diff --git a/en_US.ISO8859-1/books/handbook/book.sgml b/en_US.ISO8859-1/books/handbook/book.sgml
index 5a05e624d2..3d478cbcb1 100644
--- a/en_US.ISO8859-1/books/handbook/book.sgml
+++ b/en_US.ISO8859-1/books/handbook/book.sgml
@@ -1,237 +1,241 @@
%man;
%bookinfo;
%freebsd;
%chapters;
%authors;
%teams;
%mailing-lists;
%newsgroups;
%trademarks;
%txtfiles;
%pgpkeys;
]>
FreeBSD HandbookThe FreeBSD Documentation ProjectFebruary 1999199519961997199819992000200120022003The FreeBSD Documentation Project
&bookinfo.legalnotice;
&tm-attrib.freebsd;
&tm-attrib.3com;
+ &tm-attrib.3ware;
+ &tm-attrib.adaptec;
&tm-attrib.adobe;
&tm-attrib.apple;
&tm-attrib.corel;
&tm-attrib.creative;
&tm-attrib.ibm;
&tm-attrib.ieee;
&tm-attrib.intel;
&tm-attrib.intuit;
&tm-attrib.linux;
+ &tm-attrib.lsilogic;
+ &tm-attrib.m-systems;
&tm-attrib.macromedia;
&tm-attrib.microsoft;
&tm-attrib.netscape;
&tm-attrib.opengroup;
&tm-attrib.oracle;
&tm-attrib.powerquest;
&tm-attrib.realnetworks;
&tm-attrib.redhat;
&tm-attrib.sap;
&tm-attrib.sun;
&tm-attrib.symantec;
&tm-attrib.waterloomaple;
&tm-attrib.wolframresearch;
&tm-attrib.general;
Welcome to FreeBSD! This handbook covers the installation and day
to day use of FreeBSD &rel2.current;-RELEASE
and FreeBSD &rel.current;-RELEASE.
This manual is a work in progress and is the work
of many individuals. Many sections do not yet exist and some of those
that do exist need to be updated. If you are interested in helping
with this project, send email to the &a.doc;. The latest version of
this document is always available from the FreeBSD web site.
It may also be downloaded in a variety of formats and compression
options from the FreeBSD FTP
server or one of the numerous mirror sites. If you would prefer
to have a hard copy of the handbook, you can purchase one at the
FreeBSD Mall. You
may also want to search the
handbook.
&chap.preface;
Getting StartedThis part of the FreeBSD Handbook is for users and
administrators who are new to FreeBSD. These chapters:Introduce you to FreeBSD.Guide you through the installation process.Teach you some &unix; basics.Show you how to install the wealth of third party
applications available for FreeBSD.Introduce you to X, the &unix; windowing system, and
detail how to configure a desktop environment that makes you
more productive.We have tried to keep the number of forward references in
the text to a minimum so that you can read this section of the
Handbook from front to back with the minimum of page flipping
required.System AdministrationThe remaining chapters of the FreeBSD Handbook cover all
aspects of FreeBSD system administration. Each chapter
starts by describing what you will learn as a result of reading
the chapter, and also details what you are expected to know
before tackling the material.These chapters are designed to be read when
you need the information. You do not have to read them in any
particular order, nor do you need to read all of them before you
can begin using FreeBSD.Appendices
&chap.colophon;
diff --git a/en_US.ISO8859-1/books/handbook/boot/chapter.sgml b/en_US.ISO8859-1/books/handbook/boot/chapter.sgml
index 55a5a6f1df..7285d61e79 100644
--- a/en_US.ISO8859-1/books/handbook/boot/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/boot/chapter.sgml
@@ -1,799 +1,799 @@
The FreeBSD Booting ProcessSynopsisbootingbootstrapThe process of starting a computer and loading the operating system
is referred to as the bootstrap process, or simply
booting. FreeBSD's boot process provides a great deal of
flexibility in customizing what happens when you start the system,
allowing you to select from different operating systems installed on the
same computer, or even different versions of the same operating system
or installed kernel.This chapter details the configuration options you can set and how
to customize the FreeBSD boot process. This includes everything that
happens until the FreeBSD kernel has started, probed for devices, and
started &man.init.8;. If you are not quite sure when this happens, it
occurs when the text color changes from bright white to grey.After reading this chapter, you will know:What the components of the FreeBSD bootstrap system are, and how
they interact.The options you can give to the components in the FreeBSD
bootstrap to control the boot process.The basics of &man.device.hints.5;.x86 OnlyThis chapter only describes the boot process for FreeBSD running
on Intel x86 systems.The Booting ProblemTurning on a computer and starting the operating system poses an
interesting dilemma. By definition, the computer does not know how to
do anything until the operating system is started. This includes
running programs from the disk. So if the computer can not run a
program from the disk without the operating system, and the operating
system programs are on the disk, how is the operating system
started?This problem parallels one in the book The Adventures of
Baron Munchausen. A character had fallen part way down a
manhole, and pulled himself out by grabbing his bootstraps, and
lifting. In the early days of computing the term
bootstrap was applied to the mechanism used to
load the operating system, which has become shortened to
booting.On x86 hardware the Basic Input/Output System (BIOS) is responsible
for loading the operating system. To do this, the BIOS looks on the
hard disk for the Master Boot Record (MBR), which must be located on a
specific place on the disk. The BIOS has enough knowledge to load and
run the MBR, and assumes that the MBR can then carry out the rest of the
tasks involved in loading the operating system.BIOSBasic Input/Output SystemIf you only have one operating system installed on your disks then
the standard MBR will suffice. This MBR searches for the first bootable
slice on the disk, and then runs the code on that slice to load the
remainder of the operating system.If you have installed multiple operating systems on your disks then
you can install a different MBR, one that can display a list of
different operating systems, and allows you to choose the one to boot
from. FreeBSD comes with one such MBR which can be installed, and other
operating system vendors also provide alternative MBRs.The remainder of the FreeBSD bootstrap system is divided into three
stages. The first stage is run by the MBR, which knows just enough to
get the computer into a specific state and run the second stage. The
second stage can do a little bit more, before running the third stage.
The third stage finishes the task of loading the operating system. The
work is split into these three stages because the PC standards put
limits on the size of the programs that can be run at stages one and
two. Chaining the tasks together allows FreeBSD to provide a more
flexible loader.kernelinitThe kernel is then started and it begins to probe for devices
and initialize them for use. Once the kernel boot
process is finished, the kernel passes control to the user process
&man.init.8;, which then makes sure the disks are in a usable state.
&man.init.8; then starts the user-level resource configuration which
mounts file systems, sets up network cards to communicate on the
network, and generally starts all the processes that usually
are run on a FreeBSD system at startup.The MBR, and Boot Stages One, Two, and ThreeMBR, <filename>/boot/boot0</filename>Master Boot Record (MBR)The FreeBSD MBR is located in /boot/boot0.
This is a copy of the MBR, as the real MBR must
be placed on a special part of the disk, outside the FreeBSD
area.boot0 is very simple, since the
program in the MBR can only be 512 bytes in
size. If you have installed the FreeBSD MBR and have installed
multiple operating systems on your hard disks then you will see a
display similar to this one at boot time:<filename>boot0</filename> ScreenshotF1 DOS
F2 FreeBSD
F3 Linux
F4 ??
F5 Drive 1
Default: F2
- Other operating systems, in particular Windows 95, have been known
+ Other operating systems, in particular &windows; 95, have been known
to overwrite an existing MBR with their own. If this happens to you,
or you want to replace your existing MBR with the FreeBSD MBR then use
the following command:&prompt.root; fdisk -B -b /boot/boot0 deviceWhere device is the device that you
boot from, such as ad0 for the first IDE
disk, ad2 for the first IDE disk on a second
IDE controller, da0 for the first SCSI disk,
and so on.If you are a Linux user, however, and prefer that
LILO control the boot process, you can
edit the /etc/lilo.conf file for FreeBSD, or
select
during the FreeBSD installation process. If you have installed the
FreeBSD boot manager, you can boot back into Linux and modify the
LILO configuration file
/etc/lilo.conf and add the following
option:other=/dev/hdXY
table=/dev/hdb
loader=/boot/chain.b
label=FreeBSDwhich will permit the booting of FreeBSD and Linux via
LILO. In our example, we use
XY to determine drive number and
partition. If you are using a SCSI drive, you
will want to change /dev/hdXY to read
something similar to /dev/sdXY, which
again uses the XY syntax. The
can be omitted if you have
both operating systems on the same drive. You can now run
/sbin/lilo -v to commit your new changes to the
system, this should be verified with screen messages.Stage One, <filename>/boot/boot1</filename>, and Stage Two,
<filename>/boot/boot2</filename>Conceptually the first and second stages are part of the same
program, on the same area of the disk. Because of space constraints
they have been split into two, but you would always install them
together.They are found on the boot sector of
the boot slice, which is where boot0, or any other program on the
MBR expects to find the program to run to
continue the boot process. The files in the
/boot directory are copies of the real files,
which are stored outside of the FreeBSD file system.boot1 is very simple, since it too
can only be 512 bytes
in size, and knows just enough about the FreeBSD
disklabel, which stores information
about the slice, to find and execute boot2.boot2 is slightly more sophisticated, and understands
the FreeBSD file system enough to find files on it, and can
provide a simple interface to choose the kernel or loader to
run.Since the loader is
much more sophisticated, and provides a nice easy-to-use
boot configuration, boot2 usually runs
it, but previously it
was tasked to run the kernel directly.<filename>boot2</filename> Screenshot>> FreeBSD/i386 BOOT
Default: 0:ad(0,a)/kernel
boot:If you ever need to replace the installed
boot1 and boot2 use
&man.disklabel.8;.&prompt.root; disklabel -B disksliceWhere diskslice is the disk and slice
you boot from, such as ad0s1 for the first
slice on the first IDE disk.Dangerously Dedicated ModeIf you use just the disk name, such as
ad0, in the &man.disklabel.8; command you
will create a dangerously dedicated disk, without slices. This is
almost certainly not what you want to do, so make sure you double
check the &man.disklabel.8; command before you press
Return.Stage Three, <filename>/boot/loader</filename>boot-loaderThe loader is the final stage of the three-stage
bootstrap, and is located on the file system, usually as
/boot/loader.The loader is intended as a user-friendly method for
configuration, using an easy-to-use built-in command set,
backed up by a more powerful interpreter, with a more complex
command set.Loader Program FlowDuring initialization, the loader will probe for a
console and for disks, and figure out what disk it is
booting from. It will set variables accordingly, and an
interpreter is started where user commands can be passed from
a script or interactively.loaderloader configurationThe loader will then read
/boot/loader.rc, which by default reads
in /boot/defaults/loader.conf which
sets reasonable defaults for variables and reads
/boot/loader.conf for local changes to
those variables. loader.rc then acts
on these variables, loading whichever modules and kernel are
selected.Finally, by default, the loader issues a 10 second wait
for key presses, and boots the kernel if it is not interrupted.
If interrupted, the user is presented with a prompt which
understands the easy-to-use command set, where the user may
adjust variables, unload all modules, load modules, and then
finally boot or reboot.Loader Built-In CommandsThese are the most commonly used loader commands. For a
complete discussion of all available commands, please see
&man.loader.8;.autoboot secondsProceeds to boot the kernel if not interrupted
within the time span given, in seconds. It displays a
countdown, and the default time span is 10
seconds.boot
-optionskernelnameImmediately proceeds to boot the kernel, with the
given options, if any, and with the kernel name given,
if it is.boot-confGoes through the same automatic configuration of
modules based on variables as what happens at boot.
This only makes sense if you use
unload first, and change some
variables, most commonly kernel.help
topicShows help messages read from
/boot/loader.help. If the topic
given is index, then the list of
available topics is given.include filename
…Processes the file with the given filename. The
file is read in, and interpreted line by line. An
error immediately stops the include command.load typefilenameLoads the kernel, kernel module, or file of the
type given, with the filename given. Any arguments
after filename are passed to the file.ls pathDisplays a listing of files in the given path, or
the root directory, if the path is not specified. If
is specified, file sizes will be
shown too.lsdev Lists all of the devices from which it may be
possible to load modules. If is
specified, more details are printed.lsmod Displays loaded modules. If is
specified, more details are shown.more filenameDisplays the files specified, with a pause at each
LINES displayed.rebootImmediately reboots the system.set variableset
variable=valueSets the loader's environment variables.unloadRemoves all loaded modules.Loader ExamplesHere are some practical examples of loader usage:single-user modeTo simply boot your usual kernel, but in single-user
mode:boot -sTo unload your usual kernel and modules, and then
load just your old (or another) kernel:kernel.oldunloadload kernel.oldYou can use kernel.GENERIC to
refer to the generic kernel that comes on the install
disk, or kernel.old to refer to
your previously installed kernel (when you have upgraded
or configured your own kernel, for example).Use the following to load your usual modules with
another kernel:unloadset kernel="kernel.old"boot-confTo load a kernel configuration script (an automated
script which does the things you would normally do in the
kernel boot-time configurator):load -t userconfig_script /boot/kernel.confKernel Interaction During Bootkernelboot interactionOnce the kernel is loaded by either loader (as usual) or boot2 (bypassing the loader), it
examines its boot flags, if any, and adjusts its behavior as
necessary.kernelbootflagsKernel Boot FlagsHere are the more common boot flags:during kernel initialization, ask for the device
to mount as the root file system.boot from CDROM.run UserConfig, the boot-time kernel
configuratorboot into single-user modebe more verbose during kernel startupThere are other boot flags, read &man.boot.8; for more
information on them.TomRhodesContributed by device.hintsDevice HintsThis is a FreeBSD 5.0 and later feature which does not
exist in earlier versions.During initial system startup, the boot &man.loader.8; will read the
&man.device.hints.5; file. This file stores kernel boot information
known as variables, sometimes referred to as device hints.
These device hints are used by device drivers for device
configuration.Device hints may also be specified at the
Stage 3 boot loader prompt. Variables can be added using
set, removed with unset, and viewed
with the show commands. Variables set in the
/boot/device.hints file can be overridden here also. Device hints entered at
the boot loader are not permanent and will be forgotten on the next
reboot.Once the system is booted, the &man.kenv.1; command can be used to
dump all of the variables.The syntax for the /boot/device.hints file is one variable per line, using
the standard hash # as comment markers. Lines are
constructed as follows:hint.driver.unit.keyword="value"The syntax for the Stage 3 boot loader is:set hint.driver.unit.keyword=valuedriver is the device driver name, unit
is the device driver unit number, and keyword is the hint
keyword. The keyword may consist of the following options:at: specifies the bus which the device is attached to.port: specifies the start address of the I/O
to be used.irq: specifies the interrupt request number to be used.drq: specifies the DMA channel number.maddr: specifies the physical memory address occupied by the
device.flags: sets various flag bits for the device.disabled: if set to 1 the device is disabled.Device drivers may accept (or require) more hints not listed here, viewing
their manual page is recommended. For more information, consult the
&man.device.hints.5;, &man.kenv.1;, &man.loader.conf.5;, and &man.loader.8;
manual pages.initInit: Process Control InitializationOnce the kernel has finished booting, it passes control to
the user process &man.init.8;, which is located at
/sbin/init, or the program path specified
in the init_path variable in
loader.Automatic Reboot SequenceThe automatic reboot sequence makes sure that the
file systems available on the system are consistent. If they
are not, and &man.fsck.8; cannot fix the
inconsistencies, &man.init.8; drops the system
into single-user mode
for the system administrator to take care of the problems
directly.Single-User Modesingle-user modeconsoleThis mode can be reached through the automatic reboot
sequence, or by the user booting with the
option or setting the
boot_single variable in
loader.It can also be reached by calling
&man.shutdown.8; without the reboot
() or halt () options,
from multi-user
mode.If the system console is set
to insecure in /etc/ttys,
then the system prompts for the root password
before initiating single-user mode.An Insecure Console in <filename>/etc/ttys</filename># name getty type status comments
#
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none unknown off insecureAn insecure console means that you
consider your physical security to the console to be
insecure, and want to make sure only someone who knows the
root password may use single-user mode, and it
does not mean that you want to run your console insecurely. Thus,
if you want security, choose insecure,
not secure.Multi-User Modemulti-user modeIf &man.init.8; finds your file systems to be
in order, or once the user has finished in single-user mode, the
system enters multi-user mode, in which it starts the
resource configuration of the system.rc filesResource Configuration (rc)The resource configuration system reads in
configuration defaults from
/etc/defaults/rc.conf, and
system-specific details from
/etc/rc.conf, and then proceeds to
mount the system file systems mentioned in
/etc/fstab, start up networking
services, start up miscellaneous system daemons, and
finally runs the startup scripts of locally installed
packages.The &man.rc.8; manual page is a good reference to the resource
configuration system, as is examining the scripts
themselves.Shutdown SequenceshutdownUpon controlled shutdown, via &man.shutdown.8;,
&man.init.8; will attempt to run the script
/etc/rc.shutdown, and then proceed to send
all processes the TERM signal, and subsequently
the KILL signal to any that do not terminate
timely.To power down a FreeBSD machine on architectures and systems
that support power management, simply use the command
shutdown -p now to turn the power off
immediately. To just reboot a FreeBSD system, just use
shutdown -r now. You need to be
root or a member of
operator group to run &man.shutdown.8;.
The &man.halt.8; and &man.reboot.8; commands can also be used,
please refer to their manual pages and to &man.shutdown.8;'s one
for more informations.Power management requires &man.acpi.4; support in the kernel
or loaded as module for FreeBSD 5.X and &man.apm.4;
support for FreeBSD 4.X.
diff --git a/en_US.ISO8859-1/books/handbook/config/chapter.sgml b/en_US.ISO8859-1/books/handbook/config/chapter.sgml
index e1537030f6..6894c204d2 100644
--- a/en_US.ISO8859-1/books/handbook/config/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/config/chapter.sgml
@@ -1,2318 +1,2318 @@
ChernLeeWritten by MikeSmithBased on a tutorial written by MattDillonAlso based on tuning(7) written by Configuration and TuningSynopsissystem configurationsystem optimizationOne of the important aspects of FreeBSD is system configuration.
Correct system configuration will help prevent headaches during future upgrades.
This chapter will explain much of the FreeBSD configuration process,
including some of the parameters which
can be set to tune a FreeBSD system.
After reading this chapter, you will know:How to efficiently work with
file systems and swap partitions.The basics of rc.conf configuration and
/usr/local/etc/rc.d startup systems.How to configure and test a network card.How to configure virtual hosts on your network devices.How to use the various configuration files in
/etc.How to tune FreeBSD using sysctl
variables.How to tune disk performance and modify kernel
limitations.Before reading this chapter, you should:
- Understand Unix and FreeBSD basics (Understand &unix; and FreeBSD basics ().Be familiar with keeping FreeBSD sources up to date
(), and
the basics of kernel configuration/compilation
().Initial ConfigurationPartition Layoutpartition layout/etc/var/usrBase PartitionsWhen laying out file systems with &man.disklabel.8;
or &man.sysinstall.8;, remember that hard
drives transfer data faster from the outer
tracks to the inner.
Thus smaller and heavier-accessed file systems
should be closer to the outside of the drive While
larger partitions like /usr should be placed
toward the inner. It is a good idea to create
partitions in a similar order to: root, swap,
/var, /usr.The size of /var
reflects the intended machine usage.
/var is used to hold
mailboxes, log files, and printer spools. Mailboxes and log
files can grow to unexpected sizes depending
on how many users exist and how long log
files are kept. Most users would never require a gigabyte,
but remember that /var/tmp
must be large enough to contain packages.
The /usr partition holds much
of the files required to support the system, the &man.ports.7;
collection (recommended) and the source code (optional). Both
of which are optional at install time.
At least 2 gigabytes would be recommended for this partition.
When selecting partition sizes, keep the space
requirements in mind. Running out of space in
one partition while barely using another can be a
hassle.Some users have found that &man.sysinstall.8;'s
Auto-defaults partition sizer will
sometimes select smaller than adequate /var
and / partitions. Partition wisely and
generously.Swap Partitionswap sizingswap partitionAs a rule of thumb, the swap partition should be
about double the size of system memory (RAM). For example,
if the machine has 128 megabytes of memory,
the swap file should be 256 megabytes. Systems with
less memory may perform better with more swap.
Less than 256 megabytes of swap is not recommended and
memory expansion should be considered.
The kernel's VM paging algorithms are tuned to
perform best when the swap partition is at least two times the
size of main memory. Configuring too little swap can lead to
inefficiencies in the VM page scanning code and might create
issues later if more memory is added.On larger systems with multiple SCSI disks (or
multiple IDE disks operating on different controllers), it is
recommend that a swap is configured on each drive (up
to four drives). The swap partitions should be
approximately the same size. The kernel can handle arbitrary
sizes but internal data structures scale to 4 times the
largest swap partition. Keeping the swap partitions near the
same size will allow the kernel to optimally stripe swap space
across disks.
Large swap sizes are fine, even if swap is not
used much. It might be easier to recover
from a runaway program before being forced to reboot.Why Partition?Several users think a single large partition will be fine,
but there are several reasons why this is a bad idea.
First, each partition has different operational
characteristics and separating them allows the file system to
tune accordingly. For example, the root
and /usr partitions are read-mostly, without
much writing. While a lot of reading and writing could
occur in /var and
/var/tmp.By properly partitioning a system, fragmentation
introduced in the smaller write heavy partitions
will not bleed over into the mostly-read partitions.
Keeping the write-loaded partitions closer to
the disk's edge,
will
increase I/O performance in the partitions where it occurs
the most. Now while I/O
performance in the larger partitions may be needed,
shifting them more toward the edge of the disk will not
lead to a significant performance improvement over moving
/var to the edge.
Finally, there are safety concerns. A smaller, neater root
partition which is mostly read-only has a greater
chance of surviving a bad crash.Core Configurationrc filesrc.confThe principal location for system configuration information
is within /etc/rc.conf. This file
contains a wide range of configuration information, principally
used at system startup to configure the system. Its name
directly implies this; it is configuration information for the
rc* files.An administrator should make entries in the
rc.conf file to
override the default settings from
/etc/defaults/rc.conf. The defaults file
should not be copied verbatim to /etc - it
contains default values, not examples. All system-specific
changes should be made in the rc.conf
file itself.A number of strategies may be applied in clustered
applications to separate site-wide configuration from
system-specific configuration in order to keep administration
overhead down. The recommended approach is to place site-wide
configuration into another file,
such as /etc/rc.conf.site, and then include
this file into /etc/rc.conf, which will
contain only system-specific information.As rc.conf is read by &man.sh.1; it is
trivial to achieve this. For example:rc.conf: . rc.conf.site
hostname="node15.example.com"
network_interfaces="fxp0 lo0"
ifconfig_fxp0="inet 10.1.1.1"rc.conf.site: defaultrouter="10.1.1.254"
saver="daemon"
blanktime="100"The rc.conf.site file can then be
distributed to every system using rsync or a
similar program, while the rc.conf file
remains unique.Upgrading the system using &man.sysinstall.8;
or make world will not overwrite the
rc.conf
file, so system configuration information will not be lost.Application ConfigurationTypically, installed applications have their own
configuration files, with their own syntax, etc. It is
important that these files be kept separate from the base
system, so that they may be easily located and managed by the
package management tools./usr/local/etcTypically, these files are installed in
/usr/local/etc. In the case where an
application has a large number of configuration files, a
subdirectory will be created to hold them.Normally, when a port or package is installed, sample
configuration files are also installed. These are usually
identified with a .default suffix. If there
are no existing
configuration files for the application, they will be created by
copying the .default files.For example, consider the contents of the directory
/usr/local/etc/apache:-rw-r--r-- 1 root wheel 2184 May 20 1998 access.conf
-rw-r--r-- 1 root wheel 2184 May 20 1998 access.conf.default
-rw-r--r-- 1 root wheel 9555 May 20 1998 httpd.conf
-rw-r--r-- 1 root wheel 9555 May 20 1998 httpd.conf.default
-rw-r--r-- 1 root wheel 12205 May 20 1998 magic
-rw-r--r-- 1 root wheel 12205 May 20 1998 magic.default
-rw-r--r-- 1 root wheel 2700 May 20 1998 mime.types
-rw-r--r-- 1 root wheel 2700 May 20 1998 mime.types.default
-rw-r--r-- 1 root wheel 7980 May 20 1998 srm.conf
-rw-r--r-- 1 root wheel 7933 May 20 1998 srm.conf.defaultThe file sizes show that only the srm.conf
file has been changed. A later update of the Apache port would not
overwrite this changed file.Starting ServicesservicesIt is common for a system to host a number of services.
These may be started in several different fashions, each having
different advantages./usr/local/etc/rc.dSoftware installed from a port or the packages collection
will often place a script in
/usr/local/etc/rc.d which is invoked at
system startup with a argument, and at
system shutdown with a argument.
This is the recommended way for
starting system-wide services that are to be run as
root, or that
expect to be started as root.
These scripts are registered as
part of the installation of the package, and will be removed
when the package is removed.A generic startup script in
/usr/local/etc/rc.d looks like:#!/bin/sh
echo -n ' FooBar'
case "$1" in
start)
/usr/local/bin/foobar
;;
stop)
kill -9 `cat /var/run/foobar.pid`
;;
*)
echo "Usage: `basename $0` {start|stop}" >&2
exit 64
;;
esac
exit 0
The startup scripts of FreeBSD will look in
/usr/local/etc/rc.d for scripts that have an
.sh extension and are executable by
root. Those scripts that are found are called with
an option at startup, and
at shutdown to allow them to carry out their purpose. So if you wanted
the above sample script to be picked up and run at the proper time during
system startup, you should save it to a file called
FooBar.sh in
/usr/local/etc/rc.d and make sure it is
executable. You can make a shell script executable with &man.chmod.1;
as shown below:&prompt.root; chmod 755 FooBar.shSome services expect to be invoked by &man.inetd.8; when a
connection is received on a suitable port. This is common for
mail reader servers (POP and IMAP, etc.). These services are
enabled by editing the file /etc/inetd.conf.
See &man.inetd.8; for details on editing this file.Some additional system services may not be covered by the
toggles in /etc/rc.conf. These are
traditionally enabled by placing the command(s) to invoke them
in /etc/rc.local. As of FreeBSD 3.1 there
is no default /etc/rc.local; if it is
created by the administrator it will however be honored in the
normal fashion. Note that rc.local is
generally regarded as the location of last resort; if there is a
better place to start a service, do it there.Do not place any commands in
/etc/rc.conf. To start daemons, or
run any commands at boot time, place a script in
/usr/local/etc/rc.d instead.It is also possible to use the &man.cron.8; daemon to start
system services. This approach has a number of advantages, not
least being that because &man.cron.8; runs these processes as the
owner of the crontab, services may be started
and maintained by non-root users.This takes advantage of a feature of &man.cron.8;: the
time specification may be replaced by @reboot,
which will
cause the job to be run when &man.cron.8; is started shortly after
system boot.TomRhodesContributed by Configuring the <command>cron</command> UtilitycronconfigurationOne of the most useful utilities in FreeBSD is &man.cron.8;. The
cron utility runs in the background and constantly
checks the /etc/crontab file. The cron
utility also checks the /var/cron/tabs directory, in
search of new crontab files. These
crontab files store information about specific
functions which cron is supposed to perform at
certain times.Let us take a look at the /etc/crontab file:# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: src/etc/crontab,v 1.32 2002/11/22 16:13:39 tom Exp $
#
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#
#
#minute hour mday month wday who command
#
#
*/5 * * * * root /usr/libexec/atrun Like most &os; configuration files, the #
character represents a comment. A comment can be placed in
the file as a reminder of what and why a desired action is performed.
Comments cannot be on the same line as a command or else they will
be interpreted as part of the command; they must be on a new line.
Blank lines are ignored.First, the environment must be defined. The equals
(=) character is used to define any environment
settings, as with this example where it is used for the SHELL,
PATH, and HOME options. If the shell line is
omitted, cron will use the default, which is
sh. If the variable is
omitted, no default will be used and file locations will need to
be absolute. If is omitted, cron
will use the invoking users home directory.This line defines a total of seven fields. Listed here are the
values minute, hour,
mday, month, wday,
who, and command. These
are almost all self explanatory. Minute is the time in minutes the
command will be run. Hour is similar to the minute option, just in
hours. Mday stands for day of the month. Month is similar to hour
and minute, as it designates the month. The wday options stands for
day of the week. All these fields must be numeric values, and follow
the twenty-four hour clock. The who field is special,
and only exists in the /etc/crontab file.
This field specifies which user the command should be run as.
When a user installs his or her crontab file, they
will not have this option. Finally, the command option is listed.
This is the last field, so naturally it should designate the command
to be executed.This last line will define the values discussed above. Notice here
we have a */5 listing, followed by several more
* characters. These * characters
mean first-last, and can be interpreted as
every time. So, judging by this line,
its apparent that the atrun command is to be invoked by
root every five minutes regardless of what
day or month it is. For more information on the atrun,
see the &man.atrun.8; manual page.Commands can have any number of flags passed to them; however,
commands which extend to multiple lines need to be broken with the backslash
\ continuation character.This is the basic set up for every
crontab file, although there is one thing
different about this one. Field number six, where we specified
the username, only exists in the system
/etc/crontab file. This field should be
omitted for individual user crontab
files.Installing a CrontabTo install your freshly written
crontab, just use the
crontab utility. The most common usage
is:&prompt.root; crontab crontabThere is also an option to list installed
crontab files, just pass the
to crontab and look
over the output.Users who wish to begin their own crontab file from scratch,
without the use of a template, the crontab -e
option is available. This will invoke the selected editor
with an empty file. When the file is saved, it will be
automatically installed by the crontab command.
TomRhodesContributed by Using rc under FreeBSD 5.XrcNGFreeBSD has recently integrated the NetBSD
rc.d system for system initialization.
Users should notice the files listed in the
/etc/rc.d directory. Many of these files
are for basic services which can be controlled with the
, ,
and options.
For instance, &man.sshd.8; can be restarted with the following
command:&prompt.root; /etc/rc.d/sshd restartThis procedure is similar for other services. Of course,
services are usually started automatically as specified in
&man.rc.conf.5;. For example, enabling the Network Address
Translation daemon at startup is as simple as adding the
following line to /etc/rc.conf:natd_enable="YES"If a line is already
present, then simply change the to
. The rc scripts will automatically load
any other dependent services during the next reboot, as
described below.Since the rc.d system is primarily
intended to start/stop services at system startup/shutdown time;
the standard ,
and options will only
perform their action if the appropriate
/etc/rc.conf variables are set. For
instance the above sshd restart command will
only work if sshd_enable is set to
in /etc/rc.conf. To
, or
a service regardless of the settings in
/etc/rc.conf, the commands should be
prefixed with force. For instance to restart
sshd regardless of the current
/etc/rc.conf setting, execute the following
command:&prompt.root; /etc/rc.d/sshd forcerestartIt's easy to check if a service is enabled in
/etc/rc.conf by running the appropriate
rc.d script with the option
. Thus, an administrator can check that
sshd is in fact enabled in
/etc/rc.conf by running:&prompt.root; /etc/rc.d/sshd rcvar
# sshd
$sshd_enable=YESThe second line (# sshd) is the output
from the sshd command; not a root
console.To determine if a service is running, a
option is available. For instance to
verify that sshd is actually started:&prompt.root; /etc/rc.d/sshd status
sshd is running as pid 433.It is also possible to a service.
This will attempt to send a signal to an individual service, forcing the
service to reload its configuration files. In most cases this
means sending the service a SIGHUP
signal.The rcNG structure is not only used for network services, it also
contributes to most of the system initialization. For
instance, consider the bgfsck file. When
this script is executed, it will print out the following
message:Starting background file system checks in 60 seconds.Therefore this file is used for background file system
checks, which are done only during system initialization.Many system services depend on other services to function
properly. For example, NIS and other RPC-based services may
fail to start until after the rpcbind
(portmapper) service has started. To resolve this issue,
information about dependencies and other meta-data is included
in the comments at the top of each startup script. The
&man.rcorder.8; program is then used to parse these comments
during system initialization to determine the order in which
system services should be invoked to satisfy the dependencies.
The following words may be included at the top of each startup
file:PROVIDE: Name of serviceREQUIRE: Name of services which may be required for this service to functionBEFORE: What service should be run before this serviceKEYWORD: FreeBSD or NetBSD. This is used for *BSD dependent features.By using this method, an administrator can easily control system
services without the hassle of runlevels like
some other &unix; operating systems.Additional information about the &os; 5.X
rc.d system can be found in the &man.rc.8;
and &man.rc.subr.8; manual pages.MarcFonvieilleContributed by Setting Up Network Interface Cardsnetwork card configurationNowadays we can not think about a computer without thinking
about a network connection. Adding and configuring a network
card is a common task for any FreeBSD administrator.Locating the Correct Drivernetwork card configurationlocating the driverBefore you begin, you should know the model of the card
you have, the chip it uses, and whether it is a PCI or ISA card.
FreeBSD supports a wide variety of both PCI and ISA cards.
