', `V')dnl</programlisting>
-
-      <para>Where <filename>/etc/certs/</filename>
-	is the directory to be used for storing the certificate
-	and key files locally.  The last few requirements are a rebuild
-	of the local <filename>.cf</filename> file.  This is easily
-	achieved by typing <command>make</command>
-	<parameter>install</parameter> within the
-	<filename>/etc/mail</filename>
-	directory.  Follow that up with <command>make</command>
-	<parameter>restart</parameter> which should start the
-	<application>Sendmail</application> daemon.</para>
-
-      <para>If all went well there will be no error messages in the
-	<filename>/var/log/maillog</filename> file and
-	<application>Sendmail</application> will show up in the process
-	list.</para>
+      <para>In &os; 10.0-RELEASE and above, it is possible to create a
+	self-signed certificate for
+	<application>Sendmail</application> automatically.  To enable
+	this, add the following lines to
+	<filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>sendmail_enable="YES"
+sendmail_cert_create="YES"
+sendmail_cert_cn="<replaceable>localhost.example.org</replaceable>"</programlisting>
+
+      <para>This will automatically create a self-signed certificate,
+	<filename>/etc/mail/certs/host.cert</filename>, a signing key,
+	<filename>/etc/mail/certs/host.key</filename>, and a
+	<acronym>CA</acronym> certificate,
+	<filename>/etc/mail/certs/cacert.pem</filename>.  The
+	certificate will use the <literal>Common Name</literal>
+	specified in <option>sendmail_cert_cn</option>.  After saving
+	the edits, restart <application>Sendmail</application>:</para>
+
+      <screen>&prompt.root; <userinput>service sendmail restart</userinput></screen>
+
+      <para>If all went well, there will be no error messages in
+	<filename>/var/log/maillog</filename>.  For a simple test,
+	connect to the mail server's listening port using
+	<command>telnet</command>:</para>
 
-      <para>For a simple test, simply connect to the mail server
-	using the &man.telnet.1; utility:</para>
-
-      <screen>&prompt.root; <userinput>telnet example.com 25</userinput>
+      <screen>&prompt.root; <userinput>telnet <replaceable>example.com</replaceable> 25</userinput>
 Trying 192.0.34.166...
-Connected to <systemitem class="fqdomainname">example.com</systemitem>.
+Connected to example.com.
 Escape character is '^]'.
-220 <systemitem class="fqdomainname">example.com</systemitem> ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT)
-<userinput>ehlo example.com</userinput>
+220 example.com ESMTP Sendmail 8.14.7/8.14.7; Fri, 18 Apr 2014 11:50:32 -0400 (EDT)
+<userinput>ehlo <replaceable>example.com</replaceable></userinput>
 250-example.com Hello example.com [192.0.34.166], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
@@ -3099,1311 +2038,787 @@
 250-DELIVERBY
 250 HELP
 <userinput>quit</userinput>
-221 2.0.0 <systemitem class="fqdomainname">example.com</systemitem> closing connection
+221 2.0.0 example.com closing connection
 Connection closed by foreign host.</screen>
 
-      <para>If the <quote>STARTTLS</quote> line appears in the output
-	then everything is working correctly.</para>
+      <para>If the <literal>STARTTLS</literal> line appears in the
+	output, everything is working correctly.</para>
     </sect2>
   </sect1>
 
   <sect1 xml:id="ipsec">
-    <info><title>VPN over IPsec</title>
+    <info>
+      <title><acronym>VPN</acronym> over
+	<acronym>IPsec</acronym></title>
+
       <authorgroup>
-        <author><personname><firstname>Nik</firstname><surname>Clayton</surname></personname><affiliation>
-	    <address><email>nik@FreeBSD.org</email></address>
-          </affiliation><contrib>Written by </contrib></author>
+	<author>
+	  <personname>
+	    <firstname>Nik</firstname>
+	    <surname>Clayton</surname>
+	  </personname>
+	  <affiliation>
+	    <address>
+	      <email>nik@FreeBSD.org</email>
+	    </address>
+	  </affiliation>
+	  <contrib>Written by </contrib>
+	</author>
       </authorgroup>
-    </info>
 
-    
+      <authorgroup>
+	<author>
+	  <personname>
+	    <firstname>Hiten M.</firstname>
+	    <surname>Pandya</surname>
+	  </personname>
+	  <affiliation>
+	    <address>
+	      <email>hmp@FreeBSD.org</email>
+	    </address>
+	  </affiliation>
+	  <contrib>Written by </contrib>
+	</author>
+      </authorgroup>
+    </info>
 
     <indexterm>
-      <primary>IPsec</primary>
+      <primary><acronym>IPsec</acronym></primary>
     </indexterm>
 
-    <para>Creating a VPN between two networks, separated by the
-      Internet, using FreeBSD gateways.</para>
-
-    <sect2>
-      <info><title>Understanding IPsec</title>
-        <authorgroup>
-          <author><personname><firstname>Hiten M.</firstname><surname>Pandya</surname></personname><affiliation>
-	      <address><email>hmp@FreeBSD.org</email></address>
-	    </affiliation><contrib>Written by </contrib></author>
-	</authorgroup>
-      </info>
-
-      
-
-      <para>This section will guide you through the process of setting
-	up IPsec, and to use it in an environment which consists of
-	FreeBSD and <application>&microsoft.windows; 2000/XP</application>
-	machines, to make them communicate securely.  In order to set up
-	IPsec, it is necessary that you are familiar with the concepts
-	of building a custom kernel (see
-	<xref linkend="kernelconfig"/>).</para>
-
-      <para><emphasis>IPsec</emphasis> is a protocol which sits on top
-	of the Internet Protocol (IP) layer.  It allows two or more
-	hosts to communicate in a secure manner (hence the name).  The
-	FreeBSD IPsec <quote>network stack</quote> is based on the
-	<link xlink:href="http://www.kame.net/">KAME</link> implementation,
-	which has support for both protocol families, IPv4 and
-	IPv6.</para>
+    <para>Internet Protocol Security (<acronym>IPsec</acronym>) is a
+      set of protocols which sit on top of the Internet Protocol
+      (<acronym>IP</acronym>) layer.  It allows two or more hosts to
+      communicate in a secure manner by authenticating and encrypting
+      each <acronym>IP</acronym> packet of a communication session.
+      The &os; <acronym>IPsec</acronym> network stack is based on the
+      <link
+	xlink:href="http://www.kame.net/">http://www.kame.net/</link>
+      implementation and supports both <acronym>IPv4</acronym> and
+      <acronym>IPv6</acronym> sessions.</para>
 
-      <note>
-        <para>FreeBSD 5.X contains a <quote>hardware
-        accelerated</quote> IPsec stack, known as <quote>Fast
-        IPsec</quote>, that was obtained from OpenBSD.  It employs
-        cryptographic hardware (whenever possible) via the
-        &man.crypto.4; subsystem to optimize the performance of IPsec.
-        This subsystem is new, and does not support all the features
-        that are available in the KAME version of IPsec.  However, in
-        order to enable hardware-accelerated IPsec, the following
-        kernel option has to be added to your kernel configuration
-        file:</para>
-
-	<indexterm>
-	  <primary>kernel options</primary>
-	  <secondary>FAST_IPSEC</secondary>
-	</indexterm>
+    <indexterm>
+      <primary><acronym>IPsec</acronym></primary>
+      <secondary>ESP</secondary>
+    </indexterm>
 
-        <screen>
-options	  FAST_IPSEC  # new IPsec (cannot define w/ IPSEC)
-        </screen>
-
-        <para> Note, that it is not currently possible to use the
-	  <quote>Fast IPsec</quote> subsystem in lue with the KAME
-	  implementation of IPsec.  Consult the &man.fast.ipsec.4;
-	  manual page for more information.</para>
+    <indexterm>
+      <primary><acronym>IPsec</acronym></primary>
+      <secondary>AH</secondary>
+    </indexterm>
 
-      </note>
+    <para><acronym>IPsec</acronym> is comprised of the following
+      sub-protocols:</para>
 
-      <indexterm>
-	<primary>IPsec</primary>
-	<secondary>ESP</secondary>
-      </indexterm>
+    <itemizedlist>
+      <listitem>
+	<para><emphasis>Encapsulated Security Payload
+	    (<acronym>ESP</acronym>)</emphasis>: this protocol
+	  protects the <acronym>IP</acronym> packet data from third
+	  party interference by encrypting the contents using
+	  symmetric cryptography algorithms such as Blowfish and
+	  <acronym>3DES</acronym>.</para>
+      </listitem>
 
-      <indexterm>
-	<primary>IPsec</primary>
-	<secondary>AH</secondary>
-      </indexterm>
+      <listitem>
+	<para><emphasis>Authentication Header
+	    (<acronym>AH</acronym>)</emphasis>): this protocol
+	  protects the <acronym>IP</acronym> packet header from third
+	  party interference and spoofing by computing a cryptographic
+	  checksum and hashing the <acronym>IP </acronym> packet
+	  header fields with a secure hashing function.  This is then
+	  followed by an additional header that contains the hash, to
+	  allow the information in the packet to be
+	  authenticated.</para>
+      </listitem>
 
-      <para>IPsec consists of two sub-protocols:</para>
+      <listitem>
+	<para><emphasis>IP Payload Compression Protocol
+	    (<acronym>IPComp</acronym></emphasis>): this protocol
+	  tries to increase communication performance by compressing
+	  the <acronym>IP </acronym> payload in order ro reduce the
+	  amount of data sent.</para>
+      </listitem>
+    </itemizedlist>
 
-      <itemizedlist>
-        <listitem>
-          <para><emphasis>Encapsulated Security Payload
-	      (ESP)</emphasis>, protects the IP packet data from third
-	    party interference, by encrypting the contents using
-	    symmetric cryptography algorithms (like Blowfish,
-	    3DES).</para>
-        </listitem>
-        <listitem>
-          <para><emphasis>Authentication Header (AH)</emphasis>,
-	    protects the IP packet header from third party interference
-	    and spoofing, by computing a cryptographic checksum and
-	    hashing the IP packet header fields with a secure hashing
-	    function.  This is then followed by an additional header
-	    that contains the hash, to allow the information in the
-	    packet to be authenticated.</para>
-        </listitem>
-      </itemizedlist>
+    <para>These protocols can either be used together or separately,
+      depending on the environment.</para>
 
-      <para><acronym>ESP</acronym> and <acronym>AH</acronym> can
-	either be used together or separately, depending on the
-	environment.</para>
+    <indexterm>
+      <primary><acronym>VPN</acronym></primary>
+    </indexterm>
 
-      <indexterm>
-	<primary>VPN</primary>
-      </indexterm>
+    <indexterm>
+      <primary>virtual private network</primary>
+      <see>VPN</see>
+    </indexterm>
 
-      <indexterm>
-	<primary>virtual private network</primary>
-	<see>VPN</see>
-      </indexterm>
+    <para><acronym>IPsec</acronym> supports two modes of operation.
+      The first mode, <firstterm>Transport Mode</firstterm>, protects
+      communications between two hosts.  The second mode,
+      <firstterm>Tunnel Mode</firstterm>, is used to build virtual
+      tunnels, commonly known as Virtual Private Networks
+      (<acronym>VPN</acronym>s).  Consult &man.ipsec.4; for detailed
+      information on the <acronym>IPsec</acronym> subsystem in
+      &os;.</para>
+
+    <para>To add <acronym>IPsec</acronym> support to the kernel, add
+      the following options to the custom kernel configuration file
+      and rebuild the kernel using the instructions in <xref
+	linkend="kernelconfig"/>:</para>
 
-      <para>IPsec can either be used to directly encrypt the traffic
-	between two hosts (known as <emphasis>Transport
-	  Mode</emphasis>); or to build <quote>virtual tunnels</quote>
-	between two subnets, which could be used for secure
-	communication between two corporate networks (known as
-	<emphasis>Tunnel Mode</emphasis>).  The latter is more commonly
-	known as a <emphasis>Virtual Private Network (VPN)</emphasis>.
-	The &man.ipsec.4; manual page should be consulted for detailed
-	information on the IPsec subsystem in FreeBSD.</para>
+    <indexterm>
+      <primary>kernel options</primary>
+      <secondary>IPSEC</secondary>
+    </indexterm>
 
-      <para>To add IPsec support to your kernel, add the following
-	options to your kernel configuration file:</para>
+    <screen>options   IPSEC        #IP security
+device    crypto</screen>
 
-      <indexterm>
-	<primary>kernel options</primary>
-	<secondary>IPSEC</secondary>
-      </indexterm>
+    <indexterm>
+      <primary>kernel options</primary>
+      <secondary>IPSEC_DEBUG</secondary>
+    </indexterm>
 
-      <indexterm>
-	<primary>kernel options</primary>
-	<secondary>IPSEC_ESP</secondary>
-      </indexterm>
+    <para>If <acronym>IPsec</acronym> debugging support is desired,
+      the following kernel option should also be added:</para>
 
-      <screen>
-options   IPSEC        #IP security
-options   IPSEC_ESP    #IP security (crypto; define w/ IPSEC)
-      </screen>
+    <screen>options   IPSEC_DEBUG  #debug for IP security</screen>
 
-      <indexterm>
-	<primary>kernel options</primary>
-	<secondary>IPSEC_DEBUG</secondary>
-      </indexterm>
-
-      <para>If IPsec debugging support is desired, the following
-	kernel option should also be added:</para>
+    <para>This rest of this chapter demonstrates the process of
+      setting up an <acronym>IPsec</acronym> <acronym>VPN</acronym>
+      between a home network and a corporate network.  In the example
+      scenario:</para>
 
-      <screen>
-options   IPSEC_DEBUG  #debug for IP security
-      </screen>
-    </sect2>
+    <itemizedlist>
+      <listitem>
+	<para>Both sites are connected to the Internet through a
+	  gateway that is running &os;.</para>
+      </listitem>
 
-    <sect2>
-      <title>The Problem</title>
+      <listitem>
+	<para>The gateway on each network has at least one external
+	  <acronym>IP</acronym> address.  In this example, the
+	  corporate <acronym>LAN</acronym>'s external
+	  <acronym>IP</acronym> address is <systemitem
+	    class="ipaddress">172.16.5.4</systemitem> and the home
+	  <acronym>LAN</acronym>'s external <acronym>IP</acronym>
+	  address is <systemitem
+	    class="ipaddress">192.168.1.12</systemitem>.</para>
+      </listitem>
 
-      <para>There is no standard for what constitutes a VPN.  VPNs can
-	be implemented using a number of different technologies, each of
-	which have their own strengths and weaknesses.  This section
-	presents a scenario, and the strategies used for implementing a
-	VPN for this scenario.</para>
-    </sect2>
+      <listitem>
+	<para>The internal addresses of the two networks can be either
+	  public or private <acronym>IP</acronym> addresses.  However,
+	  the address space must not collide.  For example, both
+	  networks cannot use <systemitem
+	    class="ipaddress">192.168.1.x</systemitem>.  In this
+	  example, the corporate <acronym>LAN</acronym>'s internal
+	  <acronym>IP</acronym> address is <systemitem
+	    class="ipaddress">10.246.38.1</systemitem> and the home
+	  <acronym>LAN</acronym>'s internal <acronym>IP</acronym>
+	  address is <systemitem
+	    class="ipaddress">10.0.0.5</systemitem>.</para>
+      </listitem>
+    </itemizedlist>
 
     <sect2>
-      <title>The Scenario: Two networks, connected to the Internet, to
-        behave as one</title>
-
-      <indexterm>
-	<primary>VPN</primary>
-	<secondary>creating</secondary>
-      </indexterm>
-
-      <para>The premise is as follows:</para>
+      <info>
+	<title>Configuring a <acronym>VPN</acronym> on &os;</title>
 
-      <itemizedlist>
-        <listitem>
-          <para>You have at least two sites</para>
-        </listitem>
-        <listitem>
-          <para>Both sites are using IP internally</para>
-        </listitem>
-        <listitem>
-          <para>Both sites are connected to the Internet, through a
-            gateway that is running FreeBSD.</para>
-        </listitem>
-        <listitem>
-          <para>The gateway on each network has at least one public IP
-            address.</para>
-        </listitem>
-        <listitem>
-          <para>The internal addresses of the two networks can be
-            public or private IP addresses, it does not matter.  You can
-            be running NAT on the gateway machine if necessary.</para>
-        </listitem>
-        <listitem>
-          <para>The internal IP addresses of the two networks
-            <emphasis>do not collide</emphasis>.  While I expect it is
-            theoretically possible to use a combination of VPN
-            technology and NAT to get this to work, I expect it to be a
-            configuration nightmare.</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>If you find that you are trying to connect two networks,
-        both of which, internally, use the same private IP address range
-        (e.g. both of them use <systemitem class="ipaddress">192.168.1.x</systemitem>), then one of the networks will
-        have to be renumbered.</para>
-
-      <para>The network topology might look something like this:</para>
-
-      <mediaobject>
-	<imageobject>
-	  <imagedata fileref="security/ipsec-network" align="center"/>
-	</imageobject>
-
-	<textobject>
-<literallayout class="monospaced">Network #1            [ Internal Hosts ]    Private Net, 192.168.1.2-254
-                      [   Win9x/NT/2K  ]
-                      [      UNIX      ]
-                               |
-                               |
-                        .---[fxp1]---.      Private IP, 192.168.1.1
-                        |   FreeBSD  |
-                        `---[fxp0]---'      Public IP, A.B.C.D
-                               |
-                               |
-                      -=-=- Internet -=-=-
-                               |
-                               |
-                        .---[fxp0]---.      Public IP, W.X.Y.Z
-                        |   FreeBSD  |
-                        `---[fxp1]---'      Private IP, 192.168.2.1
-                               |
-                               |
-Network #2            [ Internal Hosts ]
-                      [   Win9x/NT/2K  ]    Private Net, 192.168.2.2-254
-                      [      UNIX      ]</literallayout>
-	</textobject>
-      </mediaobject>
-
-      <para>Notice the two public IP addresses.  I will use the letters to
-        refer to them in the rest of this article.  Anywhere you see those
-        letters in this article, replace them with your own public IP
-        addresses.  Note also that internally, the two gateway
-        machines have .1 IP addresses, and that the two networks have
-        different private IP addresses (<systemitem class="ipaddress">192.168.1.x</systemitem> and <systemitem class="ipaddress">192.168.2.x</systemitem> respectively).  All the
-        machines on the private networks have been configured to use the
-        <systemitem class="ipaddress">.1</systemitem> machine as their default
-        gateway.</para>
-
-      <para>The intention is that, from a network point of view, each
-        network should view the machines on the other network as though
-        they were directly attached the same router -- albeit a slightly
-        slow router with an occasional tendency to drop packets.</para>
-
-      <para>This means that (for example), machine <systemitem class="ipaddress">192.168.1.20</systemitem> should be able to run</para>
-
-      <programlisting>ping 192.168.2.34</programlisting>
-
-      <para>and have it work, transparently.  &windows; machines should
-        be able to see the machines on the other network, browse file
-        shares, and so on, in exactly the same way that they can browse
-        machines on the local network.</para>
-
-      <para>And the whole thing has to be secure.  This means that
-        traffic between the two networks has to be encrypted.</para>
-
-      <para>Creating a VPN between these two networks is a multi-step
-        process.  The stages are as follows:</para>
-
-      <orderedlist>
-        <listitem>
-          <para>Create a <quote>virtual</quote> network link between the two
-            networks, across the Internet.  Test it, using tools like
-            &man.ping.8;, to make sure it works.</para>
-        </listitem>
-
-        <listitem>
-          <para>Apply security policies to ensure that traffic between
-            the two networks is transparently encrypted and decrypted as
-            necessary.  Test this, using tools like &man.tcpdump.1;, to
-            ensure that traffic is encrypted.</para>
-        </listitem>
-
-        <listitem>
-          <para>Configure additional software on the FreeBSD gateways,
-            to allow &windows; machines to see one another across the
-            VPN.</para>
-        </listitem>
-      </orderedlist>
-
-    <sect3>
-      <title>Step 1: Creating and testing a <quote>virtual</quote>
-        network link</title>
-
-      <para>Suppose that you were logged in to the gateway machine on
-        network #1 (with public IP address <systemitem class="ipaddress">A.B.C.D</systemitem>, private IP address <systemitem class="ipaddress">192.168.1.1</systemitem>), and you ran <command>ping
-        192.168.2.1</command>, which is the private address of the machine
-        with IP address <systemitem class="ipaddress">W.X.Y.Z</systemitem>.  What
-        needs to happen in order for this to work?</para>
-
-      <orderedlist>
-        <listitem>
-          <para>The gateway machine needs to know how to reach <systemitem class="ipaddress">192.168.2.1</systemitem>.  In other words, it needs
-            to have a route to <systemitem class="ipaddress">192.168.2.1</systemitem>.</para>
-        </listitem>
-        <listitem>
-          <para>Private IP addresses, such as those in the <systemitem class="ipaddress">192.168.x</systemitem> range are not supposed to
-            appear on the Internet at large.  Instead, each packet you
-            send to <systemitem class="ipaddress">192.168.2.1</systemitem> will need
-            to be wrapped up inside another packet.  This packet will need
-            to appear to be from <systemitem class="ipaddress">A.B.C.D</systemitem>,
-            and it will have to be sent to <systemitem class="ipaddress">W.X.Y.Z</systemitem>.  This process is called
-            <firstterm>encapsulation</firstterm>.</para>
-        </listitem>
-        <listitem>
-          <para>Once this packet arrives at <systemitem class="ipaddress">W.X.Y.Z</systemitem> it will need to
-            <quote>unencapsulated</quote>, and delivered to <systemitem class="ipaddress">192.168.2.1</systemitem>.</para>
-	</listitem>
-      </orderedlist>
+	<authorgroup>
+	  <author>
+	    <personname>
+	      <firstname>Tom</firstname>
+	      <surname>Rhodes</surname>
+	    </personname>
+	    <affiliation>
+	      <address>
+		<email>trhodes@FreeBSD.org</email>
+	      </address>
+	    </affiliation>
+	    <contrib>Written by </contrib>
+	  </author>
+	</authorgroup>
+      </info>
 