Check the Hardware Compatibility List for your release to see
if your card is supported.Once you are sure your card is supported, you need
to determine the proper driver for the card. The file
/usr/src/sys/i386/conf/LINT will give you
the list of network interfaces drivers with some information
about the supported chipsets/cards. If you have doubts about
which driver is the correct one, read the manual page of the
driver. The manual page will give you more information about
the supported hardware and even the possible problems that
could occur.If you own a common card, most of the time you will not
have to look very hard for a driver. Drivers for common
network cards are present in the GENERIC
kernel, so your card should show up during boot, like so:dc0: <82c169 PNIC 10/100BaseTX> port 0xa000-0xa0ff mem 0xd3800000-0xd38
000ff irq 15 at device 11.0 on pci0
dc0: Ethernet address: 00:a0:cc:da:da:da
miibus0: <MII bus> on dc0
ukphy0: <Generic IEEE 802.3u media interface> on miibus0
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc1: <82c169 PNIC 10/100BaseTX> port 0x9800-0x98ff mem 0xd3000000-0xd30
000ff irq 11 at device 12.0 on pci0
dc1: Ethernet address: 00:a0:cc:da:da:db
miibus1: <MII bus> on dc1
ukphy1: <Generic IEEE 802.3u media interface> on miibus1
ukphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, autoIn this example, we see that two cards using the &man.dc.4;
driver are present on the system.To use your network card, you will need to load the proper
driver. This may be accomplished in one of two ways. The
easiest way is to simply load a kernel module for your network
card with &man.kldload.8;. A module is not available for all
network card drivers (ISA cards and cards using the &man.ed.4;
driver, for example). Alternatively, you may statically compile
the support for your card into your kernel. Check
/usr/src/sys/i386/conf/LINT and the
manual page of the driver to know what to add in your kernel
configuration file. For more information about recompiling your
kernel, please see . If your card
was detected at boot by your kernel (GENERIC)
you do not have to build a new kernel.Configuring the Network CardNetwork card configurationconfigurationOnce the right driver is loaded for the network card, the
card needs to be configured. As with many other things, the
network card may have been configured at installation time by
sysinstall.To display the configuration for the network interfaces on
your system, enter the following command:&prompt.user; ifconfig
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:a0:cc:da:da:da
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
ether 00:a0:cc:da:da:db
media: Ethernet 10baseT/UTP
status: no carrier
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500Old versions of FreeBSD may require the
option following &man.ifconfig.8;, for more details about the
correct syntax of &man.ifconfig.8;, please refer to the manual
page. Note also that entries concerning IPv6
(inet6 etc.) were omitted in this
example.In this example, the following devices were
displayed:dc0: The first Ethernet
interfacedc1: The second Ethernet
interfacelp0: The parallel port
interfacelo0: The loopback devicetun0: The tunnel device used by
pppFreeBSD uses the driver name followed by the order in
which one the card is detected at the kernel boot to name the
network card. For example sis2 would
be the third network card on the system using the &man.sis.4;
driver.In this example, the dc0 device is
up and running. The key indicators are:UP means that the card is configured
and ready.The card has an Internet (inet)
address (in this case
192.168.1.3).It has a valid subnet mask (netmask;
0xffffff00 is the same as
255.255.255.0).It has a valid broadcast address (in this case,
192.168.1.255).The MAC address of the card (ether)
is 00:a0:cc:da:da:daThe physical media selection is on autoselection mode
(media: Ethernet autoselect (100baseTX
<full-duplex>)). We see that
dc1 was configured to run with
10baseT/UTP media. For more
information on available media types for a driver, please
refer to its manual page.The status of the link (status)
is active, i.e. the carrier is detected.
For dc1, we see
status: no carrier. This is normal when
an ethernet cable is not plugged into the card.If the &man.ifconfig.8; output had shown something similar
to:dc0: flags=8843<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
ether 00:a0:cc:da:da:dait would indicate the card has not been configured.To configure your card, you need root
privileges. The network card configuration can be done from the
command line with &man.ifconfig.8; but you would have to do it
after each reboot of the system. The file
/etc/rc.conf is where to add the network
card's configuration.Open /etc/rc.conf in your favorite
editor. You need to add a line for each network card present on
the system, for example in our case, we added these lines:ifconfig_dc0="inet 192.168.1.3 netmask 255.255.255.0"
ifconfig_dc1="inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP"You have to replace dc0,
dc1, and so on, with
the correct device for your cards, and the addresses with the
proper ones. You should read the card driver and
&man.ifconfig.8; manual pages for more details about the allowed
options and also &man.rc.conf.5; manual page for more
information on the syntax of
/etc/rc.conf.If you configured the network during installation, some
lines about the network card(s) may be already present. Double
check /etc/rc.conf before adding any
lines.You will also have to edit the file
/etc/hosts to add the names and the IP
addresses of various machines of the LAN, if they are not already
there. For more information please refer to &man.hosts.5;
and to /usr/share/examples/etc/hosts.Testing and TroubleshootingOnce you have made the necessary changes in
/etc/rc.conf, you should reboot your
system. This will allow the change(s) to the interface(s) to
be applied, and verify that the system restarts without any
configuration errors.Once the system has been rebooted, you should test the
network interfaces.Testing the Ethernet Cardnetwork card configurationtesting the cardTo verify that an Ethernet card is configured correctly,
you have to try two things. First, ping the interface itself,
and then ping another machine on the LAN.First test the local interface:&prompt.user; ping -c5 192.168.1.3
PING 192.168.1.3 (192.168.1.3): 56 data bytes
64 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=0.082 ms
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.074 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.076 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.108 ms
64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.076 ms
--- 192.168.1.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.074/0.083/0.108/0.013 msNow we have to ping another machine on the LAN:&prompt.user; ping -c5 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=0.726 ms
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.766 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.700 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=0.747 ms
64 bytes from 192.168.1.2: icmp_seq=4 ttl=64 time=0.704 ms
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 msYou could also use the machine name instead of
192.168.1.2 if you have set up the
/etc/hosts file.Troubleshootingnetwork card configurationtroubleshootingTroubleshooting hardware and software configurations is always
a pain, and a pain which can be alleviated by checking the simple
things first. Is your network cable plugged in? Have you properly
configured the network services? Did you configure the firewall
correctly? Is the card you are using supported by FreeBSD? Always
check the hardware notes before sending off a bug report. Update
your version of FreeBSD to the latest STABLE version. Check the
mailing list archives, or perhaps search the Internet.If the card works, yet performance is poor, it would be
worthwhile to read over the &man.tuning.7; manual page. You
can also check the network configuration as incorrect network
settings can cause slow connections.Some users experience one or two device
timeouts, which is normal for some cards. If they
continue, or are bothersome, you may wish to be sure the
device is not conflicting with another device. Double check
the cable connections. Perhaps you may just need to get
another card.At times, users see a few watchdog timeout
errors. The first thing to do here is to check your network
cable. Many cards require a PCI slot which supports Bus
Mastering. On some old motherboards, only one PCI slot allows
it (usually slot 0). Check the network card and the
motherboard documentation to determine if that may be the
problem.No route to host messages occur if the
system is unable to route a packet to the destination host.
This can happen if no default route is specified, or if a
cable is unplugged. Check the output of netstat
-rn and make sure there is a valid route to the host
you are trying to reach. If there is not, read on to .ping: sendto: Permission denied error
messages are often caused by a misconfigured firewall. If
ipfw is enabled in the kernel but no rules
have been defined, then the default policy is to deny all
traffic, even ping requests! Read on to for more information.Virtual Hostsvirtual hostsIP aliasesA very common use of FreeBSD is virtual site hosting, where
one server appears to the network as many servers. This is
achieved by assigning multiple network addresses to a single
interface.A given network interface has one real address,
and may have any number of alias addresses.
These aliases are
normally added by placing alias entries in
/etc/rc.conf.An alias entry for the interface fxp0
looks like:ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"Note that alias entries must start with alias0 and proceed
upwards in order, (for example, _alias1, _alias2, and so on).
The configuration process will stop at the first missing number.
The calculation of alias netmasks is important, but
fortunately quite simple. For a given interface, there must be
one address which correctly represents the network's netmask.
Any other addresses which fall within this network must have a
netmask of all 1s.For example, consider the case where the
fxp0 interface is
connected to two networks, the 10.1.1.0
network with a netmask of 255.255.255.0
and the 202.0.75.16 network with
a netmask of 255.255.255.240.
We want the system to appear at 10.1.1.1
through 10.1.1.5 and at
202.0.75.17 through
202.0.75.20.The following entries configure the adapter correctly for
this arrangement: ifconfig_fxp0="inet 10.1.1.1 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 10.1.1.2 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 10.1.1.3 netmask 255.255.255.255"
ifconfig_fxp0_alias2="inet 10.1.1.4 netmask 255.255.255.255"
ifconfig_fxp0_alias3="inet 10.1.1.5 netmask 255.255.255.255"
ifconfig_fxp0_alias4="inet 202.0.75.17 netmask 255.255.255.240"
ifconfig_fxp0_alias5="inet 202.0.75.18 netmask 255.255.255.255"
ifconfig_fxp0_alias6="inet 202.0.75.19 netmask 255.255.255.255"
ifconfig_fxp0_alias7="inet 202.0.75.20 netmask 255.255.255.255"Configuration Files<filename>/etc</filename> LayoutThere are a number of directories in which configuration
information is kept. These include:/etcGeneric system configuration information; data here is
system-specific./etc/defaultsDefault versions of system configuration files./etc/mailExtra &man.sendmail.8; configuration, other
MTA configuration files.
/etc/pppConfiguration for both user- and kernel-ppp programs.
/etc/namedbDefault location for &man.named.8; data. Normally
named.conf and zone files are stored
here./usr/local/etcConfiguration files for installed applications.
May contain per-application subdirectories./usr/local/etc/rc.dStart/stop scripts for installed applications./var/dbAutomatically generated system-specific database files,
such as the package database, the locate database, and so
onHostnameshostnameDNS<filename>/etc/resolv.conf</filename>resolv.conf/etc/resolv.conf dictates how FreeBSD's
resolver accesses the Internet Domain Name System (DNS).The most common entries to resolv.conf are:
nameserverThe IP address of a name server the resolver
should query. The servers are queried in the order
listed with a maximum of three.searchSearch list for hostname lookup. This is normally
determined by the domain of the local hostname.domainThe local domain name.A typical resolv.conf:search example.com
nameserver 147.11.1.11
nameserver 147.11.100.30Only one of the search and
domain options should be used.If you are using DHCP, &man.dhclient.8; usually rewrites
resolv.conf with information received from the
DHCP server.<filename>/etc/hosts</filename>hosts/etc/hosts is a simple text
database reminiscent of the old Internet. It works in
conjunction with DNS and NIS providing name to IP address
mappings. Local computers connected via a LAN can be placed
in here for simplistic naming purposes instead of setting up
a &man.named.8; server. Additionally,
/etc/hosts can be used to provide a
local record of Internet names, reducing the need to query
externally for commonly accessed names.# $FreeBSD$
#
# Host Database
# This file should contain the addresses and aliases
# for local hosts that share this file.
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1 localhost localhost.my.domain myname.my.domain
127.0.0.1 localhost localhost.my.domain myname.my.domain
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers. PLEASE PLEASE PLEASE do not try
# to invent your own network numbers but instead get one from your
# network provider (if any) or from the Internet Registry (ftp to
# rs.internic.net, directory `/templates').
#/etc/hosts takes on the simple format
of:[Internet address] [official hostname] [alias1] [alias2] ...For example:10.0.0.1 myRealHostname.example.com myRealHostname foobar1 foobar2Consult &man.hosts.5; for more information.Log File Configurationlog files<filename>syslog.conf</filename>syslog.confsyslog.conf is the configuration file
for the &man.syslogd.8; program. It indicates which types
of syslog messages are logged to particular
log files.# $FreeBSD$
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manual page.
*.err;kern.debug;auth.notice;mail.crit /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
cron.* /var/log/cron
*.err root
*.notice;news.err root
*.alert root
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
#*.* /var/log/all.log
# uncomment this to enable logging to a remote log host named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
!startslip
*.* /var/log/slip.log
!ppp
*.* /var/log/ppp.logConsult the &man.syslog.conf.5; manual page for more
information.<filename>newsyslog.conf</filename>newsyslog.confnewsyslog.conf is the configuration
file for &man.newsyslog.8;, a program that is normally scheduled
to run by &man.cron.8;. &man.newsyslog.8; determines when log
files require archiving or rearranging.
logfile is moved to
logfile.0, logfile.0
is moved to logfile.1, and so on.
Alternatively, the log files may be archived in &man.gzip.1; format
causing them to be named: logfile.0.gz,
logfile.1.gz, and so on.newsyslog.conf indicates which log
files are to be managed, how many are to be kept, and when
they are to be touched. Log files can be rearranged and/or
archived when they have either reached a certain size, or at a
certain periodic time/date.# configuration file for newsyslog
# $FreeBSD$
#
# filename [owner:group] mode count size when [ZB] [/pid_file] [sig_num]
/var/log/cron 600 3 100 * Z
/var/log/amd.log 644 7 100 * Z
/var/log/kerberos.log 644 7 100 * Z
/var/log/lpd-errs 644 7 100 * Z
/var/log/maillog 644 7 * @T00 Z
/var/log/sendmail.st 644 10 * 168 B
/var/log/messages 644 5 100 * Z
/var/log/all.log 600 7 * @T00 Z
/var/log/slip.log 600 3 100 * Z
/var/log/ppp.log 600 3 100 * Z
/var/log/security 600 10 100 * Z
/var/log/wtmp 644 3 * @01T05 B
/var/log/daily.log 640 7 * @T00 Z
/var/log/weekly.log 640 5 1 $W6D0 Z
/var/log/monthly.log 640 12 * $M1D0 Z
/var/log/console.log 640 5 100 * ZConsult the &man.newsyslog.8; manual page for more
information.<filename>sysctl.conf</filename>sysctl.confsysctlsysctl.conf looks much like
rc.conf. Values are set in a
variable=value
form. The specified values are set after the system goes into
multi-user mode. Not all variables are settable in this mode.A sample sysctl.conf turning off logging
of fatal signal exits and letting Linux programs know they are really
running under FreeBSD:kern.logsigexit=0 # Do not log fatal signal exits (e.g. sig 11)
compat.linux.osname=FreeBSD
compat.linux.osrelease=4.3-STABLETuning with sysctlsysctltuningwith sysctl&man.sysctl.8; is an interface that allows you to make changes
to a running FreeBSD system. This includes many advanced
options of the TCP/IP stack and virtual memory system that can
dramatically improve performance for an experienced system
administrator. Over five hundred system variables can be read
and set using &man.sysctl.8;.At its core, &man.sysctl.8; serves two functions: to read and
to modify system settings.To view all readable variables:&prompt.user; sysctl -aTo read a particular variable, for example,
kern.maxproc:&prompt.user; sysctl kern.maxproc
kern.maxproc: 1044To set a particular variable, use the intuitive
variable=value
syntax:&prompt.root; sysctl kern.maxfiles=5000
kern.maxfiles: 2088 -> 5000Settings of sysctl variables are usually either strings,
numbers, or booleans (a boolean being 1 for yes
or a 0 for no).TomRhodesContributed by &man.sysctl.8; Read-onlyIn some cases it may be desirable to modify read-only &man.sysctl.8;
values. While this is not recommended, it is also sometimes unavoidable.For instance on some laptop models the &man.cardbus.4; device will
not probe memory ranges, and fail with errors which look similar to:cbb0: Could not map register memorydevice_probe_and_attach: cbb0 attach returned 12Cases like the one above usually require the modification of some
default &man.sysctl.8; settings which are set read only. To overcome
these situations a user can put &man.sysctl.8; OIDs
in their local /boot/loader.conf.local. Default
settings are located in the /boot/defaults/loader.conf
file.Fixing the problem mentioned above would require a user to set
in the aforementioned
file. Now &man.cardbus.4; will work properly.Tuning DisksSysctl Variables<varname>vfs.vmiodirenable</varname>vfs.vmiodirenableThe vfs.vmiodirenable sysctl variable
may be set to either 0 (off) or 1 (on); it is 1 by default. This variable controls how
directories are cached by the system. Most directories are
small, using just a single fragment (typically 1 K) in the
file system and less (typically 512 bytes) in the buffer
cache. However, when operating in the default mode the buffer
cache will only cache a fixed number of directories even if
you have a huge amount of memory. Turning on this sysctl
allows the buffer cache to use the VM Page Cache to cache the
directories, making all the memory available for caching
directories. However,
the minimum in-core memory used to cache a directory is the
physical page size (typically 4 K) rather than 512 bytes. We
recommend turning this option on if you are running any
services which manipulate large numbers of files. Such
services can include web caches, large mail systems, and news
systems. Turning on this option will generally not reduce
performance even with the wasted memory but you should
experiment to find out.<varname>vfs.write_behind</varname>vfs.write_behindThe vfs.write_behind sysctl variable
defaults to 1 (on). This tells the file system
to issue media writes as full clusters are collected, which
typically occurs when writing large sequential files. The idea
is to avoid saturating the buffer cache with dirty buffers when
it would not benefit I/O performance. However, this may stall
processes and under certain circumstances you may wish to turn it
off.<varname>vfs.hirunningspace</varname>vfs.hirunningspaceThe vfs.hirunningspace sysctl variable
determines how much outstanding write I/O may be queued to disk
controllers system-wide at any given instance. The default is
usually sufficient but on machines with lots of disks you may
want to bump it up to four or five megabytes.
Note that setting too high a value (exceeding the buffer cache's
write threshold) can lead to extremely bad clustering
performance. Do not set this value arbitrarily high! Higher
write values may add latency to reads occurring at the same time.
There are various other buffer-cache and VM page cache
related sysctls. We do not recommend modifying these values. As
of FreeBSD 4.3, the VM system does an extremely good job of
automatically tuning itself.<varname>vm.swap_idle_enabled</varname>vm.swap_idle_enabledThe vm.swap_idle_enabled sysctl variable
is useful in large multi-user systems where you have lots of
users entering and leaving the system and lots of idle processes.
Such systems tend to generate a great deal of continuous pressure
on free memory reserves. Turning this feature on and tweaking
the swapout hysteresis (in idle seconds) via
vm.swap_idle_threshold1 and
vm.swap_idle_threshold2 allows you to depress
the priority of memory pages associated with idle processes more
quickly then the normal pageout algorithm. This gives a helping
hand to the pageout daemon. Do not turn this option on unless
you need it, because the tradeoff you are making is essentially
pre-page memory sooner rather than later; thus eating more swap
and disk bandwidth. In a small system this option will have a
determinable effect but in a large system that is already doing
moderate paging this option allows the VM system to stage whole
processes into and out of memory easily.<varname>hw.ata.wc</varname>hw.ata.wcFreeBSD 4.3 flirted with turning off IDE write caching.
This reduced write bandwidth to IDE disks but was considered
necessary due to serious data consistency issues introduced
by hard drive vendors. The problem is that IDE
drives lie about when a write completes. With IDE write
caching turned on, IDE hard drives not only write data
to disk out of order, but will sometimes delay writing some
blocks indefinitely when under heavy disk loads. A crash or
power failure may cause serious file system corruption.
FreeBSD's default was changed to be safe. Unfortunately, the
result was such a huge performance loss that we changed
write caching back to on by default after the release. You
should check the default on your system by observing the
hw.ata.wc sysctl variable. If IDE write
caching is turned off, you can turn it back on by setting
the kernel variable back to 1. This must be done from the
boot loader at boot time. Attempting to do it after the
kernel boots will have no effect.For more information, please see &man.ata.4;.<option>SCSI_DELAY</option>
(<varname>kern.cam.scsi_delay</varname>)kern.cam.scsi_delayThe kernel config may be used to
reduce system boot times. The defaults are fairly high and can be
responsible for 15+ seconds of delay in the
boot process. Reducing it to 5 seconds usually
works (especially with modern drives). Newer versions of FreeBSD
(5.0+) should use the kern.cam.scsi_delay
boot time tunable. The tunable, and kernel config option accept
values in terms of milliseconds and notseconds.Soft UpdatesSoft UpdatestunefsThe &man.tunefs.8; program can be used to fine-tune a
file system. This program has many different options, but for
now we are only concerned with toggling Soft Updates on and
off, which is done by:&prompt.root; tunefs -n enable /filesystem
&prompt.root; tunefs -n disable /filesystemA filesystem cannot be modified with &man.tunefs.8; while
it is mounted. A good time to enable Soft Updates is before any
partitions have been mounted, in single-user mode.As of FreeBSD 4.5, it is possible to enable Soft Updates
at filesystem creation time, through use of the -U
option to &man.newfs.8;.Soft Updates drastically improves meta-data performance, mainly
file creation and deletion, through the use of a memory cache. We
recommend to use Soft Updates on all of your file systems. There
are two downsides to Soft Updates that you should be aware of: First,
Soft Updates guarantees filesystem consistency in the case of a crash
but could very easily be several seconds (even a minute!) behind
updating the physical disk. If your system crashes you may lose more
work than otherwise. Secondly, Soft Updates delays the freeing of
filesystem blocks. If you have a filesystem (such as the root
filesystem) which is almost full, performing a major update, such as
make installworld, can cause the filesystem to run
out of space and the update to fail.More Details about Soft UpdatesSoft UpdatesdetailsThere are two traditional approaches to writing a file systems meta-data
back to disk. (Meta-data updates are updates to
non-content data like inodes or directories.)Historically, the default behavior was to write out
meta-data updates synchronously. If a directory had been
changed, the system waited until the change was actually
written to disk. The file data buffers (file contents) were
passed through the buffer cache and backed up
to disk later on asynchronously. The advantage of this
implementation is that it operates safely. If there is
a failure during an update, the meta-data are always in a
consistent state. A file is either created completely
or not at all. If the data blocks of a file did not find
their way out of the buffer cache onto the disk by the time
of the crash, &man.fsck.8; is able to recognize this and
repair the filesystem by setting the file length to
0. Additionally, the implementation is clear and simple.
The disadvantage is that meta-data changes are slow. An
rm -r, for instance, touches all the files in a
directory sequentially, but each directory
change (deletion of a file) will be written synchronously
to the disk. This includes updates to the directory itself,
to the inode table, and possibly to indirect blocks
allocated by the file. Similar considerations apply for
unrolling large hierarchies (tar -x).The second case is asynchronous meta-data updates. This
is the default for Linux/ext2fs and
mount -o async for *BSD ufs. All
meta-data updates are simply being passed through the buffer
cache too, that is, they will be intermixed with the updates
of the file content data. The advantage of this
implementation is there is no need to wait until each
meta-data update has been written to disk, so all operations
which cause huge amounts of meta-data updates work much
faster than in the synchronous case. Also, the
implementation is still clear and simple, so there is a low
risk for bugs creeping into the code. The disadvantage is
that there is no guarantee at all for a consistent state of
the filesystem. If there is a failure during an operation
that updated large amounts of meta-data (like a power
failure, or someone pressing the reset button),
the filesystem
will be left in an unpredictable state. There is no opportunity
to examine the state of the filesystem when the system
comes up again; the data blocks of a file could already have
been written to the disk while the updates of the inode
table or the associated directory were not. It is actually
impossible to implement a fsck which is
able to clean up the resulting chaos (because the necessary
information is not available on the disk). If the
filesystem has been damaged beyond repair, the only choice
is to use &man.newfs.8; on it and restore it from backup.
The usual solution for this problem was to implement
dirty region logging, which is also
referred to as journaling, although that
term is not used consistently and is occasionally applied
to other forms of transaction logging as well. Meta-data
updates are still written synchronously, but only into a
small region of the disk. Later on they will be moved
to their proper location. Because the logging
area is a small, contiguous region on the disk, there
are no long distances for the disk heads to move, even
during heavy operations, so these operations are quicker
than synchronous updates.
Additionally the complexity of the implementation is fairly
limited, so the risk of bugs being present is low. A disadvantage
is that all meta-data are written twice (once into the
logging region and once to the proper location) so for
normal work, a performance pessimization
might result. On the other hand, in case of a crash, all
pending meta-data operations can be quickly either rolled-back
or completed from the logging area after the system comes
up again, resulting in a fast filesystem startup.Kirk McKusick, the developer of Berkeley FFS,
solved this problem with Soft Updates: all pending
meta-data updates are kept in memory and written out to disk
in a sorted sequence (ordered meta-data
updates). This has the effect that, in case of
heavy meta-data operations, later updates to an item
catch the earlier ones if the earlier ones are still in
memory and have not already been written to disk. So all
operations on, say, a directory are generally performed in
memory before the update is written to disk (the data
blocks are sorted according to their position so
that they will not be on the disk ahead of their meta-data).
If the system crashes, this causes an implicit log
rewind: all operations which did not find their way
to the disk appear as if they had never happened. A
consistent filesystem state is maintained that appears to
be the one of 30 to 60 seconds earlier. The
algorithm used guarantees that all resources in use
are marked as such in their appropriate bitmaps: blocks and inodes.
After a crash, the only resource allocation error
that occurs is that resources are
marked as used which are actually free.
&man.fsck.8; recognizes this situation,
and frees the resources that are no longer used. It is safe to
ignore the dirty state of the filesystem after a crash by
forcibly mounting it with mount -f. In
order to free resources that may be unused, &man.fsck.8;
needs to be run at a later time. This is the idea behind
the background fsck: at system startup
time, only a snapshot of the
filesystem is recorded. The fsck can be
run later on. All file systems can then be mounted
dirty, so the system startup proceeds in
multiuser mode. Then, background fscks
will be scheduled for all file systems where this is required, to free
resources that may be unused. (File systems that do not use
Soft Updates still need the usual foreground
fsck though.)The advantage is that meta-data operations are nearly as
fast as asynchronous updates (i.e. faster than with
logging, which has to write the
meta-data twice). The disadvantages are the complexity of
the code (implying a higher risk for bugs in an area that
is highly sensitive regarding loss of user data), and a
higher memory consumption. Additionally there are some
idiosyncrasies one has to get used to.
After a crash, the state of the filesystem appears to be
somewhat older. In situations where
the standard synchronous approach would have caused some
zero-length files to remain after the
fsck, these files do not exist at all
with a Soft Updates filesystem because neither the meta-data
nor the file contents have ever been written to disk.
Disk space is not released until the updates have been
written to disk, which may take place some time after
running rm. This may cause problems
when installing large amounts of data on a filesystem
that does not have enough free space to hold all the files
twice.Tuning Kernel Limitstuningkernel limitsFile/Process Limits<varname>kern.maxfiles</varname>kern.maxfileskern.maxfiles can be raised or
lowered based upon your system requirements. This variable
indicates the maximum number of file descriptors on your
system. When the file descriptor table is full,
file: table is full will show up repeatedly
in the system message buffer, which can be viewed with the
dmesg command.Each open file, socket, or fifo uses one file
descriptor. A large-scale production server may easily
require many thousands of file descriptors, depending on the
kind and number of services running concurrently.kern.maxfile's default value is
dictated by the option in your
kernel configuration file. kern.maxfiles grows
proportionally to the value of . When
compiling a custom kernel, it is a good idea to set this kernel
configuration option according to the uses of your system. From
this number, the kernel is given most of its pre-defined limits.
Even though a production machine may not actually have 256 users
connected at once, the resources needed may be similar to a
high-scale web server.As of FreeBSD 4.5, setting to
0 in your kernel configuration file will choose
a reasonable default value based on the amount of RAM present in
your system.<varname>kern.ipc.somaxconn</varname>kern.ipc.somaxconnThe kern.ipc.somaxconn sysctl variable
limits the size of the listen queue for accepting new TCP
connections. The default value of 128 is
typically too low for robust handling of new connections in a
heavily loaded web server environment. For such environments, it
is recommended to increase this value to 1024 or
higher. The service daemon may itself limit the listen queue size
(e.g. &man.sendmail.8;, or Apache) but
will often have a directive in it's configuration file to adjust
the queue size. Large listen queues also do a better job of
avoiding Denial of Service (DoS) attacks.Network LimitsThe kernel configuration
option dictates the amount of network Mbufs available to the
system. A heavily-trafficked server with a low number of Mbufs
will hinder FreeBSD's ability. Each cluster represents
approximately 2 K of memory, so a value of 1024 represents 2
megabytes of kernel memory reserved for network buffers. A
simple calculation can be done to figure out how many are
needed. If you have a web server which maxes out at 1000
simultaneous connections, and each connection eats a 16 K receive
and 16 K send buffer, you need approximately 32 MB worth of
network buffers to cover the web server. A good rule of thumb is
to multiply by 2, so 2x32 MB / 2 KB = 64 MB / 2 kB = 32768. We recommend values between 4096 and
32768 for machines with greater amounts of memory. Under no
circumstances should you specify an arbitrarily high value for this
parameter as it could lead to a boot time crash. The
option to &man.netstat.1; may be used to
observe network cluster use.kern.ipc.nmbclusters loader tunable should
be used to tune this at boot time. Only older versions of FreeBSD
will require you to use the kernel
&man.config.8; option.For busy servers that make extensive use of the
&man.sendfile.2; system call, it may be necessary to increase
the number of &man.sendfile.2; buffers via the
kernel configuration option or by
setting its value in /boot/loader.conf
(see &man.loader.8; for details). A common indicator that
this parameter needs to be adjusted is when processes are seen
in the sfbufa state. The sysctl
variable kern.ipc.nsfbufs is a read-only
glimpse at the kernel configured variable. This parameter
nominally scales with kern.maxusers,
however it may be necessary to tune accordingly.Even though a socket has been marked as non-blocking,
calling &man.sendfile.2; on the non-blocking socket may
result in the &man.sendfile.2; call blocking until enough
struct sf_buf's are made
available.<varname>net.inet.ip.portrange.*</varname>net.inet.ip.portrange.*The net.inet.ip.portrange.* sysctl
variables control the port number ranges automatically bound to TCP
and UDP sockets. There are three ranges: a low range, a default
range, and a high range. Most network programs use the default
range which is controlled by the
net.inet.ip.portrange.first and
net.inet.ip.portrange.last, which default to
1024 and 5000, respectively. Bound port ranges are used for
outgoing connections, and it is possible to run the system out of
ports under certain circumstances. This most commonly occurs
when you are running a heavily loaded web proxy. The port range
is not an issue when running servers which handle mainly incoming
connections, such as a normal web server, or has a limited number
of outgoing connections, such as a mail relay. For situations
where you may run yourself out of ports, it is recommended to
increase net.inet.ip.portrange.last modestly.
A value of 10000, 20000 or
30000 may be reasonable. You should also
consider firewall effects when changing the port range. Some
firewalls may block large ranges of ports (usually low-numbered
ports) and expect systems to use higher ranges of ports for
outgoing connections — for this reason it is recommended that
net.inet.ip.portrange.first be lowered.TCP Bandwidth Delay ProductTCP Bandwidth Delay Product Limitingnet.inet.tcp.inflight_enableThe TCP Bandwidth Delay Product Limiting is similar to
TCP/Vegas in NetBSD. It can be
enabled by setting net.inet.tcp.inflight_enable
sysctl variable to 1. The system will attempt
to calculate the bandwidth delay product for each connection and
limit the amount of data queued to the network to just the amount
required to maintain optimum throughput.This feature is useful if you are serving data over modems,
Gigabit Ethernet, or even high speed WAN links (or any other link
with a high bandwidth delay product), especially if you are also
using window scaling or have configured a large send window. If
you enable this option, you should also be sure to set
net.inet.tcp.inflight_debug to
0 (disable debugging), and for production use
setting net.inet.tcp.inflight_min to at least
6144 may be beneficial. However, note that
setting high minimums may effectively disable bandwidth limiting
depending on the link. The limiting feature reduces the amount of
data built up in intermediate route and switch packet queues as
well as reduces the amount of data built up in the local host's
interface queue. With fewer packets queued up, interactive
connections, especially over slow modems, will also be able to
operate with lower Round Trip Times. However,
note that this feature only effects data transmission (uploading
/ server side). It has no effect on data reception (downloading).
Adjusting net.inet.tcp.inflight_stab is
not recommended. This parameter defaults to
20, representing 2 maximal packets added to the bandwidth delay
product window calculation. The additional window is required to
stabilize the algorithm and improve responsiveness to changing
conditions, but it can also result in higher ping times over slow
links (though still much lower than you would get without the
inflight algorithm). In such cases, you may wish to try reducing
this parameter to 15, 10, or 5; and may also have to reduce
net.inet.tcp.inflight_min (for example, to
3500) to get the desired effect. Reducing these parameters
should be done as a last resort only.Adding Swap SpaceNo matter how well you plan, sometimes a system does not run
as you expect. If you find you need more swap space, it is
simple enough to add. You have three ways to increase swap
space: adding a new hard drive, enabling swap over NFS, and
creating a swap file on an existing partition.Swap on a New Hard DriveThe best way to add swap, of course, is to use this as an
excuse to add another hard drive. You can always use another
hard drive, after all. If you can do this, go reread the
discussion of swap space
from the Initial Configuration
section of the Handbook for some suggestions on how to best
arrange your swap.Swapping over NFSSwapping over NFS is only recommended if you do not have a
local hard disk to swap to. Swapping over NFS is slow and
inefficient in versions of FreeBSD prior to 4.X. It is
reasonably fast and efficient in 4.0-RELEASE and newer. Even
with newer versions of FreeBSD, NFS swapping will be limited
by the available network bandwidth and puts an additional
burden on the NFS server.SwapfilesYou can create a file of a specified size to use as a swap
file. In our example here we will use a 64MB file called
/usr/swap0. You can use any name you
want, of course.Creating a Swapfile on FreeBSD 4.XBe certain that your kernel configuration includes
the vnode driver. It is not in recent versions of
GENERIC.pseudo-device vn 1 #Vnode driver (turns a file into a device)create a vn-device:&prompt.root; cd /dev
&prompt.root; sh MAKEDEV vn0create a swapfile (/usr/swap0):&prompt.root; dd if=/dev/zero of=/usr/swap0 bs=1024k count=64set proper permissions on (/usr/swap0):&prompt.root; chmod 0600 /usr/swap0enable the swap file in /etc/rc.conf:swapfile="/usr/swap0" # Set to name of swapfile if aux swapfile desired.Reboot the machine or to enable the swap file immediately,
type:&prompt.root; vnconfig -e /dev/vn0b /usr/swap0 swapCreating a Swapfile on FreeBSD 5.XBe certain that your kernel configuration includes
the memory disk driver (&man.md.4;). It is default in
GENERIC kernel.device md # Memory "disks"create a swapfile (/usr/swap0):&prompt.root; dd if=/dev/zero of=/usr/swap0 bs=1024k count=64set proper permissions on (/usr/swap0):&prompt.root; chmod 0600 /usr/swap0enable the swap file in /etc/rc.conf:swapfile="/usr/swap0" # Set to name of swapfile if aux swapfile desired.Reboot the machine or to enable the swap file immediately,
type:&prompt.root; mdconfig -a -t vnode -f /usr/swap0 -u 0 && swapon /dev/md0HitenPandyaWritten by TomRhodesPower and Resource ManagementIt is very important to utilize hardware resources in an
efficient manner. Before ACPI was introduced,
it was very difficult and inflexible for operating systems to manage
the power usage and thermal properties of a system. The hardware was
controlled by some sort of BIOS embedded
interface, such as Plug and Play BIOS (PNPBIOS), or
Advanced Power Management (APM) and so on.
Power and Resource Management is one of the key components of a modern
operating system. For example, you may want an operating system to
monitor system limits (and possibly alert you) in case your system
temperature increased unexpectedly.In this section of the FreeBSD Handbook, we will provide
comprehensive information about ACPI. References
will be provided for further reading at the end. Please be aware
that ACPI is only available on FreeBSD 5.X and
above.What Is ACPI?Advanced Configuration and Power Interface
(ACPI) is a standard written by
an alliance of vendors to provide a standard interface for
hardware resources and power management (hence the name).
It is a key element in Operating System-directed
configuration and Power Management, i.e.: it provides
more control and flexibility to the operating system (OS).