-      <para>You can think of this as requiring a <quote>tunnel</quote>
-        between the two networks.  The two <quote>tunnel mouths</quote> are the IP
-        addresses <systemitem class="ipaddress">A.B.C.D</systemitem> and <systemitem class="ipaddress">W.X.Y.Z</systemitem>, and the tunnel must be told the
-        addresses of the private IP addresses that will be allowed to pass
-        through it.  The tunnel is used to transfer traffic with private
-        IP addresses across the public Internet.</para>
-
-      <para>This tunnel is created by using the generic interface, or
-        <filename>gif</filename> devices on FreeBSD.  As you can
-        imagine, the <filename>gif</filename> interface on each
-        gateway host must be configured with four IP addresses; two for
-        the public IP addresses, and two for the private IP
-        addresses.</para>
-
-      <para>Support for the gif device must be compiled in to the
-        &os; kernel on both machines.  You can do this by adding the
-        line:</para>
-
-      <programlisting>device gif</programlisting>
-
-      <para>to the kernel configuration files on both machines, and
-        then compile, install, and reboot as normal.</para>
-
-      <para>Configuring the tunnel is a two step process.  First the
-        tunnel must be told what the outside (or public) IP addresses
-        are, using &man.gifconfig.8;.  Then the private IP addresses must be
-        configured using &man.ifconfig.8;.</para>
+      <para>To begin, <package>security/ipsec-tools</package> must be
+	installed from the Ports Collection.  This software provides a
+	number of applications which support the configuration.</para>
+
+      <para>The next requirement is to create two &man.gif.4;
+	pseudo-devices which will be used to tunnel packets and allow
+	both networks to communicate properly.  As <systemitem
+	  class="username">root</systemitem>, run the following
+	commands, replacing <replaceable>internal</replaceable> and
+	<replaceable>external</replaceable> with the real IP
+	addresses of the internal and external interfaces of the two
+	gateways:</para>
+
+      <screen>&prompt.root; <userinput>ifconfig gif0 create</userinput>
+&prompt.root; <userinput>ifconfig gif0 <replaceable>internal1 internal2</replaceable></userinput>
+&prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>external1 external2</replaceable></userinput></screen>
+
+      <para>Verify the setup on each gateway, using
+	<command>ifconfig</command>.  Here is the output from Gateway
+	1:</para>
+
+      <programlisting>gif0: flags=8051 mtu 1280
+tunnel inet 172.16.5.4 --&gt; 192.168.1.12
+inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6
+inet 10.246.38.1 --&gt; 10.0.0.5 netmask 0xffffff00</programlisting>
+
+      <para>Here is the output from Gateway 2:</para>
+
+      <programlisting>gif0: flags=8051 mtu 1280
+tunnel inet 192.168.1.12 --&gt; 172.16.5.4
+inet 10.0.0.5 --&gt; 10.246.38.1 netmask 0xffffff00
+inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4</programlisting>
+
+      <para>Once complete, both internal <acronym>IP</acronym>
+	addresses should be reachable using &man.ping.8;:</para>
+
+      <programlisting>priv-net# ping 10.0.0.5
+PING 10.0.0.5 (10.0.0.5): 56 data bytes
+64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms
+64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms
+64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=20.440 ms
+64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=21.036 ms
+--- 10.0.0.5 ping statistics ---
+4 packets transmitted, 4 packets received, 0% packet loss
+round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms
+
+corp-net# ping 10.246.38.1
+PING 10.246.38.1 (10.246.38.1): 56 data bytes
+64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms
+64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms
+64 bytes from 10.246.38.1: icmp_seq=2 ttl=64 time=127.525 ms
+64 bytes from 10.246.38.1: icmp_seq=3 ttl=64 time=119.896 ms
+64 bytes from 10.246.38.1: icmp_seq=4 ttl=64 time=154.524 ms
+--- 10.246.38.1 ping statistics ---
+5 packets transmitted, 5 packets received, 0% packet loss
+round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms</programlisting>
+
+      <para>As expected, both sides have the ability to send and
+	receive <acronym>ICMP</acronym> packets from the privately
+	configured addresses.  Next, both gateways must be told how to
+	route packets in order to correctly send traffic from either
+	network.  The following commands will achieve this
+	goal:</para>
+
+      <screen>&prompt.root; <userinput>corp-net# route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput>
+&prompt.root; <userinput>corp-net# route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput>
+&prompt.root; <userinput>priv-net# route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput>
+&prompt.root; <userinput>priv-net# route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen>
+
+      <para>At this point, internal machines should be reachable from
+	each gateway as well as from machines behind the gateways.
+	Again, use &man.ping.8; to confirm:</para>
+
+      <programlisting>corp-net# ping 10.0.0.8
+PING 10.0.0.8 (10.0.0.8): 56 data bytes
+64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms
+64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms
+64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms
+64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=22.241 ms
+64 bytes from 10.0.0.8: icmp_seq=4 ttl=63 time=174.705 ms
+--- 10.0.0.8 ping statistics ---
+5 packets transmitted, 5 packets received, 0% packet loss
+round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms
+
+priv-net# ping 10.246.38.107
+PING 10.246.38.1 (10.246.38.107): 56 data bytes
+64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms
+64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms
+64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms
+64 bytes from 10.246.38.107: icmp_seq=3 ttl=64 time=21.145 ms
+64 bytes from 10.246.38.107: icmp_seq=4 ttl=64 time=36.708 ms
+--- 10.246.38.107 ping statistics ---
+5 packets transmitted, 5 packets received, 0% packet loss
+round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms</programlisting>
+
+      <para>Setting up the tunnels is the easy part.  Configuring a
+	secure link is a more in depth process.  The following
+	configuration uses pre-shared (<acronym>PSK</acronym>)
+	<acronym>RSA</acronym> keys.  Other than the
+	<acronym>IP</acronym> addresses, the
+	<filename>/usr/local/etc/racoon/racoon.conf</filename> on both
+	gateways will be identical and look similar to:</para>
+
+      <programlisting>path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
+log     debug;	#log verbosity setting: set to 'notify' when testing and debugging is complete
+
+padding	# options are not to be changed
+{
+        maximum_length  20;
+        randomize       off;
+        strict_check    off;
+        exclusive_tail  off;
+}
+
+timer	# timing options. change as needed
+{
+        counter         5;
+        interval        20 sec;
+        persend         1;
+#       natt_keepalive  15 sec;
+        phase1          30 sec;
+        phase2          15 sec;
+}
+
+listen	# address [port] that racoon will listen on
+{
+        isakmp          172.16.5.4 [500];
+        isakmp_natt     172.16.5.4 [4500];
+}
+
+remote  192.168.1.12 [500]
+{
+        exchange_mode   main,aggressive;
+        doi             ipsec_doi;
+        situation       identity_only;
+        my_identifier   address 172.16.5.4;
+        peers_identifier        address 192.168.1.12;
+        lifetime        time 8 hour;
+        passive         off;
+        proposal_check  obey;
+#       nat_traversal   off;
+        generate_policy off;
+
+                        proposal {
+                                encryption_algorithm    blowfish;
+                                hash_algorithm          md5;
+                                authentication_method   pre_shared_key;
+                                lifetime time           30 sec;
+                                dh_group                1;
+                        }
+}
+
+sainfo  (address 10.246.38.0/24 any address 10.0.0.0/24 any)	# address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
+{								# $network must be the two internal networks you are joining.
+        pfs_group       1;
+        lifetime        time    36000 sec;
+        encryption_algorithm    blowfish,3des,des;
+        authentication_algorithm        hmac_md5,hmac_sha1;
+        compression_algorithm   deflate;
+}</programlisting>
+
+      <para>For descriptions of each available option, refer to the
+	manual page for <filename>racoon.conf</filename>.</para>
+
+      <para>The Security Policy Database (<acronym>SPD</acronym>)
+	needs to be configured so that &os; and
+	<application>racoon</application> are able to encrypt and
+	decrypt network traffic between the hosts.</para>
+
+      <para>This can be achieved with a shell script, similar to the
+	following, on the corporate gateway.  This file will be used
+	during system initialization and should be saved as
+	<filename>/usr/local/etc/racoon/setkey.conf</filename>.</para>
+
+      <programlisting>flush;
+spdflush;
+# To the home network
+spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
+spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;</programlisting>
+
+      <para>Once in place, <application>racoon</application> may be
+	started on both gateways using the following command:</para>
+
+      <screen>&prompt.root; <userinput>/usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log</userinput></screen>
+
+      <para>The output should be similar to the following:</para>
+
+      <programlisting>corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
+Foreground mode.
+2006-01-30 01:35:47: INFO: begin Identity Protection mode.
+2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon
+2006-01-30 01:35:55: INFO: received Vendor ID: KAME/racoon
+2006-01-30 01:36:04: INFO: ISAKMP-SA established 172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a
+2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
+2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]-&gt;172.16.5.4[0] spi=28496098(0x1b2d0e2)
+2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]-&gt;192.168.1.12[0] spi=47784998(0x2d92426)
+2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
+2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]-&gt;172.16.5.4[0] spi=124397467(0x76a279b)
+2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]-&gt;192.168.1.12[0] spi=175852902(0xa7b4d66)</programlisting>
+
+      <para>To ensure the tunnel is working properly, switch to
+	another console and use &man.tcpdump.1; to view network
+	traffic using the following command.  Replace
+	<literal>em0</literal> with the network interface card as
+	required:</para>
+
+      <screen>&prompt.root; <userinput>tcpdump -i em0 host <replaceable>172.16.5.4 and dst 192.168.1.12</replaceable></userinput></screen>
+
+      <para>Data similar to the following should appear on the
+	console.  If not, there is an issue and debugging the
+	returned data will be required.</para>
+
+      <programlisting>01:47:32.021683 IP corporatenetwork.com &gt; 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)
+01:47:33.022442 IP corporatenetwork.com &gt; 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xb)
+01:47:34.024218 IP corporatenetwork.com &gt; 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc)</programlisting>
+
+      <para>At this point, both networks should be available and seem
+	to be part of the same network.  Most likely both networks are
+	protected by a firewall.  To allow traffic to flow between
+	them, rules need to be added to pass packets.  For the
+	&man.ipfw.8; firewall, add the following lines to the firewall
+	configuration file:</para>
+
+      <programlisting>ipfw add 00201 allow log esp from any to any
+ipfw add 00202 allow log ah from any to any
+ipfw add 00203 allow log ipencap from any to any
+ipfw add 00204 allow log udp from any 500 to any</programlisting>
 
       <note>
-	<para>In &os;&nbsp;5.X, the functionality provided by the
-	  &man.gifconfig.8; utility has been merged into
-	  &man.ifconfig.8;.</para></note>
-
-      <para>On the gateway machine on network #1 you would run the
-        following two commands to configure the tunnel.</para>
-
-      <programlisting>gifconfig gif0 A.B.C.D W.X.Y.Z
-ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff
-      </programlisting>
-
-      <para>On the other gateway machine you run the same commands,
-        but with the order of the IP addresses reversed.</para>
-
-      <programlisting>gifconfig gif0 W.X.Y.Z A.B.C.D
-ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff
-      </programlisting>
-
-      <para>You can then run:</para>
-
-      <programlisting>gifconfig gif0</programlisting>
-
-      <para>to see the configuration.  For example, on the network #1
-        gateway, you would see this:</para>
-
-      <screen>&prompt.root; <userinput>gifconfig gif0</userinput>
-gif0: flags=8011&lt;UP,POINTTOPOINT,MULTICAST&gt; mtu 1280
-inet 192.168.1.1 --&gt; 192.168.2.1 netmask 0xffffffff
-physical address inet A.B.C.D --&gt; W.X.Y.Z
-      </screen>
-
-      <para>As you can see, a tunnel has been created between the
-        physical addresses <systemitem class="ipaddress">A.B.C.D</systemitem> and
-        <systemitem class="ipaddress">W.X.Y.Z</systemitem>, and the traffic allowed
-        through the tunnel is that between <systemitem class="ipaddress">192.168.1.1</systemitem> and <systemitem class="ipaddress">192.168.2.1</systemitem>.</para>
-
-      <para>This will also have added an entry to the routing table
-        on both machines, which you can examine with the command <command>netstat -rn</command>.
-        This output is from the gateway host on network #1.</para>
-
-      <screen>&prompt.root; <userinput>netstat -rn</userinput>
-Routing tables
-
-Internet:
-Destination      Gateway       Flags    Refs    Use    Netif  Expire
-...
-192.168.2.1      192.168.1.1   UH        0        0    gif0
-...
-      </screen>
-
-      <para>As the <quote>Flags</quote> value indicates, this is a
-        host route, which means that each gateway knows how to reach the
-        other gateway, but they do not know how to reach the rest of
-        their respective networks.  That problem will be fixed
-        shortly.</para>
-
-      <para>It is likely that you are running a firewall on both
-        machines.  This will need to be circumvented for your VPN
-        traffic.  You might want to allow all traffic between both
-        networks, or you might want to include firewall rules that
-        protect both ends of the VPN from one another.</para>
-
-      <para>It greatly simplifies testing if you configure the
-        firewall to allow all traffic through the VPN.  You can always
-        tighten things up later.  If you are using &man.ipfw.8; on the
-        gateway machines then a command like</para>
-
-      <programlisting>ipfw add 1 allow ip from any to any via gif0</programlisting>
-
-      <para>will allow all traffic between the two end points of the
-        VPN, without affecting your other firewall rules.  Obviously
-        you will need to run this command on both gateway hosts.</para>
-
-      <para>This is sufficient to allow each gateway machine to ping
-        the other.  On <systemitem class="ipaddress">192.168.1.1</systemitem>, you
-        should be able to run</para>
-
-      <programlisting>ping 192.168.2.1</programlisting>
-
-      <para>and get a response, and you should be able to do the same
-        thing on the other gateway machine.</para>
-
-      <para>However, you will not be able to reach internal machines
-        on either network yet.  This is because of the routing --
-        although the gateway machines know how to reach one another,
-        they do not know how to reach the network behind each one.</para>
-
-      <para>To solve this problem you must add a static route on each
-        gateway machine.  The command to do this on the first gateway
-        would be:</para>
-
-      <programlisting>route add 192.168.2.0 192.168.2.1 netmask 0xffffff00
-      </programlisting>
-
-      <para>This says <quote>In order to reach the hosts on the
-        network <systemitem class="ipaddress">192.168.2.0</systemitem>, send the
-        packets to the host <systemitem class="ipaddress">192.168.2.1</systemitem></quote>.  You will need to
-        run a similar command on the other gateway, but with the
-        <systemitem class="ipaddress">192.168.1.x</systemitem> addresses
-        instead.</para>
-
-      <para>IP traffic from hosts on one network will now be able to
-        reach hosts on the other network.</para>
-
-      <para>That has now created two thirds of a VPN between the two
-        networks, in as much as it is <quote>virtual</quote> and it is a
-        <quote>network</quote>.  It is not private yet.  You can test
-        this using &man.ping.8; and &man.tcpdump.1;.  Log in to the
-        gateway host and run</para>
-
-      <programlisting>tcpdump dst host 192.168.2.1</programlisting>
-
-      <para>In another log in session on the same host run</para>
-
-      <programlisting>ping 192.168.2.1</programlisting>
-
-      <para>You will see output that looks something like this:</para>
-
-      <programlisting>
-16:10:24.018080 192.168.1.1 &gt; 192.168.2.1: icmp: echo request
-16:10:24.018109 192.168.1.1 &gt; 192.168.2.1: icmp: echo reply
-16:10:25.018814 192.168.1.1 &gt; 192.168.2.1: icmp: echo request
-16:10:25.018847 192.168.1.1 &gt; 192.168.2.1: icmp: echo reply
-16:10:26.028896 192.168.1.1 &gt; 192.168.2.1: icmp: echo request
-16:10:26.029112 192.168.1.1 &gt; 192.168.2.1: icmp: echo reply
-      </programlisting>
-
-      <para>As you can see, the ICMP messages are going back and forth
-        unencrypted.  If you had used the <option>-s</option> parameter to
-        &man.tcpdump.1; to grab more bytes of data from the packets you
-        would see more information.</para>
-
-      <para>Obviously this is unacceptable.  The next section will
-        discuss securing the link between the two networks so that it
-        all traffic is automatically encrypted.</para>
-
-      <itemizedlist>
-        <title>Summary:</title>
-        <listitem>
-          <para>Configure both kernels with <quote>pseudo-device
-          gif</quote>.</para>
-        </listitem>
-        <listitem>
-          <para>Edit <filename>/etc/rc.conf</filename> on gateway host
-            #1 and add the following lines (replacing IP addresses as
-            necessary).</para>
-          <programlisting>gifconfig_gif0="A.B.C.D W.X.Y.Z"
-ifconfig_gif0="inet 192.168.1.1 192.168.2.1 netmask 0xffffffff"
-static_routes="vpn"
-route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"
-          </programlisting>
-        </listitem>
-
-        <listitem>
-          <para>Edit your firewall script
-          (<filename>/etc/rc.firewall</filename>, or similar) on both
-          hosts, and add</para>
-
-          <programlisting>ipfw add 1 allow ip from any to any via gif0</programlisting>
-        </listitem>
-        <listitem>
-          <para>Make similar changes to
-            <filename>/etc/rc.conf</filename> on gateway host #2,
-            reversing the order of IP addresses.</para>
-        </listitem>
-      </itemizedlist>
-    </sect3>
-
-    <sect3>
-      <title>Step 2: Securing the link</title>
-
-      <para>To secure the link we will be using IPsec.  IPsec provides
-        a mechanism for two hosts to agree on an encryption key, and to
-        then use this key in order to encrypt data between the two
-        hosts.</para>
-
-      <para>The are two areas of configuration to be considered here.</para>
-
-      <orderedlist>
-        <listitem>
-          <para>There must be a mechanism for two hosts to agree on the
-            encryption mechanism to use.  Once two hosts have agreed on
-            this mechanism there is said to be a <quote>security association</quote>
-            between them.</para>
-        </listitem>
-        <listitem>
-          <para>There must be a mechanism for specifying which traffic
-            should be encrypted.  Obviously, you do not want to encrypt
-            all your outgoing traffic -- you only want to encrypt the
-            traffic that is part of the VPN.  The rules that you put in
-            place to determine what traffic will be encrypted are called
-            <quote>security policies</quote>.</para>
-         </listitem>
-       </orderedlist>
-
-       <para>Security associations and security policies are both
-         maintained by the kernel, and can be modified by userland
-         programs.  However, before you can do this you must configure the
-         kernel to support IPsec and the Encapsulated Security Payload
-         (ESP) protocol.  This is done by configuring a kernel with:</para>
-
-       <indexterm>
-	 <primary>kernel options</primary>
-	 <secondary>IPSEC</secondary>
-       </indexterm>
-
-       <programlisting>options IPSEC
-options IPSEC_ESP
-       </programlisting>
-
-       <para>and recompiling, reinstalling, and rebooting.  As before
-         you will need to do this to the kernels on both of the gateway
-         hosts.</para>
-
-       <indexterm>
-	 <primary>IKE</primary>
-       </indexterm>
-
-       <para>You have two choices when it comes to setting up security
-         associations.  You can configure them by hand between two hosts,
-         which entails choosing the encryption algorithm, encryption keys,
-         and so forth, or you can use daemons that implement the Internet
-         Key Exchange protocol (IKE) to do this for you.</para>
-
-       <para>I recommend the latter.  Apart from anything else, it is
-         easier to set up.</para>
-
-       <indexterm>
-	 <primary>IPsec</primary>
-	 <secondary>security policies</secondary>
-       </indexterm>
-
-       <indexterm>
-	 <primary><command>setkey</command></primary>
-       </indexterm>
-
-       <para>Editing and displaying security policies is carried out
-         using &man.setkey.8;.  By analogy, <command>setkey</command> is
-         to the kernel's security policy tables as &man.route.8; is to
-         the kernel's routing tables.  <command>setkey</command> can
-         also display the current security associations, and to continue
-         the analogy further, is akin to <command>netstat -r</command>
-         in that respect.</para>
-
-       <para>There are a number of choices for daemons to manage
-         security associations with FreeBSD.  This article will describe
-         how to use one of these, racoon&nbsp;&mdash; which is available from
-	 <package>security/ipsec-tools</package> in the &os; Ports
-	 collection.</para>
-
-       <indexterm>
-	 <primary>racoon</primary>
-       </indexterm>
-
-       <para>The <application>racoon</application> software must be run on both gateway hosts.  On each host it
-         is configured with the IP address of the other end of the VPN,
-         and a secret key (which you choose, and must be the same on both
-         gateways).</para>
-
-       <para>The two daemons then contact one another, confirm that they
-         are who they say they are (by using the secret key that you
-         configured).  The daemons then generate a new secret key, and use
-         this to encrypt the traffic over the VPN.  They periodically
-         change this secret, so that even if an attacker were to crack one
-         of the keys (which is as theoretically close to unfeasible as it
-         gets) it will not do them much good -- by the time they have cracked
-         the key the two daemons have chosen another one.</para>
-
-       <para>The configuration file for racoon is stored in
-         <filename>${PREFIX}/etc/racoon</filename>.  You should find a
-         configuration file there, which should not need to be changed
-         too much.  The other component of racoon's configuration,
-         which you will need to change, is the <quote>pre-shared
-         key</quote>.</para>
-
-       <para>The default racoon configuration expects to find this in
-         the file <filename>${PREFIX}/etc/racoon/psk.txt</filename>.  It is important to note
-         that the pre-shared key is <emphasis>not</emphasis> the key that will be used to
-         encrypt your traffic across the VPN link, it is simply a token
-         that allows the key management daemons to trust one another.</para>
-
-       <para><filename>psk.txt</filename> contains a line for each
-         remote site you are dealing with.  In this example, where there
-         are two sites, each <filename>psk.txt</filename> file will contain one line (because
-         each end of the VPN is only dealing with one other end).</para>
-
-       <para>On gateway host #1 this line should look like this:</para>
-
-       <programlisting>W.X.Y.Z            secret</programlisting>
-
-       <para>That is, the <emphasis>public</emphasis> IP address of the remote end,
-         whitespace, and a text string that provides the secret.
-         Obviously, you should not use <quote>secret</quote> as your key -- the normal
-         rules for choosing a password apply.</para>
-
-       <para>On gateway host #2 the line would look like this</para>
-
-       <programlisting>A.B.C.D            secret</programlisting>
-
-       <para>That is, the public IP address of the remote end, and the
-         same secret key.  <filename>psk.txt</filename> must be mode
-         <literal>0600</literal> (i.e., only read/write to
-         <systemitem class="username">root</systemitem>) before racoon will run.</para>
-
-       <para>You must run racoon on both gateway machines.  You will
-         also need to add some firewall rules to allow the IKE traffic,
-         which is carried over UDP to the ISAKMP (Internet Security Association
-         Key Management Protocol) port.  Again, this should be fairly early in
-         your firewall ruleset.</para>
-
-       <programlisting>ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp
-ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
-       </programlisting>
-
-       <para>Once racoon is running you can try pinging one gateway host
-         from the other.  The connection is still not encrypted, but
-         racoon will then set up the security associations between the two
-         hosts -- this might take a moment, and you may see this as a
-         short delay before the ping commands start responding.</para>
-
-       <para>Once the security association has been set up you can
-         view it using &man.setkey.8;.  Run</para>
-
-       <programlisting>setkey -D</programlisting>
-
-       <para>on either host to view the security association information.</para>
-
-       <para>That's one half of the problem.  They other half is setting
-         your security policies.</para>
-
-       <para>To create a sensible security policy, let's review what's
-         been set up so far.  This discussions hold for both ends of the
-         link.</para>
-
-       <para>Each IP packet that you send out has a header that contains
-         data about the packet.  The header includes the IP addresses of
-         both the source and destination.  As we already know, private IP
-         addresses, such as the <systemitem class="ipaddress">192.168.x.y</systemitem>
-         range are not supposed to appear on the public Internet.
-         Instead, they must first be encapsulated inside another packet.
-         This packet must have the public source and destination IP
-         addresses substituted for the private addresses.</para>
-
-       <para>So if your outgoing packet started looking like this:</para>
-
-	<mediaobject>
-	  <imageobject>
-	    <imagedata fileref="security/ipsec-out-pkt" align="center"/>
-	  </imageobject>
-
-	  <textobject>
-	    <literallayout class="monospaced">
-  .----------------------.
-  | Src: 192.168.1.1     |
-  | Dst: 192.168.2.1     |
-  | &lt;other header info&gt;  |
-  +----------------------+
-  | &lt;packet data&gt;        |
-  `----------------------'</literallayout>
-	  </textobject>
-	</mediaobject>
-
-       <para>Then it will be encapsulated inside another packet, looking
-         something like this:</para>
-
-	<mediaobject>
-	  <imageobject>
-	    <imagedata fileref="security/ipsec-encap-pkt" align="center"/>
-	  </imageobject>
-
-	  <textobject>
-	    <literallayout class="monospaced">
-  .--------------------------.
-  | Src: A.B.C.D             |
-  | Dst: W.X.Y.Z             |
-  | &lt;other header info&gt;      |
-  +--------------------------+
-  | .----------------------. |
-  | | Src: 192.168.1.1     | |
-  | | Dst: 192.168.2.1     | |
-  | | &lt;other header info&gt;  | |
-  | +----------------------+ |
-  | | &lt;packet data&gt;        | |
-  | `----------------------' |
-  `--------------------------'</literallayout>
-	  </textobject>
-	</mediaobject>
-
-       <para>This encapsulation is carried out by the
-         <filename>gif</filename> device.  As
-         you can see, the packet now has real IP addresses on the outside,
-         and our original packet has been wrapped up as data inside the
-         packet that will be put out on the Internet.</para>
-
-       <para>Obviously, we want all traffic between the VPNs to be
-         encrypted.  You might try putting this in to words, as:</para>
-
-       <para><quote>If a packet leaves from <systemitem class="ipaddress">A.B.C.D</systemitem>, and it is destined for <systemitem class="ipaddress">W.X.Y.Z</systemitem>, then encrypt it, using the
-         necessary security associations.</quote></para>
-
-       <para><quote>If a packet arrives from <systemitem class="ipaddress">W.X.Y.Z</systemitem>, and it is destined for <systemitem class="ipaddress">A.B.C.D</systemitem>, then decrypt it, using the
-         necessary security associations.</quote></para>
-
-       <para>That's close, but not quite right.  If you did this, all
-         traffic to and from <systemitem class="ipaddress">W.X.Y.Z</systemitem>, even
-         traffic that was not part of the VPN, would be encrypted.  That's
-         not quite what you want.  The correct policy is as follows</para>
-
-       <para><quote>If a packet leaves from <systemitem class="ipaddress">A.B.C.D</systemitem>, and that packet is encapsulating
-         another packet, and it is destined for <systemitem class="ipaddress">W.X.Y.Z</systemitem>, then encrypt it, using the
-         necessary security associations.</quote></para>
-
-       <para><quote>If a packet arrives from <systemitem class="ipaddress">W.X.Y.Z</systemitem>, and that packet is encapsulating
-         another packet, and it is destined for <systemitem class="ipaddress">A.B.C.D</systemitem>, then decrypt it, using the
-         necessary security associations.</quote></para>
-
-       <para>A subtle change, but a necessary one.</para>
-
-       <para>Security policies are also set using &man.setkey.8;.
-         &man.setkey.8; features a configuration language for defining the
-         policy.  You can either enter configuration instructions via
-         stdin, or you can use the <option>-f</option> option to specify a
-         filename that contains configuration instructions.</para>
-
-       <para>The configuration on gateway host #1 (which has the public
-         IP address <systemitem class="ipaddress">A.B.C.D</systemitem>) to force all
-         outbound traffic to <systemitem class="ipaddress">W.X.Y.Z</systemitem> to be
-         encrypted is:</para>
-
-       <programlisting>
-spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
-       </programlisting>
-
-       <para>Put these commands in a file (e.g.
-       <filename>/etc/ipsec.conf</filename>) and then run</para>
-
-       <screen>&prompt.root; <userinput>setkey -f /etc/ipsec.conf</userinput></screen>
-
-       <para><option>spdadd</option> tells &man.setkey.8; that we want
-         to add a rule to the secure policy database.  The rest of this
-         line specifies which packets will match this policy.  <systemitem class="ipaddress">A.B.C.D/32</systemitem> and <systemitem class="ipaddress">W.X.Y.Z/32</systemitem> are the IP addresses and
-         netmasks that identify the network or hosts that this policy will
-         apply to.  In this case, we want it to apply to traffic between
-         these two hosts.  <option>ipencap</option> tells the kernel that
-         this policy should only apply to packets that encapsulate other
-         packets.  <option>-P out</option> says that this policy applies
-         to outgoing packets, and <option>ipsec</option> says that the
-         packet will be secured.</para>
-
-       <para>The second line specifies how this packet will be
-         encrypted.  <option>esp</option> is the protocol that will be
-         used, while <option>tunnel</option> indicates that the packet
-         will be further encapsulated in an IPsec packet.  The repeated
-         use of <systemitem class="ipaddress">A.B.C.D</systemitem> and <systemitem class="ipaddress">W.X.Y.Z</systemitem> is used to select the security
-         association to use, and the final <option>require</option>
-         mandates that packets must be encrypted if they match this
-         rule.</para>
-
-       <para>This rule only matches outgoing packets.  You will need a
-         similar rule to match incoming packets.</para>
-
-       <programlisting>spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;</programlisting>
-
-       <para>Note the <option>in</option> instead of
-         <option>out</option> in this case, and the necessary reversal of
-         the IP addresses.</para>
-
-       <para>The other gateway host (which has the public IP address
-         <systemitem class="ipaddress">W.X.Y.Z</systemitem>) will need similar rules.</para>
-
-       <programlisting>spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
-spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;</programlisting>
-
-       <para>Finally, you need to add firewall rules to allow ESP and
-        IPENCAP packets back and forth.  These rules will need to be
-        added to both hosts.</para>
-
-       <programlisting>ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z
-ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D
-ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z
-ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
-       </programlisting>
-
-       <para>Because the rules are symmetric you can use the same rules
-         on each gateway host.</para>
-
-       <para>Outgoing packets will now look something like this:</para>
-
-	<mediaobject>
-	  <imageobject>
-	    <imagedata fileref="security/ipsec-crypt-pkt" align="center"/>
-	  </imageobject>
-
-	  <textobject>
-	    <literallayout class="monospaced">
-  .------------------------------.  --------------------------.
-  | Src: A.B.C.D                 |                            |
-  | Dst: W.X.Y.Z                 |                            |
-  | &lt;other header info&gt;          |                            |  Encrypted
-  +------------------------------+                            |  packet.
-  | .--------------------------. |  -------------.            |  contents
-  | | Src: A.B.C.D             | |               |            |  are
-  | | Dst: W.X.Y.Z             | |               |            |  completely
-  | | &lt;other header info&gt;      | |               |            |- secure
-  | +--------------------------+ |               |  Encap'd   |  from third
-  | | .----------------------. | |  -.           |  packet    |  party
-  | | | Src: 192.168.1.1     | | |   |  Original |- with real |  snooping
-  | | | Dst: 192.168.2.1     | | |   |  packet,  |  IP addr   |
-  | | | &lt;other header info&gt;  | | |   |- private  |            |
-  | | +----------------------+ | |   |  IP addr  |            |
-  | | | &lt;packet data&gt;        | | |   |           |            |
-  | | `----------------------' | |  -'           |            |
-  | `--------------------------' |  -------------'            |
-  `------------------------------'  --------------------------'
-	    </literallayout>
-	  </textobject>
-	</mediaobject>
-
-       <para>When they are received by the far end of the VPN they will
-         first be decrypted (using the security associations that have
-         been negotiated by racoon).  Then they will enter the
-         <filename>gif</filename> interface, which will unwrap
-         the second layer, until you are left with the innermost
-         packet, which can then travel in to the inner network.</para>
-
-       <para>You can check the security using the same &man.ping.8; test from
-         earlier.  First, log in to the
-         <systemitem class="ipaddress">A.B.C.D</systemitem> gateway machine, and
-         run:</para>
-
-       <programlisting>tcpdump dst host 192.168.2.1</programlisting>
-
-       <para>In another log in session on the same host run</para>
-
-       <programlisting>ping 192.168.2.1</programlisting>
-
-       <para>This time you should see output like the following:</para>
-
-       <programlisting>XXX tcpdump output</programlisting>
-
-       <para>Now, as you can see, &man.tcpdump.1; shows the ESP packets.  If
-         you try to examine them with the <option>-s</option> option you will see
-         (apparently) gibberish, because of the encryption.</para>
-
-      <para>Congratulations.  You have just set up a VPN between two
-        remote sites.</para>
+	<para>The rule numbers may need to be altered depending on the
+	  current host configuration.</para>
+      </note>
 
-      <itemizedlist>
-        <title>Summary</title>
-        <listitem>
-          <para>Configure both kernels with:</para>
-
-          <programlisting>options IPSEC
-options IPSEC_ESP
-          </programlisting>
-        </listitem>
-        <listitem>
-          <para>Install <package>security/ipsec-tools</package>.  Edit
-            <filename>${PREFIX}/etc/racoon/psk.txt</filename> on both
-            gateway hosts, adding an entry for the remote host's IP
-            address and a secret key that they both know.  Make sure
-            this file is mode 0600.</para>
-        </listitem>
-        <listitem>
-          <para>Add the following lines to
-            <filename>/etc/rc.conf</filename> on each host:</para>
-
-          <programlisting>ipsec_enable="YES"
-ipsec_file="/etc/ipsec.conf"
-          </programlisting>
-        </listitem>
-        <listitem>
-          <para>Create an <filename>/etc/ipsec.conf</filename> on each
-            host that contains the necessary spdadd lines.  On gateway
-            host #1 this would be:</para>
-
-          <programlisting>
-spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec
-  esp/tunnel/A.B.C.D-W.X.Y.Z/require;
-spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec
-  esp/tunnel/W.X.Y.Z-A.B.C.D/require;
-</programlisting>
-
-          <para>On gateway host #2 this would be:</para>
-
-<programlisting>
-spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec
-  esp/tunnel/W.X.Y.Z-A.B.C.D/require;
-spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec
-  esp/tunnel/A.B.C.D-W.X.Y.Z/require;
-</programlisting>
-        </listitem>
-        <listitem>
-          <para>Add firewall rules to allow IKE, ESP, and IPENCAP
-            traffic to both hosts:</para>
-
-          <programlisting>
-ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp
-ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
-ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z
-ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D
-ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z
-ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
-          </programlisting>
-        </listitem>
-      </itemizedlist>
+      <para>For users of &man.pf.4; or &man.ipf.8;, the following
+	rules should do the trick:</para>
 
-      <para>The previous two steps should suffice to get the VPN up and
-        running.  Machines on each network will be able to refer to one
-        another using IP addresses, and all traffic across the link will
-        be automatically and securely encrypted.</para>
-    </sect3>
+      <programlisting>pass in quick proto esp from any to any
+pass in quick proto ah from any to any
+pass in quick proto ipencap from any to any
+pass in quick proto udp from any port = 500 to any port = 500
+pass in quick on gif0 from any to any
+pass out quick proto esp from any to any
+pass out quick proto ah from any to any
+pass out quick proto ipencap from any to any
+pass out quick proto udp from any port = 500 to any port = 500
+pass out quick on gif0 from any to any</programlisting>
+
+      <para>Finally, to allow the machine to start support for the
+	<acronym>VPN</acronym> during system initialization, add the
+	following lines to <filename>/etc/rc.conf</filename>:</para>
+
+      <programlisting>ipsec_enable="YES"
+ipsec_program="/usr/local/sbin/setkey"
+ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
+racoon_enable="yes"</programlisting>
     </sect2>
   </sect1>
 
   <sect1 xml:id="openssh">
-    <info><title>OpenSSH</title>
+    <info>
+      <title>OpenSSH</title>
+
       <authorgroup>
-	<author><personname><firstname>Chern</firstname><surname>Lee</surname></personname><contrib>Contributed by </contrib></author>
+	<author><personname><firstname>Chern</firstname><surname>Lee</surname></personname><contrib>Contributed
+	  by </contrib></author>
 	<!-- 21 April 2001 -->
       </authorgroup>
     </info>
 
-    
     <indexterm><primary>OpenSSH</primary></indexterm>
     <indexterm>
       <primary>security</primary>
       <secondary>OpenSSH</secondary>
     </indexterm>
 
-    <para><application>OpenSSH</application> is a set of network connectivity tools used to
-      access remote machines securely.  It can be used as a direct
-      replacement for <command>rlogin</command>,
-      <command>rsh</command>, <command>rcp</command>, and
-      <command>telnet</command>.  Additionally, TCP/IP
-      connections can be tunneled/forwarded securely through SSH.
-      <application>OpenSSH</application> encrypts all traffic to effectively eliminate eavesdropping,
-      connection hijacking, and other network-level attacks.</para>
-
-    <para><application>OpenSSH</application> is maintained by the OpenBSD project, and is based
-      upon SSH v1.2.12 with all the recent bug fixes and updates.  It
-      is compatible with both SSH protocols 1 and 2.  <application>OpenSSH</application> has been
-      in the base system since FreeBSD&nbsp;4.0.</para>
-
-    <sect2>
-      <title>Advantages of Using OpenSSH</title>
-
-      <para>Normally, when using &man.telnet.1; or &man.rlogin.1;,
-        data is sent over the network in an clear, un-encrypted form.
-        Network sniffers anywhere in between the client and server can
-        steal your user/password information or data transferred in
-        your session.  <application>OpenSSH</application> offers a variety of authentication and
-        encryption methods to prevent this from happening.</para>
-    </sect2>
-
-    <sect2>
-      <title>Enabling sshd</title>
-      <indexterm>
-        <primary>OpenSSH</primary>
-        <secondary>enabling</secondary>
-      </indexterm>
-
-      <para>The <application>sshd</application> daemon is enabled by
-        default on &os;&nbsp;4.X.  In &os; 5.X and later enabling
-        <application>sshd</application> is an option presented during
-        a <literal>Standard</literal> install of &os;.  To see if
-        <application>sshd</application> is enabled, check the
-        <filename>rc.conf</filename> file for:</para>
-      <screen>sshd_enable="YES"</screen>
-      <para>This will load &man.sshd.8;, the daemon program for <application>OpenSSH</application>,
-	the next time your system initializes.  Alternatively, you can
-	simply run directly the <application>sshd</application> daemon by typing <command>sshd</command> on the command line.</para>
-    </sect2>
-
-    <sect2>
-      <title>SSH Client</title>
-      <indexterm>
-        <primary>OpenSSH</primary>
-        <secondary>client</secondary>
-      </indexterm>
-
-      <para>The &man.ssh.1; utility works similarly to
-        &man.rlogin.1;.</para>
-
-      <screen>&prompt.root; <userinput>ssh user@example.com</userinput>
-Host key not found from the list of known hosts.
+    <para><application>OpenSSH</application> is a set of network
+      connectivity tools used to provide secure access to remote
+      machines.  Additionally, <acronym>TCP/IP</acronym> connections
+      can be tunneled or forwarded securely through
+      <acronym>SSH</acronym> connections.
+      <application>OpenSSH</application> encrypts all traffic to
+      effectively eliminate eavesdropping, connection hijacking, and
+      other network-level attacks.</para>
+
+    <para><application>OpenSSH</application> is maintained by the
+      OpenBSD project and is installed by default in &os;.  It is
+      compatible with both <acronym>SSH</acronym> version 1 and 2
+      protocols.</para>
+
+    <para>When data is sent over the network in an unencrypted form,
+      network sniffers anywhere in between the client and server can
+      steal user/password information or data transferred during the
+      session.  <application>OpenSSH</application> offers a variety of
+      authentication and encryption methods to prevent this from
+      happening.  More information about
+      <application>OpenSSH</application> is available from <link
+	xlink:href="http://www.openssh.com/">http://www.openssh.com/</link>.</para>
+
+    <para>This section provides an overview of the built-in client
+      utilities to securely access other systems and securely transfer
+      files from a &os; system.  It then describes how to configure a
+      <acronym>SSH</acronym> server on a &os; system.  More
+      information is available in the man pages mentioned in this
+      chapter.</para>
+
+    <sect2>
+      <title>Using the SSH Client Utilities</title>
+
+      <indexterm>
+	<primary>OpenSSH</primary>
+	<secondary>client</secondary>
+      </indexterm>
+
+      <para>To log into a <acronym>SSH</acronym> server, use
+	<command>ssh</command> and specify a username that exists on
+	that server and the <acronym>IP</acronym> address or hostname
+	of the server.  If this is the first time a connection has
+	been made to the specified server, the user will be prompted
+	to first verify the server's fingerprint:</para>
+
+      <screen>&prompt.root; <userinput>ssh <replaceable>user@example.com</replaceable></userinput>
+The authenticity of host 'example.com (10.0.0.1)' can't be established.
+ECDSA key fingerprint is 25:cc:73:b5:b3:96:75:3d:56:19:49:d2:5c:1f:91:3b.
 Are you sure you want to continue connecting (yes/no)? <userinput>yes</userinput>
-Host 'example.com' added to the list of known hosts.
-user@example.com's password: <userinput>*******</userinput></screen>
-
-      <para>The login will continue just as it would have if a session was
-        created using <command>rlogin</command> or
-        <command>telnet</command>.  SSH utilizes a key fingerprint
-        system for verifying the authenticity of the server when the
-        client connects.  The user is prompted to enter
-	<literal>yes</literal> only when
-        connecting for the first time.  Future attempts to login are all
-        verified against the saved fingerprint key.  The SSH client
-        will alert you if the saved fingerprint differs from the
-        received fingerprint on future login attempts.  The fingerprints
-        are saved in <filename>~/.ssh/known_hosts</filename>, or
-	<filename>~/.ssh/known_hosts2</filename> for SSH v2
-	fingerprints.</para>
-
-      <para>By default, recent versions of the
-        <application>OpenSSH</application> servers only accept SSH v2
-        connections.  The client will use version 2 if possible and
-        will fall back to version 1.  The client can also be forced to
-        use one or the other by passing it the <option>-1</option> or
-        <option>-2</option> for version 1 or version 2, respectively.
-        The version 1 compatability is maintained in the client for
-        backwards compatability with older versions.</para>
-    </sect2>
-
-    <sect2>
-      <title>Secure Copy</title>
-      <indexterm>
-        <primary>OpenSSH</primary>
-        <secondary>secure copy</secondary>
-      </indexterm>
-      <indexterm><primary><command>scp</command></primary></indexterm>
+Permanently added 'example.com' (ECDSA) to the list of known hosts.
+Password for user@example.com: <userinput><replaceable>user_password</replaceable></userinput></screen>
 
-      <para>The &man.scp.1; command works similarly to
-	&man.rcp.1;; it copies a file to or from a remote machine,
-	except in a secure fashion.</para>
+      <para><acronym>SSH</acronym> utilizes a key fingerprint system
+	to verify the authenticity of the server when the client
+	connects.  When the user accepts the key's fingerprint by
+	typing <literal>yes</literal> when connecting for the first
+	time, a copy of the key is saved to
+	<filename>.ssh/known_hosts</filename> in the user's home
+	directory.  Future attempts to login are verified against the
+	saved key and <command>ssh</command> will display an alert if
+	the server's key does not match the saved key.  If this
+	occurs, the user should first verify why the key has changed
+	before continuing with the connection.</para>
+
+      <para>By default, recent versions of
+	<application>OpenSSH</application> only accept
+	<acronym>SSH</acronym>v2 connections.  By default, the client
+	will use version 2 if possible and will fall back to version 1
+	if the server does not support version 2.  To force
+	<command>ssh</command> to only use the specified protocol,
+	include <option>-1</option> or <option>-2</option>.
+	Additional options are described in &man.ssh.1;.</para>
+
+      <indexterm>
+	<primary>OpenSSH</primary>
+	<secondary>secure copy</secondary>
+      </indexterm>
+      <indexterm>
+	<primary>&man.scp.1;</primary>
+      </indexterm>
+
+      <para>Use &man.scp.1; to securely copy a file to or from a
+	remote machine.  This example copies
+	<filename>COPYRIGHT</filename> on the remote system to a file
+	of the same name in the current directory of the local
+	system:</para>
 