Modern systems stretched the limits of the current
Plug and Play interfaces (such as APM, which is used in FreeBSD 4.X),
prior to the introduction of ACPI. ACPI
is the direct successor to APM (Advanced Power
Management).Shortcomings of Advanced Power Management (APM)The Advanced Power Management (APM)
facility control's the power usage of a system based on its
activity. The APM BIOS is supplied by the (system) vendor and
it is specific to the hardware platform. An APM driver in the
OS mediates access to the APM Software Interface,
which allows management of power levels.There are four major problems in APM. Firstly, power
management is done by the (vendor-specific) BIOS, and the OS
does not have any knowledge of it. One example of this, is when
the user sets idle-time values for a hard drive in the APM BIOS,
that when exceeded, it (BIOS) would spin down the hard drive,
without the consent of the OS. Secondly, the APM logic is
embedded in the BIOS, and it operates outside the scope of the
OS. This means users can only fix problems in their APM BIOS by
flashing a new one into the ROM; which, is a very dangerous
procedure, and if it fails, it could leave the system in an
unrecoverable state. Thirdly, APM is a vendor-specific
technology, which, means that there is a lot or parity
(duplication of efforts) and bugs found in one vendor's BIOS,
may not be solved in others. Last but not the least, the APM
BIOS did not have enough room to implement a sophisticated power
policy, or one that can adapt very well to the purpose of the
machine.Plug and Play BIOS (PNPBIOS) was
unreliable in many situations. PNPBIOS is 16-bit technology,
so the OS has to use 16-bit emulation in order to
interface with PNPBIOS methods.The FreeBSD APM driver is documented in
the &man.apm.4; manual page.Configuring <acronym>ACPI</acronym>The acpi.ko driver is loaded by default
at start up by the &man.loader.8; and should not
be compiled into the kernel. The reasoning behind this is that modules
are easier to work with, say if switching to another acpi.ko
without doing a kernel rebuild. This has the advantage of making testing easier.
Another reason is that starting ACPI after a system has been
brought up is not too useful, and in some cases can be fatal. In doubt, just
disable ACPI all together. This driver should not and can not
be unloaded because the system bus uses it for various hardware interactions.
ACPI can be disabled with the &man.acpiconf.8; utility.
In fact most of the interaction with ACPI can be done via
&man.acpiconf.8;. Basically this means, if anything about ACPI
is in the &man.dmesg.8; output, then most likely it is already running.ACPI and APM cannot coexist and
should be used separately. The last one to load will terminate if the driver
notices the other running.In the simplest form, ACPI can be used to put the
system into a sleep mode with &man.acpiconf.8;, the
flag, and a 1-5 option. Most users will only need
1. Option 5 will do a soft-off
which is the same action as:&prompt.root; halt -pThe other options are available. Check out the &man.acpiconf.8;
manual page for more information.Debugging and Disabling <acronym>ACPI</acronym>Almost everything in ACPI is transparent, until
it does not work. That is usually when you as a user will know there
is something not working properly. The &man.acpi.4; driver
supports many debugging options, it is even possible to
selectively disable some parts of the ACPI
system. For more information about debugging facilities, read
the &man.acpi.4; manual page.Sometimes for various reasons, the
acpi.ko module must be unloaded. This
can only be done at boot time by the &man.loader.8;. You can
type at &man.loader.8; prompt the command
unset acpi_load each time you boot the
system, or to stop the autoloading of the
&man.acpi.4; driver add the following line to the
/boot/loader.conf file:exec="unset acpi_load"&os; 5.1-RELEASE and later come with a boot-time menu
that controls how &os; is booted. One of the proposed options
is to turn off ACPI. So to disable
ACPI just select
2. Boot &os; with ACPI disabled
in the menu.
diff --git a/en_US.ISO8859-1/books/handbook/disks/chapter.sgml b/en_US.ISO8859-1/books/handbook/disks/chapter.sgml
index 03936128cf..c6a78b70fa 100644
--- a/en_US.ISO8859-1/books/handbook/disks/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/disks/chapter.sgml
@@ -1,3234 +1,3234 @@
StorageSynopsisThis chapter covers the use of disks in FreeBSD. This
includes memory-backed disks, network-attached disks, and
standard SCSI/IDE storage devices.After reading this chapter, you will know:The terminology FreeBSD uses to describe the
organization of data on a physical disk (partitions and slices).How to mount and unmount file systems.How to add additional hard disks to your system.How to setup virtual file systems, such as memory
disks.How to use quotas to limit disk space usage.How to encrypt disks to secure them against attackers.How to create and burn CDs and DVDs on FreeBSD.The various storage media options for backups.How to use backup programs available under FreeBSD.How to backup to floppy disks.What snapshots are and how to use them efficiently.Device NamesThe following is a list of physical storage devices
supported in FreeBSD, and the device names associated with
them.
Physical Disk Naming ConventionsDrive typeDrive device nameIDE hard drivesadIDE CDROM drivesacdSCSI hard drives and USB Mass storage devicesdaSCSI CDROM drivescdAssorted non-standard CDROM drivesmcd for Mitsumi CD-ROM,
scd for Sony CD-ROM,
matcd for Matsushita/Panasonic CD-ROM
The &man.matcd.4; driver has been removed
in FreeBSD 4.X branch since October 5th,
2002 and does not exist in FreeBSD 5.0 and
5.1 releases. However this driver is back in the
FreeBSD 5.X branch since June 16th,
2003.Floppy drivesfdSCSI tape drivessaIDE tape drivesastFlash drives
- fla for DiskOnChip Flash device
+ fla for &diskonchip; Flash deviceRAID drives
- aacd for Adaptec AdvancedRAID,
+ aacd for &adaptec; AdvancedRAID,
mlxd and mlyd
- for Mylex,
- amrd for AMI MegaRAID,
+ for &mylex;,
+ amrd for AMI &megaraid;,
idad for Compaq Smart RAID,
- twed for 3Ware RAID.
+ twed for &tm.3ware; RAID.
DavidO'BrienOriginally contributed by Adding DisksdisksaddingLets say we want to add a new SCSI disk to a machine that
currently only has a single drive. First turn off the computer
and install the drive in the computer following the instructions
of the computer, controller, and drive manufacturer. Due to the
wide variations of procedures to do this, the details are beyond
the scope of this document.Login as user root. After you have installed the
drive, inspect /var/run/dmesg.boot to ensure the new
disk was found. Continuing with our example, the newly added drive will
be da1 and we want to mount it on
/1 (if you are adding an IDE drive, the device name
will be wd1 in pre-4.0 systems, or
ad1 in most 4.X systems).partitionsslicesfdiskBecause FreeBSD runs on IBM-PC compatible computers, it must
take into account the PC BIOS partitions. These are different
from the traditional BSD partitions. A PC disk has up to four
BIOS partition entries. If the disk is going to be truly
dedicated to FreeBSD, you can use the
dedicated mode. Otherwise, FreeBSD will
have to live within one of the PC BIOS partitions. FreeBSD
calls the PC BIOS partitions slices so as
not to confuse them with traditional BSD partitions. You may
also use slices on a disk that is dedicated to FreeBSD, but used
in a computer that also has another operating system installed.
This is to not confuse the fdisk utility of
the other operating system.In the slice case the drive will be added as
/dev/da1s1e. This is read as: SCSI disk,
unit number 1 (second SCSI disk), slice 1 (PC BIOS partition 1),
and e BSD partition. In the dedicated
case, the drive will be added simply as
/dev/da1e.Using &man.sysinstall.8;sysinstalladding diskssuNavigating <application>Sysinstall</application>You may use /stand/sysinstall to
partition and label a new disk using its easy to use menus.
Either login as user root or use the
su command. Run
/stand/sysinstall and enter the
Configure menu. Within the
FreeBSD Configuration Menu, scroll down and
select the Fdisk option.<application>fdisk</application> Partition EditorOnce inside fdisk, we can type A to
use the entire disk for FreeBSD. When asked if you want to
remain cooperative with any future possible operating
systems, answer YES. Write the
changes to the disk using W. Now exit the
FDISK editor by typing q. Next you will be
asked about the Master Boot Record. Since you are adding a
disk to an already running system, choose
None.Disk Label EditorBSD partitionsNext, you need to exit sysinstall
and start it again. Follow the directions above, although this
time choose the Label option. This will
enter the Disk Label Editor. This
is where you will create the traditional BSD partitions. A
disk can have up to eight partitions, labeled
a-h.
A few of the partition labels have special uses. The
a partition is used for the root partition
(/). Thus only your system disk (e.g,
the disk you boot from) should have an a
partition. The b partition is used for
swap partitions, and you may have many disks with swap
partitions. The c partition addresses the
entire disk in dedicated mode, or the entire FreeBSD slice in
slice mode. The other partitions are for general use.sysinstall's Label editor
favors the e
partition for non-root, non-swap partitions. Within the
Label editor, create a single file system by typing
C. When prompted if this will be a FS
(file system) or swap, choose FS and type in a
mount point (e.g, /mnt). When adding a
disk in post-install mode, sysinstall
will not create entries
in /etc/fstab for you, so the mount point
you specify is not important.You are now ready to write the new label to the disk and
create a file system on it. Do this by typing
W. Ignore any errors from
sysinstall that
it could not mount the new partition. Exit the Label Editor
and sysinstall completely.FinishThe last step is to edit /etc/fstab
to add an entry for your new disk.Using Command Line UtilitiesUsing SlicesThis setup will allow your disk to work correctly with
other operating systems that might be installed on your
computer and will not confuse other operating systems'
fdisk utilities. It is recommended
to use this method for new disk installs. Only use
dedicated mode if you have a good reason
to do so!&prompt.root; dd if=/dev/zero of=/dev/da1 bs=1k count=1
&prompt.root; fdisk -BI da1 #Initialize your new disk
&prompt.root; disklabel -B -w -r da1s1 auto #Label it.
&prompt.root; disklabel -e da1s1 # Edit the disklabel just created and add any partitions.
&prompt.root; mkdir -p /1
&prompt.root; newfs /dev/da1s1e # Repeat this for every partition you created.
&prompt.root; mount /dev/da1s1e /1 # Mount the partition(s)
&prompt.root; vi /etc/fstab # Add the appropriate entry/entries to your /etc/fstab.If you have an IDE disk, substitute ad
for da. On pre-4.X systems use
wd.DedicatedOS/2If you will not be sharing the new drive with another operating
system, you may use the dedicated mode. Remember
this mode can confuse Microsoft operating systems; however, no damage
- will be done by them. IBM's OS/2 however, will
+ will be done by them. IBM's &os2; however, will
appropriate any partition it finds which it does not
understand.&prompt.root; dd if=/dev/zero of=/dev/da1 bs=1k count=1
&prompt.root; disklabel -Brw da1 auto
&prompt.root; disklabel -e da1 # create the `e' partition
&prompt.root; newfs -d0 /dev/da1e
&prompt.root; mkdir -p /1
&prompt.root; vi /etc/fstab # add an entry for /dev/da1e
&prompt.root; mount /1An alternate method is:&prompt.root; dd if=/dev/zero of=/dev/da1 count=2
&prompt.root; disklabel /dev/da1 | disklabel -BrR da1 /dev/stdin
&prompt.root; newfs /dev/da1e
&prompt.root; mkdir -p /1
&prompt.root; vi /etc/fstab # add an entry for /dev/da1e
&prompt.root; mount /1Since &os; 5.1-RELEASE, the &man.bsdlabel.8;
utility replaces the old &man.disklabel.8; program. With
&man.bsdlabel.8; a number of obsolete options and parameters
have been retired; in the examples above the option
should be removed with &man.bsdlabel.8;.
For more information, please refer to the &man.bsdlabel.8;
manual page.RAIDSoftware RAIDChristopherShumwayOriginal work by JimBrownRevised by RAIDsoftwareRAIDCCDConcatenated Disk Driver (CCD) ConfigurationWhen choosing a mass storage solution the most important
factors to consider are speed, reliability, and cost. It is
rare to have all three in balance; normally a fast, reliable mass
storage device is expensive, and to cut back on cost either speed
or reliability must be sacrificed.In designing the system described below, cost was chosen
as the most important factor, followed by speed, then reliability.
Data transfer speed for this system is ultimately
constrained by the network. And while reliability is very important,
the CCD drive described below serves online data that is already
fully backed up on CD-R's and can easily be replaced.Defining your own requirements is the first step
in choosing a mass storage solution. If your requirements prefer
speed or reliability over cost, your solution will differ from
the system described in this section.Installing the HardwareIn addition to the IDE system disk, three Western
Digital 30GB, 5400 RPM IDE disks form the core
of the CCD disk described below providing approximately
90GB of online storage. Ideally,
each IDE disk would have its own IDE controller
and cable, but to minimize cost, additional
IDE controllers were not used. Instead the disks were
configured with jumpers so that each IDE controller has
one master, and one slave.Upon reboot, the system BIOS was configured to
automatically detect the disks attached. More importantly,
FreeBSD detected them on reboot:ad0: 19574MB <WDC WD205BA> [39770/16/63] at ata0-master UDMA33
ad1: 29333MB <WDC WD307AA> [59598/16/63] at ata0-slave UDMA33
ad2: 29333MB <WDC WD307AA> [59598/16/63] at ata1-master UDMA33
ad3: 29333MB <WDC WD307AA> [59598/16/63] at ata1-slave UDMA33If FreeBSD does not detect all the disks, ensure
that you have jumpered them correctly. Most IDE drives
also have a Cable Select jumper. This is
not the jumper for the master/slave
relationship. Consult the drive documentation for help in
identifying the correct jumper.Next, consider how to attach them as part of the file
system. You should research both &man.vinum.8; () and &man.ccd.4;. In this
particular configuration, &man.ccd.4; was chosen.Setting Up the CCDThe driver &man.ccd.4; allows you to take
several identical disks and concatenate them into one
logical file system. In order to use
&man.ccd.4;, you need a kernel with
&man.ccd.4; support built in.
Add this line to your kernel configuration file, rebuild, and
reinstall the kernel:pseudo-device ccd 4On 5.X systems, you have to use instead the following
line:device ccdIn FreeBSD 5.X, it is not necessary to specify
a number of &man.ccd.4; devices, as the &man.ccd.4; device driver is now
self-cloning — new device instances will automatically be
created on demand.The &man.ccd.4; support can also be
loaded as a kernel loadable module in FreeBSD 3.0 or
later.To set up &man.ccd.4;, you must first use
&man.disklabel.8; to label the disks:disklabel -r -w ad1 auto
disklabel -r -w ad2 auto
disklabel -r -w ad3 autoThis creates a disklabel for ad1c, ad2c and ad3c that
spans the entire disk.Since &os; 5.1-RELEASE, the &man.bsdlabel.8;
utility replaces the old &man.disklabel.8; program. With
&man.bsdlabel.8; a number of obsolete options and parameters
have been retired; in the examples above the option
should be removed. For more
information, please refer to the &man.bsdlabel.8;
manual page.The next step is to change the disk label type. You
can use &man.disklabel.8; to edit the
disks:disklabel -e ad1
disklabel -e ad2
disklabel -e ad3This opens up the current disk label on each disk with
the editor specified by the EDITOR
environment variable, typically &man.vi.1;.An unmodified disk label will look something like
this:8 partitions:
# size offset fstype [fsize bsize bps/cpg]
c: 60074784 0 unused 0 0 0 # (Cyl. 0 - 59597)Add a new e partition for &man.ccd.4; to use. This
can usually be copied from the c partition,
but the must
be 4.2BSD. The disk label should
now look something like this:8 partitions:
# size offset fstype [fsize bsize bps/cpg]
c: 60074784 0 unused 0 0 0 # (Cyl. 0 - 59597)
e: 60074784 0 4.2BSD 0 0 0 # (Cyl. 0 - 59597)Building the File SystemThe device node for
ccd0c may not exist yet, so to
create it, perform the following commands:cd /dev
sh MAKEDEV ccd0In FreeBSD 5.0, &man.devfs.5; will automatically
manage device nodes in /dev, so use of
MAKEDEV is not necessary.Now that you have all of the disks labeled, you must
build the &man.ccd.4;. To do that,
use &man.ccdconfig.8;, with options similar to the following:ccdconfig ccd0 32 0 /dev/ad1e /dev/ad2e /dev/ad3eThe use and meaning of each option is shown below:The first argument is the device to configure, in this case,
/dev/ccd0c. The /dev/
portion is optional.The interleave for the file system. The interleave
defines the size of a stripe in disk blocks, each normally 512 bytes.
So, an interleave of 32 would be 16,384 bytes.Flags for &man.ccdconfig.8;. If you want to enable drive
mirroring, you can specify a flag here. This
configuration does not provide mirroring for
&man.ccd.4;, so it is set at 0 (zero).The final arguments to &man.ccdconfig.8;
are the devices to place into the array. Use the complete pathname
for each device.After running &man.ccdconfig.8; the &man.ccd.4;
is configured. A file system can be installed. Refer to &man.newfs.8;
for options, or simply run: newfs /dev/ccd0cMaking it All AutomaticGenerally, you will want to mount the
&man.ccd.4; upon each reboot. To do this, you must
configure it first. Write out your current configuration to
/etc/ccd.conf using the following command:ccdconfig -g > /etc/ccd.confDuring reboot, the script /etc/rc
runs ccdconfig -C if /etc/ccd.conf
exists. This automatically configures the
&man.ccd.4; so it can be mounted.If you are booting into single user mode, before you can
&man.mount.8; the &man.ccd.4;, you
need to issue the following command to configure the
array:ccdconfig -CTo automatically mount the &man.ccd.4;,
place an entry for the &man.ccd.4; in
/etc/fstab so it will be mounted at
boot time:/dev/ccd0c /media ufs rw 2 2The Vinum Volume ManagerRAIDsoftwareRAIDVinumThe Vinum Volume Manager is a block device driver which
implements virtual disk drives. It isolates disk hardware
from the block device interface and maps data in ways which
result in an increase in flexibility, performance and
reliability compared to the traditional slice view of disk
storage. &man.vinum.8; implements the RAID-0, RAID-1 and
RAID-5 models, both individually and in combination.See for more
information about &man.vinum.8;.Hardware RAIDRAIDhardwareFreeBSD also supports a variety of hardware RAID
controllers. These devices control a RAID subsystem
without the need for FreeBSD specific software to manage the
array.Using an on-card BIOS, the card controls most of the disk operations
itself. The following is a brief setup description using a Promise IDE RAID
controller. When this card is installed and the system is started up, it
displays a prompt requesting information. Follow the instructions
to enter the card's setup screen. From here, you have the ability to
combine all the attached drives. After doing so, the disk(s) will look like
a single drive to FreeBSD. Other RAID levels can be set up
accordingly.
Rebuilding ATA RAID1 ArraysFreeBSD allows you to hot-replace a failed disk in an array. This requires
that you catch it before you reboot.You will probably see something like the following in /var/log/messages or in the &man.dmesg.8;
output:ad6 on monster1 suffered a hard error.
ad6: READ command timeout tag=0 serv=0 - resetting
ad6: trying fallback to PIO mode
ata3: resetting devices .. done
ad6: hard error reading fsbn 1116119 of 0-7 (ad6 bn 1116119; cn 1107 tn 4 sn 11) status=59 error=40
ar0: WARNING - mirror lostUsing &man.atacontrol.8;, check for further information:&prompt.root; atacontrol list
ATA channel 0:
Master: no device present
Slave: acd0 <HL-DT-ST CD-ROM GCR-8520B/1.00> ATA/ATAPI rev 0
ATA channel 1:
Master: no device present
Slave: no device present
ATA channel 2:
Master: ad4 <MAXTOR 6L080J4/A93.0500> ATA/ATAPI rev 5
Slave: no device present
ATA channel 3:
Master: ad6 <MAXTOR 6L080J4/A93.0500> ATA/ATAPI rev 5
Slave: no device present
&prompt.root; atacontrol status ar0
ar0: ATA RAID1 subdisks: ad4 ad6 status: DEGRADEDYou will first need to detach the disk from the array so that you can
safely remove it:&prompt.root; atacontrol detach 3Replace the disk.Reattach the disk as a spare:&prompt.root; atacontrol attach 3
Master: ad6 <MAXTOR 6L080J4/A93.0500> ATA/ATAPI rev 5
Slave: no device presentRebuild the array:&prompt.root; atacontrol rebuild ar0The rebuild command hangs until complete. However, it is possible to open another
terminal (using AltFn)
and check on the progress by issuing the following command:&prompt.root; dmesg | tail -10
[output removed]
ad6: removed from configuration
ad6: deleted from ar0 disk1
ad6: inserted into ar0 disk1 as spare
&prompt.root; atacontrol status ar0
ar0: ATA RAID1 subdisks: ad4 ad6 status: REBUILDING 0% completedWait until this operation completes.MikeMeyerContributed by Creating and Using Optical Media (CDs & DVDs)CDROMscreatingIntroductionCDs have a number of features that differentiate them from
conventional disks. Initially, they were not writable by the
user. They are designed so that they can be read continuously without
delays to move the head between tracks. They are also much easier
to transport between systems than similarly sized media were at the
time.CDs do have tracks, but this refers to a section of data to
be read continuously and not a physical property of the disk. To
produce a CD on FreeBSD, you prepare the data files that are going
to make up the tracks on the CD, then write the tracks to the
CD.ISO 9660file systemsISO 9660The ISO 9660 file system was designed to deal with these
differences. It unfortunately codifies file system limits that were
common then. Fortunately, it provides an extension mechanism that
allows properly written CDs to exceed those limits while still
working with systems that do not support those extensions.sysutils/mkisofsThe sysutils/mkisofs
program is used to produce a data file containing an ISO 9660 file
system. It has options that support various extensions, and is
described below. You can install it with the
sysutils/mkisofs port.CD burnerATAPIWhich tool to use to burn the CD depends on whether your CD burner
is ATAPI or something else. ATAPI CD burners use the burncd program that is part of
the base system. SCSI and USB CD burners should use
cdrecord from
the sysutils/cdrtools port.burncd has a limited number of
supported drives. To find out if a drive is supported, see the
CD-R/RW supported
drives list.CD burnerATAPI/CAM driverIf you run &os; 5.X, &os; 4.8-RELEASE version or
higher, it will be possible to use cdrecord and other tools
for SCSI drives on an ATAPI hardware with the ATAPI/CAM module.mkisofssysutils/mkisofs produces an ISO 9660 file system
- that is an image of a directory tree in the Unix file system name
+ that is an image of a directory tree in the &unix; file system name
space. The simplest usage is:&prompt.root; mkisofs -o imagefile.iso/path/to/treefile systemsISO 9660This command will create an imagefile.iso
containing an ISO 9660 file system that is a copy of the tree at
/path/to/tree. In the process, it will
map the file names to names that fit the limitations of the
standard ISO 9660 file system, and will exclude files that have
names uncharacteristic of ISO file systems.file systemsHFSfile systemsJolietA number of options are available to overcome those
restrictions. In particular, enables the
- Rock Ridge extensions common to Unix systems,
+ Rock Ridge extensions common to &unix; systems,
enables Joliet extensions used by Microsoft systems, and
can be used to create HFS file systems used
- by MacOS.
+ by &macos;.
For CDs that are going to be used only on FreeBSD systems,
can be used to disable all filename
restrictions. When used with , it produces a
file system image that is identical to the FreeBSD tree you started
from, though it may violate the ISO 9660 standard in a number of
ways.CDROMscreating bootableThe last option of general use is . This is
used to specify the location of the boot image for use in producing an
El Torito bootable CD. This option takes an
argument which is the path to a boot image from the top of the
tree being written to the CD. So, given that
/tmp/myboot holds a bootable FreeBSD system
with the boot image in
/tmp/myboot/boot/cdboot, you could produce the
image of an ISO 9660 file system in
/tmp/bootable.iso like so:&prompt.root; mkisofs -U -R -b boot/cdboot -o /tmp/bootable.iso /tmp/mybootHaving done that, if you have vn
(FreeBSD 4.X), or md
(FreeBSD 5.X)
configured in your kernel, you can mount the file system with:&prompt.root; vnconfig -e vn0c /tmp/bootable.iso
&prompt.root; mount -t cd9660 /dev/vn0c /mntfor FreeBSD 4.X, and for FreeBSD 5.X:&prompt.root; mdconfig -a -t vnode -f /tmp/bootable.iso -u 0
&prompt.root; mount -t cd9660 /dev/md0 /mntAt which point you can verify that /mnt
and /tmp/myboot are identical.There are many other options you can use with
sysutils/mkisofs to fine-tune its behavior. In particular:
modifications to an ISO 9660 layout and the creation of Joliet
and HFS discs. See the &man.mkisofs.8; manual page for details.burncdCDROMsburningIf you have an ATAPI CD burner, you can use the
burncd command to burn an ISO image onto a
CD. burncd is part of the base system, installed
as /usr/sbin/burncd. Usage is very simple, as
it has few options:&prompt.root; burncd -f cddevice data imagefile.iso fixateWill burn a copy of imagefile.iso on
cddevice. The default device is
/dev/acd0c. See &man.burncd.8; for options to
set the write speed, eject the CD after burning, and write audio
data.cdrecordIf you do not have an ATAPI CD burner, you will have to use
cdrecord to burn your
CDs. cdrecord is not part of the base system;
you must install it from either the port at sysutils/cdrtools
or the appropriate
package. Changes to the base system can cause binary versions of
this program to fail, possibly resulting in a
coaster. You should therefore either upgrade the
port when you upgrade your system, or if you are tracking -STABLE, upgrade the port when a
new version becomes available.While cdrecord has many options, basic usage
is even simpler than burncd. Burning an ISO 9660
image is done with:&prompt.root; cdrecord dev=deviceimagefile.isoThe tricky part of using cdrecord is finding
the to use. To find the proper setting, use
the flag of cdrecord,
which might produce results like this:CDROMsburning&prompt.root; cdrecord -scanbus
Cdrecord 1.9 (i386-unknown-freebsd4.2) Copyright (C) 1995-2000 Jörg Schilling
Using libscg version 'schily-0.1'
scsibus0:
0,0,0 0) 'SEAGATE ' 'ST39236LW ' '0004' Disk
0,1,0 1) 'SEAGATE ' 'ST39173W ' '5958' Disk
0,2,0 2) *
0,3,0 3) 'iomega ' 'jaz 1GB ' 'J.86' Removable Disk
0,4,0 4) 'NEC ' 'CD-ROM DRIVE:466' '1.26' Removable CD-ROM
0,5,0 5) *
0,6,0 6) *
0,7,0 7) *
scsibus1:
1,0,0 100) *
1,1,0 101) *
1,2,0 102) *
1,3,0 103) *
1,4,0 104) *
1,5,0 105) 'YAMAHA ' 'CRW4260 ' '1.0q' Removable CD-ROM
1,6,0 106) 'ARTEC ' 'AM12S ' '1.06' Scanner
1,7,0 107) *This lists the appropriate value for the
devices on the list. Locate your CD burner, and use the three
numbers separated by commas as the value for
. In this case, the CRW device is 1,5,0, so the
appropriate input would be
. There are easier
ways to specify this value; see &man.cdrecord.1; for
details. That is also the place to look for information on writing
audio tracks, controlling the speed, and other things.Duplicating Audio CDsYou can duplicate an audio CD by extracting the audio data from
the CD to a series of files, and then writing these files to a blank
CD. The process is slightly different for ATAPI and SCSI
drives.SCSI DrivesUse cdda2wav to extract the audio.&prompt.user; cdda2wav -v255 -D2,0 -B -OwavUse cdrecord to write the
.wav files.&prompt.user; cdrecord -v dev=2,0 -dao -useinfo *.wavMake sure that 2.0 is set
appropriately, as described in .ATAPI DrivesThe ATAPI CD driver makes each track available as
/dev/acddtnn,
where d is the drive number, and
nn is the track number written with two
decimal digits, prefixed with zero as needed.
So the first track on the first disk is
/dev/acd0t01, the second is
/dev/acd0t02, the third is
/dev/acd0t03, and so on.Make sure the appropriate files exist in
/dev.&prompt.root; cd /dev
&prompt.root; sh MAKEDEV acd0t99In FreeBSD 5.0, &man.devfs.5; will automatically
create and manage entries in /dev
for you, so it is not necessary to use
MAKEDEV.Extract each track using &man.dd.1;. You must also use a
specific block size when extracting the files.&prompt.root; dd if=/dev/acd0t01 of=track1.cdr bs=2352
&prompt.root; dd if=/dev/acd0t02 of=track2.cdr bs=2352
...
Burn the extracted files to disk using
burncd. You must specify that these are audio
files, and that burncd should fixate the disk
when finished.&prompt.root; burncd -f /dev/acd0c audio track1.cdr track2.cdr ... fixateDuplicating Data CDsYou can copy a data CD to a image file that is
functionally equivalent to the image file created with
sysutils/mkisofs, and you can use it to duplicate
any data CD. The example given here assumes that your CDROM
device is acd0. Substitute your
correct CDROM device. A c must be appended
to the end of the device name to indicate the entire partition
or, in the case of CDROMs, the entire disc.&prompt.root; dd if=/dev/acd0c of=file.iso bs=2048Now that you have an image, you can burn it to CD as
described above.Using Data CDsNow that you have created a standard data CDROM, you
probably want to mount it and read the data on it. By
default, &man.mount.8; assumes that a file system is of type
ufs. If you try something like:&prompt.root; mount /dev/cd0c /mntyou will get a complaint about Incorrect super
block, and no mount. The CDROM is not a
UFS file system, so attempts to mount it
as such will fail. You just need to tell &man.mount.8; that
the file system is of type ISO9660, and
everything will work. You do this by specifying the
option &man.mount.8;. For
example, if you want to mount the CDROM device,
/dev/cd0c, under
/mnt, you would execute:&prompt.root; mount -t cd9660 /dev/cd0c /mntNote that your device name
(/dev/cd0c in this example) could be
different, depending on the interface your CDROM uses. Also,
the option just executes
&man.mount.cd9660.8;. The above example could be shortened
to:&prompt.root; mount_cd9660 /dev/cd0c /mntYou can generally use data CDROMs from any vendor in this
way. Disks with certain ISO 9660 extensions might behave
oddly, however. For example, Joliet disks store all filenames
in two-byte Unicode characters. The FreeBSD kernel does not
speak Unicode (yet!), so non-English characters show up as
question marks. (If you are running FreeBSD 4.3 or later, the
CD9660 driver includes hooks to load an appropriate Unicode
conversion table on the fly. Modules for some of the common
encodings are available via the
sysutils/cd9660_unicode port.)Occasionally, you might get Device not
configured when trying to mount a CDROM. This
usually means that the CDROM drive thinks that there is no
disk in the tray, or that the drive is not visible on the bus.
It can take a couple of seconds for a CDROM drive to realize
that it has been fed, so be patient.Sometimes, a SCSI CDROM may be missed because it didn't
have enough time to answer the bus reset. If you have a SCSI
CDROM please add the following option to your kernel
configuration and rebuild your kernel.options SCSI_DELAY=15000This tells your SCSI bus to pause 15 seconds during boot,
to give your CDROM drive every possible chance to answer the
bus reset.Burning Raw Data CDsYou can choose to burn a file directly to CD, without
creating an ISO 9660 file system. Some people do this for
backup purposes. This runs more quickly than burning a
standard CD:&prompt.root; burncd -f /dev/acd1c -s 12 data archive.tar.gz fixateIn order to retrieve the data burned to such a CD, you
must read data from the raw device node:&prompt.root; tar xzvf /dev/acd1cYou cannot mount this disk as you would a normal CDROM.
Such a CDROM cannot be read under any operating system
except FreeBSD. If you want to be able to mount the CD, or
share data with another operating system, you must use
sysutils/mkisofs as described above.CD burnerATAPI/CAM driverUsing the ATAPI/CAM DriverThis driver allows ATAPI devices (CD-ROM, CD-RW, DVD
drives etc...) to be accessed through the SCSI subsystem, and
so allows the use of applications like sysutils/cdrdao or
&man.cdrecord.1;.To use this driver, you will need to add the following
lines to your kernel configuration file:device atapicam
device scbus
device cd
device passYou also need the following lines in your kernel
configuration file:device ata
device atapicdBoth of which should already be present.Then rebuild, install your new kernel, and reboot your
machine. During the boot process, your burner should show up,
like so:acd0: CD-RW <MATSHITA CD-RW/DVD-ROM UJDA740> at ata1-master PIO4
cd0 at ata1 bus 0 target 0 lun 0
cd0: <MATSHITA CDRW/DVD UJDA740 1.00> Removable CD-ROM SCSI-0 device
cd0: 16.000MB/s transfers
cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closedThe drive could now be accessed via the
/dev/cd0 device name, for example to
mount a CD-ROM on /mnt, just type the
following:&prompt.root; mount -t cd9660 /dev/cd0c /mntAs root, you can run the following
command to get the SCSI address of the burner:&prompt.root; camcontrol devlist
<MATSHITA CDRW/DVD UJDA740 1.00> at scbus1 target 0 lun 0 (pass0,cd0)So 1,0,0 will be the SCSI address to
use with &man.cdrecord.1; and other SCSI application.For more information about ATAPI/CAM and SCSI system,
refer to the &man.atapicam.4; and &man.cam.4; manual
pages.JulioMerinoOriginal work by MartinKarlssonRewritten by Creating and Using Floppy DisksStoring data on floppy disks is sometimes useful, for
example when one does not have any other removable storage media
or when one needs to transfer small amounts of data to another
computer.This section will explain how to use floppy disks in
FreeBSD. It will primarily cover formatting and usage of
3.5inch DOS floppies, but the concepts are similar for other
floppy disk formats.Formatting FloppiesThe DeviceFloppy disks are accessed through entries in
/dev, just like other devices. To
access the raw floppy disk in 4.X and earlier releases, one
uses
/dev/fdN,
where N stands for the drive
number, usually 0, or
/dev/fdNX,
where X stands for a
letter.In 5.0 or newer releases, simply use
/dev/fdN.The Disk Size in 4.X and Earlier ReleasesThere are also /dev/fdN.size
devices, where size is a floppy disk
size in kilobytes. These entries are used at low-level format
time to determine the disk size. 1440kB is the size that will be
used in the following examples.Sometimes the entries under /dev will
have to be (re)created. To do that, issue:&prompt.root; cd /dev && ./MAKEDEV "fd*"The Disk Size in 5.0 and Newer ReleasesIn 5.0, &man.devfs.5; will automatically
manage device nodes in /dev, so use of
MAKEDEV is not necessary.The desired disk size is passed to &man.fdformat.1; through
the flag. Supported sizes are listed in
&man.fdcontrol.8;, but be advised that 1440kB is what works best.FormattingA floppy disk needs to be low-level formated before it
can be used. This is usually done by the vendor, but
formatting is a good way to check media integrity. Although
it is possible to force larger (or smaller) disk sizes,
1440kB is what most floppy disks are designed for.To low-level format the floppy disk you need to use
&man.fdformat.1;. This utility expects the device name as an
argument.Make note of any error messages, as these can help
determine if the disk is good or bad.Formatting in 4.X and Earlier ReleasesUse the
/dev/fdN.size
devices to format the floppy. Insert a new 3.5inch floppy
disk in your drive and issue:&prompt.root; /usr/sbin/fdformat /dev/fd0.1440Formatting in 5.0 and Newer ReleasesUse the
/dev/fdN
devices to format the floppy. Insert a new 3.5inch floppy
disk in your drive and issue:&prompt.root; /usr/sbin/fdformat -f 1440 /dev/fd0The Disk LabelAfter low-level formatting the disk, you will need to
place a disk label on it. This disk label will be destroyed
later, but it is needed by the system to determine the size of
the disk and its geometry later.The new disk label will take over the whole disk, and will
contain all the proper information about the geometry of the
floppy. The geometry values for the disk label are listed in
/etc/disktab.You can run now &man.disklabel.8; like so:&prompt.root; /sbin/disklabel -B -r -w /dev/fd0 fd1440Since &os; 5.1-RELEASE, the &man.bsdlabel.8;
utility replaces the old &man.disklabel.8; program. With
&man.bsdlabel.8; a number of obsolete options and parameters
have been retired; in the example above the option
should be removed. For more
information, please refer to the &man.bsdlabel.8;
manual page.The File SystemNow the floppy is ready to be high-level formated. This
will place a new file system on it, which will let FreeBSD read
and write to the disk. After creating the new file system, the
disk label is destroyed, so if you want to reformat the disk, you
will have to recreate the disk label.The floppy's file system can be either UFS or FAT.