-      <screen>&prompt.root; <userinput> scp user@example.com:/COPYRIGHT COPYRIGHT</userinput>
-user@example.com's password: <userinput>*******</userinput>
+      <screen>&prompt.root; <userinput>scp <replaceable>user@example.com:/COPYRIGHT COPYRIGHT</replaceable></userinput>
+Password for user@example.com: <userinput><replaceable>*******</replaceable></userinput>
 COPYRIGHT            100% |*****************************|  4735
 00:00
 &prompt.root;</screen>
-      <para>Since the fingerprint was already saved for this host in the
-        previous example, it is verified when using &man.scp.1;
-        here.</para>
-
-      <para>The arguments passed to &man.scp.1; are similar
-	to &man.cp.1;, with the file or files in the first
-	argument, and the destination in the second.  Since the file is
-	fetched over the network, through SSH, one or more of the file
-	arguments takes on the form
-	<option>user@host:&lt;path_to_remote_file&gt;</option>.</para>
-
-    </sect2>
-
-    <sect2>
-      <title>Configuration</title>
-      <indexterm>
-        <primary>OpenSSH</primary>
-        <secondary>configuration</secondary>
-      </indexterm>
 
-      <para>The system-wide configuration files for both the
-        <application>OpenSSH</application> daemon and client reside
-        within the <filename>/etc/ssh</filename> directory.</para>
-
-      <para><filename>ssh_config</filename> configures the client
-        settings, while <filename>sshd_config</filename> configures the
-        daemon.</para>
-
-      <para>Additionally, the <option>sshd_program</option>
-	(<filename>/usr/sbin/sshd</filename> by default), and
-	<option>sshd_flags</option> <filename>rc.conf</filename>
-	options can provide more levels of configuration.</para>
-    </sect2>
-
-    <sect2 xml:id="security-ssh-keygen">
-      <title>ssh-keygen</title>
+      <para>Since the fingerprint was already verified for this host,
+	the server's key is automatically checked before prompting for
+	the user's password.</para>
+
+      <para>The arguments passed to <command>scp</command> are similar
+	to <command>cp</command>.  The file or files to copy is the
+	first argument and the destination to copy to is the second.
+	Since the file is fetched over the network, one or more of the
+	file arguments takes the form
+	<option>user@host:&lt;path_to_remote_file&gt;</option>.  Be
+	aware when copying directories recursively that
+	<command>scp</command> uses <option>-r</option>, whereas
+	<command>cp</command> uses <option>-R</option>.</para>
+
+      <para>To open an interactive session for copying files, use
+	<command>sftp</command>.  Refer to &man.sftp.1; for a list of
+	available commands while in an <command>sftp</command>
+	session.</para>
+
+      <sect3 xml:id="security-ssh-keygen">
+	<title>Key-based Authentication</title>
+
+	<para>Instead of using passwords, a client can be configured
+	  to connect to the remote machine using keys.  To generate
+	  <acronym>DSA</acronym> or <acronym>RSA</acronym>
+	  authentication keys, use <command>ssh-keygen</command>.  To
+	  generate a public and private key pair, specify the type of
+	  key and follow the prompts.  It is recommended to protect
+	  the keys with a memorable, but hard to guess
+	  passphrase.</para>
 
-      <para>Instead of using passwords, &man.ssh-keygen.1; can
-        be used to generate DSA or RSA keys to authenticate a user:</para>
-
-      <screen>&prompt.user; <userinput>ssh-keygen -t dsa</userinput>
+	<screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
 Generating public/private dsa key pair.
 Enter file in which to save the key (/home/user/.ssh/id_dsa):
 Created directory '/home/user/.ssh'.
-Enter passphrase (empty for no passphrase):
-Enter same passphrase again:
+Enter passphrase (empty for no passphrase): <replaceable>type some passphrase here which can contain spaces</replaceable>
+Enter same passphrase again: <replaceable>type some passphrase here which can contain spaces</replaceable>
 Your identification has been saved in /home/user/.ssh/id_dsa.
 Your public key has been saved in /home/user/.ssh/id_dsa.pub.
 The key fingerprint is:
-bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com
-</screen>
+bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen>
 
-      <para>&man.ssh-keygen.1; will create a public and private
-        key pair for use in authentication.  The private key is stored in
-        <filename>~/.ssh/id_dsa</filename> or
-        <filename>~/.ssh/id_rsa</filename>, whereas the public key is
-        stored in <filename>~/.ssh/id_dsa.pub</filename> or
-        <filename>~/.ssh/id_rsa.pub</filename>, respectively for DSA and
-        RSA key types.  The public key must be placed in
-        <filename>~/.ssh/authorized_keys</filename> of the remote
-        machine in order for the setup to work.  Similarly, RSA version
-        1 public keys should be placed in
-        <filename>~/.ssh/authorized_keys</filename>.</para>
-
-      <para>This will allow connection to the remote machine based upon
-        SSH keys instead of passwords.</para>
-
-      <para>If a passphrase is used in &man.ssh-keygen.1;, the user
-        will be prompted for a password each time in order to use the
-        private key.  &man.ssh-agent.1; can alleviate the strain of
-        repeatedly entering long passphrases, and is explored in the
-        <xref linkend="security-ssh-agent"/> section below.</para>
-
-      <warning><para>The various options and files can be different
-        according to the <application>OpenSSH</application> version
-        you have on your system; to avoid problems you should consult
-        the &man.ssh-keygen.1; manual page.</para></warning>
-    </sect2>
+	<para>Depending upon the specified protocol, the private key
+	  is stored in <filename>~/.ssh/id_dsa</filename> (or
+	  <filename>~/.ssh/id_rsa</filename>), and the public key
+	  is stored in <filename>~/.ssh/id_dsa.pub</filename> (or
+	  <filename>~/.ssh/id_rsa.pub</filename>).  The
+	  <emphasis>public</emphasis> key must be first copied to
+	  <filename>~/.ssh/authorized_keys</filename> on the remote
+	  machine in order for key-based authentication to
+	  work.</para>
 
-    <sect2 xml:id="security-ssh-agent">
-      <title>ssh-agent and ssh-add</title>
+	<warning>
+	  <para>Many users believe that keys are secure by design and
+	    will use a key without a passphrase.  This is
+	    <emphasis>dangerous</emphasis> behavior.  An
+	    administrator can verify that a key pair is protected by a
+	    passphrase by viewing the private key manually.  If the
+	    private key file contains the word
+	    <literal>ENCRYPTED</literal>, the key owner is using a
+	    passphrase.  In addition, to better secure end users,
+	    <literal>from</literal> may be placed in the public key
+	    file.  For example, adding
+	    <literal>from="192.168.10.5"</literal> in the front of
+	    <literal>ssh-rsa</literal> or <literal>rsa-dsa</literal>
+	    prefix will only allow that specific user to login from
+	    that <acronym>IP</acronym> address.</para>
+	</warning>
 
-      <para>The &man.ssh-agent.1; and &man.ssh-add.1; utilities provide
-        methods for <application>SSH</application> keys to be loaded
-        into memory for use, without needing to type the passphrase
-        each time.</para>
-
-      <para>The &man.ssh-agent.1; utility will handle the authentication
-        using the private key(s) that are loaded into it.
-        &man.ssh-agent.1; should be used to launch another application.
-        At the most basic level, it could spawn a shell or at a more
-        advanced level, a window manager.</para>
-
-      <para>To use &man.ssh-agent.1; in a shell, first it will need to
-        be spawned with a shell as an argument.  Secondly, the
-        identity needs to be added by running &man.ssh-add.1; and
-        providing it the passphrase for the private key.  Once these
-        steps have been completed the user will be able to &man.ssh.1;
-        to any host that has the corresponding public key installed.
-        For example:</para>
+	<para>The various options and files can be different
+	  according to the <application>OpenSSH</application> version.
+	  To avoid problems, consult &man.ssh-keygen.1;.</para>
+
+	<para>If a passphrase is used, the user will be prompted for
+	  the passphrase each time a connection is made to the server.
+	  To load <acronym>SSH</acronym> keys into memory, without
+	  needing to type the passphrase each time, use
+	  &man.ssh-agent.1; and &man.ssh-add.1;.</para>
+
+	<para>Authentication is handled by
+	  <command>ssh-agent</command>, using the private key(s) that
+	  are loaded into it.  Then, <command>ssh-agent</command>
+	  should be used to launch another application such as a
+	  shell or a window manager.</para>
+
+	<para>To use <command>ssh-agent</command> in a shell, start it
+	  with a shell as an argument.  Next, add the identity by
+	  running <command>ssh-add</command> and providing it the
+	  passphrase for the private key.  Once these steps have been
+	  completed, the user will be able to <command>ssh</command>
+	  to any host that has the corresponding public key installed.
+	  For example:</para>
 
-      <screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
+	<screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
 &prompt.user; ssh-add
-Enter passphrase for /home/user/.ssh/id_dsa:
-Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
+Enter passphrase for key '/usr/home/user/.ssh/id_dsa': <replaceable>type passphrase here</replaceable>
+Identity added: /usr/home/user/.ssh/id_dsa (/usr/home/user/.ssh/id_dsa)
 &prompt.user;</screen>
 
-      <para>To use &man.ssh-agent.1; in X11, a call to
-        &man.ssh-agent.1; will need to be placed in
-        <filename>~/.xinitrc</filename>.  This will provide the
-        &man.ssh-agent.1; services to all programs launched in X11.
-        An example <filename>~/.xinitrc</filename> file might look
-        like this:</para>
-
-      <programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
-
-      <para>This would launch &man.ssh-agent.1;, which would in turn
-        launch <application>XFCE</application>, every time X11 starts.
-        Then once that is done and X11 has been restarted so that the
-        changes can take effect, simply run &man.ssh-add.1; to load
-        all of your SSH keys.</para>
-    </sect2>
+	<para>To use <command>ssh-agent</command> in
+	  <application>&xorg;</application>, add an entry for it in
+	  <filename>~/.xinitrc</filename>.  This provides the
+	  <command>ssh-agent</command> services to all programs
+	  launched in <application>&xorg;</application>.  An example
+	  <filename>~/.xinitrc</filename> might look like this:</para>
+
+	<programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
+
+	<para>This launches <command>ssh-agent</command>, which in
+	  turn launches <application>XFCE</application>, every time
+	  <application>&xorg;</application> starts.  Once
+	  <application>&xorg;</application> has been restarted so that
+	  the changes can take effect, run <command>ssh-add</command>
+	  to load all of the <acronym>SSH</acronym> keys.</para>
+      </sect3>
 
-    <sect2 xml:id="security-ssh-tunneling">
-      <title>SSH Tunneling</title>
-      <indexterm>
-        <primary>OpenSSH</primary>
-        <secondary>tunneling</secondary>
-      </indexterm>
+      <sect3 xml:id="security-ssh-tunneling">
+	<title><acronym>SSH</acronym> Tunneling</title>
 
-      <para><application>OpenSSH</application> has the ability to create a tunnel to encapsulate
-        another protocol in an encrypted session.</para>
+	<indexterm>
+	  <primary>OpenSSH</primary>
+	  <secondary>tunneling</secondary>
+	</indexterm>
 
-      <para>The following command tells &man.ssh.1; to create a tunnel
-         for <application>telnet</application>:</para>
+	<para><application>OpenSSH</application> has the ability to
+	  create a tunnel to encapsulate another protocol in an
+	  encrypted session.</para>
+
+	<para>The following command tells <command>ssh</command> to
+	  create a tunnel for
+	  <application>telnet</application>:</para>
 
-       <screen>&prompt.user; <userinput>ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com</userinput>
+	<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
 &prompt.user;</screen>
 
-      <para>The <command>ssh</command> command is used with the
-	following options:</para>
+	<para>This example uses the following options:</para>
+
+	<variablelist>
+	  <varlistentry>
+	    <term><option>-2</option></term>
+
+	    <listitem>
+	      <para>Forces <command>ssh</command> to use version 2 to
+		connect to the server.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term><option>-N</option></term>
+
+	    <listitem>
+	      <para>Indicates no command, or tunnel only.  If omitted,
+		<command>ssh</command> initiates a normal
+		session.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term><option>-f</option></term>
 
-      <variablelist>
-	<varlistentry>
-	  <term><option>-2</option></term>
-
-	  <listitem>
-	    <para>Forces <command>ssh</command> to use version 2 of
-	      the protocol. (Do not use if you are working with older
-	      SSH servers)</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>-N</option></term>
-
-	  <listitem>
-	    <para>Indicates no command, or tunnel only.  If omitted,
-	      <command>ssh</command> would initiate a normal
-	      session.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>-f</option></term>
-
-	  <listitem>
-	    <para>Forces <command>ssh</command> to run in the
-	      background.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>-L</option></term>
-
-	  <listitem>
-	    <para>Indicates a local tunnel in
-	      <replaceable>localport:remotehost:remoteport</replaceable>
-	      fashion.</para>
-	  </listitem>
+	    <listitem>
+	      <para>Forces <command>ssh</command> to run in the
+		background.</para>
+	    </listitem>
 	  </varlistentry>
 
-	<varlistentry>
-	  <term><option>user@foo.example.com</option></term>
+	  <varlistentry>
+	    <term><option>-L</option></term>
+
+	    <listitem>
+	      <para>Indicates a local tunnel in
+		<replaceable>localport:remotehost:remoteport</replaceable>
+		format.</para>
+	    </listitem>
+	  </varlistentry>
 
-	  <listitem>
-	    <para>The remote SSH server.</para>
-	  </listitem>
-	</varlistentry>
-      </variablelist>
-
-
-      <para>An SSH tunnel works by creating a listen socket on
-	<systemitem>localhost</systemitem> on the specified port.
-	It then forwards any connection received
-	on the local host/port via the SSH connection to the specified
-	remote host and port.</para>
-
-      <para>In the example, port <replaceable>5023</replaceable> on
-	<systemitem>localhost</systemitem> is being forwarded to port
-	<replaceable>23</replaceable> on <systemitem>localhost</systemitem>
-	of the remote machine.  Since <replaceable>23</replaceable> is <application>telnet</application>,
-	this would create a secure <application>telnet</application> session through an SSH tunnel.</para>
+	  <varlistentry>
+	    <term><option>user@foo.example.com</option></term>
 
-      <para>This can be used to wrap any number of insecure TCP
-        protocols such as SMTP, POP3, FTP, etc.</para>
+	    <listitem>
+	      <para>The login name to use on the specified remote
+		<acronym>SSH</acronym> server.</para>
+	    </listitem>
+	  </varlistentry>
+	</variablelist>
 
-      <example>
-	<title>Using SSH to Create a Secure Tunnel for SMTP</title>
+	<para>An <acronym>SSH</acronym> tunnel works by creating a
+	  listen socket on <systemitem>localhost</systemitem> on the
+	  specified <literal>localport</literal>.  It then forwards
+	  any connections received on <literal>localport</literal> via
+	  the <acronym>SSH</acronym> connection to the specified
+	  <literal>remotehost:remoteport</literal>.  In the example,
+	  port <literal>5023</literal> on the client is forwarded to
+	  port <literal>23</literal> on the remote machine.  Since
+	  port 23 is used by <application>telnet</application>, this
+	  creates an encrypted <application>telnet</application>
+	  session through an <acronym>SSH</acronym> tunnel.</para>
+
+	<para>This method can be used to wrap any number of insecure
+	  <acronym>TCP</acronym> protocols such as
+	  <acronym>SMTP</acronym>, <acronym>POP3</acronym>, and
+	  <acronym>FTP</acronym>, as seen in the following
+	  examples.</para>
+
+	<example>
+	  <title>Create a Secure Tunnel for
+	    <acronym>SMTP</acronym></title>
 
-        <screen>&prompt.user; <userinput>ssh -2 -N -f -L 5025:localhost:25 user@mailserver.example.com</userinput>
+	  <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.example.com</replaceable></userinput>
 user@mailserver.example.com's password: <userinput>*****</userinput>
 &prompt.user; <userinput>telnet localhost 5025</userinput>
 Trying 127.0.0.1...
@@ -4411,210 +2826,261 @@
 Escape character is '^]'.
 220 mailserver.example.com ESMTP</screen>
 
-        <para>This can be used in conjunction with an
-          &man.ssh-keygen.1; and additional user accounts to create a
-          more seamless/hassle-free SSH tunneling environment.  Keys
-          can be used in place of typing a password, and the tunnels
-          can be run as a separate user.</para>
-      </example>
-
-      <sect3>
-	<title>Practical SSH Tunneling Examples</title>
-
-	<sect4>
-	  <title>Secure Access of a POP3 Server</title>
+	  <para>This can be used in conjunction with
+	    <command>ssh-keygen</command> and additional user accounts
+	    to create a more seamless <acronym>SSH</acronym> tunneling
+	    environment.  Keys can be used in place of typing a
+	    password, and the tunnels can be run as a separate
+	    user.</para>
+	</example>
 
-	  <para>At work, there is an SSH server that accepts
-	    connections from the outside.  On the same office network
-	    resides a mail server running a POP3 server.  The network,
-	    or network path between your home and office may or may not
-	    be completely trustable.  Because of this, you need to check
-	    your e-mail in a secure manner.  The solution is to create
-	    an SSH connection to your office's SSH server, and tunnel
-	    through to the mail server.</para>
+	<example>
+	  <title>Secure Access of a <acronym>POP3</acronym>
+	    Server</title>
+
+	  <para>In this example, there is an <acronym>SSH</acronym>
+	    server that accepts connections from the outside.  On the
+	    same network resides a mail server running a
+	    <acronym>POP3</acronym> server.  To check email in a
+	    secure manner, create an <acronym>SSH</acronym> connection
+	    to the <acronym>SSH</acronym> server and tunnel through to
+	    the mail server:</para>
 
-	  <screen>&prompt.user; <userinput>ssh -2 -N -f -L 2110:mail.example.com:110 user@ssh-server.example.com</userinput>
+	  <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>2110:mail.example.com:110 user@ssh-server.example.com</replaceable></userinput>
 user@ssh-server.example.com's password: <userinput>******</userinput></screen>
 
-	  <para>When the tunnel is up and running, you can point your
-	    mail client to send POP3 requests to <systemitem>localhost</systemitem>
-	    port 2110.  A connection here will be forwarded securely across
-	    the tunnel to <systemitem>mail.example.com</systemitem>.</para>
-	</sect4>
-
-	<sect4>
-	  <title>Bypassing a Draconian Firewall</title>
-
-	  <para>Some network administrators impose extremely draconian
-	    firewall rules, filtering not only incoming connections,
-	    but outgoing connections.  You may be only given access
-	    to contact remote machines on ports 22 and 80 for SSH
-	    and web surfing.</para>
-
-	  <para>You may wish to access another (perhaps non-work
-	    related) service, such as an Ogg Vorbis server to stream
-	    music.  If this Ogg Vorbis server is streaming on some other
-	    port than 22 or 80, you will not be able to access it.</para>
-
-	  <para>The solution is to create an SSH connection to a machine
-	    outside of your network's firewall, and use it to tunnel to
-	    the Ogg Vorbis server.</para>
+	  <para>Once the tunnel is up and running, point the email
+	    client to send <acronym>POP3</acronym> requests to
+	    <systemitem>localhost</systemitem> on port 2110.  This
+	    connection will be forwarded securely across the tunnel to
+	    <systemitem>mail.example.com</systemitem>.</para>
+	</example>
+
+	<example>
+	  <title>Bypassing a Firewall</title>
+
+	  <para>Some firewalls
+	    filter both incoming and outgoing connections.  For
+	    example, a firewall might limit access from remote
+	    machines to ports 22 and 80 to only allow
+	    <acronym>SSH</acronym> and web surfing.  This prevents
+	    access to any other service which uses a port other than
+	    22 or 80.</para>
+
+	  <para>The solution is to create an <acronym>SSH</acronym>
+	    connection to a machine outside of the network's firewall
+	    and use it to tunnel to the desired service:</para>
 
-	  <screen>&prompt.user; <userinput>ssh -2 -N -f -L 8888:music.example.com:8000 user@unfirewalled-system.example.org</userinput>
+	  <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>8888:music.example.com:8000 user@unfirewalled-system.example.org</replaceable></userinput>
 user@unfirewalled-system.example.org's password: <userinput>*******</userinput></screen>
 
-	  <para>Your streaming client can now be pointed to
-	    <systemitem>localhost</systemitem> port 8888, which will be
-	    forwarded over to <systemitem>music.example.com</systemitem> port
-	    8000, successfully evading the firewall.</para>
-        </sect4>
+	  <para>In this example, a streaming Ogg Vorbis client can now
+	    be pointed to <systemitem>localhost</systemitem> port
+	    8888, which will be forwarded over to
+	    <systemitem>music.example.com</systemitem> on port 8000,
+	    successfully bypassing the firewall.</para>
+	</example>
       </sect3>
     </sect2>
 
     <sect2>
-      <title>The <varname>AllowUsers</varname> Users Option</title>
+      <title>Enabling the SSH Server</title>
+
+      <indexterm>
+	<primary>OpenSSH</primary>
+	<secondary>enabling</secondary>
+      </indexterm>
+
+      <para>In addition to providing built-in <acronym>SSH</acronym>
+	client utilities, a &os; system can be configured as an
+	<acronym>SSH</acronym> server, accepting connections from
+	other <acronym>SSH</acronym> clients.</para>
+
+      <para>To see if <application>sshd</application> is enabled,
+	check <filename>/etc/rc.conf</filename> for this line and add
+	it if it is missing:</para>
+
+      <programlisting>sshd_enable="YES"</programlisting>
+
+      <para>This will start <application>sshd</application>, the
+	daemon program for <application>OpenSSH</application>, the
+	next time the system boots.  To start it now:</para>
 
-      <para>It is often a good idea to limit which users can log in and
-        from where.  The <literal>AllowUsers</literal> option is a good
-        way to accomplish this.  For example, to only allow the
-        <systemitem class="username">root</systemitem> user to log in from
-        <systemitem class="ipaddress">192.168.1.32</systemitem>, something like this
-        would be appropriate in the
-        <filename>/etc/ssh/sshd_config</filename> file:</para>
+      <screen>&prompt.root; <userinput>service sshd start</userinput></screen>
+
+      <para>The first time <application>sshd</application> starts on a
+	&os; system, the system's host keys will be automatically
+	created and the fingerprint will be displayed on the console.
+	Provide users with the fingerprint so that they can verify it
+	the first time they connect to the server.</para>
+
+      <para>Refer to &man.sshd.8; for the list of available options
+	when starting <application>sshd</application> and a more
+	complete discussion about authentication, the login process,
+	and the various configuration files.</para>
+
+      <para>It is a good idea to limit which users can log into the
+	<acronym>SSH</acronym> server and from where using the
+	<literal>AllowUsers</literal> keyword in the
+	<application>OpenSSH</application> server configuration file.
+	For example, to only allow <systemitem
+	  class="username">root</systemitem> to log in from
+	<systemitem class="ipaddress">192.168.1.32</systemitem>, add
+	this line to <filename>/etc/ssh/sshd_config</filename>:</para>
 
       <programlisting>AllowUsers root@192.168.1.32</programlisting>
 
-      <para>To allow the user <systemitem class="username">admin</systemitem> to log in from
-        anywhere, just list the username by itself:</para>
+      <para>To allow <systemitem class="username">admin</systemitem>
+	to log in from anywhere, list that user without specifying an
+	<acronym>IP</acronym> address:</para>
 
       <programlisting>AllowUsers admin</programlisting>
 
-      <para>Multiple users should be listed on the same line, like so:</para>
+      <para>Multiple users should be listed on the same line, like
+	so:</para>
 
       <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
 
-      <note>
-        <para>It is important that you list each user that needs to
-          log in to this machine; otherwise they will be locked out.</para>
-      </note>
-
       <para>After making changes to
-         <filename>/etc/ssh/sshd_config</filename> you must tell
-         &man.sshd.8; to reload its config files, by running:</para>
+	<filename>/etc/ssh/sshd_config</filename>,
+	tell <application>sshd</application> to reload its
+	configuration file by running:</para>
 
-      <screen>&prompt.root; <userinput>/etc/rc.d/sshd reload</userinput></screen>
-    </sect2>
+      <screen>&prompt.root; <userinput>service sshd reload</userinput></screen>
 
-    <sect2>
-      <title>Further Reading</title>
-      <para><link xlink:href="http://www.openssh.com/">OpenSSH</link></para>
-      <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
-        &man.ssh-agent.1; &man.ssh-add.1; &man.ssh.config.5;</para>
-      <para>&man.sshd.8; &man.sftp-server.8; &man.sshd.config.5;</para>
+      <note>
+	<para>When this keyword is used, it is important to list each
+	  user that needs to log into this machine.  Any user that is
+	  not specified in that line will be locked out.  Also, the
+	  keywords used in the <application>OpenSSH</application>
+	  server configuration file are case-sensitive.  If the
+	  keyword is not spelled correctly, including its case, it
+	  will be ignored.  Always test changes to this file to make
+	  sure that the edits are working as expected.  Refer to
+	  &man.sshd.config.5; to verify the spelling and use of the
+	  available keywords.</para>
+      </note>
+
+      <tip>
+	<para>Do not confuse <filename>/etc/ssh/sshd_config</filename>
+	  with <filename>/etc/ssh/ssh_config</filename> (note the
+	  extra <literal>d</literal> in the first filename).  The
+	  first file configures the server and the second file
+	  configures the client.  Refer to &man.ssh.config.5; for a
+	  listing of the available client settings,.</para>
+      </tip>
     </sect2>
   </sect1>
 
   <sect1 xml:id="fs-acl">
-    <info><title>File System Access Control Lists</title>
+    <info>
+      <title>Access Control Lists</title>
+
       <authorgroup>
-	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed by </contrib></author>
+	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed
+	  by </contrib></author>
       </authorgroup>
     </info>
 
-    
-
     <indexterm>
       <primary>ACL</primary>
     </indexterm>
 
-    <para>In conjunction with file system enhancements like snapshots, FreeBSD 5.0
-      and later offers the security of File System Access Control Lists
-      (<acronym>ACLs</acronym>).</para>
-
-    <para>Access Control Lists extend the standard &unix;
-      permission model in a highly compatible (&posix;.1e) way.  This feature
-      permits an administrator to make use of and take advantage of a
-      more sophisticated security model.</para>
-
-    <para>To enable <acronym>ACL</acronym> support for <acronym>UFS</acronym>
-      file systems, the following:</para>
+    <para>Access Control Lists (<acronym>ACL</acronym>s) extend the
+      standard &unix; permission model in a &posix;.1e compatible way.
+      This permits an administrator to take advantage of a more
+      fine-grained permissions model.</para>
+
+    <para>The &os; <filename>GENERIC</filename> kernel provides
+      <acronym>ACL</acronym> support for <acronym>UFS</acronym> file
+      systems.  Users who prefer to compile a custom kernel must
+      include the following option in their custom kernel
+      configuration file:</para>
 
     <programlisting>options UFS_ACL</programlisting>
 
-    <para>must be compiled into the kernel.  If this option has
-      not been compiled in, a warning message will be displayed
-      when attempting to mount a file system supporting <acronym>ACLs</acronym>.
-      This option is included in the <filename>GENERIC</filename> kernel.
-      <acronym>ACLs</acronym> rely on extended attributes being enabled on
-      the file system.  Extended attributes are natively supported in the next generation
-      &unix; file system, <acronym>UFS2</acronym>.</para>
-
-    <note><para>A higher level of administrative overhead is required to
-      configure extended attributes on <acronym>UFS1</acronym> than on
-      <acronym>UFS2</acronym>.  The performance of extended attributes
-      on <acronym>UFS2</acronym> is also substantially higher.  As a
-      result, <acronym>UFS2</acronym> is generally recommended in preference
-      to <acronym>UFS1</acronym> for use with access control lists.</para></note>
-
-    <para><acronym>ACLs</acronym> are enabled by the mount-time administrative
-      flag, <option>acls</option>, which may be added to <filename>/etc/fstab</filename>.
-      The mount-time flag can also be automatically set in a persistent manner using
-      &man.tunefs.8; to modify a superblock <acronym>ACLs</acronym> flag in the
-      file system header.  In general, it is preferred to use the superblock flag
-      for several reasons:</para>
+    <para>If this option is not compiled in, a warning message will be
+      displayed when attempting to mount a file system with
+      <acronym>ACL</acronym> support.  <acronym>ACL</acronym>s rely on
+      extended attributes which are natively supported in
+      <acronym>UFS2</acronym>.</para>
+
+    <para>This chapter describes how to enable
+      <acronym>ACL</acronym> support and provides some usage
+      examples.</para>
+
+    <sect2>
+      <title>Enabling <acronym>ACL</acronym> Support</title>
+
+      <para><acronym>ACL</acronym>s are enabled by the mount-time
+	administrative flag, <option>acls</option>, which may be added
+	to <filename>/etc/fstab</filename>.  The mount-time flag can
+	also be automatically set in a persistent manner using
+	&man.tunefs.8; to modify a superblock <acronym>ACL</acronym>s
+	flag in the file system header.  In general, it is preferred
+	to use the superblock flag for several reasons:</para>
 
-    <itemizedlist>
-      <listitem>
-	<para>The mount-time <acronym>ACLs</acronym> flag cannot be changed by a
-	remount (&man.mount.8; <option>-u</option>), only by means of a complete
-	&man.umount.8; and fresh &man.mount.8;.  This means that
-	<acronym>ACLs</acronym> cannot be enabled on the root file system after boot.
-	It also means that you cannot change the disposition of a file system once
-	it is in use.</para>
-      </listitem>
+      <itemizedlist>
+	<listitem>
+	  <para>The superblock flag cannot be changed by a remount
+	    using <option>mount -u</option> as it requires a complete
+	    <command>umount</command> and fresh
+	    <command>mount</command>.  This means that
+	    <acronym>ACL</acronym>s cannot be enabled on the root file
+	    system after boot.  It also means that
+	    <acronym>ACL</acronym> support on a file system cannot be
+	    changed while the system is in use.</para>
+	</listitem>
 
-      <listitem>
-	<para>Setting the superblock flag will cause the file system to always be
-	mounted with <acronym>ACLs</acronym> enabled even if there is not an
-	<filename>fstab</filename> entry or if the devices re-order.  This prevents
-	accidental mounting of the file system without <acronym>ACLs</acronym>
-	enabled, which can result in <acronym>ACLs</acronym> being improperly enforced,
-	and hence security problems.</para>
-      </listitem>
-    </itemizedlist>
+	<listitem>
+	  <para>Setting the superblock flag causes the file system to
+	    always be mounted with <acronym>ACL</acronym>s enabled,
+	    even if there is not an <filename>fstab</filename> entry
+	    or if the devices re-order.  This prevents accidental
+	    mounting of the file system without <acronym>ACL</acronym>
+	    support.</para>
+	</listitem>
+      </itemizedlist>
 
-    <note><para>We may change the <acronym>ACLs</acronym> behavior to allow the flag to
-      be enabled without a complete fresh &man.mount.8;, but we consider it desirable to
-      discourage accidental mounting without <acronym>ACLs</acronym> enabled, because you
-      can shoot your feet quite nastily if you enable <acronym>ACLs</acronym>, then disable
-      them, then re-enable them without flushing the extended attributes.  In general, once
-      you have enabled <acronym>ACLs</acronym> on a file system, they should not be disabled,
-      as the resulting file protections may not be compatible with those intended by the
-      users of the system, and re-enabling <acronym>ACLs</acronym> may re-attach the previous
-      <acronym>ACLs</acronym> to files that have since had their permissions changed,
-      resulting in other unpredictable behavior.</para></note>
+      <note>
+	<para>It is desirable to discourage accidental mounting
+	  without <acronym>ACL</acronym>s enabled because nasty things
+	  can happen if <acronym>ACL</acronym>s are enabled, then
+	  disabled, then re-enabled without flushing the extended
+	  attributes.  In general, once <acronym>ACL</acronym>s are
+	  enabled on a file system, they should not be disabled, as
+	  the resulting file protections may not be compatible with
+	  those intended by the users of the system, and re-enabling
+	  <acronym>ACL</acronym>s may re-attach the previous
+	  <acronym>ACL</acronym>s to files that have since had their
+	  permissions changed, resulting in unpredictable
+	  behavior.</para>
+      </note>
 
-    <para>File systems with <acronym>ACLs</acronym> enabled will show a <literal>+</literal>
-      (plus) sign in their permission settings when viewed.  For example:</para>
+      <para>File systems with <acronym>ACL</acronym>s enabled will
+	show a plus (<literal>+</literal>) sign in their permission
+	settings:</para>
 
-    <programlisting>drwx------  2 robert  robert  512 Dec 27 11:54 private
+      <programlisting>drwx------  2 robert  robert  512 Dec 27 11:54 private
 drwxrwx---+ 2 robert  robert  512 Dec 23 10:57 directory1
 drwxrwx---+ 2 robert  robert  512 Dec 22 10:20 directory2
 drwxrwx---+ 2 robert  robert  512 Dec 27 11:57 directory3
 drwxr-xr-x  2 robert  robert  512 Nov 10 11:54 public_html</programlisting>
 
-    <para>Here we see that the <filename>directory1</filename>,
-      <filename>directory2</filename>, and <filename>directory3</filename>
-      directories are all taking advantage of <acronym>ACLs</acronym>.  The
-      <filename>public_html</filename> directory is not.</para>
+      <para>In this example, <filename>directory1</filename>,
+	<filename>directory2</filename>, and
+	<filename>directory3</filename> are all taking advantage of
+	<acronym>ACL</acronym>s, whereas
+	<filename>public_html</filename> is not.</para>
+    </sect2>
 
     <sect2>
-      <title>Making Use of <acronym>ACL</acronym>s</title>
+      <title>Using <acronym>ACL</acronym>s</title>
 
-      <para>The file system <acronym>ACL</acronym>s can be viewed by the
-	&man.getfacl.1; utility.  For instance, to view the
-	<acronym>ACL</acronym> settings on the <filename>test</filename>
-	file, one would use the command:</para>
+      <para>File system <acronym>ACL</acronym>s can be viewed using
+	<command>getfacl</command>.  For instance, to view the
+	<acronym>ACL</acronym> settings on
+	<filename>test</filename>:</para>
 
       <screen>&prompt.user; <userinput>getfacl test</userinput>
 	#file:test
@@ -4624,95 +3090,101 @@
 	group::r--
 	other::r--</screen>
 
-      <para>To change the <acronym>ACL</acronym> settings on this file,
-	invoke the &man.setfacl.1; utility.  Observe:</para>
+      <para>To change the <acronym>ACL</acronym> settings on this
+	file, use <command>setfacl</command>.  To remove all of the
+	currently defined <acronym>ACL</acronym>s from a file or file
+	system, include <option>-k</option>.  However, the preferred
+	method is to use <option>-b</option> as it leaves the basic
+	fields required for <acronym>ACL</acronym>s to work.</para>
 
       <screen>&prompt.user; <userinput>setfacl -k test</userinput></screen>
 
-      <para>The <option>-k</option> flag will remove all of the
-	currently defined <acronym>ACL</acronym>s from a file or file
-	system.  The more preferable method would be to use
-	<option>-b</option> as it leaves the basic fields required for
-	<acronym>ACL</acronym>s to work.</para>
+      <para>To modify the default <acronym>ACL</acronym> entries, use
+	<option>-m</option>:</para>
 
       <screen>&prompt.user; <userinput>setfacl -m u:trhodes:rwx,group:web:r--,o::--- test</userinput></screen>
 
-      <para>In the aforementioned command, the <option>-m</option>
-	option was used to modify the default <acronym>ACL</acronym>
-	entries.  Since there were no pre-defined entries, as they were
-	removed by the previous command, this will restore the default
-	options and assign the options listed.  Take care to notice that
-	if you add a user or group which does not exist on the system,
-	an <errorname>Invalid argument</errorname> error will be printed
-	to <filename>stdout</filename>.</para>
+      <para>In this example, there were no pre-defined entries, as
+	they were removed by the previous command.  This command
+	restores the default options and assigns the options listed.
+	If a user or group is added which does not exist on the
+	system, an <errorname>Invalid argument</errorname> error will
+	be displayed.</para>
+
+      <para>Refer to &man.getfacl.1; and &man.setfacl.1; for more
+	information about the options available for these
+	commands.</para>
     </sect2>
   </sect1>
 
   <sect1 xml:id="security-portaudit">
-    <info><title>Monitoring Third Party Security Issues</title>
+    <info>
+      <title>Monitoring Third Party Security Issues</title>
+
       <authorgroup>
-	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed by </contrib></author>
+	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed
+	  by </contrib></author>
       </authorgroup>
     </info>
 
-    
-
     <indexterm>
-      <primary>Portaudit</primary>
+      <primary>portaudit</primary>
     </indexterm>
 
-    <para>In recent years, the security world has made many improvements
-      to how vulnerability assessment is handled.  The threat of system
-      intrusion increases as third party utilities are installed and
-      configured for virtually any operating system available
-      today.</para>
+    <para>In recent years, the security world has made many
+      improvements to how vulnerability assessment is handled.  The
+      threat of system intrusion increases as third party utilities
+      are installed and configured for virtually any operating
+      system available today.</para>
 
-    <para>Vulnerability assessment is a key factor in security, and
-      while &os; releases advisories for the base system, doing so
+    <para>Vulnerability assessment is a key factor in security.
+      While &os; releases advisories for the base system, doing so
       for every third party utility is beyond the &os; Project's
       capability.  There is a way to mitigate third party
       vulnerabilities and warn administrators of known security
       issues.  A &os; add on utility known as
-      <application>Portaudit</application> exists solely for this
+      <application>portaudit</application> exists solely for this
       purpose.</para>
 
-    <para>The <package role="port">security/portaudit</package> port
-      polls a database, updated and maintained by the &os; Security
-      Team and ports developers, for known security issues.</para>
+    <para>The
+      <package>ports-mgmt/portaudit</package>
+      port polls a database, which is updated and maintained by the
+      &os; Security Team and ports developers, for known security
+      issues.</para>
 
-    <para>To begin using <application>Portaudit</application>, one
-      must install it from the Ports Collection:</para>
+    <para>To install <application>portaudit</application> from the
+      Ports Collection:</para>
 
-    <screen>&prompt.root; <userinput>cd /usr/ports/security/portaudit &amp;&amp; make install clean</userinput></screen>
+    <screen>&prompt.root; <userinput>cd /usr/ports/ports-mgmt/portaudit &amp;&amp; make install clean</userinput></screen>
 
-    <para>During the install process, the configuration files for
+    <para>During the installation, the configuration files for
       &man.periodic.8; will be updated, permitting
-      <application>Portaudit</application> output in the daily security
-      runs.  Ensure the daily security run emails, which are sent to
-      <systemitem class="username">root</systemitem>'s email account, are being read.  No
-      more configuration will be required here.</para>
-
-    <para>After installation, an administrator can update the database
-      and view known vulnerabilities in installed packages by invoking
-      the following command:</para>
+      <application>portaudit</application> output in the daily
+      security runs.  Ensure that the daily security run emails, which
+      are sent to <systemitem class="username">root</systemitem>'s
+      email account, are being read.  No other configuration is
+      required.</para>
+
+    <para>After installation, an administrator can update the
+      database and view known vulnerabilities in installed packages
+      by invoking the following command:</para>
 
     <screen>&prompt.root; <userinput>portaudit -Fda</userinput></screen>
 
     <note>
-      <para>The database will automatically be updated during the
-	&man.periodic.8; run; thus, the previous command is completely
-	optional.  It is only required for the following
-	examples.</para>
+      <para>The database is automatically updated during the
+	&man.periodic.8; run.  The above command is optional and can
+	be used to manually update the database now.</para>
     </note>
 
     <para>To audit the third party utilities installed as part of
-      the Ports Collection at anytime, an administrator need only run
-      the following command:</para>
+      the Ports Collection at anytime, an administrator can run the
+      following command:</para>
 
     <screen>&prompt.root; <userinput>portaudit -a</userinput></screen>
 
-    <para><application>Portaudit</application> will produce something
-      like this for vulnerable packages:</para>
+    <para><application>portaudit</application> will display messages
+      for any installed vulnerable packages:</para>
 
     <programlisting>Affected package: cups-base-1.1.22.0_1
 Type of problem: cups-base -- HPGL buffer overflow vulnerability.
@@ -4722,271 +3194,760 @@
 
 You are advised to update or deinstall the affected package(s) immediately.</programlisting>
 
-    <para>By pointing a web browser to the <acronym>URL</acronym> shown,
-      an administrator may obtain more information about the
-      vulnerability in question.  This will include versions affected,
-      by &os; Port version, along with other web sites which may contain
-      security advisories.</para>
-
-    <para>In short, <application>Portaudit</application> is a powerful
-      utility and extremely useful when coupled with the
-      <application>Portupgrade</application> port.</para>
+    <para>By pointing a web browser to the displayed
+      <acronym>URL</acronym>, an administrator may obtain more
+      information about the vulnerability.  This will include the
+      versions affected, by &os; port version, along with other web
+      sites which may contain security advisories.</para>
+
+    <para><application>portaudit</application> is a powerful utility
+      and is extremely useful when coupled with the
+      <application>portmaster</application> port.</para>
   </sect1>
 
   <sect1 xml:id="security-advisories">
-    <info><title>&os; Security Advisories</title>
+    <info>
+      <title>&os; Security Advisories</title>
+
       <authorgroup>
-	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed by </contrib></author>
+	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed
+	  by </contrib></author>
       </authorgroup>
     </info>
 
-    
-
     <indexterm>
-      <primary>FreeBSD Security Advisories</primary>
+      <primary>&os; Security Advisories</primary>
     </indexterm>
 
-    <para>Like many production quality operating systems, &os; publishes
-      <quote>Security Advisories</quote>.  These advisories are usually
-      mailed to the security lists and noted in the Errata only
-      after the appropriate releases have been patched.  This section
-      will work to explain what an advisory is, how to understand it,
-      and what measures to take in order to patch a system.</para>
+    <para>Like many producers of quality operating systems, the &os;
+      Project has a security team which is responsible for
+      determining the End-of-Life (<acronym>EoL</acronym>) date for
+      each &os; release and to provide security updates for supported
+      releases which have not yet reached their
+      <acronym>EoL</acronym>.  More information about the &os;
+      security team and the supported releases is available on the
+      <link xlink:href="&url.base;/security">&os; security
+	page</link>.</para>
+
+    <para>One task of the security team is to respond to reported
+      security vulnerabilities in the &os; operating system.  Once a
+      vulnerability is confirmed, the security team verifies the steps
+      necessary to fix the vulnerability and updates the source code
+      with the fix.  It then publishes the details as a
+      <quote>Security Advisory</quote>.  Security
+      advisories are published on the <link
+	xlink:href="&url.base;/security/advisories.html">&os;
+	website</link> and mailed to the
+      &a.security-notifications.name;, &a.security.name;, and
+      &a.announce.name; mailing lists.</para>
+
+    <para>This section describes the format of a &os; security
+      advisory.</para>
 
     <sect2>
-      <title>What does an advisory look like?</title>
+      <title>Format of a Security Advisory</title>
 
-      <para>The &os; security advisories look similar to the one below,
-	taken from the &a.security-notifications.name; mailing list.</para>
+      <para>Here is an example of a &os; security advisory:</para>
 
       <programlisting>=============================================================================
-&os;-SA-XX:XX.UTIL                                     Security Advisory
-                                                          The &os; Project
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
 
-Topic:          denial of service due to some problem<co xml:id="co-topic"/>
-
-Category:       core<co xml:id="co-category"/>
-Module:         sys<co xml:id="co-module"/>
-Announced:      2003-09-23<co xml:id="co-announce"/>
-Credits:        Person@EMAIL-ADDRESS<co xml:id="co-credit"/>
-Affects:        All releases of &os;<co xml:id="co-affects"/>
-                &os; 4-STABLE prior to the correction date
-Corrected:      2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
-                2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
-                2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
-                2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
-                2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
-                2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
-                2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
-                2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
-                2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)<co xml:id="co-corrected"/>
-&os; only:   NO<co xml:id="co-only"/>
+=============================================================================
+FreeBSD-SA-14:04.bind                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          BIND remote denial of service vulnerability
+
+Category:       contrib
+Module:         bind
+Announced:      2014-01-14
+Credits:        ISC
+Affects:        FreeBSD 8.x and FreeBSD 9.x
+Corrected:      2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
+                2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+                2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+                2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
+                2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+                2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+CVE Name:       CVE-2014-0591
 
 For general information regarding FreeBSD Security Advisories,
 including descriptions of the fields above, security branches, and the
-following sections, please visit
-http://www.FreeBSD.org/security/.
+following sections, please visit &lt;URL:http://security.FreeBSD.org/&gt;.
+
+I.   Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II.  Problem Description
+
+Because of a defect in handling queries for NSEC3-signed zones, BIND can
+crash with an "INSIST" failure in name.c when processing queries possessing
+certain properties.  This issue only affects authoritative nameservers with
+at least one NSEC3-signed zone.  Recursive-only servers are not at risk.
+
+III. Impact
+
+An attacker who can send a specially crafted query could cause named(8)
+to crash, resulting in a denial of service.
+
+IV.  Workaround
+
+No workaround is available, but systems not running authoritative DNS service
+with at least one NSEC3-signed zone using named(8) are not vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
 
-I.   Background<co xml:id="co-backround"/>
+2) To update your vulnerable system via a source code patch:
 
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
 
-II.  Problem Description<co xml:id="co-descript"/>
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
 
+[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
+# gpg --verify bind-release.patch.asc
 
-III. Impact<co xml:id="co-impact"/>
+[FreeBSD 9.2-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
+# gpg --verify bind-stable-9.patch.asc
 
+b) Execute the following commands as root:
 
-IV.  Workaround<co xml:id="co-workaround"/>
+# cd /usr/src
+# patch &lt; /path/to/patch
 
+Recompile the operating system using buildworld and installworld as
+described in &lt;URL:http://www.FreeBSD.org/handbook/makeworld.html&gt;.
 