FAT is generally a better choice for floppies.To put a new file system on the floppy, issue:&prompt.root; /sbin/newfs_msdos /dev/fd0The disk is now ready for use.Using the FloppyTo use the floppy, mount it with &man.mount.msdos.8; (in
4.X and earlier releases) or &man.mount.msdosfs.8; (in 5.0 or
newer releases). One can also use
emulators/mtools from the ports
collection.Creating and Using Data Tapestape mediaThe major tape media are the 4mm, 8mm, QIC, mini-cartridge and
DLT.4mm (DDS: Digital Data Storage)tape mediaDDS (4mm) tapestape mediaQIC tapes4mm tapes are replacing QIC as the workstation backup media of
choice. This trend accelerated greatly when Conner purchased Archive,
a leading manufacturer of QIC drives, and then stopped production of
QIC drives. 4mm drives are small and quiet but do not have the
reputation for reliability that is enjoyed by 8mm drives. The
cartridges are less expensive and smaller (3 x 2 x 0.5 inches, 76 x 51
x 12 mm) than 8mm cartridges. 4mm, like 8mm, has comparatively short
head life for the same reason, both use helical scan.Data throughput on these drives starts ~150 kB/s, peaking at ~500 kB/s.
Data capacity starts at 1.3 GB and ends at 2.0 GB. Hardware
compression, available with most of these drives, approximately
doubles the capacity. Multi-drive tape library units can have 6
drives in a single cabinet with automatic tape changing. Library
capacities reach 240 GB.The DDS-3 standard now supports tape capacities up to 12 GB (or
24 GB compressed).4mm drives, like 8mm drives, use helical-scan. All the benefits
and drawbacks of helical-scan apply to both 4mm and 8mm drives.Tapes should be retired from use after 2,000 passes or 100 full
backups.8mm (Exabyte)tape mediaExabyte (8mm) tapes8mm tapes are the most common SCSI tape drives; they are the best
choice of exchanging tapes. Nearly every site has an Exabyte 2 GB 8mm
tape drive. 8mm drives are reliable, convenient and quiet. Cartridges
are inexpensive and small (4.8 x 3.3 x 0.6 inches; 122 x 84 x 15 mm).
One downside of 8mm tape is relatively short head and tape life due to
the high rate of relative motion of the tape across the heads.Data throughput ranges from ~250 kB/s to ~500 kB/s. Data sizes start
at 300 MB and go up to 7 GB. Hardware compression, available with
most of these drives, approximately doubles the capacity. These
drives are available as single units or multi-drive tape libraries
with 6 drives and 120 tapes in a single cabinet. Tapes are changed
automatically by the unit. Library capacities reach 840+ GB.The Exabyte Mammoth model supports 12 GB on one tape
(24 GB with compression) and costs approximately twice as much as
conventional tape drives.Data is recorded onto the tape using helical-scan, the heads are
positioned at an angle to the media (approximately 6 degrees). The
tape wraps around 270 degrees of the spool that holds the heads. The
spool spins while the tape slides over the spool. The result is a
high density of data and closely packed tracks that angle across the
tape from one edge to the other.QICtape mediaQIC-150QIC-150 tapes and drives are, perhaps, the most common tape drive
and media around. QIC tape drives are the least expensive serious
backup drives. The downside is the cost of media. QIC tapes are
expensive compared to 8mm or 4mm tapes, up to 5 times the price per GB
data storage. But, if your needs can be satisfied with a half-dozen
tapes, QIC may be the correct choice. QIC is the
most common tape drive. Every site has a QIC
drive of some density or another. Therein lies the rub, QIC has a
large number of densities on physically similar (sometimes identical)
tapes. QIC drives are not quiet. These drives audibly seek before
they begin to record data and are clearly audible whenever reading,
writing or seeking. QIC tapes measure (6 x 4 x 0.7 inches; 15.2 x
10.2 x 1.7 mm). Mini-cartridges, which
also use 1/4" wide tape are discussed separately. Tape libraries and
changers are not available.Data throughput ranges from ~150 kB/s to ~500 kB/s. Data capacity
ranges from 40 MB to 15 GB. Hardware compression is available on many
of the newer QIC drives. QIC drives are less frequently installed;
they are being supplanted by DAT drives.Data is recorded onto the tape in tracks. The tracks run along
the long axis of the tape media from one end to the other. The number
of tracks, and therefore the width of a track, varies with the tape's
capacity. Most if not all newer drives provide backward-compatibility
at least for reading (but often also for writing). QIC has a good
reputation regarding the safety of the data (the mechanics are simpler
and more robust than for helical scan drives).Tapes should be retired from use after 5,000 backups.XXX* Mini-CartridgeDLTtape mediaDLTDLT has the fastest data transfer rate of all the drive types
listed here. The 1/2" (12.5mm) tape is contained in a single spool
cartridge (4 x 4 x 1 inches; 100 x 100 x 25 mm). The cartridge has a
swinging gate along one entire side of the cartridge. The drive
mechanism opens this gate to extract the tape leader. The tape leader
has an oval hole in it which the drive uses to hook the tape. The
take-up spool is located inside the tape drive. All the other tape
cartridges listed here (9 track tapes are the only exception) have
both the supply and take-up spools located inside the tape cartridge
itself.Data throughput is approximately 1.5 MB/s, three times the throughput of
4mm, 8mm, or QIC tape drives. Data capacities range from 10 GB to 20 GB
for a single drive. Drives are available in both multi-tape changers
and multi-tape, multi-drive tape libraries containing from 5 to 900
tapes over 1 to 20 drives, providing from 50 GB to 9 TB of
storage.With compression, DLT Type IV format supports up to 70 GB
capacity.Data is recorded onto the tape in tracks parallel to the direction
of travel (just like QIC tapes). Two tracks are written at once.
Read/write head lifetimes are relatively long; once the tape stops
moving, there is no relative motion between the heads and the
tape.AITtape mediaAITAIT is a new format from Sony, and can hold up to 50 GB (with
compression) per tape. The tapes contain memory chips which retain an
index of the tape's contents. This index can be rapidly read by the
tape drive to determine the position of files on the tape, instead of
the several minutes that would be required for other tapes. Software
such as SAMS:Alexandria can operate forty or more AIT tape libraries,
communicating directly with the tape's memory chip to display the
contents on screen, determine what files were backed up to which
tape, locate the correct tape, load it, and restore the data from the
tape.Libraries like this cost in the region of $20,000, pricing them a
little out of the hobbyist market.Using a New Tape for the First TimeThe first time that you try to read or write a new, completely
blank tape, the operation will fail. The console messages should be
similar to:sa0(ncr1:4:0): NOT READY asc:4,1
sa0(ncr1:4:0): Logical unit is in process of becoming readyThe tape does not contain an Identifier Block (block number 0).
All QIC tape drives since the adoption of QIC-525 standard write an
Identifier Block to the tape. There are two solutions:mt fsf 1 causes the tape drive to write an
Identifier Block to the tape.Use the front panel button to eject the tape.Re-insert the tape and dump data to
the tape.dump will report DUMP: End of tape
detected and the console will show: HARDWARE
FAILURE info:280 asc:80,96.rewind the tape using: mt rewind.Subsequent tape operations are successful.Backups to FloppiesCan I Use Floppies for Backing Up My Data?backup floppiesfloppy disksFloppy disks are not really a suitable media for
making backups as:The media is unreliable, especially over long periods of
time.Backing up and restoring is very slow.They have a very limited capacity (the days of backing up
an entire hard disk onto a dozen or so floppies has long since
passed).However, if you have no other method of backing up your data then
floppy disks are better than no backup at all.If you do have to use floppy disks then ensure that you use good
quality ones. Floppies that have been lying around the office for a
couple of years are a bad choice. Ideally use new ones from a
reputable manufacturer.So How Do I Backup My Data to Floppies?The best way to backup to floppy disk is to use
&man.tar.1; with the (multi
volume) option, which allows backups to span multiple
floppies.To backup all the files in the current directory and sub-directory
use this (as root):&prompt.root; tar Mcvf /dev/fd0 *When the first floppy is full &man.tar.1; will prompt you to
insert the next volume (because &man.tar.1; is media independent it
refers to volumes; in this context it means floppy disk).Prepare volume #2 for /dev/fd0 and hit return:This is repeated (with the volume number incrementing) until all
the specified files have been archived.Can I Compress My Backups?targzipcompressionUnfortunately, &man.tar.1; will not allow the
option to be used for multi-volume archives.
You could, of course, &man.gzip.1; all the files,
&man.tar.1; them to the floppies, then
&man.gunzip.1; the files again!How Do I Restore My Backups?To restore the entire archive use:&prompt.root; tar Mxvf /dev/fd0There are two ways that you can use to restore only
specific files. First, you can start with the first floppy
and use:&prompt.root; tar Mxvf /dev/fd0 filenameThe utility &man.tar.1; will prompt you to insert subsequent floppies until it
finds the required file.Alternatively, if you know which floppy the file is on then you
can simply insert that floppy and use the same command as above. Note
that if the first file on the floppy is a continuation from the
previous one then &man.tar.1; will warn you that it cannot
restore it, even if you have not asked it to!Backup BasicsThe three major backup programs are
&man.dump.8;,
&man.tar.1;,
and
&man.cpio.1;.Dump and Restorebackup softwaredump / restoredumprestore
- The traditional Unix backup programs are
+ The traditional &unix; backup programs are
dump and restore. They
operate on the drive as a collection of disk blocks, below the
abstractions of files, links and directories that are created by
the file systems. dump backs up an entire
file system on a device. It is unable to backup only part of a
file system or a directory tree that spans more than one
file system. dump does not write files and
directories to tape, but rather writes the raw data blocks that
comprise files and directories.If you use dump on your root directory, you
would not back up /home,
/usr or many other directories since
these are typically mount points for other file systems or
symbolic links into those file systems.dump has quirks that remain from its early days in
- Version 6 of AT&T Unix (circa 1975). The default
+ Version 6 of AT&T UNIX (circa 1975). The default
parameters are suitable for 9-track tapes (6250 bpi), not the
high-density media available today (up to 62,182 ftpi). These
defaults must be overridden on the command line to utilize the
capacity of current tape drives..rhostsIt is also possible to backup data across the network to a
tape drive attached to another computer with rdump and
rrestore. Both programs rely upon rcmd and
ruserok to access the remote tape drive. Therefore,
the user performing the backup must be listed in the
.rhosts file on the remote computer. The
arguments to rdump and rrestore must be suitable
to use on the remote computer. When
rdumping from a FreeBSD computer to an
Exabyte tape drive connected to a Sun called
komodo, use:&prompt.root; /sbin/rdump 0dsbfu 54000 13000 126 komodo:/dev/nsa8 /dev/da0a 2>&1Beware: there are security implications to
allowing .rhosts authentication. Evaluate your
situation carefully.It is also possible to use dump and
restore in a more secure fashion over
ssh.Using <command>dump</command> over <application>ssh</application>&prompt.root; /sbin/dump -0uan -f - /usr | gzip -2 | ssh1 -c blowfish \
targetuser@targetmachine.example.com dd of=/mybigfiles/dump-usr-l0.gz<command>tar</command>backup softwaretar
- &man.tar.1; also dates back to Version 6 of AT&T Unix
+ &man.tar.1; also dates back to Version 6 of AT&T UNIX
(circa 1975). tar operates in cooperation
with the file system; tar writes files and
directories to tape. tar does not support the
full range of options that are available from &man.cpio.1;, but
tar does not require the unusual command
pipeline that cpio uses.tarMost versions of tar do not support
backups across the network. The GNU version of
tar, which FreeBSD utilizes, supports remote
devices using the same syntax as rdump. To
tar to an Exabyte tape drive connected to a
Sun called komodo, use:&prompt.root; /usr/bin/tar cf komodo:/dev/nsa8 . 2>&1For versions without
remote device support, you can use a pipeline and
rsh to send the data to a remote tape
drive.&prompt.root; tar cf - . | rsh hostname dd of=tape-device obs=20bIf you are worried about the security of backing up over a
network you should use the ssh command
instead of rsh.<command>cpio</command>backup softwarecpio
- &man.cpio.1; is the original Unix file interchange tape
+ &man.cpio.1; is the original &unix; file interchange tape
program for magnetic media. cpio has options
(among many others) to perform byte-swapping, write a number of
different archive formats, and pipe the data to other programs.
This last feature makes cpio an excellent
choice for installation media. cpio does not
know how to walk the directory tree and a list of files must be
provided through stdin.cpiocpio does not support backups across
the network. You can use a pipeline and rsh
to send the data to a remote tape drive.&prompt.root; for f in directory_list; dofind $f >> backup.listdone
&prompt.root; cpio -v -o --format=newc < backup.list | ssh user@host "cat > backup_device"Where directory_list is the list of
directories you want to back up,
user@host is the
user/hostname combination that will be performing the backups, and
backup_device is where the backups should
be written to (e.g., /dev/nsa0).<command>pax</command>backup softwarepaxpaxPOSIXIEEE
- &man.pax.1; is IEEE/POSIX's answer to
+ &man.pax.1; is IEEE/&posix;'s answer to
tar and cpio. Over the
years the various versions of tar and
cpio have gotten slightly incompatible. So
- rather than fight it out to fully standardize them, POSIX
+ rather than fight it out to fully standardize them, &posix;
created a new archive utility. pax attempts
to read and write many of the various cpio
and tar formats, plus new formats of its own.
Its command set more resembles cpio than
tar.<application>Amanda</application>backup softwareAmandaAmandaAmanda (Advanced Maryland
Network Disk Archiver) is a client/server backup system,
rather than a single program. An Amanda server will backup to
a single tape drive any number of computers that have Amanda
clients and a network connection to the Amanda server. A
common problem at sites with a number of large disks is
that the length of time required to backup to data directly to tape
exceeds the amount of time available for the task. Amanda
solves this problem. Amanda can use a holding disk to
backup several file systems at the same time. Amanda creates
archive sets: a group of tapes used over a period of time to
create full backups of all the file systems listed in Amanda's
configuration file. The archive set also contains nightly
incremental (or differential) backups of all the file systems.
Restoring a damaged file system requires the most recent full
backup and the incremental backups.The configuration file provides fine control of backups and the
network traffic that Amanda generates. Amanda will use any of the
above backup programs to write the data to tape. Amanda is available
as either a port or a package, it is not installed by default.Do NothingDo nothing is not a computer program, but it is the
most widely used backup strategy. There are no initial costs. There
is no backup schedule to follow. Just say no. If something happens
to your data, grin and bear it!If your time and your data is worth little to nothing, then
Do nothing is the most suitable backup program for your
- computer. But beware, Unix is a useful tool, you may find that within
+ computer. But beware, &unix; is a useful tool, you may find that within
six months you have a collection of files that are valuable to
you.Do nothing is the correct backup method for
/usr/obj and other directory trees that can be
exactly recreated by your computer. An example is the files that
- comprise the HTML or PostScript version of this Handbook.
+ comprise the HTML or &postscript; version of this Handbook.
These document formats have been created from SGML input
- files. Creating backups of the HTML or PostScript files is
+ files. Creating backups of the HTML or &postscript; files is
not necessary. The SGML files are backed up regularly.Which Backup Program Is Best?LISA&man.dump.8; Period. Elizabeth D. Zwicky
torture tested all the backup programs discussed here. The clear
- choice for preserving all your data and all the peculiarities of Unix
+ choice for preserving all your data and all the peculiarities of &unix;
file systems is dump. Elizabeth created file systems containing
a large variety of unusual conditions (and some not so unusual ones)
and tested each program by doing a backup and restore of those
file systems. The peculiarities included: files with holes, files with
holes and a block of nulls, files with funny characters in their
names, unreadable and unwritable files, devices, files that change
size during the backup, files that are created/deleted during the
backup and more. She presented the results at LISA V in Oct. 1991.
See torture-testing
Backup and Archive Programs.Emergency Restore ProcedureBefore the DisasterThere are only four steps that you need to perform in
preparation for any disaster that may occur.disklabelFirst, print the disklabel from each of your disks
(e.g. disklabel da0 | lpr), your file system table
(/etc/fstab) and all boot messages,
two copies of
each.fix-it floppiesSecond, determine that the boot and fix-it floppies
(boot.flp and fixit.flp)
have all your devices. The easiest way to check is to reboot your
machine with the boot floppy in the floppy drive and check the boot
messages. If all your devices are listed and functional, skip on to
step three.Otherwise, you have to create two custom bootable
floppies which have a kernel that can mount all of your disks
and access your tape drive. These floppies must contain:
fdisk, disklabel,
newfs, mount, and
whichever backup program you use. These programs must be
statically linked. If you use dump, the
floppy must contain restore.Third, create backup tapes regularly. Any changes that you make
after your last backup may be irretrievably lost. Write-protect the
backup tapes.Fourth, test the floppies (either boot.flp
and fixit.flp or the two custom bootable
floppies you made in step two.) and backup tapes. Make notes of the
procedure. Store these notes with the bootable floppy, the
printouts and the backup tapes. You will be so distraught when
restoring that the notes may prevent you from destroying your backup
tapes (How? In place of tar xvf /dev/sa0, you
might accidentally type tar cvf /dev/sa0 and
over-write your backup tape).For an added measure of security, make bootable floppies and two
backup tapes each time. Store one of each at a remote location. A
remote location is NOT the basement of the same office building. A
number of firms in the World Trade Center learned this lesson the
hard way. A remote location should be physically separated from
your computers and disk drives by a significant distance.A Script for Creating a Bootable Floppy /mnt/sbin/init
gzip -c -best /sbin/fsck > /mnt/sbin/fsck
gzip -c -best /sbin/mount > /mnt/sbin/mount
gzip -c -best /sbin/halt > /mnt/sbin/halt
gzip -c -best /sbin/restore > /mnt/sbin/restore
gzip -c -best /bin/sh > /mnt/bin/sh
gzip -c -best /bin/sync > /mnt/bin/sync
cp /root/.profile /mnt/root
cp -f /dev/MAKEDEV /mnt/dev
chmod 755 /mnt/dev/MAKEDEV
chmod 500 /mnt/sbin/init
chmod 555 /mnt/sbin/fsck /mnt/sbin/mount /mnt/sbin/halt
chmod 555 /mnt/bin/sh /mnt/bin/sync
chmod 6555 /mnt/sbin/restore
#
# create the devices nodes
#
cd /mnt/dev
./MAKEDEV std
./MAKEDEV da0
./MAKEDEV da1
./MAKEDEV da2
./MAKEDEV sa0
./MAKEDEV pty0
cd /
#
# create minimum file system table
#
cat > /mnt/etc/fstab < /mnt/etc/passwd < /mnt/etc/master.passwd <After the DisasterThe key question is: did your hardware survive? You have been
doing regular backups so there is no need to worry about the
software.If the hardware has been damaged, the parts should be replaced
before attempting to use the computer.If your hardware is okay, check your floppies. If you are using
a custom boot floppy, boot single-user (type -s
at the boot: prompt). Skip the following
paragraph.If you are using the boot.flp and
fixit.flp floppies, keep reading. Insert the
boot.flp floppy in the first floppy drive and
boot the computer. The original install menu will be displayed on
the screen. Select the Fixit--Repair mode with CDROM or
floppy. option. Insert the
fixit.flp when prompted.
restore and the other programs that you need are
located in /mnt2/stand.Recover each file system separately.mountroot partitiondisklabelnewfsTry to mount (e.g. mount /dev/da0a
/mnt) the root partition of your first disk. If the
disklabel was damaged, use disklabel to re-partition and
label the disk to match the label that you printed and saved. Use
newfs to re-create the file systems. Re-mount the root
partition of the floppy read-write (mount -u -o rw
/mnt). Use your backup program and backup tapes to
recover the data for this file system (e.g. restore vrf
/dev/sa0). Unmount the file system (e.g. umount
/mnt). Repeat for each file system that was
damaged.Once your system is running, backup your data onto new tapes.
Whatever caused the crash or data loss may strike again. Another
hour spent now may save you from further distress later.* I Did Not Prepare for the Disaster, What Now?
]]>
MarcFonvieilleReorganized and enhanced by Network, Memory, and File-Backed File Systemsvirtual disksdisksvirtualAside from the disks you physically insert into your computer:
floppies, CDs, hard drives, and so forth; other forms of disks
are understood by FreeBSD - the virtual
disks.NFSCodadisksmemoryThese include network file systems such as the Network File System and Coda, memory-based
file systems and
file-backed file systems.According to the FreeBSD version you run, you will have to use
different tools for creation and use of file-backed and
memory-based file systems.The FreeBSD 4.X users will have to use &man.MAKEDEV.8;
to create the required devices. FreeBSD 5.0 and later use
&man.devfs.5; to allocate device nodes transparently for the
user.File-Backed File System under FreeBSD 4.Xdisksfile-backed (4.X)The utility &man.vnconfig.8; configures and enables vnode pseudo-disk
devices. A vnode is a representation
of a file, and is the focus of file activity. This means that
&man.vnconfig.8; uses files to create and operate a
file system. One possible use is the mounting of floppy or CD
images kept in files.To use &man.vnconfig.8;, you need &man.vn.4; support in your
kernel configuration file:pseudo-device vnTo mount an existing file system image:Using vnconfig to Mount an Existing File System
Image under FreeBSD 4.X&prompt.root; vnconfig vn0diskimage
&prompt.root; mount /dev/vn0c /mntTo create a new file system image with &man.vnconfig.8;:Creating a New File-Backed Disk with <command>vnconfig</command>&prompt.root; dd if=/dev/zero of=newimage bs=1k count=5k
5120+0 records in
5120+0 records out
&prompt.root; vnconfig -s labels -c vn0newimage
&prompt.root; disklabel -r -w vn0 auto
&prompt.root; newfs vn0c
Warning: 2048 sector(s) in last cylinder unallocated
/dev/vn0c: 10240 sectors in 3 cylinders of 1 tracks, 4096 sectors
5.0MB in 1 cyl groups (16 c/g, 32.00MB/g, 1280 i/g)
super-block backups (for fsck -b #) at:
32
&prompt.root; mount /dev/vn0c /mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/vn0c 4927 1 4532 0% /mntFile-Backed File System under FreeBSD 5.Xdisksfile-backed (5.X)The utility &man.mdconfig.8; is used to configure and enable
memory disks, &man.md.4;, under FreeBSD 5.X. To use
&man.mdconfig.8;, you have to load &man.md.4; module or to add
the support in your kernel configuration file:device mdThe &man.mdconfig.8; command supports three kinds of
memory backed virtual disks: memory disks allocated with
&man.malloc.9;, memory disks using a file or swap space as
backing. One possible use is the mounting of floppy
or CD images kept in files.To mount an existing file system image:Using <command>mdconfig</command> to Mount an Existing File System
Image under FreeBSD 5.X&prompt.root; mdconfig -a -t vnode -f diskimage -u 0
&prompt.root; mount /dev/md0c /mntTo create a new file system image with &man.mdconfig.8;:Creating a New File-Backed Disk with <command>mdconfig</command>&prompt.root; dd if=/dev/zero of=newimage bs=1k count=5k
5120+0 records in
5120+0 records out
&prompt.root; mdconfig -a -t vnode -f newimage -u 0
&prompt.root; disklabel -r -w md0 auto
&prompt.root; newfs md0c
/dev/md0c: 5.0MB (10240 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 1.27MB, 81 blks, 256 inodes.
super-block backups (for fsck -b #) at:
32, 2624, 5216, 7808
&prompt.root; mount /dev/md0c /mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md0c 4846 2 4458 0% /mntIf you do not specify the unit number with the
option, &man.mdconfig.8; will use the
&man.md.4; automatic allocation to select an unused device.
The name of the allocated unit will be output on stdout like
md4. For more details about
&man.mdconfig.8;, please refer to the manual page.Since &os; 5.1-RELEASE, the &man.bsdlabel.8;
utility replaces the old &man.disklabel.8; program. With
&man.bsdlabel.8; a number of obsolete options and parameters
have been retired; in the example above the option
should be removed. For more
information, please refer to the &man.bsdlabel.8;
manual page.The utility &man.mdconfig.8; is very useful, however it
asks many command lines to create a file-backed file system.
FreeBSD 5.0 also comes with a tool called &man.mdmfs.8;,
this program configures a &man.md.4; disk using
&man.mdconfig.8;, puts a UFS file system on it using
&man.newfs.8;, and mounts it using &man.mount.8;. For example,
if you want to create and mount the same file system image as
above, simply type the following:&prompt.root; dd if=/dev/zero of=newimage bs=1k count=5k
5120+0 records in
5120+0 records in
5120+0 records out
&prompt.root; mdmfs -F newimage -s 5m md0/mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md0 4846 2 4458 0% /mntIf you use the option without unit
number, &man.mdmfs.8; will use &man.md.4; auto-unit feature to
automatically select an unused device. For more details
about &man.mdmfs.8;, please refer to the manual page.Memory-Based File System under FreeBSD 4.Xdisksmemory file system (4.X)The &man.md.4; driver is a simple, efficient means to create memory
file systems under FreeBSD 4.X. &man.malloc.9; is used
to allocate the memory.Simply take a file system you have prepared with, for
example, &man.vnconfig.8;, and:md Memory Disk under FreeBSD 4.X&prompt.root; dd if=newimage of=/dev/md0
5120+0 records in
5120+0 records out
&prompt.root; mount /dev/md0c/mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md0c 4927 1 4532 0% /mntFor more details, please refer to &man.md.4; manual
page.Memory-Based File System under FreeBSD 5.Xdisksmemory file system (5.X)The same tools are used for memory-based and file-backed
file systems: &man.mdconfig.8; or &man.mdmfs.8;. The storage
for memory-based file system is allocated with
&man.malloc.9;.Creating a New Memory-Based Disk with
<command>mdconfig</command>&prompt.root; mdconfig -a -t malloc -s 5m -u 1
&prompt.root; newfs -U md1
/dev/md1: 5.0MB (10240 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 1.27MB, 81 blks, 256 inodes.
with soft updates
super-block backups (for fsck -b #) at:
32, 2624, 5216, 7808
&prompt.root; mount /dev/md1/mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md1 4846 2 4458 0% /mntCreating a New Memory-Based Disk with
<command>mdmfs</command>&prompt.root; mdmfs -M -s 5m md2/mnt
&prompt.root; df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md2 4846 2 4458 0% /mntInstead of using a &man.malloc.9; backed file system, it is
possible to use swap, for that just replace
with in the
command line of &man.mdconfig.8;. The &man.mdmfs.8; utility
by default (without ) creates a swap-based
disk. For more details, please refer to &man.mdconfig.8;
and &man.mdmfs.8; manual pages.Detaching a Memory Disk from the Systemdisksdetaching a memory diskWhen a memory-based or file-based file system
is not used, you should release all resources to the system.
The first thing to do is to unmount the file system, then use
&man.mdconfig.8; to detach the disk from the system and release
the resources.For example to detach and free all resources used by
/dev/md4:&prompt.root; mdconfig -d -u 4It is possible to list information about configured
&man.md.4; devices in using the command mdconfig
-l.For FreeBSD 4.X, &man.vnconfig.8; is used to detach
the device. For example to detach and free all resources
used by /dev/vn4:&prompt.root; vnconfig -u vn4TomRhodesContributed by File System Snapshotsfile systemssnapshotsFreeBSD 5.0 offers a new feature in conjunction with
Soft Updates: File system snapshots.Snapshots allow a user to create images of specified file
systems, and treat them as a file.
Snapshot files must be created in the file system that the
action is performed on, and a user may create no more than 20
snapshots per file system. Active snapshots are recorded
in the superblock so they are persistent across unmount and
remount operations along with system reboots. When a snapshot
is no longer required, it can be removed with the standard &man.rm.1;
command. Snapshots may be removed in any order,
however all the used space may not be acquired because another snapshot will
possibly claim some of the released blocks.During initial creation, the flag (see the &man.chflags.1; manual page)
is set to ensure that even root cannot write to the snapshot.
The &man.unlink.1; command makes an exception for snapshot files
since it allows them to be removed
with the flag set, so it is not necessary to
clear the flag before removing a snapshot file.Snapshots are created with the &man.mount.8; command. To place
a snapshot of /var in the file
/var/snapshot/snap use the following
command:&prompt.root; mount -u -o snapshot /var/snapshot/snap /varOnce a snapshot has been created, they have several
uses:Some administrators will use a snapshot file for backup purposes,
because the snapshot can be transfered to CDs or tape.File integrity, &man.fsck.8; may be ran on the snapshot.
Assuming that the file system was clean when it was mounted, you
should always get a clean (and unchanging) result.
This is essentially what the
background &man.fsck.8; process does.Run the &man.dump.8; utility on the snapshot.
A dump will be returned that is consistent with the
file system and the timestamp of the snapshot. &man.dump.8;
can also take a snapshot, create a dump image and then
remove the snapshot in one command using the
flag.&man.mount.8; the snapshot as a frozen image of the file system.
To &man.mount.8; the snapshot
/var/snapshot/snap run:&prompt.root; mdconfig -a -t vnode -f /var/snapshot/snap -u 4&prompt.root; mount -r /dev/md4 /mntYou can now walk the hierarchy of your frozen /var
file system mounted at /mnt. Everything will
be in the same state it was during the snapshot creation time.
The only exception is that any earlier snapshots will appear
as zero length files. When the use of a snapshot has delimited,
it can be unmounted with:&prompt.root; umount /mnt&prompt.root; mdconfig -d -u 4For more information about and
file system snapshots, including technical papers, you can visit
Marshall Kirk McKusick's website at
http://www.mckusick.com.File System Quotasaccountingdisk spacedisk quotasQuotas are an optional feature of the operating system that
allow you to limit the amount of disk space and/or the number of
files a user or members of a group may allocate on a per-file
system basis. This is used most often on timesharing systems where
it is desirable to limit the amount of resources any one user or
group of users may allocate. This will prevent one user or group
of users from consuming all of the available disk space.Configuring Your System to Enable Disk QuotasBefore attempting to use disk quotas, it is necessary to make
sure that quotas are configured in your kernel. This is done by
adding the following line to your kernel configuration
file:options QUOTAThe stock GENERIC kernel does not have
this enabled by default, so you will have to configure, build and
install a custom kernel in order to use disk quotas. Please refer
to for more information on kernel
configuration.Next you will need to enable disk quotas in
/etc/rc.conf. This is done by adding the
line:enable_quotas="YES"disk quotascheckingFor finer control over your quota startup, there is an
additional configuration variable available. Normally on bootup,
the quota integrity of each file system is checked by the
&man.quotacheck.8; program. The
&man.quotacheck.8; facility insures that the data in
the quota database properly reflects the data on the file system.
This is a very time consuming process that will significantly
affect the time your system takes to boot. If you would like to
skip this step, a variable in /etc/rc.conf
is made available for the purpose:check_quotas="NO"If you are running FreeBSD prior to 3.2-RELEASE, the
configuration is simpler, and consists of only one variable. Set
the following in your /etc/rc.conf:check_quotas="YES"Finally you will need to edit /etc/fstab
to enable disk quotas on a per-file system basis. This is where
you can either enable user or group quotas or both for all of your
file systems.To enable per-user quotas on a file system, add the
option to the options field in the
/etc/fstab entry for the file system you want
to enable quotas on. For example:/dev/da1s2g /home ufs rw,userquota 1 2Similarly, to enable group quotas, use the
option instead of
. To enable both user and
group quotas, change the entry as follows:/dev/da1s2g /home ufs rw,userquota,groupquota 1 2By default, the quota files are stored in the root directory of
the file system with the names quota.user and
quota.group for user and group quotas
respectively. See &man.fstab.5; for more
information. Even though the &man.fstab.5; manual page says that
you can specify
an alternate location for the quota files, this is not recommended
because the various quota utilities do not seem to handle this
properly.At this point you should reboot your system with your new
kernel. /etc/rc will automatically run the
appropriate commands to create the initial quota files for all of
the quotas you enabled in /etc/fstab, so
there is no need to manually create any zero length quota
files.In the normal course of operations you should not be required
to run the &man.quotacheck.8;,
&man.quotaon.8;, or &man.quotaoff.8;
commands manually. However, you may want to read their manual pages
just to be familiar with their operation.Setting Quota Limitsdisk quotaslimitsOnce you have configured your system to enable quotas, verify
that they really are enabled. An easy way to do this is to
run:&prompt.root; quota -vYou should see a one line summary of disk usage and current
quota limits for each file system that quotas are enabled
on.You are now ready to start assigning quota limits with the
&man.edquota.8; command.You have several options on how to enforce limits on the
amount of disk space a user or group may allocate, and how many
files they may create. You may limit allocations based on disk
space (block quotas) or number of files (inode quotas) or a
combination of both. Each of these limits are further broken down
into two categories: hard and soft limits.hard limitA hard limit may not be exceeded. Once a user reaches his
hard limit he may not make any further allocations on the file
system in question. For example, if the user has a hard limit of
500 blocks on a file system and is currently using 490 blocks, the
user can only allocate an additional 10 blocks. Attempting to
allocate an additional 11 blocks will fail.soft limitSoft limits, on the other hand, can be exceeded for a limited
amount of time. This period of time is known as the grace period,
which is one week by default. If a user stays over his or her
soft limit longer than the grace period, the soft limit will
turn into a hard limit and no further allocations will be allowed.
When the user drops back below the soft limit, the grace period
will be reset.The following is an example of what you might see when you run
the &man.edquota.8; command. When the
&man.edquota.8; command is invoked, you are placed into
the editor specified by the EDITOR environment
variable, or in the vi editor if the
EDITOR variable is not set, to allow you to edit
the quota limits.&prompt.root; edquota -u testQuotas for user test:
/usr: blocks in use: 65, limits (soft = 50, hard = 75)
inodes in use: 7, limits (soft = 50, hard = 60)
/usr/var: blocks in use: 0, limits (soft = 50, hard = 75)
inodes in use: 0, limits (soft = 50, hard = 60)You will normally see two lines for each file system that has
quotas enabled. One line for the block limits, and one line for
inode limits. Simply change the value you want updated to modify
the quota limit. For example, to raise this user's block limit
from a soft limit of 50 and a hard limit of 75 to a soft limit of
500 and a hard limit of 600, change:/usr: blocks in use: 65, limits (soft = 50, hard = 75)to: /usr: blocks in use: 65, limits (soft = 500, hard = 600)The new quota limits will be in place when you exit the
editor.Sometimes it is desirable to set quota limits on a range of
UIDs. This can be done by use of the option
on the &man.edquota.8; command. First, assign the
desired quota limit to a user, and then run
edquota -p protouser startuid-enduid. For
example, if user test has the desired quota
limits, the following command can be used to duplicate those quota
limits for UIDs 10,000 through 19,999:&prompt.root; edquota -p test 10000-19999For more information see &man.edquota.8; manual page.Checking Quota Limits and Disk Usagedisk quotascheckingYou can use either the &man.quota.1; or the
&man.repquota.8; commands to check quota limits and
disk usage. The &man.quota.1; command can be used to
check individual user or group quotas and disk usage. A user
may only examine his own quota, and the quota of a group he
is a member of. Only the super-user may view all user and group
quotas. The
&man.repquota.8; command can be used to get a summary
of all quotas and disk usage for file systems with quotas
enabled.The following is some sample output from the
quota -v command for a user that has quota
limits on two file systems.Disk quotas for user test (uid 1002):
Filesystem blocks quota limit grace files quota limit grace
/usr 65* 50 75 5days 7 50 60
/usr/var 0 50 75 0 50 60grace periodOn the /usr file system in the above
example, this user is currently 15 blocks over the soft limit of
50 blocks and has 5 days of the grace period left. Note the
asterisk * which indicates that the user is
currently over his quota limit.Normally file systems that the user is not using any disk
space on will not show up in the output from the
&man.quota.1; command, even if he has a quota limit
assigned for that file system. The option
will display those file systems, such as the
/usr/var file system in the above
example.Quotas over NFSNFSQuotas are enforced by the quota subsystem on the NFS server.
The &man.rpc.rquotad.8; daemon makes quota information available
to the &man.quota.1; command on NFS clients, allowing users on
those machines to see their quota statistics.Enable rpc.rquotad in
/etc/inetd.conf like so:rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotadNow restart inetd:&prompt.root; kill -HUP `cat /var/run/inetd.pid`LuckyGreenContributed by shamrock@cypherpunks.toEncrypting Disk PartitionsdisksencryptingFreeBSD offers excellent online protections against
unauthorized data access. File permissions and Mandatory
Access Control (MAC) (see ) help prevent
unauthorized third-parties from accessing data while the operating
system is active and the computer is powered up. However,
the permissions enforced by the operating system are irrelevant if an
attacker has physical access to a computer and can simply move
the computer's hard drive to another system to copy and analyze
the sensitive data.Regardless of how an attacker may have come into possession of
a hard drive or powered-down computer, GEOM Based Disk
Encryption (gbde) can protect the data on the
computer's file systems against even highly-motivated attackers
with significant resources. Unlike cumbersome encryption methods
that encrypt only individual files, gbde
transparently encrypts entire file systems. No cleartext ever
touches the hard drive's platter.Enabling gbde in the KernelBecome <username>root</username>Configuring gbde requires
super-user privileges.&prompt.user; su -
Password:Verify the Operating System Version&man.gbde.4; requires FreeBSD 5.0 or higher.&prompt.root; uname -r
5.0-RELEASEAdd &man.gbde.4; Support to the Kernel Configuration FileUsing your favorite text editor, add the following
line to your kernel configuration file:options GEOM_BDEConfigure, recompile, and install the FreeBSD kernel.
This process is described in .Reboot into the new kernel.Preparing the Encrypted Hard DriveThe following example assumes that you are adding a new hard
drive to your system that will hold a single encrypted partition.
This partition will be mounted as /private.
gbde can also be used to encrypt
/home and /var/mail, but
this requires more complex instructions which exceed the scope of
this introduction.Add the New Hard DriveInstall the new drive to the system as explained in . For the purposes of this example,
a new hard drive partition has been added as
/dev/ad4s1c. The
/dev/ad0s1*
devices represent existing standard FreeBSD partitions on
the example system.&prompt.root; ls /dev/ad*
/dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1
/dev/ad0s1 /dev/ad0s1c /dev/ad0s1f /dev/ad4s1c
/dev/ad0s1a /dev/ad0s1d /dev/ad4Create a Directory to Hold gbde Lock Files&prompt.root; mkdir /etc/gbdeThe gbde lock file contains
information that gbde requires to
access encrypted partitions. Without access to the lock file,
gbde will not be able to decrypt
the data contained in the encrypted partition without
significant manual intervention which is not supported by the
software. Each encrypted partition uses a separate lock
file.Initialize the gbde PartitionA gbde partition must be
initialized before it can be used. This initialization needs to
be performed only once:&prompt.root; gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c&man.gbde.8; will open your editor, permitting you to set
various configuration options in a template. For use with UFS1
or UFS2, set the sector_size to 2048:$FreeBSD: src/sbin/gbde/template.txt,v 1.1 2002/10/20 11:16:13 phk Exp $
#
# Sector size is the smallest unit of data which can be read or written.
# Making it too small decreases performance and decreases available space.
# Making it too large may prevent filesystems from working. 512 is the
# minimum and always safe. For UFS, use the fragment size
#
sector_size = 2048
[...]
&man.gbde.8; will ask you twice to type the passphrase that
should be used to secure the data. The passphrase must be the
same both times. gbde's ability to
protect your data depends entirely on the quality of the
passphrase that you choose.
For tips on how to select a secure passphrase that is easy
to remember, see the Diceware
Passphrase website.The gbde init command creates a lock
file for your gbde partition that in
this example is stored as
/etc/gbde/ad4s1c.gbde lock files
must be backed up together with the
contents of any encrypted partitions. While deleting a lock
file alone cannot prevent a determined attacker from
decrypting a gbde partition,
without the lock file, the legitimate owner will be unable
to access the data on the encrypted partition without a
significant amount of work that is totally unsupported by
&man.gbde.8; and its designer.Attach the Encrypted Partition to the Kernel&prompt.root; gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c You will be asked to provide the passphrase that you
selected during the initialization of the encrypted partition.
The new encrypted device will show up in
/dev as
/dev/device_name.bde:&prompt.root; ls /dev/ad*
/dev/ad0 /dev/ad0s1b /dev/ad0s1e /dev/ad4s1
/dev/ad0s1 /dev/ad0s1c /dev/ad0s1f /dev/ad4s1c
/dev/ad0s1a /dev/ad0s1d /dev/ad4 /dev/ad4s1c.bdeCreate a File System on the Encrypted DeviceOnce the encrypted device has been attached to the kernel,
you can create a file system on the device. To create a file
system on the encrypted device, use &man.newfs.8;. Since it is
much faster to initialize a new UFS2 file system than it is to
initialize the old UFS1 file system, using &man.newfs.8; with
the option is recommended.The option is the default
with &os; 5.1-RELEASE and later.&prompt.root; newfs -U -O2 /dev/ad4s1c.bdeThe &man.newfs.8; command must be performed on an
attached gbde partition which
is identified by a
*.bde
extension to the device name.Mount the Encrypted PartitionCreate a mount point for the encrypted file system.&prompt.root; mkdir /privateMount the encrypted file system.&prompt.root; mount /dev/ad4s1c.bde /privateVerify That the Encrypted File System is AvailableThe encrypted file system should now be visible to
&man.df.1; and be available for use.&prompt.user; df -H
Filesystem Size Used Avail Capacity Mounted on
/dev/ad0s1a 1037M 72M 883M 8% /
/devfs 1.0K 1.0K 0B 100% /dev
/dev/ad0s1f 8.1G 55K 7.5G 0% /home
/dev/ad0s1e 1037M 1.1M 953M 0% /tmp
/dev/ad0s1d 6.1G 1.9G 3.7G 35% /usr
/dev/ad4s1c.bde 150G 4.1K 138G 0% /privateMounting Existing Encrypted File SystemsAfter each boot, any encrypted file systems must be
re-attached to the kernel, checked for errors, and mounted, before
the file systems can be used. The required commands must be
executed as user root.Attach the gbde Partition to the Kernel&prompt.root; gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1cYou will be asked to provide the passphrase that you
selected during initialization of the encrypted gbde
partition.Check the File System for ErrorsSince encrypted file systems cannot yet be listed in
/etc/fstab for automatic mounting, the
file systems must be checked for errors by running &man.fsck.8;
manually before mounting.&prompt.root; fsck -p -t ffs /dev/ad4s1c.bdeMount the Encrypted File System&prompt.root; mount /dev/ad4s1c.bde /privateThe encrypted file system is now available for use.Automatically Mounting Encrypted PartitionsIt is possible to create a script to automatically attach,
check, and mount an encrypted partition, but for security reasons
the script should not contain the &man.gbde.8; password. Instead,
it is recommended that such scripts be run manually while
providing the password via the console or &man.ssh.1;.Cryptographic Protections Employed by gbde&man.gbde.8; encrypts the sector payload using 128-bit AES in
CBC mode. Each sector on the disk is encrypted with a different
AES key. For more information on gbde's
cryptographic design, including how the sector keys are derived
from the user-supplied passphrase, see &man.gbde.4;.Compatibility Issues&man.sysinstall.8; is incompatible with
gbde-encrypted devices. All
*.bde devices must be detached from the
kernel before starting &man.sysinstall.8; or it will crash during
its initial probing for devices. To detach the encrypted device
used in our example, use the following command:&prompt.root; gbde detach /dev/ad4s1cAlso note that, as &man.vinum.4; does not use the
&man.geom.4; subsystem, you cannot use
gbde with
vinum volumes.
diff --git a/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.sgml b/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.sgml
index 722dcc6389..cc90295aa6 100644
--- a/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.sgml
@@ -1,1554 +1,1554 @@
JimMockUpdated and restructured by JakeHambyOriginally contributed by Configuring the FreeBSD KernelSynopsiskernelbuilding a custom kernelThe kernel is the core of the &os; operating system. It is
responsible for managing memory, enforcing security controls,
networking, disk access, and much more. While more and more of &os;
becomes dynamically configurable it is still occasionally necessary to
reconfigure and recompile your kernel.After reading this chapter, you will know:Why you might need to build a custom kernel.How to write a kernel configuration file, or alter an existing
configuration file.How to use the kernel configuration file to create and build a
new kernel.How to install the new kernel.How to create any entries in /dev that may
be required.How to troubleshoot if things go wrong.Why Build a Custom Kernel?Traditionally, &os; has had what is called a
monolithic kernel. This means that the kernel was one
large program, supported a fixed list of devices, and if you wanted to
change the kernel's behavior then you had to compile a new kernel, and
then reboot your computer with the new kernel.Today, &os; is rapidly moving to a model where much of the
kernel's functionality is contained in modules which can be
dynamically loaded and unloaded from the kernel as necessary.
This allows the kernel to adapt to new hardware suddenly
becoming available (such as PCMCIA cards in a laptop), or for
new functionality to be brought into the kernel that was not
necessary when the kernel was originally compiled. This is
known as a modular kernel. Colloquially these are called
KLDs.Despite this, it is still necessary to carry out some static kernel
configuration. In some cases this is because the functionality is so
tied to the kernel that it can not be made dynamically loadable. In
others it may simply be because no one has yet taken the time to write a
dynamic loadable kernel module for that functionality yet.Building a custom kernel is one of the most important rites of
- passage nearly every Unix user must endure. This process, while
+ passage nearly every &unix; user must endure. This process, while
time consuming, will provide many benefits to your &os; system.
Unlike the GENERIC kernel, which must support a
wide range of hardware, a custom kernel only contains support for
your PC's hardware. This has a number of
benefits, such as:Faster boot time. Since the kernel will only probe the
hardware you have on your system, the time it takes your system to
boot will decrease dramatically.Less memory usage. A custom kernel often uses less memory
than the GENERIC kernel, which is important
because the kernel must always be present in real
memory. For this reason, a custom kernel is especially useful
on a system with a small amount of RAM.Additional hardware support. A custom kernel allows you to
add in support for devices such as sound cards, which are not
present in the GENERIC kernel.Building and Installing a Custom Kernelkernelbuilding / installingFirst, let us take a quick tour of the kernel build directory.
All directories mentioned will be relative to the main
/usr/src/sys directory, which is also
accessible through /sys. There are a number of
subdirectories here representing different parts of the kernel, but
the most important, for our purposes, are
arch/conf, where you
will edit your custom kernel configuration, and
compile, which is the staging area where your
kernel will be built. arch represents
either i386, alpha, or
pc98 (an alternative development branch of PC
hardware, popular in Japan). Everything inside a particular
architecture's directory deals with that architecture only; the rest
of the code is common to all platforms to which &os; could
potentially be ported. Notice the logical organization of the
directory structure, with each supported device, file system, and
option in its own subdirectory. &os; 5.X and up has support for
sparc64, and a few other architectures under
development.If there is not a
/usr/src/sys directory on your system,
then the kernel source has not been installed. The easiest
way to do this is by running
/stand/sysinstall as
root, choosing
Configure, then
Distributions, then
src, then
sys. If you have an aversion to
sysinstall and you have access to
an official &os; CDROM, then you can also
install the source from the command line:&prompt.root; mount /cdrom
&prompt.root; mkdir -p /usr/src/sys
&prompt.root; ln -s /usr/src/sys /sys
&prompt.root; cat /cdrom/src/ssys.[a-d]* | tar -xzvf -Next, move to the
arch/conf directory
and copy the GENERIC configuration file to the
name you want to give your kernel. For example:&prompt.root; cd /usr/src/sys/i386/conf
&prompt.root; cp GENERIC MYKERNELTraditionally, this name is in all capital letters and, if you
are maintaining multiple &os; machines with different hardware,
it is a good idea to name it after your machine's hostname. We will
call it MYKERNEL for the purpose of this
example.Storing your kernel config file directly under
/usr/src can be a bad idea. If you are
experiencing problems it can be tempting to just delete
/usr/src and start again. Five seconds after
you do that you realize that you have deleted your custom kernel
config file. Do not edit GENERIC
directly, as it may get overwritten the next time you
update your source tree, and
your kernel modifications will be lost.You might want to keep your kernel config file elsewhere, and then
create a symbolic link to the file in the i386
directory.For example:&prompt.root; cd /usr/src/sys/i386/conf
&prompt.root; mkdir /root/kernels
&prompt.root; cp GENERIC /root/kernels/MYKERNEL
&prompt.root; ln -s /root/kernels/MYKERNELYou must execute these and all of the following commands under
the root account or you will get
permission denied errors.Now, edit MYKERNEL with your favorite text
editor. If you are just starting out, the only editor available
will probably be vi, which is too complex to
explain here, but is covered well in many books in the bibliography. However, &os; does
offer an easier editor called ee which, if
you are a beginner, should be your editor of choice. Feel free to
change the comment lines at the top to reflect your configuration or
the changes you have made to differentiate it from
GENERIC.SunOS
- If you have built a kernel under SunOS or some other BSD
+ If you have built a kernel under &sunos; or some other BSD
operating system, much of this file will be very familiar to you.
If you are coming from some other operating system such as DOS, on
the other hand, the GENERIC configuration file
might seem overwhelming to you, so follow the descriptions in the
Configuration File
section slowly and carefully.Be sure to always check the file
/usr/src/UPDATING, before you perform any update
steps, in the case you sync your source tree with the
latest sources of the &os; project.
In this file all important issues with updating &os;
are typed out. /usr/src/UPDATING always fits
your version of the &os; source, and is therefore more accurate
for new information than the handbook.You must now compile the source code for the kernel. There are two
procedures you can use to do this, and the one you will use depends on
why you are rebuilding the kernel, and the version of &os; you are
running.If you have installed only the kernel
source code, use procedure 1.If you are running a &os; version prior to 4.0, and you are
not upgrading to &os; 4.0 or higher using
the make world procedure, use procedure 1.
If you are building a new kernel without updating the source
code (perhaps just to add a new option, such as
IPFIREWALL) you can use either procedure.If you are rebuilding the kernel as part of a
make world process, use procedure 2.
Procedure 1. Building a Kernel the <quote>Traditional</quote> WayRun &man.config.8; to generate the kernel source code.&prompt.root; /usr/sbin/config MYKERNELChange into the build directory. This is printed out after running the aforementioned
command.&prompt.root; cd ../compile/MYKERNELFor &os; version prior to 5.0, use instead:&prompt.root; cd ../../compile/MYKERNELCompile the kernel.&prompt.root; make depend
&prompt.root; makeInstall the new kernel.&prompt.root; make installProcedure 2. Building a Kernel the <quote>New</quote>
WayChange to the /usr/src directory.&prompt.root; cd /usr/srcCompile the kernel.&prompt.root; make buildkernel KERNCONF=MYKERNELInstall the new kernel.&prompt.root; make installkernel KERNCONF=MYKERNELIn &os; 4.2 and older you must replace
KERNCONF= with KERNEL=.
4.2-STABLE that was fetched before Feb 2nd, 2001 does not
recognize KERNCONF=.cvsupanonymous CVSCTMCVSanonymousIf you have not upgraded your source
tree in any way (you have not run CVSup,
CTM, or used
anoncvs), then you should use the
config, make depend,
make, make install sequence.
kernel.oldThe new kernel will be copied to the root directory as
/kernel and the old kernel will be moved to
/kernel.old. Now, shutdown the system and
reboot to use your new kernel. In case something goes wrong, there are
some troubleshooting
instructions at the end of this chapter. Be sure to read the
section which explains how to recover in case your new kernel does not boot.As of &os; 5.0, kernels are installed along with their
modules in /boot/kernel, and old kernels
will be backed up in /boot/kernel.old.
Other files relating to the boot process, such as the boot
&man.loader.8; and configuration are also stored in
/boot. Third party or custom modules
may be placed in /boot/modules, although
users should be aware that keeping modules in sync with the
compiled kernel is very important. Modules not intended
to run with the compiled kernel may result in instability
or incorrectness.If you have added any new devices (such as sound cards)
and you are running &os; 4.X or previous versions, you
may have to add some device nodes to your
/dev directory before you can use
them. For more information, take a look at Making Device Nodes
section later on in this chapter.The Configuration FilekernelLINTLINTkernelconfig fileThe general format of a configuration file is quite simple.
Each line contains a keyword and one or more arguments. For
simplicity, most lines only contain one argument. Anything
following a # is considered a comment and
ignored. The following sections describe each keyword, generally in
the order they are listed in GENERIC, although
some related keywords have been grouped together in a single section
(such as Networking) even though they are actually scattered
throughout the GENERIC file. An exhaustive list of options and more
detailed explanations of the device lines is present in the
LINT configuration file, located in the same
directory as GENERIC. If you are in doubt as
to the purpose or necessity of a line, check first in
LINT.In &os; 5.X and above the LINT is
non-existent. See the NOTES file for
architecture dependent options. Some options, mainly
architecture independent ones, are stored in the
/usr/src/sys/conf/NOTES file. It's
advisable to review the options in here also.kernelexample config fileThe following is an example GENERIC kernel
configuration file with various additional comments where needed for
clarity. This example should match your copy in
/usr/src/sys/i386/conf/GENERIC fairly
closely. For details of all the possible kernel options, see
/usr/src/sys/i386/conf/LINT.#
# GENERIC -- Generic kernel configuration file for &os;/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
# http://www.&os;.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# &os; World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.380 2003/03/29 13:36:41 mdodd Exp $The following are the mandatory keywords required in
every kernel you build:kernel optionsmachinemachine i386This is the machine architecture. It must be either
i386, pc98,
sparc64, alpha,
ia64, amd64, or
powerpc.kernel optionscpucpu I486_CPU
cpu I586_CPU
cpu I686_CPUThe above option specifies the type of CPU you have in your
system. You may have multiple instances of the CPU line (i.e.,
you are not sure whether you should use
I586_CPU or I686_CPU),
however, for a custom kernel, it is best to specify only the CPU
you have. If you are unsure of your CPU type, you can check the
/var/run/dmesg.boot file to view your boot
up messages.kernel optionscpu typeSupport for I386_CPU is still provided in the
source of &os;, but it is disabled by default in both -STABLE and
-CURRENT. This means that to install &os; with a 386-class cpu, you now
have the following options:Install an older &os; release and rebuild from source as
described in .Build the userland and kernel on a newer machine and install on
the 386 using the precompiled /usr/obj
files (see for details).Roll your own release of FreeBSD which includes
I386_CPU support in the kernels of the
installation CD-ROM.The first of these options is probably the easiest of all, but you
will need a lot of disk space on a 386-class machine which may be
difficult to find.kernel optionsidentident GENERICThis is the identification of the kernel. You should change
this to whatever you named your kernel,
i.e. MYKERNEL if you have followed the
instructions of the previous examples. The value you put in the
ident string will print when you boot up the
kernel, so it is useful to give the new kernel a different name if you
want to keep it separate from your usual kernel (i.e. you want to
build an experimental kernel).kernel optionsmaxusersmaxusers nThe maxusers option sets the size of a number
of important system tables. This number is supposed to be roughly
equal to the number of simultaneous users you expect to have on your
machine.Starting with &os; 4.5, the system will auto-tune this setting
for you if you explicitly set it to 0The auto-tuning algorithm sets maxuser equal
to the amount of memory in the system, with a minimum of 32, and a
maximum of 384..
In &os;-5.x, maxusers will default to
0 if not specified. If you are using an
version of &os; earlier than 4.5, or you want to manage it
yourself you will want to set
maxusers to at least 4, especially if you are
using the X Window System or compiling software. The reason is that
the most important table set by maxusers is the
maximum number of processes, which is set to 20 + 16 *
maxusers, so if you set maxusers to 1,
then you can only have 36 simultaneous processes, including the 18
or so that the system starts up at boot time, and the 15 or so you
will probably create when you start the X Window System. Even a
simple task like reading a manual page will start up nine processes to
filter, decompress, and view it. Setting
maxusers to 64 will allow you to have up to 1044
simultaneous processes, which should be enough for nearly all uses.
If, however, you see the dreaded proc table
full error when trying to start another program, or are
running a server with a large number of simultaneous users (like
ftp.FreeBSD.org), you can always
increase the number and rebuild.maxusers does not
limit the number of users which can log into your machine. It
simply sets various table sizes to reasonable values considering
the maximum number of users you will likely have on your system
and how many processes each of them will be running. One keyword
which does limit the number of simultaneous
remote logins and X terminal windows is pseudo-device pty
16.# Floating point support - do not disable.
device npx0 at nexus? port IO_NPX irq 13npx0 is the interface to the floating point
math unit in &os;, which is either the hardware co-processor or
the software math emulator. This is not
optional.# Pseudo devices - the number indicates how many units to allocate.
pseudo-device loop # Network loopbackThis is the generic loopback device for TCP/IP. If you telnet
or FTP to localhost (a.k.a., 127.0.0.1) it will come back at you through
this pseudo-device. This is mandatory.Everything that follows is more or less optional. See the notes
underneath or next to each option for more information.#To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" #Default places to look for devices.In &os; 5.x and newer versions the &man.device.hints.5; is
used to configure options of the device drivers. The default
location that &man.loader.8; will check at boot time is
/boot/device.hints. Using the
hints option you can compile these hints
statically into your kernel. Then there is no need to create a
device.hints file in
/boot.#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbolsThe normal build process of the &os; does not include
debugging information when building the kernel and strips most
symbols after the resulting kernel is linked, to save some space
at the install location. If you are going to do tests of kernels
in the -CURRENT branch or develop changes of your own for the &os;
kernel, you might want to uncomment this line. It will enable the
use of the option which enables debugging
information when passed to &man.gcc.1;. The same can be
accomplished by the &man.config.8; option, if
you're using the old procedure of building your kernels (config;
make depend; etc.).options MATH_EMULATE #Support for x87 emulationThis line allows the kernel to simulate a math co-processor if
your computer does not have one (386 or 486SX). If you have a
486DX, or a 386 or 486SX (with a separate 387 or 487 chip), or
- higher (Pentium, Pentium II, etc.), you can comment this line
+ higher (&pentium;, &pentium; II, etc.), you can comment this line
out.The normal math co-processor emulation routines that come with
&os; are not very accurate. If you do not
have a math co-processor, and you need the best accuracy, it is
recommended that you change this option to
GPL_MATH_EMULATE to use the GNU math support,
which is not included by default for licensing reasons.In &os; 5.0, math emulation is disabled by default,
as older CPUs that do not have native floating point math support
are far less common, and in many cases not supported by the
GENERIC kernel without other additional options.options INET #InterNETworkingNetworking support. Leave this in, even if you do not plan to
be connected to a network. Most programs require at least loopback
networking (i.e., making network connections within your PC), so
this is essentially mandatory.options INET6 #IPv6 communications protocolsThis enables the IPv6 communication protocols.options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]This is the basic hard drive Filesystem. Leave it in if you
boot from the hard disk.In &os; 5.0, FFS_ROOT is no longer
required.options UFS_ACL #Support for access control listsThis option, present only in &os; 5.0, enables kernel support
for access control lists. This relies on the use of extended
attributes and UFS2, and the feature is described in detail
in the . ACLs are enabled by default, and should not be
disabled in the kernel if they have been used previously on a file
system, as this will remove the access control lists changing the
way files are protected in unpredictable ways.options UFS_DIRHASH #Improve performance on big directoriesThis option includes functionality to speed up disk
operations on large directories, at the expense of using
additional memory. You would normally keep this for a large
server, or interactive workstation, and remove it if you are
using &os; on a smaller system where memory is at a premium and
disk access speed is less important, such as a firewall.options SOFTUPDATES #Enable FFS Soft Updates supportThis option enables Soft Updates in the kernel, this will
help speed up write access on the disks. Even when this
functionality is provided by the kernel, it must be turned on
for specific disks. Review the output from &man.mount.8; to see
if SoftUpdates is enabled for your system disks. If you do not
see the soft-updates option then you will
need to activate it using the &man.tunefs.8; (for existing
filesystems) or &man.newfs.8; (for new filesystems)
commands.options MFS #Memory Filesystem
options MD_ROOT #MD is a potential root deviceThis is the memory-mapped Filesystem. This is basically a RAM
disk for fast storage of temporary files, useful if you have a lot
of swap space that you want to take advantage of. A perfect place
to mount an MFS partition is on the /tmp
directory, since many programs store temporary data here. To mount
an MFS RAM disk on /tmp, add the following line
to /etc/fstab:/dev/ad1s2b /tmp mfs rw 0 0Now you simply need to either reboot, or run the command
mount /tmp.In &os; 5.0, &man.md.4;-backed UFS file systems are
used for memory file systems rather than MFS. Information on
configuring MD-backed file systems may be found in the man pages
for &man.mdconfig.8; and &man.mdmfs.8;. As a result, the
MFS option is no longer supported.kernel optionsNFSkernel optionsNFS_ROOToptions NFS #Network Filesystem
options NFS_ROOT #NFS usable as root device, NFS requiredThe network Filesystem. Unless you plan to mount partitions
- from a Unix file server over TCP/IP, you can comment these
+ from a &unix; file server over TCP/IP, you can comment these
out.kernel optionsMSDOSFSoptions MSDOSFS #MSDOS Filesystem
- The MS-DOS Filesystem. Unless you plan to mount a DOS formatted
+ The &ms-dos; Filesystem. Unless you plan to mount a DOS formatted
hard drive partition at boot time, you can safely comment this out.
It will be automatically loaded the first time you mount a DOS
partition, as described above. Also, the excellent
mtools software (in the ports collection)
allows you to access DOS floppies without having to mount and
unmount them (and does not require MSDOSFS at
all).options CD9660 #ISO 9660 Filesystem
options CD9660_ROOT #CD-ROM usable as root, CD9660 requiredThe ISO 9660 Filesystem for CDROMs. Comment it out if you do
not have a CDROM drive or only mount data CDs occasionally (since it
will be dynamically loaded the first time you mount a data CD).
Audio CDs do not need this Filesystem.options PROCFS #Process filesystemThe process filesystem. This is a pretend
filesystem mounted on /proc which allows
programs like &man.ps.1; to give you more information on what
processes are running. In &os; 5.0, use of PROCFS
is not required under most circumstances, as most
debugging and monitoring tools have been adapted to run without
PROCFS. In addition, 5.0-CURRENT kernels
making use of PROCFS must now also include
support for PSEUDOFS:options PSEUDOFS #Pseudo-filesystem frameworkPSEUDOFS is not available in &os; 4.X.
Unlike in &os; 4.X, new installs of &os; 5.0 will not mount
the process file system by default.options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]Compatibility with 4.3BSD. Leave this in; some programs will
act strangely if you comment this out.options COMPAT_FREEBSD4 #Compatible with &os;4
- This option is required on &os; 5.0 i386 and alpha systems
+ This option is required on &os; 5.0 &i386; and alpha systems
to support applications compiled on older versions of &os;
that use older system call interfaces. It is recommended that
- this option be used on all i386 and alpha systems that may
+ this option be used on all &i386; and alpha systems that may
run older applications; platforms that gained support only in
- 5.0, such as ia64 and sparc64, do not require this option.
+ 5.0, such as ia64 and &sparc64;, do not require this option.options SCSI_DELAY=15000 #Delay (in ms) before probing SCSIThis causes the kernel to pause for 15 seconds before probing
each SCSI device in your system. If you only have IDE hard drives,
you can ignore this, otherwise you will probably want to lower this
number, perhaps to 5 seconds, to speed up booting. Of course, if
you do this, and &os; has trouble recognizing your SCSI devices,
you will have to raise it back up.options UCONSOLE #Allow users to grab the consoleAllow users to grab the console, which is useful for X users.
For example, you can create a console xterm
by typing xterm
-C, which will display any &man.write.1;,
&man.talk.1;, and any other messages you receive, as well
as any console messages sent by the kernel.In &os; 5.0, UCONSOLE is no
longer required.options USERCONFIG #boot -c editorThis option allows you to boot the configuration editor from the
boot menu.options VISUAL_USERCONFIG #visual boot -c editorThis option allows you to boot the visual configuration editor
from the boot menu.From &os; versions 5.0 and later, the USERCONFIG options has
been depreciated in favor of the new &man.device.hints.5;
method. For more information on &man.device.hints.5; please
visit .options KTRACE #ktrace(1) supportThis enables kernel process tracing, which is useful in
debugging.options SYSVSHM #SYSV-style shared memoryThis option provides for System V shared memory. The most
common use of this is the XSHM extension in X, which many
graphics-intensive programs will automatically take advantage of for
extra speed. If you use X, you will definitely want to include
this.options SYSVSEM #SYSV-style semaphoresSupport for System V semaphores. Less commonly used but only
adds a few hundred bytes to the kernel.options SYSVMSG #SYSV-style message queuesSupport for System V messages. Again, only adds a few hundred
bytes to the kernel.The &man.ipcs.1; command will list any processes using each of
these System V facilities.options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
- Real-time extensions added in the 1993 POSIX. Certain
+ Real-time extensions added in the 1993 &posix;. Certain
applications in the ports collection use these
(such as StarOffice).In &os; 5.0, all of this functionality is now
provided by the _KPOSIX_PRIORITY_SCHEDULING
option, and P1003_1B is no longer
required.kernel optionsICMP_BANDLIMDenial of Service (DoS)options ICMP_BANDLIM #Rate limit bad repliesThis option enables ICMP error response bandwidth limiting. You
typically want this option as it will help protect the machine from
denial of service packet attacks.In &os; 5.0, this feature is enabled by default and
the ICMP_BANDLIM option is not required.
kernel optionsSMP# To make an SMP kernel, the next two are needed
#options SMP # Symmetric MultiProcessor Kernel
#options APIC_IO # Symmetric (APIC) I/OThe above are both required for SMP support.device isaAll PCs supported by &os; have one of these. If you have an
IBM PS/2 (Micro Channel Architecture), &os; provides some
limited support at this time. For more information about the
MCA support, see
/usr/src/sys/i386/conf/LINT.device eisaInclude this if you have an EISA motherboard. This enables
auto-detection and configuration support for all devices on the EISA
bus.device pciInclude this if you have a PCI motherboard. This enables
auto-detection of PCI cards and gatewaying from the PCI to ISA
bus.device agpInclude this if you have an AGP card in the system. This
will enable support for AGP, and AGP GART for boards which
have these features.# Floppy drives
device fdc0 at isa? port IO_FD1 irq 6 drq 2
device fd0 at fdc0 drive 0
device fd1 at fdc0 drive 1This is the floppy drive controller. fd0 is
the A: floppy drive, and
fd1 is the B:
drive.device ataThis driver supports all ATA and ATAPI devices. You only need
one device ata line for the kernel to detect all
PCI ATA/ATAPI devices on modern machines.device atadisk # ATA disk drivesThis is needed along with device ata for
ATA disk drives.
device atapicd # ATAPI CDROM drivesThis is needed along with device ata for
ATAPI CDROM drives.device atapifd # ATAPI floppy drivesThis is needed along with device ata for
ATAPI floppy drives.device atapist # ATAPI tape drivesThis is needed along with device ata for
ATAPI tape drives.options ATA_STATIC_ID #Static device numberingThis makes the controller number static (like the old driver) or
else the device numbers are dynamically allocated.# ATA and ATAPI devices
device ata0 at isa? port IO_WD1 irq 14
device ata1 at isa? port IO_WD2 irq 15Use the above for older, non-PCI systems.# SCSI Controllers
device ahb # EISA AHA1742 family
device ahc # AHA2940 and onboard AIC7xxx devices
device amd # AMD 53C974 (Teckram DC-390(T))
device dpt # DPT Smartcache - See LINT for options!
device isp # Qlogic family
device ncr # NCR/Symbios Logic
device sym # NCR/Symbios Logic (newer chipsets)
device adv0 at isa?
device adw
device bt0 at isa?
device aha0 at isa?
device aic0 at isa?SCSI controllers. Comment out any you do not have in your
system. If you have an IDE only system, you can remove these
altogether.# SCSI peripherals
device scbus # SCSI bus (required)
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct SCSI
access)SCSI peripherals. Again, comment out any you do not have, or if
you have only IDE hardware, you can remove them completely.# RAID controllers
device ida # Compaq Smart RAID
device amr # AMI MegaRAID
device mlx # Mylex DAC960 familySupported RAID controllers. If you do not have any of these,
you can comment them out or remove them.# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc0 at isa? port IO_KBDThe keyboard controller (atkbdc) provides I/O
services for the AT keyboard and PS/2 style pointing devices. This
controller is required by the keyboard driver
(atkbd) and the PS/2 pointing device driver
(psm).device atkbd0 at atkbdc? irq 1The atkbd driver, together with
atkbdc controller, provides access to the AT 84
keyboard or the AT enhanced keyboard which is connected to the AT
keyboard controller.device psm0 at atkbdc? irq 12Use this device if your mouse plugs into the PS/2 mouse
port.device vga0 at isa?The video card driver.# splash screen/screen saver
pseudo-device splashSplash screen at start up! Screen savers require this
too.# syscons is the default console driver, resembling an SCO console
device sc0 at isa?sc0 is the default console driver, which
resembles a SCO console. Since most full-screen programs access the
console through a terminal database library like
termcap, it should not matter whether you use
this or vt0, the VT220
compatible console driver. When you log in, set your
TERM variable to scoansi if
full-screen programs have trouble running under this console.# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device vt0 at isa?