-V.   Solution<co xml:id="co-solution"/>
+Restart the applicable daemons, or reboot the system.
 
+3) To update your vulnerable system via a binary patch:
 
-VI.  Correction details<co xml:id="co-details"/>
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
 
+# freebsd-update fetch
+# freebsd-update install
 
-VII. References<co xml:id="co-ref"/></programlisting>
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r260646
+releng/8.3/                                                       r260647
+releng/8.4/                                                       r260647
+stable/9/                                                         r260646
+releng/9.1/                                                       r260647
+releng/9.2/                                                       r260647
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+&lt;URL:http://svnweb.freebsd.org/base?view=revision&amp;revision=NNNNNN&gt;
+
+VII. References
+
+&lt;URL:https://kb.isc.org/article/AA-01078&gt;
+
+&lt;URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591&gt;
+
+The latest revision of this advisory is available at
+&lt;URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc&gt;
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG
+ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO
+XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg
+ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG
+9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5
+fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua
+OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb
+zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag
+Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm
+067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq
+7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO
+UWWemqWuz3lAZuORQ9KX
+=OQzQ
+-----END PGP SIGNATURE-----</programlisting>
+
+      <para>Every security advisory uses the following format:</para>
+
+      <itemizedlist>
+	<listitem>
+	  <para>Each security advisory is signed by the
+	    <acronym>PGP</acronym> key of the Security Officer.  The
+	    public key for the Security Officer can be verified at
+	    <xref linkend="pgpkeys"/>.</para>
+	</listitem>
 
+	<listitem>
+	  <para>The name of the security advisory always begins with
+	    <literal>FreeBSD-SA-</literal> (for FreeBSD Security
+	    Advisory), followed by the year in two digit format
+	    (<literal>14:</literal>), followed by the advisory number
+	    for that year (<literal>04.</literal>), followed by the
+	    name of the affected application or subsystem
+	    (<literal>bind</literal>).  The advisory shown here is the
+	    fourth advisory for 2014 and it affects
+	    <application>BIND</application>.</para>
+	</listitem>
 
-      <calloutlist>
-	<callout arearefs="co-topic">
-	  <para>The <literal>Topic</literal> field indicates exactly what the problem is.
-	    It is basically an introduction to the current security
-	    advisory and notes the utility with the
+	<listitem>
+	  <para>The <literal>Topic</literal> field summarizes the
 	    vulnerability.</para>
-	</callout>
+	</listitem>
 
-	<callout arearefs="co-category">
-	  <para>The <literal>Category</literal> refers to the affected part of the system
-	    which may be one of <literal>core</literal>, <literal>contrib</literal>, or <literal>ports</literal>.  The <literal>core</literal>
+	<listitem>
+	  <para>The <literal>Category</literal> refers to the
+	    affected part of the system which may be one of
+	    <literal>core</literal>, <literal>contrib</literal>, or
+	    <literal>ports</literal>.  The <literal>core</literal>
 	    category means that the vulnerability affects a core
-	    component of the &os; operating system.  The <literal>contrib</literal>
-	    category means that the vulnerability affects software
-	    contributed to the &os; Project, such as
-	    <application>sendmail</application>.  Finally the <literal>ports</literal>
-	    category indicates that the vulnerability affects add on
-	    software available as part of the Ports Collection.</para>
-	</callout>
-
-	<callout arearefs="co-module">
-	  <para>The <literal>Module</literal> field refers to the component location, for
-	    instance <literal>sys</literal>.  In this example, we see that the module,
-	    <literal>sys</literal>, is affected; therefore, this vulnerability
-	    affects a component used within the kernel.</para>
-	</callout>
-
-	<callout arearefs="co-announce">
-	  <para>The <literal>Announced</literal> field reflects the date said security
-	    advisory was published, or announced to the world.  This
-	    means that the security team has verified that the problem
-	    does exist and that a patch has been committed to the &os;
+	    component of the &os; operating system.  The
+	    <literal>contrib</literal> category means that the
+	    vulnerability affects software included with  &os;,
+	    such as <application>BIND</application>.  The
+	    <literal>ports</literal> category indicates that the
+	    vulnerability affects software available through the Ports
+	    Collection.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Module</literal> field refers to the
+	    component location.  In this example, the
+	    <literal>bind</literal> module is affected; therefore,
+	    this vulnerability affects an application installed with
+	    the operating system.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Announced</literal> field reflects the
+	    date the security advisory was published.  This means
+	    that the security team has verified that the problem
+	    exists and that a patch has been committed to the &os;
 	    source code repository.</para>
-	</callout>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Credits</literal> field gives credit to
+	    the individual or organization who noticed the
+	    vulnerability and reported it.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Affects</literal> field explains which
+	    releases of &os; are affected by this
+	    vulnerability.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Corrected</literal> field indicates the
+	    date, time, time offset, and releases that were
+	    corrected.  The section in parentheses shows each branch
+	    for which the fix has been merged, and the version number
+	    of the corresponding release from that branch.  The
+	    release identifier itself includes the version number
+	    and, if appropriate, the patch level.  The patch level is
+	    the letter <literal>p</literal> followed by a number,
+	    indicating the sequence number of the patch, allowing
+	    users to track which patches have already been applied to
+	    the system.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>CVE Name</literal> field lists the
+	    advisory number, if one exists, in the public <link
+	      xlink:href="http://cve.mitre.org">cve.mitre.org</link>
+	    security vulnerabilities database.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Background</literal> field provides a
+	    description of the affected module.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Problem Description</literal> field
+	    explains the vulnerability.  This can include
+	    information about the flawed code and how the utility
+	    could be maliciously used.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Impact</literal> field describes what
+	    type of impact the problem could have on a system.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Workaround</literal> field indicates if
+	    a workaround is available to system administrators who
+	    cannot immediately patch the system .</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>Solution</literal> field provides the
+	    instructions for patching the affected system.  This is a
+	    step by step tested and verified method for getting a
+	    system patched and working securely.</para>
+	</listitem>
 
-	<callout arearefs="co-credit">
-	  <para>The <literal>Credits</literal> field gives credit to the individual or
-	    organization who noticed the vulnerability and reported
-	    it.</para>
-	</callout>
-
-	<callout arearefs="co-affects">
-	  <para>The <literal>Affects</literal> field explains which releases of &os; are
-	    affected by this vulnerability.  For the kernel, a quick
-	    look over the output from <command>ident</command> on the
-	    affected files will help in determining the revision.
-	    For ports, the version number is listed after the port name
-	    in <filename>/var/db/pkg</filename>.  If the system does not
-	    sync with the &os; <acronym>CVS</acronym> repository and rebuild
-	    daily, chances are that it is affected.</para>
-	</callout>
-
-	<callout arearefs="co-corrected">
-	  <para>The <literal>Corrected</literal> field indicates the date, time, time
-	    offset, and release that was corrected.</para>
-	</callout>
-
-	<callout arearefs="co-only">
-	  <para>The <literal>&os; only</literal> field indicates whether this vulnerability
-	    affects just &os;, or if it affects other operating systems
-	    as well.</para>
-	</callout>
-
-	<callout arearefs="co-backround">
-	  <para>The <literal>Background</literal> field gives information on exactly what
-	    the affected utility is.  Most of the time this is why
-	    the utility exists in &os;, what it is used for, and a bit
-	    of information on how the utility came to be.</para>
-	</callout>
-
-	<callout arearefs="co-descript">
-	  <para>The <literal>Problem Description</literal> field explains the security hole
-	    in depth.  This can include information on flawed code, or
-	    even how the utility could be maliciously used to open
-	    a security hole.</para>
-	</callout>
-
-	<callout arearefs="co-impact">
-	  <para>The <literal>Impact</literal> field describes what type of impact the
-	    problem could have on a system.  For example, this could
-	    be anything from a denial of service attack, to extra
-	    privileges available to users, or even giving the attacker
-	    superuser access.</para>
-	</callout>
-
-	<callout arearefs="co-workaround">
-	  <para>The <literal>Workaround</literal> field offers a feasible workaround to
-	    system administrators who may be incapable of upgrading
-	    the system.  This may be due to time constraints, network
-	    availability, or a slew of other reasons.  Regardless,
-	    security should not be taken lightly, and an affected system
-	    should either be patched or the security hole workaround
-	    should be implemented.</para>
-	</callout>
-
-	<callout arearefs="co-solution">
-	  <para>The <literal>Solution</literal> field offers instructions on patching the
-	    affected system.  This is a step by step tested and verified
-	    method for getting a system patched and working
-	    securely.</para>
-	</callout>
-
-	<callout arearefs="co-details">
-	  <para>The <literal>Correction Details</literal> field displays the
-	    <acronym>CVS</acronym> branch or release name with the
-	    periods changed to underscore characters.  It also shows
-	    the revision number of the affected files within each
-	    branch.</para>
-	</callout>
-
-	<callout arearefs="co-ref">
-	  <para>The <literal>References</literal> field usually offers sources of other
-	    information.  This can included web <acronym>URL</acronym>s,
-	    books, mailing lists, and newsgroups.</para>
-	</callout>
-      </calloutlist>
+	<listitem>
+	  <para>The <literal>Correction Details</literal> field
+	    displays each affected Subversion branch with the revision
+	    number that contains the corrected code.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The <literal>References</literal> field offers sources
+	    of additional information regarding the
+	    vulnerability.</para>
+	</listitem>
+      </itemizedlist>
     </sect2>
   </sect1>
 
   <sect1 xml:id="security-accounting">
-    <info><title>Process Accounting</title>
+    <info>
+      <title>Process Accounting</title>
+
       <authorgroup>
-	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed by </contrib></author>
+	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed
+	  by </contrib></author>
       </authorgroup>
     </info>
 
-    
-
     <indexterm>
       <primary>Process Accounting</primary>
     </indexterm>
 
     <para>Process accounting is a security method in which an
-      administrator may keep track of system resources used,
+      administrator may keep track of system resources used and
       their allocation among users, provide for system monitoring,
       and minimally track a user's commands.</para>
 
-    <para>This indeed has its own positive and negative points.  One of
-      the positives is that an intrusion may be narrowed down
+    <para>Process accounting has both positive and negative points.
+      One of the positives is that an intrusion may be narrowed down
       to the point of entry.  A negative is the amount of logs
       generated by process accounting, and the disk space they may
-      require.  This section will walk an administrator through
-      the basics of process accounting.</para>
+      require.  This section walks an administrator through the basics
+      of process accounting.</para>
+
+    <note>
+      <para>If more fine-grained accounting is needed, refer to
+	<xref linkend="audit"/>.</para>
+    </note>
 
     <sect2>
-      <title>Enable and Utilizing Process Accounting</title>
-      <para>Before making use of process accounting, it
-	must be enabled.  To do this, execute the following
-	commands:</para>
+      <title>Enabling and Utilizing Process Accounting</title>
 
-      <screen>&prompt.root; <userinput>touch /var/account/acct</userinput>
+      <para>Before using process accounting, it must be enabled using
+	the following commands:</para>
 
+      <screen>&prompt.root; <userinput>touch /var/account/acct</userinput>
+&prompt.root; <userinput>chmod 600 /var/account/acct</userinput>
 &prompt.root; <userinput>accton /var/account/acct</userinput>
-
 &prompt.root; <userinput>echo 'accounting_enable="YES"' &gt;&gt; /etc/rc.conf</userinput></screen>
 
-      <para>Once enabled, accounting will begin to track
-	<acronym>CPU</acronym> stats, commands, etc.  All accounting
-	logs are in a non-human readable format and may be viewed
-	using the &man.sa.8; utility.  If issued without any options,
-	<command>sa</command> will print information relating to the
-	number of per user calls, the total elapsed time in minutes,
-	total <acronym>CPU</acronym> and user time in minutes, average
-	number of I/O operations, etc.</para>
-
-      <para>To view information about commands being issued, one
-	would use the &man.lastcomm.1; utility.  The
-	<command>lastcomm</command> may be used to print out commands
-	issued by users on specific &man.ttys.5;, for example:</para>
-
-      <screen>&prompt.root; <userinput>lastcomm ls
-	trhodes ttyp1</userinput></screen>
-
-      <para>Would print out all known usage of the <command>ls</command>
-        by <systemitem class="username">trhodes</systemitem> on the ttyp1 terminal.</para>
-
-      <para>Many other useful options exist and are explained in the
-	&man.lastcomm.1;, &man.acct.5; and &man.sa.8; manual
-	pages.</para>
+      <para>Once enabled, accounting will begin to track information
+	such as <acronym>CPU</acronym> statistics and executed
+	commands.  All accounting logs are in a non-human readable
+	format which can be viewed using <command>sa</command>.  If
+	issued without any options, <command>sa</command> prints
+	information relating to the number of per-user calls, the
+	total elapsed time in minutes, total <acronym>CPU</acronym>
+	and user time in minutes, and the average number of
+	<acronym>I/O</acronym> operations.  Refer to &man.sa.8; for
+	the list of available options which control the output.</para>
+
+      <para>To display the commands issued by users, use
+	<command>lastcomm</command>.  For example, this command
+	prints out all usage of <command>ls</command> by <systemitem
+	  class="username">trhodes</systemitem> on the
+	<literal>ttyp1</literal> terminal:</para>
+
+      <screen>&prompt.root; <userinput>lastcomm ls trhodes ttyp1</userinput></screen>
+
+      <para>Many other useful options exist and are explained in
+	&man.lastcomm.1;, &man.acct.5;, and &man.sa.8;.</para>
+    </sect2>
+  </sect1>
+
+  <sect1 xml:id="security-resourcelimits">
+    <info>
+      <title>Resource Limits</title>
+
+      <authorgroup>
+	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed
+	  by </contrib></author>
+      </authorgroup>
+    </info>
+
+    <indexterm>
+      <primary>Resource limits</primary>
+    </indexterm>
+
+      <para>&os; provides several methods for an administrator to
+	limit the amount of system resources an individual may use.
+	Disk quotas limit the amount of disk space available to users.
+	Quotas are discussed in <xref linkend="quotas"/>.</para>
+
+      <indexterm>
+	<primary>quotas</primary>
+      </indexterm>
+      <indexterm>
+	<primary>limiting users</primary>
+	<secondary>quotas</secondary>
+      </indexterm>
+      <indexterm>
+	<primary>disk quotas</primary>
+      </indexterm>
+
+    <para>Limits to other resources, such as <acronym>CPU</acronym>
+      and memory, can be set using either a flat file or a command to
+      configure a resource limits database.  The traditional method
+      defines login classes by editing
+      <filename>/etc/login.conf</filename>.  While this method is
+      still supported, any changes require a multi-step process of
+      editing this file, rebuilding the resource database, making
+      necessary changes to <filename>/etc/master.passwd</filename>,
+      and rebuilding the password database.  This can become time
+      consuming, depending upon the number of users to
+      configure.</para>
+
+    <para>Beginning with &os;&nbsp;9.0-RELEASE,
+      <command>rctl</command> can be used to provide a more
+      fine-grained method for controlling resource limits.  This
+      command supports more than user limits as it can also be used to
+      set resource constraints on processes and jails.</para>
+
+    <para>This section demonstrates both methods for controlling
+      resources, beginning with the traditional method.</para>
+
+    <sect2 xml:id="users-limiting">
+      <title>Configuring Login Classes</title>
+
+      <indexterm>
+	<primary>limiting users</primary>
+      </indexterm>
+      <indexterm>
+	<primary>accounts</primary>
+	<secondary>limiting</secondary>
+      </indexterm>
+      <indexterm>
+	<primary><filename>/etc/login.conf</filename></primary>
+      </indexterm>
+
+      <para>In the traditional method, login classes and the resource
+	limits to apply to a login class are defined in
+	<filename>/etc/login.conf</filename>.   Each user account can
+	be assigned to a login class, where <literal>default</literal>
+	is the default login class.  Each login class has a set of
+	login capabilities associated with it.  A login capability is
+	a
+	<literal><replaceable>name</replaceable>=<replaceable>value</replaceable></literal>
+	pair, where <replaceable>name</replaceable> is a well-known
+	identifier and <replaceable>value</replaceable> is an
+	arbitrary string which is processed accordingly depending on
+	the <replaceable>name</replaceable>.</para>
+
+      <note>
+	<para>Whenever <filename>/etc/login.conf</filename> is edited,
+	  the <filename>/etc/login.conf.db</filename> must be updated
+	  by executing the following command:</para>
+
+	<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
+      </note>
+
+      <para>Resource limits differ from the default login capabilities
+	in two ways.  First, for every limit, there is a
+	<firstterm>soft</firstterm> and <firstterm>hard</firstterm>
+	limit.  A soft limit may be adjusted by the user or
+	application, but may not be set higher than the hard limit.
+	The hard limit may be lowered by the user, but can only be
+	raised by the superuser.  Second, most resource limits apply
+	per process to a specific user.</para>
+
+      <para><xref linkend="resource-limits"/> lists the most commonly
+	used resource limits.  All of the available resource limits
+	and capabilities are described in detail in
+	&man.login.conf.5;.</para>
+
+      <indexterm>
+	<primary>limiting users</primary>
+	<secondary>coredumpsize</secondary>
+      </indexterm>
+      <indexterm>
+	<primary>limiting users</primary>
+	<secondary>cputime</secondary>
+      </indexterm>
+      <indexterm>
+	<primary>limiting users</primary>
+	<secondary>filesize</secondary>
+      </indexterm>
+      <indexterm>
+	<primary>limiting users</primary>
+	<secondary>maxproc</secondary>
+      </indexterm>
+      <indexterm>
+	<primary>limiting users</primary>
+	<secondary>memorylocked</secondary>
+      </indexterm>
+      <indexterm>
+	<primary>limiting users</primary>
+	<secondary>memoryuse</secondary>
+      </indexterm>
+      <indexterm>
+	<primary>limiting users</primary>
+	<secondary>openfiles</secondary>
+      </indexterm>
+      <indexterm>
+	<primary>limiting users</primary>
+	<secondary>sbsize</secondary>
+      </indexterm>
+      <indexterm>
+	<primary>limiting users</primary>
+	<secondary>stacksize</secondary>
+      </indexterm>
+
+      <table xml:id="resource-limits" frame="none" pgwide="1">
+	<title>Login Class Resource Limits</title>
+
+	<tgroup cols="2">
+	  <thead>
+	    <row>
+	      <entry>Resource Limit</entry>
+	      <entry>Description</entry>
+	    </row>
+	  </thead>
+
+	  <tbody>
+	    <row>
+	      <entry>coredumpsize</entry>
+	      <entry>The limit on the size of a core file generated by
+		a program is subordinate to other limits on disk
+		usage, such as <literal>filesize</literal> or disk
+		quotas.  This limit is often used as a less severe
+		method of controlling disk space consumption.  Since
+		users do not generate core files and often do not
+		delete them, this setting may save them from running
+		out of disk space should a large program
+		crash.</entry>
+	    </row>
+
+	    <row>
+	      <entry>cputime</entry>
+	      <entry>The maximum amount of <acronym>CPU</acronym> time
+		a user's process may consume.  Offending processes
+		will be killed by the kernel.  This is a limit on
+		<acronym>CPU</acronym> <emphasis>time</emphasis>
+		consumed, not the percentage of the
+		<acronym>CPU</acronym> as displayed in some of the
+		fields generated by <command>top</command> and
+		<command>ps</command>.</entry>
+	    </row>
+
+	    <row>
+	      <entry>filesize</entry>
+	      <entry>The maximum size of a file the user may own.
+		Unlike disk quotas (<xref linkend="quotas"/>), this
+		limit is enforced on individual files, not the set of
+		all files a user owns.</entry>
+	    </row>
+
+	    <row>
+	      <entry>maxproc</entry>
+	      <entry>The maximum number of foreground and background
+		processes a user can run.  This limit may not be
+		larger than the system limit specified by
+		<varname>kern.maxproc</varname>.  Setting this limit
+		too small may hinder a user's productivity as some
+		tasks, such as compiling a large program, start lots
+		of processes.</entry>
+	    </row>
+
+	    <row>
+	      <entry>memorylocked</entry>
+	      <entry>The maximum amount of memory a process may
+		request to be locked into main memory using
+		&man.mlock.2;.  Some system-critical programs, such as
+		&man.amd.8;, lock into main memory so that if the
+		system begins to swap, they do not contribute to disk
+		thrashing.</entry>
+	    </row>
+
+	    <row>
+	      <entry>memoryuse</entry>
+	      <entry>The maximum amount of memory a process may
+		consume at any given time.  It includes both core
+		memory and swap usage.  This is not a catch-all limit
+		for restricting memory consumption, but is a good
+		start.</entry>
+	    </row>
+
+	    <row>
+	      <entry>openfiles</entry>
+	      <entry>The maximum number of files a process may have
+		open.  In &os;, files are used to represent sockets
+		and <acronym>IPC</acronym> channels, so be careful not
+		to set this too low.  The system-wide limit for this
+		is defined by
+		<varname>kern.maxfiles</varname>.</entry>
+	    </row>
+
+	    <row>
+	      <entry>sbsize</entry>
+	      <entry>The limit on the amount of network memory a user
+		may consume.  This can be generally used to limit
+		network communications.</entry>
+	    </row>
+
+	    <row>
+	      <entry>stacksize</entry>
+	      <entry>The maximum size of a process stack.  This alone
+		is not sufficient to limit the amount of memory a
+		program may use, so it should be used in conjunction
+		with other limits.</entry>
+	    </row>
+	  </tbody>
+	</tgroup>
+      </table>
+
+      <para>There are a few other things to remember when setting
+	resource limits:</para>
+
+      <itemizedlist>
+	<listitem>
+	  <para>Processes started at system startup by
+	    <filename>/etc/rc</filename> are assigned to the
+	    <literal>daemon</literal> login class.</para>
+	</listitem>
+
+	<listitem>
+	  <para>Although the default
+	    <filename>/etc/login.conf</filename> is a good source of
+	    reasonable values for most limits, they may not be
+	    appropriate for every system.  Setting a limit too high
+	    may open the system up to abuse, while setting it too low
+	    may put a strain on productivity.</para>
+	</listitem>
+
+	<listitem>
+	  <para><application>&xorg;</application> takes a lot of
+	    resources and encourages users to run more programs
+	    simultaneously.</para>
+	</listitem>
+
+	<listitem>
+	  <para>Many limits apply to individual processes, not the
+	    user as a whole.  For example, setting
+	    <varname>openfiles</varname> to <literal>50</literal>
+	    means that each process the user runs may open up to
+	    <literal>50</literal> files.  The total amount of files a
+	    user may open is the value of <literal>openfiles</literal>
+	    multiplied by the value of <literal>maxproc</literal>.
+	    This also applies to memory consumption.</para>
+	</listitem>
+      </itemizedlist>
+
+      <para>For further information on resource limits and login
+	classes and capabilities in general, refer to
+	&man.cap.mkdb.1;, &man.getrlimit.2;, and
+	&man.login.conf.5;.</para>
+    </sect2>
+
+    <sect2>
+      <title>Enabling and Configuring Resource Limits</title>
+
+      <para>By default, kernel support for <command>rctl</command> is
+	not built-in, meaning that the kernel will first need to be
+	recompiled using the instructions in <xref
+	  linkend="kernelconfig"/>.  Add these lines to either
+	<filename>GENERIC</filename> or a custom kernel configuration
+	file, then rebuild the kernel:</para>
+
+      <programlisting>options         RACCT
+options         RCTL</programlisting>
+
+      <para>Once the system has rebooted into the new kernel,
+	<command>rctl</command> may be used to set rules for the
+	system.</para>
+
+      <para>Rule syntax is controlled through the use of a subject,
+	subject-id, resource, and action, as seen in this example
+	rule:</para>
+
+      <programlisting>user:trhodes:maxproc:deny=10/user</programlisting>
+
+      <para>In this rule, the subject is <literal>user</literal>, the
+	subject-id is <literal>trhodes</literal>, the resource,
+	<literal>maxproc</literal>, is the maximum number of
+	processes, and the action is <literal>deny</literal>, which
+	blocks any new processes from being created.  This means that
+	the user, <literal>trhodes</literal>, will be constrained to
+	no greater than <literal>10</literal> processes.  Other
+	possible actions include logging to the console, passing a
+	notification to &man.devd.8;, or sending a sigterm to the
+	process.</para>
+
+      <para>Some care must be taken when adding rules.  Since this
+	user is constrained to <literal>10</literal> processes, this
+	example will prevent the user from performing other tasks
+	after logging in and executing a
+	<command>screen</command> session.  Once a resource limit has
+	been hit, an error will be printed, as in this example:</para>
+
+      <screen>&prompt.user; <userinput>man test</userinput>
+    /usr/bin/man: Cannot fork: Resource temporarily unavailable
+eval: Cannot fork: Resource temporarily unavailable</screen>
+
+      <para>As another example, a jail can be prevented from exceeding
+	a memory limit.  This rule could be written as:</para>
+
+      <screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
+
+      <para>Rules will persist across reboots if they have been added
+	to <filename>/etc/rctl.conf</filename>.  The format is a rule,
+	without the preceding command.  For example, the previous rule
+	could be added as:</para>
+
+      <programlisting># Block jail from using more than 2G memory:
+jail:httpd:memoryuse:deny=2G/jail</programlisting>
+
+      <para>To remove a rule, use <command>rctl</command> to remove it
+	from the list:</para>
+
+      <screen>&prompt.root; <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput></screen>
+
+      <para>A method for removing all rules is documented in
+	&man.rctl.8;.  However, if removing all rules for a single
+	user is required, this command may be issued:</para>
+
+      <screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>
+
+      <para>Many other resources exist which can be used to exert
+	additional control over various <literal>subjects</literal>.
+	See &man.rctl.8; to learn about them.</para>
     </sect2>
   </sect1>
 </chapter>
Index: zh_TW.UTF-8/books/handbook/serialcomms/chapter.xml
===================================================================
--- zh_TW.UTF-8/books/handbook/serialcomms/chapter.xml
+++ zh_TW.UTF-8/books/handbook/serialcomms/chapter.xml
@@ -2666,7 +2666,7 @@
 