#options XSERVER # support for X server on a vt console
#options FAT_CURSOR # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options PCVT_SCANSET=2 # IBM keyboards are non-stdThis is a VT220-compatible console driver, backward compatible to
VT100/102. It works well on some laptops which have hardware
incompatibilities with sc0. Also set your
TERM variable to vt100 or
vt220 when you log in. This driver might also
prove useful when connecting to a large number of different machines
over the network, where termcap or
terminfo entries for the sc0
device are often not available — vt100
should be available on virtually any platform.# Power management support (see LINT for more options)
device apm0 at nexus? disable flags 0x20 # Advanced Power ManagementAdvanced Power Management support. Useful for laptops.# PCCARD (PCMCIA) support
device card
device pcic0 at isa? irq 10 port 0x3e0 iomem 0xd0000
device pcic1 at isa? irq 11 port 0x3e2 iomem 0xd4000 disablePCMCIA support. You want this if you are using a
laptop.# Serial (COM) ports
device sio0 at isa? port IO_COM1 flags 0x10 irq 4
device sio1 at isa? port IO_COM2 irq 3
device sio2 at isa? disable port IO_COM3 irq 5
device sio3 at isa? disable port IO_COM4 irq 9These are the four serial ports referred to as COM1 through COM4
- in the MS-DOS/Windows world.
+ in the &ms-dos/&windows; world.If you have an internal modem on COM4 and a serial port at
COM2, you will have to change the IRQ of the modem to 2 (for
obscure technical reasons, IRQ2 = IRQ 9) in order to access it
from &os;. If you have a multiport serial card, check the
manual page for &man.sio.4; for more information on the proper
values for these lines. Some video cards (notably those based on
S3 chips) use IO addresses in the form of
0x*2e8, and since many cheap serial cards do
not fully decode the 16-bit IO address space, they clash with
these cards making the COM4 port practically unavailable.Each serial port is required to have a unique IRQ (unless you
are using one of the multiport cards where shared interrupts are
supported), so the default IRQs for COM3 and COM4 cannot be
used.# Parallel port
device ppc0 at isa? irq 7This is the ISA-bus parallel port interface.device ppbus # Parallel port bus (required)Provides support for the parallel port bus.device lpt # PrinterSupport for parallel port printers.All three of the above are required to enable parallel printer
support.device plip # TCP/IP over parallelThis is the driver for the parallel network interface.device ppi # Parallel port interface deviceThe general-purpose I/O (geek port) + IEEE1284
I/O.#device vpo # Requires scbus and dazip driveThis is for an Iomega Zip drive. It requires
scbus and da support. Best
performance is achieved with ports in EPP 1.9 mode.# PCI Ethernet NICs.
device de # DEC/Intel DC21x4x (Tulip)
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device tx # SMC 9432TX (83c170 EPIC)
device vx # 3Com 3c590, 3c595 (Vortex)
device wx # Intel Gigabit Ethernet Card (Wiseman)Various PCI network card drivers. Comment out or remove any of
these not present in your system.# PCI Ethernet NICs that use the common MII bus controller code.
device miibus # MII bus supportMII bus support is required for some PCI 10/100 Ethernet NICs,
namely those which use MII-compliant transceivers or implement
transceiver control interfaces that operate like an MII. Adding
device miibus to the kernel config pulls in
support for the generic miibus API and all of the PHY drivers,
including a generic one for PHYs that are not specifically handled
by an individual driver.device dc # DEC/Intel 21143 and various workalikes
device rl # RealTek 8129/8139
device sf # Adaptec AIC-6915 (Starfire)
device sis # Silicon Integrated Systems SiS 900/SiS 7016
device ste # Sundance ST201 (D-Link DFE-550TX)
device tl # Texas Instruments ThunderLAN
device vr # VIA Rhine, Rhine II
device wb # Winbond W89C840F
device xl # 3Com 3c90x (Boomerang, Cyclone)Drivers that use the MII bus controller code.# ISA Ethernet NICs.
device ed0 at isa? port 0x280 irq 10 iomem 0xd8000
device ex
device ep
# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
# exists only as a PCMCIA device, so there is no ISA attachment needed
# and resources will always be dynamically assigned by the pccard code.
device wi
# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
# mode (the factory default). If you set the switches on your ISA
# card for a manually chosen I/O address and IRQ, you must specify
# those parameters here.
device an
# The probe order of these is presently determined by i386/isa/isa_compat.c.
device ie0 at isa? port 0x300 irq 10 iomem 0xd0000
device fe0 at isa? port 0x300
device le0 at isa? port 0x300 irq 5 iomem 0xd0000
device lnc0 at isa? port 0x280 irq 10 drq 0
device cs0 at isa? port 0x300
device sn0 at isa? port 0x300 irq 10
# requires PCCARD (PCMCIA) support to be activated
#device xe0 at isa?ISA Ethernet drivers. See
/usr/src/sys/i386/conf/LINT for which cards are
supported by which driver.pseudo-device ether # Ethernet supportether is only needed if you have an Ethernet
card. It includes generic Ethernet protocol code.pseudo-device sl 1 # Kernel SLIPsl is for SLIP support. This has been almost
entirely supplanted by PPP, which is easier to set up, better suited
for modem-to-modem connection, and more powerful. The
number after sl
specifies how many simultaneous SLIP sessions to support.pseudo-device ppp 1 # Kernel PPPThis is for kernel PPP support for dial-up connections. There
is also a version of PPP implemented as a userland application that
uses tun and offers more flexibility and features
such as demand dialing. The number after
ppp specifies how many simultaneous PPP
connections to support.pseudo-device tun # Packet tunnel.This is used by the userland PPP software. A
number after tun
specifies the number of simultaneous PPP sessions to support. See
the PPP section of this book for more
information.
pseudo-device pty # Pseudo-ttys (telnet etc)This is a pseudo-terminal or simulated login port.
It is used by incoming telnet and
rlogin sessions,
xterm, and some other applications such
as Emacs. A
number after pty indicates the number of
ptys to create. If you need more than the
default of 16 simultaneous xterm windows
and/or remote logins, be sure to increase this number accordingly,
up to a maximum of 256.pseudo-device md # Memory disksMemory disk pseudo-devices.pseudo-device giforpseudo-device gif 4 # IPv6 and IPv4 tunnelingThis implements IPv6 over IPv4 tunneling, IPv4 over IPv6 tunneling,
IPv4 over IPv4 tunneling, and IPv6 over IPv6 tunneling. Beginning with
&os; 4.4 the gif device is
auto-cloning, and you should use the first example
(without the number after gif). Earlier versions of
&os; require the number.pseudo-device faith 1 # IPv6-to-IPv4 relaying (translation)This pseudo-device captures packets that are sent to it and
diverts them to the IPv4/IPv6 translation daemon.# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf # Berkeley packet filterThis is the Berkeley Packet Filter. This pseudo-device allows
network interfaces to be placed in promiscuous mode, capturing every
packet on a broadcast network (e.g., an Ethernet). These packets
can be captured to disk and or examined with the &man.tcpdump.1;
program.The bpf pseudo-device is also used by
&man.dhclient.8; to obtain the IP address of the default router
(gateway) and so on. If you use DHCP, leave this
uncommented.# USB support
#device uhci # UHCI PCI->USB interface
#device ohci # OHCI PCI->USB interface
#device usb # USB Bus (required)
#device ugen # Generic
#device uhid # Human Interface Devices
#device ukbd # Keyboard
#device ulpt # Printer
#device umass # Disks/Mass storage - Requires scbus and da
#device ums # Mouse
# USB Ethernet, requires mii
#device aue # ADMtek USB ethernet
#device cue # CATC USB ethernet
#device kue # Kawasaki LSI USB ethernetSupport for various USB devices.For more information and additional devices supported by
&os;, see
/usr/src/sys/i386/conf/LINT.Making Device Nodesdevice nodesMAKEDEVIf you are running &os; 5.0 or later
you can safely skip this section. These versions use
&man.devfs.5; to allocate device nodes transparently for the user.Almost every device in the kernel has a corresponding
node entry in the /dev directory.
These nodes look like regular files, but are actually special
entries into the kernel which programs use to access the device.
The shell script /dev/MAKEDEV, which is
executed when you first install the operating system, creates
nearly all of the device nodes supported. However, it does not
create all of them, so when you add support for
a new device, it pays to make sure that the appropriate entries are
in this directory, and if not, add them. Here is a simple
example:Suppose you add the IDE CD-ROM support to the kernel. The line
to add is:device acd0This means that you should look for some entries that start with
acd0 in the /dev
directory, possibly followed by a letter, such as
c, or preceded by the letter
r, which means a raw device. It
turns out that those files are not there, so you must change to the
/dev directory and type:MAKEDEV&prompt.root; sh MAKEDEV acd0When this script finishes, you will find that there are now
acd0c and racd0c entries
in /dev so you know that it executed
correctly.For sound cards, the following command creates the appropriate
entries:&prompt.root; sh MAKEDEV snd0When creating device nodes for devices such as sound cards, if
other people have access to your machine, it may be desirable to
protect the devices from outside access by adding them to the
/etc/fbtab file. See &man.fbtab.5; for more
information.Follow this simple procedure for any other
non-GENERIC devices which do not have
entries.All SCSI controllers use the same set of
/dev entries, so you do not need to create
these. Also, network cards and SLIP/PPP pseudo-devices do not
have entries in /dev at all, so you do not
have to worry about these either.If Something Goes WrongThere are five categories of trouble that can occur when
building a custom kernel. They are:config fails:If the &man.config.8; command fails when you
give it your kernel description, you have probably made a
simple error somewhere. Fortunately,
&man.config.8; will print the line number that it
had trouble with, so you can quickly skip to it with
vi. For example, if you see:config: line 17: syntax errorYou can skip to the problem in vi by
typing 17G in command mode. Make sure the
keyword is typed correctly, by comparing it to the
GENERIC kernel or another
reference.make fails:If the make command fails, it usually
signals an error in your kernel description, but not severe
enough for &man.config.8; to catch it. Again, look
over your configuration, and if you still cannot resolve the
problem, send mail to the &a.questions; with your kernel
configuration, and it should be diagnosed very quickly.Installing the new kernel fails:If the kernel compiled fine, but failed to install
(the make install or
make installkernel command failed),
the first thing to check is if your system is running at
securelevel 1 or higher (see &man.init.8;). The kernel
installation tries to remove the immutable flag from
your kernel and set the immutable flag on the new one.
Since securelevel 1 or higher prevents unsetting the immutable
flag for any files on the system, the kernel installation needs
to be performed at securelevel 0 or lower.The kernel does not boot:If your new kernel does not boot, or fails to
recognize your devices, do not panic! Fortunately, &os; has
an excellent mechanism for recovering from incompatible
kernels. Simply choose the kernel you want to boot from at
the &os; boot loader. You can access this when the system
counts down from 10. Hit any key except for the
Enter key, type unload
and then type
boot kernel.old,
or the filename of any other kernel that will boot properly.
When reconfiguring a kernel, it is always a good idea to keep
a kernel that is known to work on hand.After booting with a good kernel you can check over your
configuration file and try to build it again. One helpful
resource is the /var/log/messages file
which records, among other things, all of the kernel messages
from every successful boot. Also, the &man.dmesg.8; command
will print the kernel messages from the current boot.If you are having trouble building a kernel, make sure
to keep a GENERIC, or some other kernel
that is known to work on hand as a different name that will
not get erased on the next build. You cannot rely on
kernel.old because when installing a
new kernel, kernel.old is overwritten
with the last installed kernel which may be non-functional.
Also, as soon as possible, move the working kernel to the
proper kernel location or commands such
as &man.ps.1; will not work properly. The proper command to
unlock the kernel file that
make installs (in order to move another
kernel back permanently) is:&prompt.root; chflags noschg /kernelIf you find you cannot do this, you are probably running
at a &man.securelevel.8; greater than zero. Edit
kern_securelevel in
/etc/rc.conf and set it to
-1, then reboot. You can change it back
to its previous setting when you are happy with your new
kernel.And, if you want to lock your new kernel
into place, or any file for that matter, so that it cannot
be moved or tampered with:&prompt.root; chflags schg /kernelIn &os; 5.0, kernels are not installed with the
system immutable flag, so this is unlikely to be the source
of the problem you're experiencing.The kernel works, but &man.ps.1; does not work
any more:If you have installed a different version of the kernel
from the one that the system utilities have been built with,
for example, a 4.X kernel on a 3.X system, many system-status
commands like &man.ps.1; and &man.vmstat.8; will not work any
more. You must recompile the libkvm
library as well as these utilities. This is one reason it is
not normally a good idea to use a different version of the
kernel from the rest of the operating system.
diff --git a/en_US.ISO8859-1/books/handbook/printing/chapter.sgml b/en_US.ISO8859-1/books/handbook/printing/chapter.sgml
index d0c0c7342e..0c3f254859 100644
--- a/en_US.ISO8859-1/books/handbook/printing/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/printing/chapter.sgml
@@ -1,4891 +1,4891 @@
SeanKellyContributed by JimMockRestructured and updated by PrintingSynopsisLPD spooling systemprintingFreeBSD can be used to print to a wide variety of printers, from the
oldest impact printer to the latest laser printers, and everything in
between, allowing you to produce high quality printed output from the
applications you run.FreeBSD can also be configured to act as a print server on a
network; in this capacity FreeBSD can receive print jobs from a variety
- of other computers, including other FreeBSD computers, Windows and MacOS
+ of other computers, including other FreeBSD computers, &windows; and &macos;
hosts. FreeBSD will ensure that one job at a time is printed, and can
keep statistics on which users and machines are doing the most printing,
produce banner pages showing who's printout is who's, and
more.After reading this chapter, you will know:How to configure the FreeBSD print spooler.How to install print filters, to handle special print jobs
differently, including converting incoming documents to print
formats that your printers understand.How to enable header, or banner pages on your printout.How to print to printers connected to other computers.How to print to printers connected directly to the
network.How to control printer restrictions, including limiting the size
of print jobs, and preventing certain users from printing.How to keep printer statistics, and account for printer
usage.How to troubleshoot printing problems.Before reading this chapter, you should:Know how to configure and install a new kernel
().IntroductionIn order to use printers with FreeBSD, you will need to set
them up to work with the Berkeley line printer spooling system,
also known as the LPD spooling system.
It is the standard printer control system in FreeBSD. This
chapter introduces the LPD spooling
system, often simply called LPD, and
will guide you through its configuration.If you are already familiar with
LPD or another printer spooling
system, you may wish to skip to section Setting up the spooling
system.LPD controls everything about a
host's printers. It is responsible for a number of things:It controls access to attached printers and printers
attached to other hosts on the network.print jobsIt enables users to submit files to be printed; these
submissions are known as jobs.It prevents multiple users from accessing a printer at the
same time by maintaining a queue for each
printer.It can print header pages (also known
as banner or burst
pages) so users can easily find jobs they have printed in a
stack of printouts.It takes care of communications parameters for printers
connected on serial ports.It can send jobs over the network to a
LPD spooler on another host.It can run special filters to format jobs to be printed for
various printer languages or printer capabilities.It can account for printer usage.Through a configuration file
(/etc/printcap), and by providing the special
filter programs, you can enable the LPD
system to do all or some
subset of the above for a great variety of printer hardware.Why You Should Use the SpoolerIf you are the sole user of your system, you may be wondering
why you should bother with the spooler when you do not need access
control, header pages, or printer accounting. While it is
possible to enable direct access to a printer, you should use the
spooler anyway since:LPD prints jobs in the background;
you do not have to wait
for data to be copied to the printer.&tex;LPD can conveniently run a job
to be printed through
filters to add date/time headers or convert a special file
format (such as a &tex; DVI file) into a format the printer will
understand. You will not have to do these steps
manually.Many free and commercial programs that provide a print
feature usually expect to talk to the spooler on your system.
By setting up the spooling system, you will more easily
support other software you may later add or already
have.Basic SetupTo use printers with the LPD spooling
system, you will need to
set up both your printer hardware and the
LPD software. This
document describes two levels of setup:See section Simple Printer
Setup to learn how to connect a printer, tell
LPD how to
communicate with it, and print plain text files to the
printer.See section Advanced
Printer Setup to find out how to print a variety of
special file formats, to print header pages, to print across a
network, to control access to printers, and to do printer
accounting.Simple Printer SetupThis section tells how to configure printer hardware and the
LPD software to use the printer.
It teaches the basics:Section Hardware
Setup gives some hints on connecting the printer to a
port on your computer.Section Software
Setup shows how to setup the
LPD spooler configuration
file (/etc/printcap).If you are setting up a printer that uses a network protocol
to accept data to print instead of a serial or parallel interface,
see Printers With
Networked Data Stream Interfaces.Although this section is called Simple Printer
Setup, it is actually fairly complex. Getting the printer
to work with your computer and the LPD
spooler is the hardest
part. The advanced options like header pages and accounting are
fairly easy once you get the printer working.Hardware SetupThis section tells about the various ways you can connect a
printer to your PC. It talks about the kinds of ports and
cables, and also the kernel configuration you may need to enable
FreeBSD to speak to the printer.If you have already connected your printer and have
successfully printed with it under another operating system, you
can probably skip to section Software Setup.Ports and CablesNearly all printers you can get for a PC today support one
or both of the following interfaces:printersserialSerial interfaces use a serial
port on your computer to send data to the printer. Serial
interfaces are common in the computer industry and cables
are readily available and also easy to construct. Serial
interfaces sometimes need special cables and might require
you to configure somewhat complex communications
options.printersparallelParallel interfaces use a
parallel port on your computer to send data to the
printer. Parallel interfaces are common in the PC market.
Cables are readily available but more difficult to
construct by hand. There are usually no communications
options with parallel interfaces, making their
configuration exceedingly simple.centronicsparallel printersParallel interfaces are sometimes known as
Centronics interfaces, named after the
connector type on the printer.In general, serial interfaces are slower than parallel
interfaces. Parallel interfaces usually offer just
one-way communication (computer to printer) while serial
gives you two-way. Many newer parallel ports and printers
can communicate in both directions under FreeBSD when a
IEEE1284 compliant cable is used.PostScriptUsually, the only time you need two-way communication with
- the printer is if the printer speaks PostScript. PostScript
- printers can be very verbose. In fact, PostScript jobs are
+ the printer is if the printer speaks &postscript;. &postscript;
+ printers can be very verbose. In fact, &postscript; jobs are
actually programs sent to the printer; they need not produce
paper at all and may return results directly to the computer.
- PostScript also uses two-way communication to tell the
- computer about problems, such as errors in the PostScript
+ &postscript; also uses two-way communication to tell the
+ computer about problems, such as errors in the &postscript;
program or paper jams. Your users may be appreciative of such
information. Furthermore, the best way to do effective
- accounting with a PostScript printer requires two-way
+ accounting with a &postscript; printer requires two-way
communication: you ask the printer for its page count (how
many pages it has printed in its lifetime), then send the
user's job, then ask again for its page count. Subtract the
two values and you know how much paper to charge the
user.Parallel PortsTo hook up a printer using a parallel interface, connect
the Centronics cable between the printer and the computer.
The instructions that came with the printer, the computer, or
both should give you complete guidance.Remember which parallel port you used on the computer.
The first parallel port is /dev/ppc0 to
FreeBSD; the second is /dev/ppc1, and so
on. The printer device name uses the same scheme:
/dev/lpt0 for the printer on the first
parallel ports etc.Serial PortsTo hook up a printer using a serial interface, connect the
proper serial cable between the printer and the computer. The
instructions that came with the printer, the computer, or both
should give you complete guidance.If you are unsure what the proper serial
cable is, you may wish to try one of the following
alternatives:A modem cable connects each pin
of the connector on one end of the cable straight through
to its corresponding pin of the connector on the other
end. This type of cable is also known as a
DTE-to-DCE cable.null-modem cableA null-modem cable connects some
pins straight through, swaps others (send data to receive
data, for example), and shorts some internally in each
connector hood. This type of cable is also known as a
DTE-to-DTE cable.A serial printer cable, required
for some unusual printers, is like the null-modem cable,
but sends some signals to their counterparts instead of
being internally shorted.baud rateparityflow control protocolYou should also set up the communications parameters for
the printer, usually through front-panel controls or DIP
switches on the printer. Choose the highest
bps (bits per second, sometimes
baud rate) rate that both your computer
and the printer can support. Choose 7 or 8 data bits; none,
even, or odd parity; and 1 or 2 stop bits. Also choose a flow
control protocol: either none, or XON/XOFF (also known as
in-band or software) flow control.
Remember these settings for the software configuration that
follows.Software SetupThis section describes the software setup necessary to print
with the LPD spooling system in FreeBSD.
Here is an outline of the steps involved:Configure your kernel, if necessary, for the port you
are using for the printer; section Kernel Configuration tells
you what you need to do.Set the communications mode for the parallel port, if
you are using a parallel port; section Setting the
Communication Mode for the Parallel Port gives
details.Test if the operating system can send data to the printer.
Section Checking Printer
Communications gives some suggestions on how to do
this.Set up LPD for the printer by
modifying the file
/etc/printcap. You will find out how
to do this later in this chapter.Kernel ConfigurationThe operating system kernel is compiled to work with a
specific set of devices. The serial or parallel interface for
your printer is a part of that set. Therefore, it might be
necessary to add support for an additional serial or parallel
port if your kernel is not already configured for one.To find out if the kernel you are currently using supports
a serial interface, type:&prompt.root; grep sioN /var/run/dmesg.bootWhere N is the number of the
serial port, starting from zero. If you see output similar to
the following:sio2 at port 0x3e8-0x3ef irq 5 on isa
sio2: type 16550Athen the kernel supports the port.To find out if the kernel supports a parallel interface,
type:&prompt.root; grep ppcN /var/run/dmesg.bootWhere N is the number of the
parallel port, starting from zero. If you see output similar
to the following:ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes thresholdthen the kernel supports the port.You might have to reconfigure your kernel in order for the
operating system to recognize and use the parallel or serial
port you are using for the printer.To add support for a serial port, see the section on
kernel configuration. To add support for a parallel port, see
that section and the section that
follows.Adding <filename>/dev</filename> Entries for the
PortsFreeBSD 5.0 includes the devfs
filesystem which automatically creates device nodes as
needed. If you are running a version of FreeBSD with
devfs enabled then you can safely skip
this section.Even though the kernel may support communication along a
serial or parallel port, you will still need a software
interface through which programs running on the system can
send and receive data. That is what entries in the
/dev directory are for.To add a /dev entry for a
port:Become root with the &man.su.1; command.
Enter the root password when prompted.Change to the /dev
directory:&prompt.root; cd /devType:&prompt.root; ./MAKEDEV portWhere port is the device
entry for the port you want to make. Use
lpt0 for the printer on the first parallel port,
lpt1 for the printer on the second port, and so on; use
ttyd0 for the first serial port,
ttyd1 for the second, and so on.Type:&prompt.root; ls -l portto make sure the device entry got created.Setting the Communication Mode for the Parallel
PortWhen you are using the parallel interface, you can choose
whether FreeBSD should use interrupt-driven or polled
communication with the printer. The generic printer
device driver (&man.lpt.4;) on FreeBSD 4.X and 5.X
uses the &man.ppbus.4; system, which controls the port
chipset with the &man.ppc.4; driver.The interrupt-driven method is
the default with the GENERIC kernel. With this method,
the operating system uses an IRQ line to determine when
the printer is ready for data.The polled method directs the
operating system to repeatedly ask the printer if it is
ready for more data. When it responds ready, the kernel
sends more data.The interrupt-driven method is usually somewhat faster
but uses up a precious IRQ line. Some newer HP printers
are claimed not to work correctly in interrupt mode,
apparently due to some (not yet exactly understood) timing
problem. These printers need polled mode. You should use
whichever one works. Some printers will work in both
modes, but are painfully slow in interrupt mode.You can set the communications mode in two ways: by
configuring the kernel or by using the &man.lptcontrol.8;
program.To set the communications mode by configuring
the kernel:Edit your kernel configuration file. Look for
an ppc0 entry. If you are setting up
the second parallel port, use ppc1
instead. Use ppc2 for the third port,
and so on.If you want interrupt-driven mode, for FreeBSD 4.X add the
irq specifier:device ppc0 at isa? irq NWhere N is the IRQ
number for your computer's parallel port.For FreeBSD 5.X, edit the following line:hint.ppc.0.irq="N"in the /boot/device.hints file
and replace N with the right
IRQ number. The kernel configuration file must
also contain the &man.ppc.4; driver:device ppcIf you want polled mode, do not add the
irq specifier:For FreeBSD 4.X, use the following line in
your kernel configuration file:device ppc0 at isa?For FreeBSD 5.X, simply remove in your
/boot/device.hints file, the
following line:hint.ppc.0.irq="N"In some cases, this is not enough to put the
port in polled mode under FreeBSD 5.X. Most of
time it comes from &man.acpi.4; driver, this latter
is able to probe and attach devices, and therefore,
control the access mode to the printer port. You
should check your &man.acpi.4; configuration to
correct this problem.Save the file. Then configure, build, and install the
kernel, then reboot. See kernel configuration for
more details.To set the communications mode with
&man.lptcontrol.8;:Type:&prompt.root; lptcontrol -i -d /dev/lptNto set interrupt-driven mode for
lptN.Type:&prompt.root; lptcontrol -p -d /dev/lptNto set polled-mode for
lptN.You could put these commands in your
/etc/rc.local file to set the mode each
time your system boots. See &man.lptcontrol.8; for more
information.Checking Printer CommunicationsBefore proceeding to configure the spooling system, you
should make sure the operating system can successfully send
data to your printer. It is a lot easier to debug printer
communication and the spooling system separately.To test the printer, we will send some text to it. For
printers that can immediately print characters sent to them,
the program &man.lptest.1; is perfect: it generates all 96
printable ASCII characters in 96 lines.PostScript
- For a PostScript (or other language-based) printer, we
- will need a more sophisticated test. A small PostScript
+ For a &postscript; (or other language-based) printer, we
+ will need a more sophisticated test. A small &postscript;
program, such as the following, will suffice:%!PS
100 100 moveto 300 300 lineto stroke
310 310 moveto /Helvetica findfont 12 scalefont setfont
(Is this thing working?) show
showpage
- The above PostScript code can be placed into a file and
+ The above &postscript; code can be placed into a file and
used as shown in the examples appearing in the following
sections.PCLWhen this document refers to a printer language, it is
- assuming a language like PostScript, and not Hewlett
+ assuming a language like &postscript;, and not Hewlett
Packard's PCL. Although PCL has great functionality, you
can intermingle plain text with its escape sequences.
- PostScript cannot directly print plain text, and that is the
+ &postscript; cannot directly print plain text, and that is the
kind of printer language for which we must make special
accommodations.Checking a Parallel PrinterprintersparallelThis section tells you how to check if FreeBSD can
communicate with a printer connected to a parallel
port.To test a printer on a parallel
port:Become root with &man.su.1;.Send data to the printer.If the printer can print plain text, then use
&man.lptest.1;. Type:&prompt.root; lptest > /dev/lptNWhere N is the number
of the parallel port, starting from zero.
- If the printer understands PostScript or other
+ If the printer understands &postscript; or other
printer language, then send a small program to the
printer. Type:&prompt.root; cat > /dev/lptNThen, line by line, type the program
carefully as you cannot edit a
line once you have pressed RETURN
or ENTER. When you have finished
entering the program, press
CONTROL+D, or whatever your end
of file key is.Alternatively, you can put the program in a file
and type:&prompt.root; cat file > /dev/lptNWhere file is the
name of the file containing the program you want to
send to the printer.You should see something print. Do not worry if the
text does not look right; we will fix such things
later.Checking a Serial PrinterprintersserialThis section tells you how to check if FreeBSD can
communicate with a printer on a serial port.To test a printer on a serial
port:Become root with &man.su.1;.Edit the file /etc/remote. Add
the following entry:printer:dv=/dev/port:br#bps-rate:pa=paritybits-per-secondserial portparityWhere port is the device
entry for the serial port (ttyd0,
ttyd1, etc.),
bps-rate is the
bits-per-second rate at which the printer communicates,
and parity is the parity
required by the printer (either even,
odd, none, or
zero).Here is a sample entry for a printer connected via
a serial line to the third serial port at 19200 bps with
no parity:printer:dv=/dev/ttyd2:br#19200:pa=noneConnect to the printer with &man.tip.1;.
Type:&prompt.root; tip printerIf this step does not work, edit the file
/etc/remote again and try using
/dev/cuaaN
instead of
/dev/ttydN.Send data to the printer.If the printer can print plain text, then use
&man.lptest.1;. Type:&prompt.user; $lptest
- If the printer understands PostScript or other
+ If the printer understands &postscript; or other
printer language, then send a small program to the
printer. Type the program, line by line,
very carefully as backspacing
or other editing keys may be significant to the
printer. You may also need to type a special
end-of-file key for the printer so it knows it
- received the whole program. For PostScript
+ received the whole program. For &postscript;
printers, press CONTROL+D.Alternatively, you can put the program in a file
and type:&prompt.user; >fileWhere file is the
name of the file containing the program. After
&man.tip.1; sends the file, press any required
end-of-file key.You should see something print. Do not worry if the
text does not look right; we will fix that later.Enabling the Spooler: the <filename>/etc/printcap</filename>
FileAt this point, your printer should be hooked up, your kernel
configured to communicate with it (if necessary), and you have
been able to send some simple data to the printer. Now, we are
ready to configure LPD to control access
to your printer.You configure LPD by editing the file
/etc/printcap. The
LPD spooling system
reads this file each time the spooler is used, so updates to the
file take immediate effect.printerscapabilitiesThe format of the &man.printcap.5; file is straightforward.
Use your favorite text editor to make changes to
/etc/printcap. The format is identical to
other capability files like
/usr/share/misc/termcap and
/etc/remote. For complete information
about the format, see the &man.cgetent.3;.The simple spooler configuration consists of the following
steps:Pick a name (and a few convenient aliases) for the
printer, and put them in the
/etc/printcap file; see the
Naming the Printer
section for more information on naming.header pagesTurn off header pages (which are on by default) by
inserting the sh capability; see the
Suppressing Header
Pages section for more information.Make a spooling directory, and specify its location with
the sd capability; see the Making the Spooling
Directory section for more information.Set the /dev entry to use for the
printer, and note it in /etc/printcap
with the lp capability; see the Identifying the Printer
Device for more information. Also, if the printer is
on a serial port, set up the communication parameters with
the ms# capability which is discussed in the Configuring Spooler
Communications Parameters section.Install a plain text input filter; see the Installing the Text
Filter section for details.Test the setup by printing something with the
&man.lpr.1; command. More details are available in the
Trying It Out and
Troubleshooting
sections.
- Language-based printers, such as PostScript printers,
+ Language-based printers, such as &postscript; printers,
cannot directly print plain text. The simple setup outlined
above and described in the following sections assumes that if
you are installing such a printer you will print only files
that the printer can understand.Users often expect that they can print plain text to any of
the printers installed on your system. Programs that interface
to LPD to do their printing usually
make the same assumption.
If you are installing such a printer and want to be able to
print jobs in the printer language and
print plain text jobs, you are strongly urged to add an
additional step to the simple setup outlined above: install an
- automatic plain-text-to-PostScript (or other printer language)
+ automatic plain-text-to-&postscript; (or other printer language)
conversion program. The section entitled Accommodating Plain
- Text Jobs on PostScript Printers tells how to do
+ Text Jobs on &postscript; Printers tells how to do
this.Naming the PrinterThe first (easy) step is to pick a name for your printer
It really does not matter whether you choose functional or
whimsical names since you can also provide a number of aliases
for the printer.At least one of the printers specified in the
/etc/printcap should have the alias
lp. This is the default printer's name.
If users do not have the PRINTER environment
variable nor specify a printer name on the command line of any
of the LPD commands,
then lp will be the
default printer they get to use.Also, it is common practice to make the last alias for a
printer be a full description of the printer, including make
and model.Once you have picked a name and some common aliases, put
them in the /etc/printcap file. The name
of the printer should start in the leftmost column. Separate
each alias with a vertical bar and put a colon after the last
alias.In the following example, we start with a skeletal
/etc/printcap that defines two printers
- (a Diablo 630 line printer and a Panasonic KX-P4455 PostScript
+ (a Diablo 630 line printer and a Panasonic KX-P4455 &postscript;
laser printer):#
# /etc/printcap for host rose
#
rattan|line|diablo|lp|Diablo 630 Line Printer:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:In this example, the first printer is named
rattan and has as aliases
line, diablo,
lp, and Diablo 630 Line
Printer. Since it has the alias
lp, it is also the default printer. The
second is named bamboo, and has as aliases
ps, PS,
S, panasonic, and
Panasonic KX-P4455 PostScript v51.4.Suppressing Header Pagesprintingheader pagesThe LPD spooling system will
by default print a
header page for each job. The header
page contains the user name who requested the job, the host
from which the job came, and the name of the job, in nice
large letters. Unfortunately, all this extra text gets in the
way of debugging the simple printer setup, so we will suppress
header pages.To suppress header pages, add the sh
capability to the entry for the printer in
/etc/printcap. Here is an example
/etc/printcap with sh
added:#
# /etc/printcap for host rose - no header pages anywhere
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:Note how we used the correct format: the first line starts
in the leftmost column, and subsequent lines are indented with
a single TAB. Every line in an entry except the last ends in
a backslash character.Making the Spooling Directoryprinter spoolprint jobsThe next step in the simple spooler setup is to make a
spooling directory, a directory where
print jobs reside until they are printed, and where a number
of other spooler support files live.Because of the variable nature of spooling directories, it
is customary to put these directories under
/var/spool. It is not necessary to
backup the contents of spooling directories, either.
Recreating them is as simple as running &man.mkdir.1;.It is also customary to make the directory with a name
that is identical to the name of the printer, as shown
below:&prompt.root; mkdir /var/spool/printer-nameHowever, if you have a lot of printers on your network,
you might want to put the spooling directories under a single
directory that you reserve just for printing with
LPD. We
will do this for our two example printers
rattan and
bamboo:&prompt.root; mkdir /var/spool/lpd
&prompt.root; mkdir /var/spool/lpd/rattan
&prompt.root; mkdir /var/spool/lpd/bambooIf you are concerned about the privacy of jobs that
users print, you might want to protect the spooling
directory so it is not publicly accessible. Spooling
directories should be owned and be readable, writable, and
searchable by user daemon and group daemon, and no one else.
We will do this for our example printers:&prompt.root; chown daemon:daemon /var/spool/lpd/rattan
&prompt.root; chown daemon:daemon /var/spool/lpd/bamboo
&prompt.root; chmod 770 /var/spool/lpd/rattan
&prompt.root; chmod 770 /var/spool/lpd/bambooFinally, you need to tell LPD
about these directories
using the /etc/printcap file. You
specify the pathname of the spooling directory with the
sd capability:#
# /etc/printcap for host rose - added spooling directories
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:Note that the name of the printer starts in the first
column but all other entries describing the printer should be
indented with a tab and each line escaped with a
backslash.If you do not specify a spooling directory with
sd, the spooling system will use
/var/spool/lpd as a default.Identifying the Printer DeviceIn the Adding
/dev Entries for the Ports
section, we identified which entry in the
/dev directory FreeBSD will use to
communicate with the printer. Now, we tell
LPD that
information. When the spooling system has a job to print, it
will open the specified device on behalf of the filter program
(which is responsible for passing data to the printer).List the /dev entry pathname in the
/etc/printcap file using the
lp capability.In our running example, let us assume that
rattan is on the first parallel port, and
bamboo is on a sixth serial port; here are
the additions to /etc/printcap:#
# /etc/printcap for host rose - identified what devices to use
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:\
:lp=/dev/ttyd5:If you do not specify the lp capability
for a printer in your /etc/printcap file,
LPD uses /dev/lp
as a default.
/dev/lp currently does not exist in
FreeBSD.If the printer you are installing is connected to a
parallel port, skip to the section entitled, Installing the Text
Filter. Otherwise, be sure to follow the instructions
in the next section.Configuring Spooler Communication ParametersprintersserialFor printers on serial ports, LPD
can set up the bps rate,
parity, and other serial communication parameters on behalf of
the filter program that sends data to the printer. This is
advantageous since:It lets you try different communication parameters by
simply editing the /etc/printcap
file; you do not have to recompile the filter
program.It enables the spooling system to use the same filter
program for multiple printers which may have different
serial communication settings.The following /etc/printcap
capabilities control serial communication parameters of the
device listed in the lp capability:br#bps-rateSets the communications speed of the device to
bps-rate, where
bps-rate can be 50, 75, 110,
134, 150, 200, 300, 600, 1200, 1800, 2400, 4800, 9600,
19200, 38400, 57600, or 115200 bits-per-second.ms#stty-modeSets the options for the terminal device after
opening the device. &man.stty.1; explains the
available options.When LPD opens the device
specified by the lp capability, it sets
the characteristics of the device to those specified with
the ms# capability. Of particular
interest will be the parenb,
parodd, cs5,
cs6, cs7,
cs8, cstopb,
crtscts, and ixon
modes, which are explained in the &man.stty.1;
manual page.Let us add to our example printer on the sixth serial
port. We will set the bps rate to 38400. For the mode,
we will set no parity with -parenb,
8-bit characters with cs8,
no modem control with clocal and
hardware flow control with crtscts:bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:Installing the Text FilterprintingfiltersWe are now ready to tell LPD
what text filter to use to
send jobs to the printer. A text filter,
also known as an input filter, is a
program that LPD runs when it
has a job to print. When LPD
runs the text filter for a printer, it sets the filter's
standard input to the job to print, and its standard output to
the printer device specified with the lp
capability. The filter is expected to read the job from
standard input, perform any necessary translation for the
printer, and write the results to standard output, which will
get printed. For more information on the text filter, see
the Filters
section.For our simple printer setup, the text filter can be a
small shell script that just executes
/bin/cat to send the job to the printer.
FreeBSD comes with another filter called
lpf that handles backspacing and
underlining for printers that might not deal with such
character streams well. And, of course, you can use any other
filter program you want. The filter lpf is
described in detail in section entitled lpf: a Text
Filter.First, let us make the shell script
/usr/local/libexec/if-simple be a simple
text filter. Put the following text into that file with your
favorite text editor:#!/bin/sh
#
# if-simple - Simple text input filter for lpd
# Installed in /usr/local/libexec/if-simple
#
# Simply copies stdin to stdout. Ignores all filter arguments.
/bin/cat && exit 0
exit 2Make the file executable:&prompt.root; chmod 555 /usr/local/libexec/if-simpleAnd then tell LPD to use it by specifying it with the
if capability in
/etc/printcap. We will add it to the two
printers we have so far in the example
/etc/printcap:#
# /etc/printcap for host rose - added text filter
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\ :lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:\
:if=/usr/local/libexec/if-simple:Turn on <application>LPD</application>&man.lpd.8; is run from /etc/rc,
controlled by the lpd_enable variable. This
variable defaults to NO. If you have not done
so already, add the line:lpd_enable="YES"to /etc/rc.conf, and then either restart
your machine, or just run &man.lpd.8;.&prompt.root; lpdTrying It OutYou have reached the end of the simple
LPD setup.
Unfortunately, congratulations are not quite yet in order,
since we still have to test the setup and correct any
problems. To test the setup, try printing something. To
print with the LPD system, you
use the command &man.lpr.1;,
which submits a job for printing.You can combine &man.lpr.1; with the &man.lptest.1;
program, introduced in section Checking Printer
Communications to generate some test text.To test the simple LPD
setup:Type:&prompt.root; lptest 20 5 | lpr -Pprinter-nameWhere printer-name is a the
name of a printer (or an alias) specified in
/etc/printcap. To test the default
printer, type &man.lpr.1; without any
argument. Again, if you are testing a printer that expects
- PostScript, send a PostScript program in that language instead
+ &postscript;, send a &postscript; program in that language instead
of using &man.lptest.1;. You can do so by putting the program
in a file and typing lpr
file.
- For a PostScript printer, you should get the results of
+ For a &postscript; printer, you should get the results of
the program. If you are using &man.lptest.1;, then your
results should look like the following:!"#$%&'()*+,-./01234
"#$%&'()*+,-./012345
#$%&'()*+,-./0123456
$%&'()*+,-./01234567
%&'()*+,-./012345678To further test the printer, try downloading larger
programs (for language-based printers) or running
&man.lptest.1; with different arguments. For example,
lptest 80 60 will produce 60 lines of 80
characters each.If the printer did not work, see the Troubleshooting
section.Advanced Printer SetupThis section describes filters for printing specially formatted
files, header pages, printing across networks, and restricting and
accounting for printer usage.FiltersprintingfiltersAlthough LPD handles network protocols,
queuing, access control,
and other aspects of printing, most of the real
work happens in the filters. Filters are
programs that communicate with the printer and handle its device
dependencies and special requirements. In the simple printer setup,
we installed a plain text filter—an extremely simple one that
should work with most printers (section Installing the Text
Filter).However, in order to take advantage of format conversion, printer
accounting, specific printer quirks, and so on, you should understand
how filters work. It will ultimately be the filter's responsibility
to handle these aspects. And the bad news is that most of the time
you have to provide filters yourself. The good
news is that many are generally available; when they are not, they are
usually easy to write.Also, FreeBSD comes with one,
/usr/libexec/lpr/lpf, that works with many
printers that can print plain text. (It handles backspacing and tabs
in the file, and does accounting, but that is about all it does.)
There are also several filters and filter components in the FreeBSD
Ports Collection.Here is what you will find in this section:Section How Filters
Work, tries to give an overview of a filter's role in the
printing process. You should read this section to get an
understanding of what is happening under the hood
when LPD uses filters. This knowledge
could help you anticipate
and debug problems you might encounter as you install more and
more filters on each of your printers.LPD expects every printer to be
able to print plain text by
- default. This presents a problem for PostScript (or other
+ default. This presents a problem for &postscript; (or other
language-based printers) which cannot directly print plain text.
Section Accommodating
- Plain Text Jobs on PostScript Printers tells you what you
+ Plain Text Jobs on &postscript; Printers tells you what you
should do to overcome this problem. You should read this
- section if you have a PostScript printer.
+ section if you have a &postscript; printer.
- PostScript is a popular output format for many programs. Even
- some people (myself included) write PostScript code directly. But
- PostScript printers are expensive. Section Simulating PostScript on
- Non-PostScript Printers tells how you can further modify
- a printer's text filter to accept and print PostScript data on a
- non-PostScript printer. You should read
- this section if you do not have a PostScript printer.
+ &postscript; is a popular output format for many programs. Even
+ some people (myself included) write &postscript; code directly. But
+ &postscript; printers are expensive. Section Simulating &postscript; on
+ Non &postscript; Printers tells how you can further modify
+ a printer's text filter to accept and print &postscript; data on a
+ non &postscript; printer. You should read
+ this section if you do not have a &postscript; printer.Section Conversion
Filters tells about a way you can automate the conversion
of specific file formats, such as graphic or typesetting data,
into formats your printer can understand. After reading this
section, you should be able to set up your printers such that
users can type lpr -t to print troff data, or
lpr -d to print &tex; DVI data, or lpr
-v to print raster image data, and so forth. I
recommend reading this section.Section Output
Filters tells all about a not often used feature of
LPD:
output filters. Unless you are printing header pages (see Header Pages),
you can probably skip that section altogether.Section lpf: a Text
Filter describes lpf, a fairly
complete if simple text filter for line printers (and laser
printers that act like line printers) that comes with FreeBSD. If
you need a quick way to get printer accounting working for plain
text, or if you have a printer which emits smoke when it sees
backspace characters, you should definitely consider
lpf.How Filters WorkAs mentioned before, a filter is an executable program started
by LPD to handle the device-dependent part of
communicating with the printer.When LPD wants to print a file in a
job, it starts a filter
program. It sets the filter's standard input to the file to print,
its standard output to the printer, and its standard error to the
error logging file (specified in the lf
capability in /etc/printcap, or
/dev/console by default).troffWhich filter LPD starts and the
filter's arguments depend on
what is listed in the /etc/printcap file and
what arguments the user specified for the job on the
&man.lpr.1; command line. For example, if the user typed
lpr -t, LPD would
start the troff filter, listed
in the tf capability for the destination printer.
If the user wanted to print plain text, it would start the
if filter (this is mostly true: see Output Filters for
details).There are three kinds of filters you can specify in
/etc/printcap:The text filter, confusingly called the
input filter in
LPD documentation, handles
regular text printing. Think of it as the default filter.
LPD
expects every printer to be able to print plain text by default,
and it is the text filter's job to make sure backspaces, tabs,
or other special characters do not confuse the printer. If you
are in an environment where you have to account for printer
usage, the text filter must also account for pages printed,
usually by counting the number of lines printed and comparing
that to the number of lines per page the printer supports. The
text filter is started with the following argument list:
filter-name-c-wwidth-llength-iindent-n login-h hostacct-file
where
appears if the job is submitted with lpr
-lwidthis the value from the pw (page
width) capability specified in
/etc/printcap, default 132lengthis the value from the pl (page
length) capability, default 66indentis the amount of the indentation from lpr
-i, default 0loginis the account name of the user printing the
filehostis the host name from which the job was
submittedacct-fileis the name of the accounting file from the
af capability.printingfiltersA conversion filter converts a specific
file format into one the printer can render onto paper. For
example, ditroff typesetting data cannot be directly printed,
but you can install a conversion filter for ditroff files to
convert the ditroff data into a form the printer can digest and
print. Section Conversion
Filters tells all about them. Conversion filters also
need to do accounting, if you need printer accounting.
Conversion filters are started with the following arguments:
filter-name-xpixel-width-ypixel-height-n login-h hostacct-file
where pixel-width is the value
from the px capability (default 0) and
pixel-height is the value from the
py capability (default 0).The output filter is used only if there
is no text filter, or if header pages are enabled. In my
experience, output filters are rarely used. Section Output Filters describe
them. There are only two arguments to an output filter:
filter-name-wwidth-llength
which are identical to the text filters and
arguments.Filters should also exit with the
following exit status:exit 0If the filter printed the file successfully.exit 1If the filter failed to print the file but wants
LPD to
try to print the file again. LPD
will restart a filter if it exits with this status.exit 2If the filter failed to print the file and does not want
LPD to try again.
LPD will throw out the file.The text filter that comes with the FreeBSD release,
/usr/libexec/lpr/lpf, takes advantage of the
page width and length arguments to determine when to send a form
feed and how to account for printer usage. It uses the login, host,
and accounting file arguments to make the accounting entries.If you are shopping for filters, see if they are LPD-compatible.
If they are, they must support the argument lists described above.
If you plan on writing filters for general use, then have them
support the same argument lists and exit codes.
- Accommodating Plain Text Jobs on PostScript Printers
+ Accommodating Plain Text Jobs on &postscript; Printersprint jobs
- If you are the only user of your computer and PostScript (or
+ If you are the only user of your computer and &postscript; (or
other language-based) printer, and you promise to never send plain
text to your printer and to never use features of various programs
that will want to send plain text to your printer, then you do not
need to worry about this section at all.
- But, if you would like to send both PostScript and plain text
+ But, if you would like to send both &postscript; and plain text
jobs to the printer, then you are urged to augment your printer
setup. To do so, we have the text filter detect if the arriving job
- is plain text or PostScript. All PostScript jobs must start with
+ is plain text or &postscript;. All &postscript; jobs must start with
%! (for other printer languages, see your printer
documentation). If those are the first two characters in the job,
- we have PostScript, and can pass the rest of the job directly. If
+ we have &postscript;, and can pass the rest of the job directly. If
those are not the first two characters in the file, then the filter
- will convert the text into PostScript and print the result.
+ will convert the text into &postscript; and print the result.How do we do this?printersserialIf you have got a serial printer, a great way to do it is to
install lprps. lprps is a
- PostScript printer filter which performs two-way communication with
+ &postscript; printer filter which performs two-way communication with
the printer. It updates the printer's status file with verbose
information from the printer, so users and administrators can see
exactly what the state of the printer is (such as toner
low or paper jam). But more
importantly, it includes a program called psif
which detects whether the incoming job is plain text and calls
textps (another program that comes with
- lprps) to convert it to PostScript. It then uses
+ lprps) to convert it to &postscript;. It then uses
lprps to send the job to the printer.lprps is part of the FreeBSD Ports Collection
(see The Ports Collection). You can
fetch, build and install it yourself, of course. After installing
lprps, just specify the pathname to the
psif program that is part of
lprps. If you installed lprps
from the ports collection, use the following in the serial
- PostScript printer's entry in
+ &postscript; printer's entry in
/etc/printcap::if=/usr/local/libexec/psif:You should also specify the rw capability;
that tells LPD to open the printer in
read-write mode.
- If you have a parallel PostScript printer (and therefore cannot
+ If you have a parallel &postscript; printer (and therefore cannot
use two-way communication with the printer, which
lprps needs), you can use the following shell
script as the text filter:#!/bin/sh
#
# psif - Print PostScript or plain text on a PostScript printer
# Script version; NOT the version that comes with lprps
# Installed in /usr/local/libexec/psif
#
IFS="" read -r first_line
first_two_chars=`expr "$first_line" : '\(..\)'`
if [ "$first_two_chars" = "%!" ]; then
#
# PostScript job, print it.
#
echo "$first_line" && cat && printf "\004" && exit 0
exit 2
else
#
# Plain text, convert it, then print it.
#
( echo "$first_line"; cat ) | /usr/local/bin/textps && printf "\004" && exit 0
exit 2
fiIn the above script, textps is a program we
- installed separately to convert plain text to PostScript. You can
- use any text-to-PostScript program you wish. The FreeBSD Ports
+ installed separately to convert plain text to &postscript;. You can
+ use any text-to-&postscript; program you wish. The FreeBSD Ports
Collection (see The Ports Collection)
- includes a full featured text-to-PostScript program called
+ includes a full featured text-to-&postscript; program called
a2ps that you might want to investigate.
- Simulating PostScript on Non-PostScript Printers
+ Simulating &postscript; on Non &postscript; PrintersPostScriptemulatingGhostscript
- PostScript is the de facto standard for
- high quality typesetting and printing. PostScript is, however, an
+ &postscript; is the de facto standard for
+ high quality typesetting and printing. &postscript; is, however, an
expensive standard. Thankfully, Aladdin
- Enterprises has a free PostScript work-alike called
+ Enterprises has a free &postscript; work-alike called
Ghostscript that runs with FreeBSD.
- Ghostscript can read most PostScript files and can render their
+ Ghostscript can read most &postscript; files and can render their
pages onto a variety of devices, including many brands of
non-PostScript printers. By installing Ghostscript and using a
special text filter for your printer, you can make your
- non-PostScript printer act like a real PostScript printer.
+ non &postscript; printer act like a real &postscript; printer.Ghostscript is in the FreeBSD Ports Collection, if you
would like to install it from there. You can fetch, build, and
install it quite easily yourself, as well.
- To simulate PostScript, we have the text filter detect if it is
- printing a PostScript file. If it is not, then the filter will pass
+ To simulate &postscript;, we have the text filter detect if it is
+ printing a &postscript; file. If it is not, then the filter will pass
the file directly to the printer; otherwise, it will use Ghostscript
to first convert the file into a format the printer will
understand.Here is an example: the following script is a text filter
for Hewlett Packard DeskJet 500 printers. For other printers,
substitute the argument to the
gs (Ghostscript) command. (Type gs
-h to get a list of devices the current installation of
Ghostscript supports.)#!/bin/sh
#
# ifhp - Print Ghostscript-simulated PostScript on a DeskJet 500
# Installed in /usr/local/libexec/ifhp
#
# Treat LF as CR+LF:
#
printf "\033&k2G" || exit 2
#
# Read first two characters of the file
#
IFS="" read -r first_line
first_two_chars=`expr "$first_line" : '\(..\)'`
if [ "$first_two_chars" = "%!" ]; then
#
# It is PostScript; use Ghostscript to scan-convert and print it.
#
# Note that PostScript files are actually interpreted programs,
# and those programs are allowed to write to stdout, which will
# mess up the printed output. So, we redirect stdout to stderr
# and then make descriptor 3 go to stdout, and have Ghostscript
# write its output there. Exercise for the clever reader:
# capture the stderr output from Ghostscript and mail it back to
# the user originating the print job.
#
exec 3>&1 1>&2
/usr/local/bin/gs -dSAFER -dNOPAUSE -q -sDEVICE=djet500 \
-sOutputFile=/dev/fd/3 - && exit 0
else
#
# Plain text or HP/PCL, so just print it directly; print a form feed
# at the end to eject the last page.
#
echo "$first_line" && cat && printf "\033&l0H" &&
exit 0
fi
exit 2Finally, you need to notify LPD of
the filter via the if capability::if=/usr/local/libexec/ifhp:That is it. You can type lpr plain.text and
lpr whatever.ps and both should print
successfully.Conversion FiltersAfter completing the simple setup described in Simple Printer Setup, the first
thing you will probably want to do is install conversion filters for
your favorite file formats (besides plain ASCII text).Why Install Conversion Filters?&tex;printing dvi filesConversion filters make printing various kinds of files easy.
As an example, suppose we do a lot of work with the &tex;
- typesetting system, and we have a PostScript printer. Every time
+ typesetting system, and we have a &postscript; printer. Every time
we generate a DVI file from &tex;, we cannot print it directly until
- we convert the DVI file into PostScript. The command sequence
+ we convert the DVI file into &postscript;. The command sequence
goes like this:&prompt.user; dvips seaweed-analysis.dvi
&prompt.user; lpr seaweed-analysis.psBy installing a conversion filter for DVI files, we can skip
the hand conversion step each time by having
LPD do it for us.
Now, each time we get a DVI file, we are just one step away from
printing it:&prompt.user; lpr -d seaweed-analysis.dviWe got LPD to do the DVI file
conversion for us by specifying
the option. Section Formatting and Conversion
Options lists the conversion options.For each of the conversion options you want a printer to
support, install a conversion filter and
specify its pathname in /etc/printcap. A
conversion filter is like the text filter for the simple printer
setup (see section Installing
the Text Filter) except that instead of printing plain
text, the filter converts the file into a format the printer can
understand.Which Conversions Filters Should I Install?You should install the conversion filters you expect to use.
If you print a lot of DVI data, then a DVI conversion filter is in
order. If you have got plenty of troff to print out, then you
probably want a troff filter.The following table summarizes the filters that
LPD works
with, their capability entries for the
/etc/printcap file, and how to invoke them
with the lpr command:File type/etc/printcap capabilitylpr optioncifplotcfDVIdfplotgfditroffnfFORTRAN textrftrofftfrastervfplain textifnone, , or
In our example, using lpr -d means the
printer needs a df capability in its entry in
/etc/printcap.FORTRANDespite what others might contend, formats like FORTRAN text
and plot are probably obsolete. At your site, you can give new
meanings to these or any of the formatting options just by
installing custom filters. For example, suppose you would like to
directly print Printerleaf files (files from the Interleaf desktop
publishing program), but will never print plot files. You could
install a Printerleaf conversion filter under the
gf capability and then educate your users that
lpr -g mean print Printerleaf
files.Installing Conversion FiltersSince conversion filters are programs you install outside of
the base FreeBSD installation, they should probably go under
/usr/local. The directory
/usr/local/libexec is a popular location,
since they are specialized programs that only
LPD will run;
regular users should not ever need to run them.To enable a conversion filter, specify its pathname under the
appropriate capability for the destination printer in
/etc/printcap.In our example, we will add the DVI conversion filter to the
entry for the printer named bamboo. Here is
the example /etc/printcap file again, with
the new df capability for the printer
bamboo.#
# /etc/printcap for host rose - added df filter for bamboo
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
:if=/usr/local/libexec/psif:\
:df=/usr/local/libexec/psdf:The DVI filter is a shell script named
/usr/local/libexec/psdf. Here is that
script:#!/bin/sh
#
# psdf - DVI to PostScript printer filter
# Installed in /usr/local/libexec/psdf
#
# Invoked by lpd when user runs lpr -d
#
exec /usr/local/bin/dvips -f | /usr/local/libexec/lprps "$@"This script runs dvips in filter mode (the
argument) on standard input, which is the job
- to print. It then starts the PostScript printer filter
+ to print. It then starts the &postscript; printer filter
lprps (see section Accommodating Plain
- Text Jobs on PostScript Printers) with the arguments
+ Text Jobs on &postscript; Printers) with the arguments
LPD
passed to this script. lprps will use those
arguments to account for the pages printed.More Conversion Filter ExamplesSince there is no fixed set of steps to install conversion
filters, let me instead provide more examples. Use these as
guidance to making your own filters. Use them directly, if
appropriate.This example script is a raster (well, GIF file, actually)
conversion filter for a Hewlett Packard LaserJet III-Si
printer:#!/bin/sh
#
# hpvf - Convert GIF files into HP/PCL, then print
# Installed in /usr/local/libexec/hpvf
PATH=/usr/X11R6/bin:$PATH; export PATH
giftopnm | ppmtopgm | pgmtopbm | pbmtolj -resolution 300 \
&& exit 0 \
|| exit 2It works by converting the GIF file into a portable anymap,
converting that into a portable graymap, converting that into a
portable bitmap, and converting that into LaserJet/PCL-compatible
data.Here is the /etc/printcap file with an
entry for a printer using the above filter:#
# /etc/printcap for host orchid
#
teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
:lp=/dev/lpt0:sh:sd=/var/spool/lpd/teak:mx#0:\
:if=/usr/local/libexec/hpif:\
:vf=/usr/local/libexec/hpvf:The following script is a conversion filter for troff data
- from the groff typesetting system for the PostScript printer named
+ from the groff typesetting system for the &postscript; printer named
bamboo:#!/bin/sh
#
# pstf - Convert groff's troff data into PS, then print.
# Installed in /usr/local/libexec/pstf
#
exec grops | /usr/local/libexec/lprps "$@"The above script makes use of lprps again
to handle the communication with the printer. If the printer were
on a parallel port, we would use this script instead:#!/bin/sh
#
# pstf - Convert groff's troff data into PS, then print.
# Installed in /usr/local/libexec/pstf
#
exec gropsThat is it. Here is the entry we need to add to
/etc/printcap to enable the filter::tf=/usr/local/libexec/pstf:Here is an example that might make old hands at FORTRAN blush.
It is a FORTRAN-text filter for any printer that can directly
print plain text. We will install it for the printer
teak:#!/bin/sh
#
# hprf - FORTRAN text filter for LaserJet 3si:
# Installed in /usr/local/libexec/hprf
#
printf "\033&k2G" && fpr && printf "\033&l0H" &&
exit 0
exit 2And we will add this line to the
/etc/printcap for the printer
teak to enable this filter::rf=/usr/local/libexec/hprf:Here is one final, somewhat complex example. We will add a
DVI filter to the LaserJet printer teak
introduced earlier. First, the easy part: updating
/etc/printcap with the location of the DVI
filter::df=/usr/local/libexec/hpdf:Now, for the hard part: making the filter. For that, we need
a DVI-to-LaserJet/PCL conversion program. The FreeBSD Ports
Collection (see The Ports Collection)
has one: dvi2xx is the name of the package.
Installing this package gives us the program we need,
dvilj2p, which converts DVI into LaserJet IIp,
LaserJet III, and LaserJet 2000 compatible codes.dvilj2p makes the filter
hpdf quite complex since
dvilj2p cannot read from standard input. It
wants to work with a filename. What is worse, the filename has to
end in .dvi so using
/dev/fd/0 for standard input is problematic.
We can get around that problem by linking (symbolically) a
temporary file name (one that ends in .dvi)
to /dev/fd/0, thereby forcing
dvilj2p to read from standard input.The only other fly in the ointment is the fact that we cannot
use /tmp for the temporary link. Symbolic
links are owned by user and group bin. The
filter runs as user daemon. And the
/tmp directory has the sticky bit set. The
filter can create the link, but it will not be able clean up when
done and remove it since the link will belong to a different
user.Instead, the filter will make the symbolic link in the current
working directory, which is the spooling directory (specified by
the sd capability in
/etc/printcap). This is a perfect place for
filters to do their work, especially since there is (sometimes)
more free disk space in the spooling directory than under
/tmp.Here, finally, is the filter:#!/bin/sh
#
# hpdf - Print DVI data on HP/PCL printer
# Installed in /usr/local/libexec/hpdf
PATH=/usr/local/bin:$PATH; export PATH
#
# Define a function to clean up our temporary files. These exist
# in the current directory, which will be the spooling directory
# for the printer.
#
cleanup() {
rm -f hpdf$$.dvi
}
#
# Define a function to handle fatal errors: print the given message
# and exit 2. Exiting with 2 tells LPD to do not try to reprint the
# job.
#
fatal() {
echo "$@" 1>&2
cleanup
exit 2
}
#
# If user removes the job, LPD will send SIGINT, so trap SIGINT
# (and a few other signals) to clean up after ourselves.
#
trap cleanup 1 2 15
#
# Make sure we are not colliding with any existing files.
#
cleanup
#
# Link the DVI input file to standard input (the file to print).
#
ln -s /dev/fd/0 hpdf$$.dvi || fatal "Cannot symlink /dev/fd/0"
#
# Make LF = CR+LF
#
printf "\033&k2G" || fatal "Cannot initialize printer"
#
# Convert and print. Return value from dvilj2p does not seem to be
# reliable, so we ignore it.
#
dvilj2p -M1 -q -e- dfhp$$.dvi
#
# Clean up and exit
#
cleanup
exit 0Automated Conversion: an Alternative to Conversion
FiltersAll these conversion filters accomplish a lot for your
printing environment, but at the cost forcing the user to specify
(on the &man.lpr.1; command line) which one to use.
If your users are not particularly computer literate, having to
specify a filter option will become annoying. What is worse,
though, is that an incorrectly specified filter option may run a
filter on the wrong type of file and cause your printer to spew
out hundreds of sheets of paper.Rather than install conversion filters at all, you might want
to try having the text filter (since it is the default filter)
detect the type of file it has been asked to print and then
automatically run the right conversion filter. Tools such as
file can be of help here. Of course, it will
be hard to determine the differences between
some file types—and, of course, you can
still provide conversion filters just for them.apsfilterprintingfiltersapsfilterThe FreeBSD Ports Collection has a text filter that performs
automatic conversion called apsfilter. It can
- detect plain text, PostScript, and DVI files, run the proper
+ detect plain text, &postscript;, and DVI files, run the proper
conversions, and print.Output FiltersThe LPD spooling system supports one
other type of filter that
we have not yet explored: an output filter. An output filter is
intended for printing plain text only, like the text filter, but
with many simplifications. If you are using an output filter but no
text filter, then:LPD starts an output filter once
for the entire job instead
of once for each file in the job.LPD does not make any provision
to identify the start or the
end of files within the job for the output filter.LPD does not pass the user's
login or host to the filter, so
it is not intended to do accounting. In fact, it gets only two
arguments:filter-name-wwidth-llengthWhere width is from the
pw capability and
length is from the
pl capability for the printer in
question.Do not be seduced by an output filter's simplicity. If you
would like each file in a job to start on a different page an output
filter will not work. Use a text filter (also
known as an input filter); see section Installing the Text Filter.
Furthermore, an output filter is actually more
complex in that it has to examine the byte stream being
sent to it for special flag characters and must send signals to
itself on behalf of LPD.However, an output filter is necessary if
you want header pages and need to send escape sequences or other
initialization strings to be able to print the header page. (But it
is also futile if you want to charge header
pages to the requesting user's account, since
LPD does not give any
user or host information to the output filter.)On a single printer, LPD
allows both an output filter and text or other filters. In
such cases, LPD will start the
output filter
to print the header page (see section Header Pages)
only. LPD then expects the
output filter to stop
itself by sending two bytes to the filter: ASCII 031
followed by ASCII 001. When an output filter sees these two bytes
(031, 001), it should stop by sending SIGSTOP
to itself. When
LPD's
done running other filters, it will restart the output filter by
sending SIGCONT to it.If there is an output filter but no text
filter and LPD is working on a plain
text job, LPD uses the output
filter to do the job. As stated before, the output filter will
print each file of the job in sequence with no intervening form
feeds or other paper advancement, and this is probably
not what you want. In almost all cases, you
need a text filter.The program lpf, which we introduced earlier
as a text filter, can also run as an output filter. If you need a
quick-and-dirty output filter but do not want to write the byte
detection and signal sending code, try lpf. You
can also wrap lpf in a shell script to handle any
initialization codes the printer might require.<command>lpf</command>: a Text FilterThe program /usr/libexec/lpr/lpf that comes
with FreeBSD binary distribution is a text filter (input filter)
that can indent output (job submitted with lpr
-i), allow literal characters to pass (job submitted
with lpr -l), adjust the printing position for
backspaces and tabs in the job, and account for pages printed. It
can also act like an output filter.lpf is suitable for many printing
environments. And although it has no capability to send
initialization sequences to a printer, it is easy to write a shell
script to do the needed initialization and then execute
lpf.page accountingaccountingprinterIn order for lpf to do page accounting
correctly, it needs correct values filled in for the
pw and pl capabilities in the
/etc/printcap file. It uses these values to
determine how much text can fit on a page and how many pages were in
a user's job. For more information on printer accounting, see Accounting for Printer
Usage.Header PagesIf you have lots of users, all of them using
various printers, then you probably want to consider header
pages as a necessary evil.banner pagesheader pagesheader pagesHeader pages, also known as banner or
burst pages identify to whom jobs belong after
they are printed. They are usually printed in large, bold letters,
perhaps with decorative borders, so that in a stack of printouts they
stand out from the real documents that comprise users' jobs. They
enable users to locate their jobs quickly. The obvious drawback to a
header page is that it is yet one more sheet that has to be printed
for every job, their ephemeral usefulness lasting not more than a few
minutes, ultimately finding themselves in a recycling bin or rubbish
heap. (Note that header pages go with each job, not each file in a
job, so the paper waste might not be that bad.)The LPD system can provide header
pages automatically for your
printouts if your printer can directly print
- plain text. If you have a PostScript printer, you will need an
+ plain text. If you have a &postscript; printer, you will need an
external program to generate the header page; see Header Pages on
- PostScript Printers.
+ &postscript; Printers.
Enabling Header PagesIn the Simple Printer
Setup section, we turned off header pages by specifying
sh (meaning suppress header) in the
/etc/printcap file. To enable header pages for
a printer, just remove the sh capability.Sounds too easy, right?You are right. You might have to provide
an output filter to send initialization strings to the printer.