 	<procedure>
 	  <step>
-	    <para>Get the kernel source. (See <xref linkend="cutting-edge"/>)</para>
+	    <para>Get the kernel source.</para>
 	  </step>
 
 	  <step>
Index: zh_TW.UTF-8/share/xml/mailing-lists.ent
===================================================================
--- zh_TW.UTF-8/share/xml/mailing-lists.ent
+++ zh_TW.UTF-8/share/xml/mailing-lists.ent
@@ -3,7 +3,7 @@
      Names of FreeBSD 郵遞論壇s and related software.
      The FreeBSD Traditional-Chinese Documentation Project
 
-     Original revision: 1.57
+     Original revision: r46084
      $FreeBSD$
 -->
 
@@ -27,10 +27,6 @@
 <!ENTITY a.aic7xxx "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.aic7xxx.url;'>FreeBSD Adaptec AIC7xxx discussions 郵遞論壇</link>">
 <!ENTITY a.aic7xxx.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.aic7xxx.url;'>freebsd-aic7xxx</link>">
 
-<!ENTITY a.alpha.url "&a.mailman.listinfo;/freebsd-alpha">
-<!ENTITY a.alpha "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.alpha.url;'>FreeBSD Alpha porting 郵遞論壇</link>">
-<!ENTITY a.alpha.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.alpha.url;'>freebsd-alpha</link>">
-
 <!ENTITY a.amd64.url "&a.mailman.listinfo;/freebsd-amd64">
 <!ENTITY a.amd64 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.amd64.url;'>Porting FreeBSD to AMD64 systems</link>">
 <!ENTITY a.amd64.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.amd64.url;'>freebsd-amd64</link>">
@@ -55,14 +51,6 @@
 <!ENTITY a.atm "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.atm.url;'>FreeBSD ATM networking 郵遞論壇</link>">
 <!ENTITY a.atm.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.atm.url;'>freebsd-atm</link>">
 
-<!ENTITY a.audit.url "&a.mailman.listinfo;/freebsd-audit">
-<!ENTITY a.audit "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.audit.url;'>FreeBSD source code audit 郵遞論壇</link>">
-<!ENTITY a.audit.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.audit.url;'>freebsd-audit</link>">
-
-<!ENTITY a.binup.url "&a.mailman.listinfo;/freebsd-binup">
-<!ENTITY a.binup "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.binup.url;'>FreeBSD binary update system 郵遞論壇</link>">
-<!ENTITY a.binup.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.binup.url;'>freebsd-binup</link>">
-
 <!ENTITY a.bluetooth.url "&a.mailman.listinfo;/freebsd-bluetooth">
 <!ENTITY a.bluetooth "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.bluetooth.url;'>FreeBSD Bluetooth 郵遞論壇</link>">
 <!ENTITY a.bluetooth.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.bluetooth.url;'>freebsd-bluetooth</link>">
@@ -79,6 +67,10 @@
 <!ENTITY a.chat "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.chat.url;'>FreeBSD chat 郵遞論壇</link>">
 <!ENTITY a.chat.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.chat.url;'>freebsd-chat</link>">
 
+<!ENTITY a.chromium.url "&a.mailman.listinfo;/freebsd-chromium">
+<!ENTITY a.chromium "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.chromium.url;'>FreeBSD-specific Chromium issues</link>">
+<!ENTITY a.chromium.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.chromium.url;'>freebsd-chromium</link>">
+
 <!ENTITY a.cluster.url "&a.mailman.listinfo;/freebsd-cluster">
 <!ENTITY a.cluster "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.cluster.url;'>FreeBSD clustering 郵遞論壇</link>">
 <!ENTITY a.cluster.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.cluster.url;'>freebsd-cluster</link>">
@@ -86,7 +78,6 @@
 <!ENTITY a.committers "FreeBSD committer's 郵遞論壇">
 <!ENTITY a.committers.name "cvs-committers">
 
-<!ENTITY a.core "FreeBSD core team">
 <!ENTITY a.core.name "freebsd-core">
 
 <!ENTITY a.current.url "&a.mailman.listinfo;/freebsd-current">
@@ -97,14 +88,34 @@
 <!ENTITY a.ctm-announce "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-announce.url;'>CTM 公告</link>">
 <!ENTITY a.ctm-announce.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-announce.url;'>ctm-announce</link>">
 
-<!ENTITY a.ctm-cvs-cur.url "&a.mailman.listinfo;/ctm-cvs-cur">
-<!ENTITY a.ctm-cvs-cur "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-cvs-cur.url;'>透過 CTM 發佈的 CVS 檔案</link>">
-<!ENTITY a.ctm-cvs-cur.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-cvs-cur.url;'>ctm-cvs-cur</link>">
-
 <!ENTITY a.ctm-src-4.url "&a.mailman.listinfo;/ctm-src-4">
 <!ENTITY a.ctm-src-4 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-4.url;'>CTM 4-STABLE src branch distribution 郵遞論壇</link>">
 <!ENTITY a.ctm-src-4.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-4.url;'>ctm-src-4</link>">
 
+<!ENTITY a.ctm-src-5.url "&a.mailman.listinfo;/ctm-src-5">
+<!ENTITY a.ctm-src-5 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-5.url;'>CTM 5-STABLE src branch distribution mailing list</link>">
+<!ENTITY a.ctm-src-5.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-5.url;'>ctm-src-5</link>">
+
+<!ENTITY a.ctm-src-6.url "&a.mailman.listinfo;/ctm-src-6">
+<!ENTITY a.ctm-src-6 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-6.url;'>CTM 6-STABLE src branch distribution mailing list</link>">
+<!ENTITY a.ctm-src-6.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-6.url;'>ctm-src-6</link>">
+
+<!ENTITY a.ctm-src-7.url "&a.mailman.listinfo;/ctm-src-7">
+<!ENTITY a.ctm-src-7 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-7.url;'>CTM 7-STABLE src branch distribution mailing list</link>">
+<!ENTITY a.ctm-src-7.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-7.url;'>ctm-src-7</link>">
+
+<!ENTITY a.ctm-src-8.url "&a.mailman.listinfo;/ctm-src-8">
+<!ENTITY a.ctm-src-8 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-8.url;'>CTM 8-STABLE src branch distribution mailing list</link>">
+<!ENTITY a.ctm-src-8.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-8.url;'>ctm-src-8</link>">
+
+<!ENTITY a.ctm-src-9.url "&a.mailman.listinfo;/ctm-src-9">
+<!ENTITY a.ctm-src-9 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-9.url;'>CTM 9-STABLE src branch distribution mailing list</link>">
+<!ENTITY a.ctm-src-9.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-9.url;'>ctm-src-9</link>">
+
+<!ENTITY a.ctm-src-10.url "&a.mailman.listinfo;/ctm-src-10">
+<!ENTITY a.ctm-src-10 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-10.url;'>CTM 10-STABLE src branch distribution mailing list</link>">
+<!ENTITY a.ctm-src-10.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-10.url;'>ctm-src-10</link>">
+
 <!ENTITY a.ctm-src-cur.url "&a.mailman.listinfo;/ctm-src-cur">
 <!ENTITY a.ctm-src-cur "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-cur.url;'>CTM -CURRENT src branch distribution 郵遞論壇</link>">
 <!ENTITY a.ctm-src-cur.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ctm-src-cur.url;'>ctm-src-cur</link>">
@@ -133,15 +144,15 @@
 <!ENTITY a.cvs-src "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.cvs-src.url;'>FreeBSD CVS src commit list</link>">
 <!ENTITY a.cvs-src.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.cvs-src.url;'>cvs-src</link>">
 
-<!ENTITY a.cvsweb.url "&a.mailman.listinfo;/freebsd-cvsweb">
-<!ENTITY a.cvsweb "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.cvsweb.url;'>FreeBSD CVSweb 維護郵遞論壇</link>">
-<!ENTITY a.cvsweb.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.cvsweb.url;'>freebsd-cvsweb</link>">
-
 <!ENTITY a.database.url "&a.mailman.listinfo;/freebsd-database">
 <!ENTITY a.database "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.database.url;'>FreeBSD based Databases 郵遞論壇</link>">
 <!ENTITY a.database.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.database.url;'>freebsd-database</link>">
 
 <!ENTITY a.developers "FreeBSD developers 郵遞論壇">
+<!ENTITY a.desktop "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.desktop.url;'>Using and improving &os; on the desktop</link>">
+<!ENTITY a.desktop.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.desktop.url;'>freebsd-desktop</link>">
+
+<!ENTITY a.developers "FreeBSD developers mailing list">
 <!ENTITY a.developers.name "freebsd-developers">
 
 <!ENTITY a.doc.url "&a.mailman.listinfo;/freebsd-doc">
@@ -158,10 +169,13 @@
 <!ENTITY a.drivers "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.drivers.url;'>Writing device drivers for FreeBSD</link>">
 <!ENTITY a.drivers.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.drivers.url;'>freebsd-drivers</link>">
 
+<!ENTITY a.dtrace.url "&a.mailman.listinfo;/freebsd-dtrace">
+<!ENTITY a.dtrace "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.dtrace.url;'>Using and working on DTrace in &os;.</link>">
+<!ENTITY a.dtrace.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.dtrace.url;'>freebsd-dtrace</link>">
+
 <!ENTITY a.eclipse.url "&a.mailman.listinfo;/freebsd-eclipse">
 <!ENTITY a.eclipse "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.eclipse.url;'>FreeBSD users of Eclipse IDE, tools, rich client applications and ports</link>">
 <!ENTITY a.eclipse.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.eclipse.url;'>freebsd-eclipse</link>">
-
 <!ENTITY a.embedded.url "&a.mailman.listinfo;/freebsd-embedded">
 <!ENTITY a.embedded "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.embedded.url;'>FreeBSD-embedded 郵遞論壇</link>">
 <!ENTITY a.embedded.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.embedded.url;'>freebsd-embedded</link>">
@@ -170,6 +184,10 @@
 <!ENTITY a.emulation "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.emulation.url;'>FreeBSD-emulation 郵遞論壇</link>">
 <!ENTITY a.emulation.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.emulation.url;'>freebsd-emulation</link>">
 
+<!ENTITY a.enlightenment.url "&a.mailman.listinfo;/freebsd-enlightenment">
+<!ENTITY a.enlightenment "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.enlightenment.url;'>FreeBSD-enlightenment mailing list</link>">
+<!ENTITY a.enlightenment.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.enlightenment.url;'>freebsd-enlightenment</link>">
+
 <!ENTITY a.eol.url "&a.mailman.listinfo;/freebsd-eol">
 <!ENTITY a.eol "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.eol.url;'>FreeBSD-eol 郵遞論壇</link>">
 <!ENTITY a.eol.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.eol.url;'>freebsd-eol</link>">
@@ -178,14 +196,30 @@
 <!ENTITY a.firewire "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.firewire.url;'>FreeBSD FireWire (IEEE 1394) discussion 郵遞論壇</link>">
 <!ENTITY a.firewire.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.firewire.url;'>freebsd-firewire</link>">
 
+<!ENTITY a.fortran.url "&a.mailman.listinfo;/freebsd-fortran">
+<!ENTITY a.fortran "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.fortran.url;'>Fortran on FreeBSD mailing list</link>">
+<!ENTITY a.fortran.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.fortran.url;'>freebsd-fortran</link>">
+
 <!ENTITY a.fs.url "&a.mailman.listinfo;/freebsd-fs">
 <!ENTITY a.fs "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.fs.url;'>FreeBSD file system project 郵遞論壇</link>">
 <!ENTITY a.fs.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.fs.url;'>freebsd-fs</link>">
 
+<!ENTITY a.games.url "&a.mailman.listinfo;/freebsd-games">
+<!ENTITY a.games "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.games.url;'>Games on FreeBSD mailing list</link>">
+<!ENTITY a.games.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.games.url;'>freebsd-games</link>">
+
+<!ENTITY a.gecko.url "&a.mailman.listinfo;/freebsd-gecko">
+<!ENTITY a.gecko "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.gecko.url;'>FreeBSD gecko mailing list</link>">
+<!ENTITY a.gecko.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.gecko.url;'>freebsd-gecko</link>">
+
 <!ENTITY a.geom.url "&a.mailman.listinfo;/freebsd-geom">
 <!ENTITY a.geom "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.geom.url;'>FreeBSD GEOM 郵遞論壇</link>">
 <!ENTITY a.geom.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.geom.url;'>freebsd-geom</link>">
 
+<!ENTITY a.git.url "&a.mailman.listinfo;/freebsd-git">
+<!ENTITY a.git "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.git.url;'>Discussion of git use in the FreeBSD project</link>">
+<!ENTITY a.git.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.git.url;'>freebsd-git</link>">
+
 <!ENTITY a.gnome.url "&a.mailman.listinfo;/freebsd-gnome">
 <!ENTITY a.gnome "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.gnome.url;'>FreeBSD GNOME and GNOME applications 郵遞論壇</link>">
 <!ENTITY a.gnome.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.gnome.url;'>freebsd-gnome</link>">
@@ -218,6 +252,10 @@
 <!ENTITY a.ia64 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ia64.url;'>FreeBSD IA64 porting 郵遞論壇</link>">
 <!ENTITY a.ia64.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ia64.url;'>freebsd-ia64</link>">
 
+<!ENTITY a.infiniband.url "&a.mailman.listinfo;/freebsd-infiniband">
+<!ENTITY a.infiniband "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.infiniband.url;'>Infiniband on FreeBSD</link>">
+<!ENTITY a.infiniband.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.infiniband.url;'>freebsd-infiniband</link>">
+
 <!ENTITY a.ipfw.url "&a.mailman.listinfo;/freebsd-ipfw">
 <!ENTITY a.ipfw "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ipfw.url;'>FreeBSD IPFW code 郵遞論壇</link>">
 <!ENTITY a.ipfw.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ipfw.url;'>freebsd-ipfw</link>">
@@ -250,10 +288,6 @@
 <!ENTITY a.lfs "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.lfs.url;'>FreeBSD LFS porting 郵遞論壇</link>">
 <!ENTITY a.lfs.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.lfs.url;'>freebsd-lfs</link>">
 
-<!ENTITY a.libh.url "&a.mailman.listinfo;/freebsd-libh">
-<!ENTITY a.libh "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.libh.url;'>FreeBSD libh installation and packaging system 郵遞論壇</link>">
-<!ENTITY a.libh.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.libh.url;'>freebsd-libh</link>">
-
 <!ENTITY a.mips.url "&a.mailman.listinfo;/freebsd-mips">
 <!ENTITY a.mips "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.mips.url;'>FreeBSD MIPS porting 郵遞論壇</link>">
 <!ENTITY a.mips.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.mips.url;'>freebsd-mips</link>">
@@ -286,9 +320,17 @@
 <!ENTITY a.newbus "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.newbus.url;'>FreeBSD new-bus 郵遞論壇</link>">
 <!ENTITY a.newbus.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.newbus.url;'>freebsd-new-bus</link>">
 
-<!ENTITY a.openoffice.url "&a.mailman.listinfo;/freebsd-openoffice">
-<!ENTITY a.openoffice "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.openoffice.url;'>FreeBSD OpenOffice 郵遞論壇</link>">
-<!ENTITY a.openoffice.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.openoffice.url;'>freebsd-openoffice</link>">
+<!ENTITY a.numerics.url "&a.mailman.listinfo;/freebsd-numerics">
+<!ENTITY a.numerics "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.numerics.url;'>Discussions of high quality implementation of libm functions</link>">
+<!ENTITY a.numerics.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.numerics.url;'>freebsd-numerics</link>">
+
+<!ENTITY a.office.url "&a.mailman.listinfo;/freebsd-office">
+<!ENTITY a.office "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.office.url;'>Office applications on FreeBSD</link>">
+<!ENTITY a.office.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.office.url;'>freebsd-office</link>">
+
+<!ENTITY a.ops-announce.url "&a.mailman.listinfo;/freebsd-ops-announce">
+<!ENTITY a.ops-announce "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ops-announce.url;'>Project Infrastructure Announcements</link>">
+<!ENTITY a.ops-announce.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ops-announce.url;'>freebsd-ops-announce</link>">
 
 <!ENTITY a.performance.url "&a.mailman.listinfo;/freebsd-performance">
 <!ENTITY a.performance "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.performance.url;'>FreeBSD performance 郵遞論壇</link>">
@@ -302,18 +344,25 @@
 <!ENTITY a.pf "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.pf.url;'>FreeBSD packet filter 郵遞論壇</link>">
 <!ENTITY a.pf.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.pf.url;'>freebsd-pf</link>">
 
+<!ENTITY a.pkg.url "&a.mailman.listinfo;/freebsd-pkg">
+<!ENTITY a.pkg "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.pkg.url;'>Binary package management and package tools discussion</link>">
+<!ENTITY a.pkg.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.pkg.url;'>freebsd-pkg</link>">
+
+<!ENTITY a.pkg-fallout.url "&a.mailman.listinfo;/freebsd-pkg-fallout">
+<!ENTITY a.pkg-fallout "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.pkg-fallout.url;'>Fallout logs from package building</link>">
+<!ENTITY a.pkg-fallout.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.pkg-fallout.url;'>freebsd-pkg-fallout</link>">
+
 <!ENTITY a.platforms.url "&a.mailman.listinfo;/freebsd-platforms">
 <!ENTITY a.platforms "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.platforms.url;'>FreeBSD non-Intel platforms porting 郵遞論壇</link>">
 <!ENTITY a.platforms.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.platforms.url;'>freebsd-platforms</link>">
-
-<!ENTITY a.policy.url "&a.mailman.listinfo;/freebsd-policy">
-<!ENTITY a.policy "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.policy.url;'>FreeBSD core team policy decisions 郵遞論壇</link>">
-<!ENTITY a.policy.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.policy.url;'>freebsd-policy</link>">
-
 <!ENTITY a.ports.url "&a.mailman.listinfo;/freebsd-ports">
 <!ENTITY a.ports "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ports.url;'>FreeBSD ports 郵遞論壇</link>">
 <!ENTITY a.ports.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ports.url;'>freebsd-ports</link>">
 
+<!ENTITY a.ports-announce.url "&a.mailman.listinfo;/freebsd-ports-announce">
+<!ENTITY a.ports-announce "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ports-announce.url;'>FreeBSD ports announce mailing list</link>">
+<!ENTITY a.ports-announce.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ports-announce.url;'>freebsd-ports-announce</link>">
+
 <!ENTITY a.ports-bugs.url "&a.mailman.listinfo;/freebsd-ports-bugs">
 <!ENTITY a.ports-bugs "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ports-bugs.url;'>FreeBSD ports bugs 郵遞論壇</link>">
 <!ENTITY a.ports-bugs.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ports-bugs.url;'>freebsd-ports-bugs</link>">
@@ -336,10 +385,6 @@
 <!ENTITY a.python "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.python.url;'>FreeBSD Python 郵遞論壇</link>">
 <!ENTITY a.python.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.python.url;'>freebsd-python</link>">
 
-<!ENTITY a.qa.url "&a.mailman.listinfo;/freebsd-qa">
-<!ENTITY a.qa "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.qa.url;'>FreeBSD Quality Assurance 郵遞論壇</link>">
-<!ENTITY a.qa.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.qa.url;'>freebsd-qa</link>">
-
 <!ENTITY a.questions.url "&a.mailman.listinfo;/freebsd-questions">
 <!ENTITY a.questions "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.questions.url;'>FreeBSD general questions 郵遞論壇</link>">
 <!ENTITY a.questions.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.questions.url;'>freebsd-questions</link>">
@@ -352,6 +397,10 @@
 <!ENTITY a.realtime "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.realtime.url;'>FreeBSD realtime extensions 郵遞論壇</link>">
 <!ENTITY a.realtime.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.realtime.url;'>freebsd-realtime</link>">
 
+<!ENTITY a.ruby.url "&a.mailman.listinfo;/freebsd-ruby">
+<!ENTITY a.ruby "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ruby.url;'>FreeBSD Ruby mailing list</link>">
+<!ENTITY a.ruby.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.ruby.url;'>freebsd-ruby</link>">
+
 <!ENTITY a.scsi.url "&a.mailman.listinfo;/freebsd-scsi">
 <!ENTITY a.scsi "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.scsi.url;'>FreeBSD SCSI subsystem 郵遞論壇</link>">
 <!ENTITY a.scsi.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.scsi.url;'>freebsd-scsi</link>">
@@ -368,9 +417,9 @@
 <!ENTITY a.small "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.small.url;'>FreeBSD-small 郵遞論壇</link>">
 <!ENTITY a.small.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.small.url;'>freebsd-small</link>">
 
-<!ENTITY a.smp.url "&a.mailman.listinfo;/freebsd-smp">
-<!ENTITY a.smp "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.smp.url;'>FreeBSD symmetric multiprocessing 郵遞論壇</link>">
-<!ENTITY a.smp.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.smp.url;'>freebsd-smp</link>">
+<!ENTITY a.snapshots.url "&a.mailman.listinfo;/freebsd-snapshots">
+<!ENTITY a.snapshots "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.snapshots.url;'>FreeBSD Development Snapshot Announcements</link>">
+<!ENTITY a.snapshots.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.snapshots.url;'>freebsd-snapshots</link>">
 
 <!ENTITY a.sparc.url "&a.mailman.listinfo;/freebsd-sparc64">
 <!ENTITY a.sparc "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.sparc.url;'>FreeBSD SPARC porting 郵遞論壇</link>">
@@ -394,6 +443,102 @@
 <!ENTITY a.sun4v "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.sun4v.url;'>FreeBSD sun4v porting 郵遞論壇</link>">
 <!ENTITY a.sun4v.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.sun4v.url;'>freebsd-sun4v</link>">
 
+<!ENTITY a.svn-doc-all.url "&a.mailman.listinfo;/svn-doc-all">
+<!ENTITY a.svn-doc-all "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-doc-all.url;'>SVN commit messages for the entire doc tree (except for <quote>user</quote>, <quote>projects</quote> and <quote>translations</quote>)</link>">
+<!ENTITY a.svn-doc-all.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-doc-all.url;'>svn-doc-all</link>">
+
+<!ENTITY a.svn-doc-head.url "&a.mailman.listinfo;/svn-doc-head">
+<!ENTITY a.svn-doc-head "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-doc-head.url;'>SVN commit messages for the doc tree for head/</link>">
+<!ENTITY a.svn-doc-head.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-doc-head.url;'>svn-doc-head</link>">
+
+<!ENTITY a.svn-doc-projects.url "&a.mailman.listinfo;/svn-doc-projects">
+<!ENTITY a.svn-doc-projects "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-doc-projects.url;'>SVN commit messages for the doc <quote>projects</quote> tree</link>">
+<!ENTITY a.svn-doc-projects.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-doc-projects.url;'>svn-doc-projects</link>">
+
+<!ENTITY a.svn-doc-svnadmin.url "&a.mailman.listinfo;/svn-doc-svnadmin">
+<!ENTITY a.svn-doc-svnadmin "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-doc-svnadmin.url;'>SVN commit messages for the doc admin&nbsp;/ configuration tree</link>">
+<!ENTITY a.svn-doc-svnadmin.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-doc-svnadmin.url;'>svn-doc-svnadmin</link>">
+
+<!ENTITY a.svn-ports-all.url "&a.mailman.listinfo;/svn-ports-all">
+<!ENTITY a.svn-ports-all "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-ports-all.url;'>SVN commit messages for the entire ports tree</link>">
+<!ENTITY a.svn-ports-all.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-ports-all.url;'>svn-ports-all</link>">
+
+<!ENTITY a.svn-ports-head.url "&a.mailman.listinfo;/svn-ports-head">
+<!ENTITY a.svn-ports-head "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-ports-head.url;'>SVN commit messages for the ports tree for head/</link>">
+<!ENTITY a.svn-ports-head.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-ports-head.url;'>svn-ports-head</link>">
+
+<!ENTITY a.svn-ports-svnadmin.url "&a.mailman.listinfo;/svn-ports-svnadmin">
+<!ENTITY a.svn-ports-svnadmin "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-ports-svnadmin.url;'>SVN commit messages for the ports admin&nbsp;/ configuration tree</link>">
+<!ENTITY a.svn-ports-svnadmin.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-ports-svnadmin.url;'>svn-ports-svnadmin</link>">
+
+<!ENTITY a.svn-src-all.url "&a.mailman.listinfo;/svn-src-all">
+<!ENTITY a.svn-src-all "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-all.url;'>SVN commit messages for the entire src tree (except for <quote>user</quote> and <quote>projects</quote>)</link>">
+<!ENTITY a.svn-src-all.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-all.url;'>svn-src-all</link>">
+
+<!ENTITY a.svn-src-head.url "&a.mailman.listinfo;/svn-src-head">
+<!ENTITY a.svn-src-head "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-head.url;'>SVN commit messages for the src tree for head/-current</link>">
+<!ENTITY a.svn-src-head.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-head.url;'>svn-src-head</link>">
+
+<!ENTITY a.svn-src-projects.url "&a.mailman.listinfo;/svn-src-projects">
+<!ENTITY a.svn-src-projects "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-projects.url;'>SVN commit messages for the src <quote>projects</quote> tree</link>">
+<!ENTITY a.svn-src-projects.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-projects.url;'>svn-src-projects</link>">
+
+<!ENTITY a.svn-src-release.url "&a.mailman.listinfo;/svn-src-release">
+<!ENTITY a.svn-src-release "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-release.url;'>SVN commit messages for releases in the src tree</link>">
+<!ENTITY a.svn-src-release.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-release.url;'>svn-src-release</link>">
+
+<!ENTITY a.svn-src-releng.url "&a.mailman.listinfo;/svn-src-releng">
+<!ENTITY a.svn-src-releng "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-releng.url;'>SVN commit messages for the release engineering&nbsp;/ security commits to the src tree</link>">
+<!ENTITY a.svn-src-releng.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-releng.url;'>svn-src-releng</link>">
+
+<!ENTITY a.svn-src-stable.url "&a.mailman.listinfo;/svn-src-stable">
+<!ENTITY a.svn-src-stable "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable.url;'>SVN commit messages for all the -stable branches of the src tree</link>">
+<!ENTITY a.svn-src-stable.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable.url;'>svn-src-stable</link>">
+
+<!ENTITY a.svn-src-stable-6.url "&a.mailman.listinfo;/svn-src-stable-6">
+<!ENTITY a.svn-src-stable-6 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-6.url;'>SVN commit messages for only the 6-stable src tree</link>">
+<!ENTITY a.svn-src-stable-6.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-6.url;'>svn-src-stable-6</link>">
+
+<!ENTITY a.svn-src-stable-7.url "&a.mailman.listinfo;/svn-src-stable-7">
+<!ENTITY a.svn-src-stable-7 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-7.url;'>SVN commit messages for only the 7-stable src tree</link>">
+<!ENTITY a.svn-src-stable-7.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-7.url;'>svn-src-stable-7</link>">
+
+<!ENTITY a.svn-src-stable-8.url "&a.mailman.listinfo;/svn-src-stable-8">
+<!ENTITY a.svn-src-stable-8 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-8.url;'>SVN commit messages for only the 8-stable src tree</link>">
+<!ENTITY a.svn-src-stable-8.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-8.url;'>svn-src-stable-8</link>">
+
+<!ENTITY a.svn-src-stable-9.url "&a.mailman.listinfo;/svn-src-stable-9">
+<!ENTITY a.svn-src-stable-9 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-9.url;'>SVN commit messages for only the 9-stable src tree</link>">
+<!ENTITY a.svn-src-stable-9.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-9.url;'>svn-src-stable-9</link>">
+
+<!ENTITY a.svn-src-stable-10.url "&a.mailman.listinfo;/svn-src-stable-10">
+<!ENTITY a.svn-src-stable-10 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-10.url;'>SVN commit messages for only the 10-stable src tree</link>">
+<!ENTITY a.svn-src-stable-10.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-10.url;'>svn-src-stable-10</link>">
+
+<!ENTITY a.svn-src-stable-other.url "&a.mailman.listinfo;/svn-src-stable-other">
+<!ENTITY a.svn-src-stable-other "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-other.url;'>SVN commit messages for the old stable src trees</link>">
+<!ENTITY a.svn-src-stable-other.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-stable-other.url;'>svn-src-stable-other</link>">
+
+<!ENTITY a.svn-src-svnadmin.url "&a.mailman.listinfo;/svn-src-svnadmin">
+<!ENTITY a.svn-src-svnadmin "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-svnadmin.url;'>SVN commit messages for the admin&nbsp;/ configuration tree</link>">
+<!ENTITY a.svn-src-svnadmin.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-svnadmin.url;'>svn-src-svnadmin</link>">
+
+<!ENTITY a.svn-src-user.url "&a.mailman.listinfo;/svn-src-user">
+<!ENTITY a.svn-src-user "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-user.url;'>SVN commit messages for the experimental <quote>user</quote> src tree</link>">
+<!ENTITY a.svn-src-user.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-user.url;'>svn-src-user</link>">
+
+<!ENTITY a.svn-src-vendor.url "&a.mailman.listinfo;/svn-src-vendor">
+<!ENTITY a.svn-src-vendor "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-vendor.url;'>SVN commit messages for the vendor work area tree</link>">
+<!ENTITY a.svn-src-vendor.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.svn-src-vendor.url;'>svn-src-vendor</link>">
+
+<!ENTITY a.sysinstall.url "&a.mailman.listinfo;/freebsd-sysinstall">
+<!ENTITY a.sysinstall "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.sysinstall.url;'>Sysinstall development mailing list</link>">
+<!ENTITY a.sysinstall.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.sysinstall.url;'>freebsd-sysinstall</link>">
+
+<!ENTITY a.tcltk.url "&a.mailman.listinfo;/freebsd-tcltk">
+<!ENTITY a.tcltk "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.tcltk.url;'>FreeBSD-specific Tcl/Tk discussions</link>">
+<!ENTITY a.tcltk.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.tcltk.url;'>freebsd-tcltk</link>">
+
 <!ENTITY a.test.url "&a.mailman.listinfo;/freebsd-test">
 <!ENTITY a.test "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.test.url;'>FreeBSD test 郵遞論壇</link>">
 <!ENTITY a.test.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.test.url;'>freebsd-test</link>">
@@ -402,14 +547,30 @@
 <!ENTITY a.testing "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.testing.url;'>FreeBSD performance and stability testing 郵遞論壇</link>">
 <!ENTITY a.testing.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.testing.url;'>freebsd-testing</link>">
 
+<!ENTITY a.tex.url "&a.mailman.listinfo;/freebsd-tex">
+<!ENTITY a.tex "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.tex.url;'>Porting TeX and its applications to &os;</link>">
+<!ENTITY a.tex.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.tex.url;'>freebsd-tex</link>">
+
 <!ENTITY a.threads.url "&a.mailman.listinfo;/freebsd-threads">
 <!ENTITY a.threads "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.threads.url;'>FreeBSD threads 郵遞論壇</link>">
 <!ENTITY a.threads.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.threads.url;'>freebsd-threads</link>">
 
+<!ENTITY a.tilera.url "&a.mailman.listinfo;/freebsd-tilera">
+<!ENTITY a.tilera "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.tilera.url;'>Porting FreeBSD to the Tilera family of CPUs</link>">
+<!ENTITY a.tilera.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.tilera.url;'>freebsd-tilera</link>">
+
 <!ENTITY a.tokenring.url "&a.mailman.listinfo;/freebsd-tokenring">
 <!ENTITY a.tokenring "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.tokenring.url;'>FreeBSD tokenring 郵遞論壇</link>">
 <!ENTITY a.tokenring.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.tokenring.url;'>freebsd-tokenring</link>">
 
+<!ENTITY a.toolchain.url "&a.mailman.listinfo;/freebsd-toolchain">
+<!ENTITY a.toolchain "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.toolchain.url;'>FreeBSD integrated toolchain mailing list</link>">
+<!ENTITY a.toolchain.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.toolchain.url;'>freebsd-toolchain</link>">
+
+<!ENTITY a.translators.url "&a.mailman.listinfo;/freebsd-translators">
+<!ENTITY a.translators "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.translators.url;'>FreeBSD translators mailing list</link>">
+<!ENTITY a.translators.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.translators.url;'>freebsd-translators</link>">
+
 <!ENTITY a.usb.url "&a.mailman.listinfo;/freebsd-usb">
 <!ENTITY a.usb "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.usb.url;'>FreeBSD USB 郵遞論壇</link>">
 <!ENTITY a.usb.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.usb.url;'>freebsd-usb</link>">
@@ -422,11 +583,23 @@
 <!ENTITY a.vendors "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.vendors.url;'>FreeBSD vendors pre-release coordination 郵遞論壇</link>">
 <!ENTITY a.vendors.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.vendors.url;'>freebsd-vendors</link>">
 
+<!ENTITY a.virtualization.url "&a.mailman.listinfo;/freebsd-virtualization">
+<!ENTITY a.virtualization "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.virtualization.url;'>Discussion of various virtualization techniques supported by FreeBSD</link>">
+<!ENTITY a.virtualization.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.virtualization.url;'>freebsd-virtualization</link>">
+
 <!ENTITY a.vuxml.url "&a.mailman.listinfo;/freebsd-vuxml">
 <!ENTITY a.vuxml "<unlink url='&a.vuxml.url;'>Discussion on the VuXML
 infrastructure</link>">
 <!ENTITY a.vuxml.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.vuxml.url;'>freebsd-vuxml</link>">
 
+<!ENTITY a.wip-status.url "&a.mailman.listinfo;/freebsd-wip-status">
+<!ENTITY a.wip-status "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.wip-status.url;'>FreeBSD Work-In-Progress Status</link>">
+<!ENTITY a.wip-status.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.wip-status.url;'>freebsd-wip-status</link>">
+
+<!ENTITY a.wireless.url "&a.mailman.listinfo;/freebsd-wireless">
+<!ENTITY a.wireless "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.wireless.url;'>Discussions of 802.11 stack, tools, device driver development</link>">
+<!ENTITY a.wireless.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.wireless.url;'>freebsd-wireless</link>">
+
 <!ENTITY a.www.url "&a.mailman.listinfo;/freebsd-www">
 <!ENTITY a.www "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.www.url;'>FreeBSD Webmaster 郵遞論壇</link>">
 <!ENTITY a.www.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.www.url;'>freebsd-www</link>">
@@ -435,9 +608,38 @@
 <!ENTITY a.x11 "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.x11.url;'>FreeBSD X11 郵遞論壇</link>">
 <!ENTITY a.x11.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.x11.url;'>freebsd-x11</link>">
 
+<!ENTITY a.xen.url "&a.mailman.listinfo;/freebsd-xen">
+<!ENTITY a.xen "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.xen.url;'>FreeBSD port to Xen mailing list</link>">
+<!ENTITY a.xen.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.xen.url;'>freebsd-xen</link>">
+
+<!ENTITY a.xfce.url "&a.mailman.listinfo;/freebsd-xfce">
+<!ENTITY a.xfce "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.xfce.url;'>XFCE for FreeBSD mailing list</link>">
+<!ENTITY a.xfce.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.xfce.url;'>freebsd-xfce</link>">
+
+<!ENTITY a.zope.url "&a.mailman.listinfo;/freebsd-zope">
+<!ENTITY a.zope "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.zope.url;'>Zope for FreeBSD mailing list</link>">
+<!ENTITY a.zope.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.zope.url;'>freebsd-zope</link>">
+
 <!-- Not really proper mailing lists -->
 
 <!ENTITY a.bugfollowup "<email xmlns='http://docbook.org/ns/docbook'>bug-followup@FreeBSD.org</email>">
 <!ENTITY a.bugsubmit "&a.bugfollowup;">
 
 <!ENTITY a.majordomo "<email xmlns='http://docbook.org/ns/docbook'>majordomo@FreeBSD.org</email>">
+
+<!--
+     The following mailinglists are deactivated.  Keep them until all references
+     in the documentation are gone.
+-->
+
+<!ENTITY a.alpha.url "&a.mailman.listinfo;/freebsd-alpha">
+<!ENTITY a.alpha "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.alpha.url;'>FreeBSD Alpha porting mailing list</link>">
+<!ENTITY a.alpha.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.alpha.url;'>freebsd-alpha</link>">
+
+<!ENTITY a.qa.url "&a.mailman.listinfo;/freebsd-qa">
+<!ENTITY a.qa "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.qa.url;'>FreeBSD Quality Assurance mailing list</link>">
+<!ENTITY a.qa.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.qa.url;'>freebsd-qa</link>">
+
+<!ENTITY a.smp.url "&a.mailman.listinfo;/freebsd-smp">
+<!ENTITY a.smp "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.smp.url;'>FreeBSD symmetric multiprocessing mailing list</link>">
+<!ENTITY a.smp.name "<link xmlns='http://docbook.org/ns/docbook' xlink:href='&a.smp.url;'>freebsd-smp</link>">