Here is an example output filter for Hewlett Packard PCL-compatible
printers:#!/bin/sh
#
# hpof - Output filter for Hewlett Packard PCL-compatible printers
# Installed in /usr/local/libexec/hpof
printf "\033&k2G" || exit 2
exec /usr/libexec/lpr/lpfSpecify the path to the output filter in the
of capability. See the Output Filters section for more
information.Here is an example /etc/printcap file for
the printer teak that we introduced earlier; we
enabled header pages and added the above output filter:#
# /etc/printcap for host orchid
#
teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
:lp=/dev/lpt0:sd=/var/spool/lpd/teak:mx#0:\
:if=/usr/local/libexec/hpif:\
:vf=/usr/local/libexec/hpvf:\
:of=/usr/local/libexec/hpof:Now, when users print jobs to teak, they get
a header page with each job. If users want to spend time searching
for their printouts, they can suppress header pages by submitting
the job with lpr -h; see the Header Page Options section for
more &man.lpr.1; options.LPD prints a form feed character
after the header page. If
your printer uses a different character or sequence of characters
to eject a page, specify them with the ff
capability in /etc/printcap.Controlling Header PagesBy enabling header pages, LPD will
produce a long
header, a full page of large letters identifying the
user, host, and job. Here is an example (kelly printed the job
named outline from host rose): k ll ll
k l l
k l l
k k eeee l l y y
k k e e l l y y
k k eeeeee l l y y
kk k e l l y y
k k e e l l y yy
k k eeee lll lll yyy y
y
y y
yyyy
ll
t l i
t l
oooo u u ttttt l ii n nnn eeee
o o u u t l i nn n e e
o o u u t l i n n eeeeee
o o u u t l i n n e
o o u uu t t l i n n e e
oooo uuu u tt lll iii n n eeee
r rrr oooo ssss eeee
rr r o o s s e e
r o o ss eeeeee
r o o ss e
r o o s s e e
r oooo ssss eeee
Job: outline
Date: Sun Sep 17 11:04:58 1995LPD appends a form feed after this
text so the job starts on a
new page (unless you have sf (suppress form
feeds) in the destination printer's entry in
/etc/printcap).If you prefer, LPD can make a
short header;
specify sb (short banner) in the
/etc/printcap file. The header page will look
like this:rose:kelly Job: outline Date: Sun Sep 17 11:07:51 1995Also by default, LPD prints the
header page first, then the job.
To reverse that, specify hl (header last) in
/etc/printcap.Accounting for Header PagesUsing LPD's built-in header pages
enforces a particular paradigm
when it comes to printer accounting: header pages must be
free of charge.Why?Because the output filter is the only external program that will
have control when the header page is printed that could do
accounting, and it is not provided with any user or
host information or an accounting file, so it has no
idea whom to charge for printer use. It is also not enough to just
add one page to the text filter or any of the
conversion filters (which do have user and host information) since
users can suppress header pages with lpr -h.
They could still be charged for header pages they did not print.
Basically, lpr -h will be the preferred option of
environmentally-minded users, but you cannot offer any incentive to
use it.It is still not enough to have each of the
filters generate their own header pages (thereby being able to
charge for them). If users wanted the option of suppressing the
header pages with lpr -h, they will still get
them and be charged for them since LPD
does not pass any knowledge
of the option to any of the filters.So, what are your options?You can:Accept LPD's paradigm and make
header pages free.Install an alternative to LPD,
such as
LPRng. Section
Alternatives to the
Standard Spooler tells more about other spooling
software you can substitute for LPD.
Write a smart output filter. Normally,
an output filter is not meant to do anything more than
initialize a printer or do some simple character conversion. It
is suited for header pages and plain text jobs (when there is no
text (input) filter). But, if there is a text filter for the
plain text jobs, then LPD will start
the output filter only for
the header pages. And the output filter can parse the header
page text that LPD generates to
determine what user and host to
charge for the header page. The only other problem with this
method is that the output filter still does not know what
accounting file to use (it is not passed the name of the file
from the af capability), but if you have a
well-known accounting file, you can hard-code that into the
output filter. To facilitate the parsing step, use the
sh (short header) capability in
/etc/printcap. Then again, all that might
be too much trouble, and users will certainly appreciate the
more generous system administrator who makes header pages
free.
- Header Pages on PostScript Printers
+ Header Pages on &postscript; PrintersAs described above, LPD can generate
a plain text header page
- suitable for many printers. Of course, PostScript cannot directly
+ suitable for many printers. Of course, &postscript; cannot directly
print plain text, so the header page feature of
LPD is
useless—or mostly so.One obvious way to get header pages is to have every conversion
filter and the text filter generate the header page. The filters
should use the user and host arguments to generate a suitable
header page. The drawback of this method is that users will always
get a header page, even if they submit jobs with lpr
-h.Let us explore this method. The following script takes three
arguments (user login name, host name, and job name) and makes a
- simple PostScript header page:
+ simple &postscript; header page:
#!/bin/sh
#
# make-ps-header - make a PostScript header page on stdout
# Installed in /usr/local/libexec/make-ps-header
#
#
# These are PostScript units (72 to the inch). Modify for A4 or
# whatever size paper you are using:
#
page_width=612
page_height=792
border=72
#
# Check arguments
#
if [ $# -ne 3 ]; then
echo "Usage: `basename $0` <user> <host> <job>" 1>&2
exit 1
fi
#
# Save these, mostly for readability in the PostScript, below.
#
user=$1
host=$2
job=$3
date=`date`
#
# Send the PostScript code to stdout.
#
exec cat <<EOF
%!PS
%
% Make sure we do not interfere with user's job that will follow
%
save
%
% Make a thick, unpleasant border around the edge of the paper.
%
$border $border moveto
$page_width $border 2 mul sub 0 rlineto
0 $page_height $border 2 mul sub rlineto
currentscreen 3 -1 roll pop 100 3 1 roll setscreen
$border 2 mul $page_width sub 0 rlineto closepath
0.8 setgray 10 setlinewidth stroke 0 setgray
%
% Display user's login name, nice and large and prominent
%
/Helvetica-Bold findfont 64 scalefont setfont
$page_width ($user) stringwidth pop sub 2 div $page_height 200 sub moveto
($user) show
%
% Now show the boring particulars
%
/Helvetica findfont 14 scalefont setfont
/y 200 def
[ (Job:) (Host:) (Date:) ] {
200 y moveto show /y y 18 sub def }
forall
/Helvetica-Bold findfont 14 scalefont setfont
/y 200 def
[ ($job) ($host) ($date) ] {
270 y moveto show /y y 18 sub def
} forall
%
% That is it
%
restore
showpage
EOFNow, each of the conversion filters and the text filter can call
this script to first generate the header page, and then print the
user's job. Here is the DVI conversion filter from earlier in this
document, modified to make a header page:#!/bin/sh
#
# psdf - DVI to PostScript printer filter
# Installed in /usr/local/libexec/psdf
#
# Invoked by lpd when user runs lpr -d
#
orig_args="$@"
fail() {
echo "$@" 1>&2
exit 2
}
while getopts "x:y:n:h:" option; do
case $option in
x|y) ;; # Ignore
n) login=$OPTARG ;;
h) host=$OPTARG ;;
*) echo "LPD started `basename $0` wrong." 1>&2
exit 2
;;
esac
done
[ "$login" ] || fail "No login name"
[ "$host" ] || fail "No host name"
( /usr/local/libexec/make-ps-header $login $host "DVI File"
/usr/local/bin/dvips -f ) | eval /usr/local/libexec/lprps $orig_argsNotice how the filter has to parse the argument list in order to
determine the user and host name. The parsing for the other
conversion filters is identical. The text filter takes a slightly
different set of arguments, though (see section How Filters
Work).As we have mentioned before, the above scheme, though fairly
simple, disables the suppress header page option (the
option) to lpr. If users
wanted to save a tree (or a few pennies, if you charge for header
pages), they would not be able to do so, since every filter's going
to print a header page with every job.To allow users to shut off header pages on a per-job basis, you
will need to use the trick introduced in section Accounting for
Header Pages: write an output filter that parses the
- LPD-generated header page and produces a PostScript version. If the
+ LPD-generated header page and produces a &postscript; version. If the
user submits the job with lpr -h, then
LPD will
not generate a header page, and neither will your output filter.
Otherwise, your output filter will read the text from
LPD and send
- the appropriate header page PostScript code to the printer.
+ the appropriate header page &postscript; code to the printer.
- If you have a PostScript printer on a serial line, you can make
+ If you have a &postscript; printer on a serial line, you can make
use of lprps, which comes with an output filter,
psof, which does the above. Note that
psof does not charge for header pages.Networked Printingprintersnetworknetwork printingFreeBSD supports networked printing: sending jobs to remote
printers. Networked printing generally refers to two different
things:Accessing a printer attached to a remote host. You install a
printer that has a conventional serial or parallel interface on
one host. Then, you set up LPD to
enable access to the printer
from other hosts on the network. Section Printers Installed on
Remote Hosts tells how to do this.Accessing a printer attached directly to a network. The
printer has a network interface in addition (or in place of) a
more conventional serial or parallel interface. Such a printer
might work as follows:It might understand the LPD
protocol and can even queue
jobs from remote hosts. In this case, it acts just like a
regular host running LPD. Follow
the same procedure in
section Printers
Installed on Remote Hosts to set up such a
printer.It might support a data stream network connection. In this
case, you attach the printer to one host on the
network by making that host responsible for spooling jobs and
sending them to the printer. Section Printers with
Networked Data Stream Interfaces gives some
suggestions on installing such printers.Printers Installed on Remote HostsThe LPD spooling system has built-in
support for sending jobs to
other hosts also running LPD (or are
compatible with LPD). This
feature enables you to install a printer on one host and make it
accessible from other hosts. It also works with printers that have
network interfaces that understand the
LPD protocol.To enable this kind of remote printing, first install a printer
on one host, the printer host, using the simple
printer setup described in the Simple
Printer Setup section. Do any advanced setup in Advanced Printer Setup that you
need. Make sure to test the printer and see if it works with the
features of LPD you have enabled.
Also ensure that the
local host has authorization to use the
LPD
service in the remote host (see Restricting Jobs
from Remote Printers).printersnetworknetwork printingIf you are using a printer with a network interface that is
compatible with LPD, then the
printer host in
the discussion below is the printer itself, and the
printer name is the name you configured for the
printer. See the documentation that accompanied your printer and/or
printer-network interface.If you are using a Hewlett Packard Laserjet then the printer
name text will automatically perform the LF to
CRLF conversion for you, so you will not require the
hpif script.Then, on the other hosts you want to have access to the printer,
make an entry in their /etc/printcap files with
the following:Name the entry anything you want. For simplicity, though,
you probably want to use the same name and aliases as on the
printer host.Leave the lp capability blank, explicitly
(:lp=:).Make a spooling directory and specify its location in the
sd capability. LPD
will store jobs here
before they get sent to the printer host.Place the name of the printer host in the
rm capability.Place the printer name on the printer
host in the rp
capability.That is it. You do not need to list conversion filters, page
dimensions, or anything else in the
/etc/printcap file.Here is an example. The host rose has two
printers, bamboo and rattan.
We will enable users on the host orchid to print
to those printers.
Here is the /etc/printcap file for
orchid (back from section Enabling Header
Pages). It already had the entry for the printer
teak; we have added entries for the two printers
on the host rose:#
# /etc/printcap for host orchid - added (remote) printers on rose
#
#
# teak is local; it is connected directly to orchid:
#
teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
:lp=/dev/lpt0:sd=/var/spool/lpd/teak:mx#0:\
:if=/usr/local/libexec/ifhp:\
:vf=/usr/local/libexec/vfhp:\
:of=/usr/local/libexec/ofhp:
#
# rattan is connected to rose; send jobs for rattan to rose:
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:lp=:rm=rose:rp=rattan:sd=/var/spool/lpd/rattan:
#
# bamboo is connected to rose as well:
#
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:lp=:rm=rose:rp=bamboo:sd=/var/spool/lpd/bamboo:Then, we just need to make spooling directories on
orchid:&prompt.root; mkdir -p /var/spool/lpd/rattan /var/spool/lpd/bamboo
&prompt.root; chmod 770 /var/spool/lpd/rattan /var/spool/lpd/bamboo
&prompt.root; chown daemon:daemon /var/spool/lpd/rattan /var/spool/lpd/bambooNow, users on orchid can print to
rattan and bamboo. If, for
example, a user on orchid typed
&prompt.user; lpr -P bamboo -d sushi-review.dvi
the LPD system on orchid
would copy the job to the spooling
directory /var/spool/lpd/bamboo and note that it was a
DVI job. As soon as the host rose has room in its
bamboo spooling directory, the two
LPDs would transfer the
file to rose. The file would wait in rose's
queue until it was finally printed. It would be converted from DVI to
- PostScript (since bamboo is a PostScript printer) on
+ &postscript; (since bamboo is a &postscript; printer) on
rose.Printers with Networked Data Stream InterfacesOften, when you buy a network interface card for a printer, you
can get two versions: one which emulates a spooler (the more
expensive version), or one which just lets you send data to it as if
you were using a serial or parallel port (the cheaper version).
This section tells how to use the cheaper version. For the more
expensive one, see the previous section Printers Installed on
Remote Hosts.The format of the /etc/printcap file lets
you specify what serial or parallel interface to use, and (if you
are using a serial interface), what baud rate, whether to use flow
control, delays for tabs, conversion of newlines, and more. But
there is no way to specify a connection to a printer that is
listening on a TCP/IP or other network port.To send data to a networked printer, you need to develop a
communications program that can be called by the text and conversion
filters. Here is one such example: the script
netprint takes all data on standard input and
sends it to a network-attached printer. We specify the hostname of
the printer as the first argument and the port number to which to
connect as the second argument to netprint. Note
that this supports one-way communication only (FreeBSD to printer);
many network printers support two-way communication, and you might
want to take advantage of that (to get printer status, perform
accounting, etc.).#!/usr/bin/perl
#
# netprint - Text filter for printer attached to network
# Installed in /usr/local/libexec/netprint
#
$#ARGV eq 1 || die "Usage: $0 <printer-hostname> <port-number>";
$printer_host = $ARGV[0];
$printer_port = $ARGV[1];
require 'sys/socket.ph';
($ignore, $ignore, $protocol) = getprotobyname('tcp');
($ignore, $ignore, $ignore, $ignore, $address)
= gethostbyname($printer_host);
$sockaddr = pack('S n a4 x8', &AF_INET, $printer_port, $address);
socket(PRINTER, &PF_INET, &SOCK_STREAM, $protocol)
|| die "Can't create TCP/IP stream socket: $!";
connect(PRINTER, $sockaddr) || die "Can't contact $printer_host: $!";
while (<STDIN>) { print PRINTER; }
exit 0;We can then use this script in various filters. Suppose we had
a Diablo 750-N line printer connected to the network. The printer
accepts data to print on port number 5100. The host name of the
printer is scrivener. Here is the text filter for the
printer:#!/bin/sh
#
# diablo-if-net - Text filter for Diablo printer `scrivener' listening
# on port 5100. Installed in /usr/local/libexec/diablo-if-net
#
exec /usr/libexec/lpr/lpf "$@" | /usr/local/libexec/netprint scrivener 5100Restricting Printer Usageprintersrestricting access toThis section gives information on restricting printer usage. The
LPD system lets you control who can access
a printer, both locally or
remotely, whether they can print multiple copies, how large their jobs
can be, and how large the printer queues can get.Restricting Multiple CopiesThe LPD system makes it easy for
users to print multiple copies
of a file. Users can print jobs with lpr -#5
(for example) and get five copies of each file in the job. Whether
this is a good thing is up to you.If you feel multiple copies cause unnecessary wear and tear on
your printers, you can disable the option to
&man.lpr.1; by adding the sc capability to the
/etc/printcap file. When users submit jobs
with the option, they will see:lpr: multiple copies are not allowedNote that if you have set up access to a printer remotely (see
section Printers
Installed on Remote Hosts), you need the
sc capability on the remote
/etc/printcap files as well, or else users will
still be able to submit multiple-copy jobs by using another
host.Here is an example. This is the
/etc/printcap file for the host
rose. The printer rattan is
quite hearty, so we will allow multiple copies, but the laser
printer bamboo is a bit more delicate, so we will
disable multiple copies by adding the sc
capability:#
# /etc/printcap for host rose - restrict multiple copies on bamboo
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:sc:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
:if=/usr/local/libexec/psif:\
:df=/usr/local/libexec/psdf:Now, we also need to add the sc capability on
the host orchid's
/etc/printcap (and while we are at it, let us
disable multiple copies for the printer
teak):#
# /etc/printcap for host orchid - no multiple copies for local
# printer teak or remote printer bamboo
teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
:lp=/dev/lpt0:sd=/var/spool/lpd/teak:mx#0:sc:\
:if=/usr/local/libexec/ifhp:\
:vf=/usr/local/libexec/vfhp:\
:of=/usr/local/libexec/ofhp:
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:lp=:rm=rose:rp=rattan:sd=/var/spool/lpd/rattan:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:lp=:rm=rose:rp=bamboo:sd=/var/spool/lpd/bamboo:sc:By using the sc capability, we prevent the
use of lpr -#, but that still does not prevent
users from running &man.lpr.1;
multiple times, or from submitting the same file multiple times in
one job like this:&prompt.user; lpr forsale.sign forsale.sign forsale.sign forsale.sign forsale.signThere are many ways to prevent this abuse (including ignoring
it) which you are free to explore.Restricting Access to Printers
- You can control who can print to what printers by using the Unix
+ You can control who can print to what printers by using the &unix;
group mechanism and the rg capability in
/etc/printcap. Just place the users you want
to have access to a printer in a certain group, and then name that
group in the rg capability.Users outside the group (including root)
will be greeted with
lpr: Not a member of the restricted group
if they try to print to the controlled printer.As with the sc (suppress multiple copies)
capability, you need to specify rg on remote
hosts that also have access to your printers, if you feel it is
appropriate (see section Printers Installed on
Remote Hosts).For example, we will let anyone access the printer
rattan, but only those in group
artists can use bamboo. Here
is the familiar /etc/printcap for host
rose:#
# /etc/printcap for host rose - restricted group for bamboo
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:sc:rg=artists:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
:if=/usr/local/libexec/psif:\
:df=/usr/local/libexec/psdf:Let us leave the other example
/etc/printcap file (for the host
orchid) alone. Of course, anyone on
orchid can print to bamboo. It
might be the case that we only allow certain logins on
orchid anyway, and want them to have access to the
printer. Or not.There can be only one restricted group per printer.Controlling Sizes of Jobs Submittedprint jobsIf you have many users accessing the printers, you probably need
to put an upper limit on the sizes of the files users can submit to
print. After all, there is only so much free space on the
filesystem that houses the spooling directories, and you also need
to make sure there is room for the jobs of other users.print jobscontrollingLPD enables you to limit the maximum
byte size a file in a job
can be with the mx capability. The units are in
BUFSIZ blocks, which are 1024 bytes. If you put
a zero for this
capability, there will be no limit on file size; however, if no
mx capability is specified, then a default limit
of 1000 blocks will be used.The limit applies to files in a job, and
not the total job size.LPD will not refuse a file that is
larger than the limit you
place on a printer. Instead, it will queue as much of the file up
to the limit, which will then get printed. The rest will be
discarded. Whether this is correct behavior is up for
debate.Let us add limits to our example printers
rattan and bamboo. Since
- those artists' PostScript files tend to be large, we will limit them
+ those artists' &postscript; files tend to be large, we will limit them
to five megabytes. We will put no limit on the plain text line
printer:#
# /etc/printcap for host rose
#
#
# No limit on job size:
#
rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:mx#0:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:
#
# Limit of five megabytes:
#
bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:sc:rg=artists:mx#5000:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:\
:if=/usr/local/libexec/psif:\
:df=/usr/local/libexec/psdf:Again, the limits apply to the local users only. If you have
set up access to your printers remotely, remote users will not get
those limits. You will need to specify the mx
capability in the remote /etc/printcap files as
well. See section Printers Installed on
Remote Hosts for more information on remote
printing.There is another specialized way to limit job sizes from remote
printers; see section Restricting Jobs
from Remote Printers.Restricting Jobs from Remote PrintersThe LPD spooling system provides
several ways to restrict print
jobs submitted from remote hosts:Host restrictionsYou can control from which remote hosts a local
LPD accepts requests with the files
/etc/hosts.equiv and
/etc/hosts.lpd.
LPD checks to see if an
incoming request is from a host listed in either one of these
files. If not, LPD refuses the
request.The format of these files is simple: one host name per
line. Note that the file
/etc/hosts.equiv is also used by the
&man.ruserok.3; protocol, and affects programs like
&man.rsh.1; and &man.rcp.1;, so be careful.For example, here is the
/etc/hosts.lpd file on the host
rose:orchid
violet
madrigal.fishbaum.deThis means rose will accept requests from
the hosts orchid, violet,
and madrigal.fishbaum.de. If any
other host tries to access rose's
LPD, the job will be refused.Size restrictionsYou can control how much free space there needs to remain
on the filesystem where a spooling directory resides. Make a
file called minfree in the spooling
directory for the local printer. Insert in that file a number
representing how many disk blocks (512 bytes) of free space
there has to be for a remote job to be accepted.This lets you insure that remote users will not fill your
filesystem. You can also use it to give a certain priority to
local users: they will be able to queue jobs long after the
free disk space has fallen below the amount specified in the
minfree file.For example, let us add a minfree
file for the printer bamboo. We examine
/etc/printcap to find the spooling
directory for this printer; here is bamboo's
entry:bamboo|ps|PS|S|panasonic|Panasonic KX-P4455 PostScript v51.4:\
:sh:sd=/var/spool/lpd/bamboo:sc:rg=artists:mx#5000:\
:lp=/dev/ttyd5:ms#-parenb cs8 clocal crtscts:rw:mx#5000:\
:if=/usr/local/libexec/psif:\
:df=/usr/local/libexec/psdf:The spooling directory is given in the sd
capability. We will make three megabytes (which is 6144 disk blocks)
the amount of free disk space that must exist on the filesystem for
LPD to accept remote jobs:&prompt.root; echo 6144 > /var/spool/lpd/bamboo/minfree
User restrictionsYou can control which remote users can print to local
printers by specifying the rs capability in
/etc/printcap. When
rs appears in the entry for a
locally-attached printer, LPD will
accept jobs from remote
hosts if the user submitting the job also
has an account of the same login name on the local host.
Otherwise, LPD refuses the job.This capability is particularly useful in an environment
where there are (for example) different departments sharing a
network, and some users transcend departmental boundaries. By
giving them accounts on your systems, they can use your
printers from their own departmental systems. If you would
rather allow them to use only your
printers and not your computer resources, you can give them
token accounts, with no home directory and a
useless shell like /usr/bin/false.Accounting for Printer UsageaccountingprinterSo, you need to charge for printouts. And why not? Paper and ink
cost money. And then there are maintenance costs—printers are
loaded with moving parts and tend to break down. You have examined
your printers, usage patterns, and maintenance fees and have come up
with a per-page (or per-foot, per-meter, or per-whatever) cost. Now,
how do you actually start accounting for printouts?Well, the bad news is the LPD spooling
system does not provide
much help in this department. Accounting is highly dependent on the
kind of printer in use, the formats being printed, and
your requirements in charging for printer
usage.To implement accounting, you have to modify a printer's text
filter (to charge for plain text jobs) and the conversion filters (to
charge for other file formats), to count pages or query the printer
for pages printed. You cannot get away with using the simple output
filter, since it cannot do accounting. See section Filters.Generally, there are two ways to do accounting:Periodic accounting is the more common
way, possibly because it is easier. Whenever someone prints a
job, the filter logs the user, host, and number of pages to an
accounting file. Every month, semester, year, or whatever time
period you prefer, you collect the accounting files for the
various printers, tally up the pages printed by users, and charge
for usage. Then you truncate all the logging files, starting with
a clean slate for the next period.Timely accounting is less common,
probably because it is more difficult. This method has the
filters charge users for printouts as soon as they use the
printers. Like disk quotas, the accounting is immediate. You can
prevent users from printing when their account goes in the red,
and might provide a way for users to check and adjust their
print quotas. But this method requires some database
code to track users and their quotas.The LPD spooling system supports both
methods easily: since you
have to provide the filters (well, most of the time), you also have to
provide the accounting code. But there is a bright side: you have
enormous flexibility in your accounting methods. For example, you
choose whether to use periodic or timely accounting. You choose what
information to log: user names, host names, job types, pages printed,
square footage of paper used, how long the job took to print, and so
forth. And you do so by modifying the filters to save this
information.Quick and Dirty Printer AccountingFreeBSD comes with two programs that can get you set up with
simple periodic accounting right away. They are the text filter
lpf, described in section lpf: a Text Filter, and
&man.pac.8;, a program to gather and total
entries from printer accounting files.As mentioned in the section on filters (Filters),
LPD starts
the text and the conversion filters with the name of the accounting
file to use on the filter command line. The filters can use this
argument to know where to write an accounting file entry. The name
of this file comes from the af capability in
/etc/printcap, and if not specified as an
absolute path, is relative to the spooling directory.LPD starts lpf
with page width and length
arguments (from the pw and pl
capabilities). lpf uses these arguments to
determine how much paper will be used. After sending the file to
the printer, it then writes an accounting entry in the accounting
file. The entries look like this:2.00 rose:andy
3.00 rose:kelly
3.00 orchid:mary
5.00 orchid:mary
2.00 orchid:zhangYou should use a separate accounting file for each printer, as
lpf has no file locking logic built into it, and
two lpfs might corrupt each other's entries if
they were to write to the same file at the same time. An easy way
to insure a separate accounting file for each printer is to use
af=acct in /etc/printcap.
Then, each accounting file will be in the spooling directory for a
printer, in a file named acct.When you are ready to charge users for printouts, run the
&man.pac.8; program. Just change to the spooling directory for
the printer you want to collect on and type pac.
You will get a dollar-centric summary like the following: Login pages/feet runs price
orchid:kelly 5.00 1 $ 0.10
orchid:mary 31.00 3 $ 0.62
orchid:zhang 9.00 1 $ 0.18
rose:andy 2.00 1 $ 0.04
rose:kelly 177.00 104 $ 3.54
rose:mary 87.00 32 $ 1.74
rose:root 26.00 12 $ 0.52
total 337.00 154 $ 6.74These are the arguments &man.pac.8; expects:Which printer to summarize.
This option works only if there is an absolute path in the
af capability in
/etc/printcap.Sort the output by cost instead of alphabetically by user
name.Ignore host name in the accounting files. With this
option, user smith on host
alpha is the same user
smith on host gamma.
Without, they are different users.Compute charges with price
dollars per page or per foot instead of the price from the
pc capability in
/etc/printcap, or two cents (the
default). You can specify price as
a floating point number.Reverse the sort order.Make an accounting summary file and truncate the
accounting file.name…Print accounting information for the given user
names only.In the default summary that &man.pac.8; produces, you see the
number of pages printed by each user from various hosts. If, at
your site, host does not matter (because users can use any host),
run pac -m, to produce the following
summary: Login pages/feet runs price
andy 2.00 1 $ 0.04
kelly 182.00 105 $ 3.64
mary 118.00 35 $ 2.36
root 26.00 12 $ 0.52
zhang 9.00 1 $ 0.18
total 337.00 154 $ 6.74To compute the dollar amount due,
&man.pac.8; uses the pc capability in the
/etc/printcap file (default of 200, or 2 cents
per page). Specify, in hundredths of cents, the price per page or
per foot you want to charge for printouts in this capability. You
can override this value when you run &man.pac.8; with the
option. The units for the
option are in dollars, though, not hundredths of cents. For
example,
&prompt.root; pac -p1.50
makes each page cost one dollar and fifty cents. You can really
rake in the profits by using this option.Finally, running pac -s will save the summary
information in a summary accounting file, which is named the same as
the printer's accounting file, but with _sum
appended to the name. It then truncates the accounting file. When
you run &man.pac.8; again, it rereads the
summary file to get starting totals, then adds information from the
regular accounting file.How Can You Count Pages Printed?In order to perform even remotely accurate accounting, you need
to be able to determine how much paper a job uses. This is the
essential problem of printer accounting.For plain text jobs, the problem is not that hard to solve: you
count how many lines are in a job and compare it to how many lines
per page your printer supports. Do not forget to take into account
backspaces in the file which overprint lines, or long logical lines
that wrap onto one or more additional physical lines.The text filter lpf (introduced in lpf: a Text Filter) takes
into account these things when it does accounting. If you are
writing a text filter which needs to do accounting, you might want
to examine lpf's source code.How do you handle other file formats, though?
- Well, for DVI-to-LaserJet or DVI-to-PostScript conversion, you
+ Well, for DVI-to-LaserJet or DVI-to-&postscript; conversion, you
can have your filter parse the diagnostic output of
dvilj or dvips and look to see
how many pages were converted. You might be able to do similar
things with other file formats and conversion programs.But these methods suffer from the fact that the printer may not
actually print all those pages. For example, it could jam, run out
of toner, or explode—and the user would still get
charged.So, what can you do?There is only one sure way to do
accurate accounting. Get a printer that can
tell you how much paper it uses, and attach it via a serial line or
- a network connection. Nearly all PostScript printers support this
+ a network connection. Nearly all &postscript; printers support this
notion. Other makes and models do as well (networked Imagen laser
printers, for example). Modify the filters for these printers to
get the page usage after they print each job and have them log
accounting information based on that value
only. There is no line counting nor
error-prone file examination required.Of course, you can always be generous and make all printouts
free.Using PrintersprintersusageThis section tells you how to use printers you have setup with
FreeBSD. Here is an overview of the user-level commands:&man.lpr.1;Print jobs&man.lpq.1;Check printer queues&man.lprm.1;Remove jobs from a printer's queueThere is also an administrative command, &man.lpc.8;, described in
the section Administering the
LPD
Spooler, used to control printers and their queues.All three of the commands &man.lpr.1;, &man.lprm.1;, and &man.lpq.1;
accept an option to specify on which
printer/queue to operate, as listed in the
/etc/printcap file. This enables you to submit,
remove, and check on jobs for various printers. If you do not use the
option, then these commands use the printer
specified in the PRINTER environment variable. Finally,
if you do not have a PRINTER environment variable, these
commands default to the printer named lp.Hereafter, the terminology default printer
means the printer named in the PRINTER environment
variable, or the printer named lp when there is no
PRINTER environment variable.Printing JobsTo print files, type:&prompt.user; lpr filename...printingThis prints each of the listed files to the default printer. If
you list no files, &man.lpr.1; reads data to
print from standard input. For example, this command prints some
important system files:&prompt.user; lpr /etc/host.conf /etc/hosts.equivTo select a specific printer, type:&prompt.user; lpr -P printer-namefilename...This example prints a long listing of the current directory to the
printer named rattan:&prompt.user; ls -l | lpr -P rattanBecause no files were listed for the
&man.lpr.1; command, lpr read the data to print
from standard input, which was the output of the ls
-l command.The &man.lpr.1; command can also accept a wide variety of options
to control formatting, apply file conversions, generate multiple
copies, and so forth. For more information, see the section Printing Options.Checking Jobsprint jobsWhen you print with &man.lpr.1;, the data you wish to print is put
together in a package called a print job, which is sent
to the LPD spooling system. Each printer
has a queue of jobs, and
your job waits in that queue along with other jobs from yourself and
from other users. The printer prints those jobs in a first-come,
first-served order.To display the queue for the default printer, type &man.lpq.1;.
For a specific printer, use the option. For
example, the command
&prompt.user; lpq -P bamboo
shows the queue for the printer named bamboo. Here
is an example of the output of the lpq
command:bamboo is ready and printing
Rank Owner Job Files Total Size
active kelly 9 /etc/host.conf, /etc/hosts.equiv 88 bytes
2nd kelly 10 (standard input) 1635 bytes
3rd mary 11 ... 78519 bytesThis shows three jobs in the queue for bamboo.
The first job, submitted by user kelly, got assigned job
number 9. Every job for a printer gets a unique job number.
Most of the time you can ignore the job number, but you will need it
if you want to cancel the job; see section Removing Jobs for details.Job number nine consists of two files; multiple files given on the
&man.lpr.1; command line are treated as part of a single job. It
is the currently active job (note the word active
under the Rank column), which means the printer should
be currently printing that job. The second job consists of data
passed as the standard input to the &man.lpr.1; command. The third
job came from user mary; it is a much larger
job. The pathname of the file she is trying to print is too long to
fit, so the &man.lpq.1; command just shows three dots.The very first line of the output from &man.lpq.1; is also useful:
it tells what the printer is currently doing (or at least what
LPD thinks the printer is doing).The &man.lpq.1; command also support a option
to generate a detailed long listing. Here is an example of
lpq -l:waiting for bamboo to become ready (offline ?)
kelly: 1st [job 009rose]
/etc/host.conf 73 bytes
/etc/hosts.equiv 15 bytes
kelly: 2nd [job 010rose]
(standard input) 1635 bytes
mary: 3rd [job 011rose]
/home/orchid/mary/research/venus/alpha-regio/mapping 78519 bytesRemoving JobsIf you change your mind about printing a job, you can remove the
job from the queue with the &man.lprm.1; command. Often, you can
even use &man.lprm.1; to remove an active job, but some or all of the
job might still get printed.To remove a job from the default printer, first use
&man.lpq.1; to find the job number. Then type:&prompt.user; lprm job-numberTo remove the job from a specific printer, add the
option. The following command removes job number
10 from the queue for the printer bamboo:&prompt.user; lprm -P bamboo 10The &man.lprm.1; command has a few shortcuts:lprm -Removes all jobs (for the default printer) belonging to
you.lprm userRemoves all jobs (for the default printer) belonging to
user. The superuser can remove other
users' jobs; you can remove only your own jobs.lprmWith no job number, user name, or
appearing on the command line,
&man.lprm.1; removes the currently active job on the
default printer, if it belongs to you. The superuser can remove
any active job.Just use the option with the above shortcuts
to operate on a specific printer instead of the default. For example,
the following command removes all jobs for the current user in the
queue for the printer named rattan:&prompt.user; lprm -P rattan -If you are working in a networked environment, &man.lprm.1; will
let you remove jobs only from the
host from which the jobs were submitted, even if the same printer is
available from other hosts. The following command sequence
demonstrates this:&prompt.user; lpr -P rattan myfile
&prompt.user; rlogin orchid
&prompt.user; lpq -P rattan
Rank Owner Job Files Total Size
active seeyan 12 ... 49123 bytes
2nd kelly 13 myfile 12 bytes
&prompt.user; lprm -P rattan 13
rose: Permission denied
&prompt.user; logout
&prompt.user; lprm -P rattan 13
dfA013rose dequeued
cfA013rose dequeued
Beyond Plain Text: Printing OptionsThe &man.lpr.1; command supports a number of options that control
formatting text, converting graphic and other file formats, producing
multiple copies, handling of the job, and more. This section
describes the options.Formatting and Conversion OptionsThe following &man.lpr.1; options control formatting of the
files in the job. Use these options if the job does not contain
plain text or if you want plain text formatted through the
&man.pr.1; utility.&tex;For example, the following command prints a DVI file (from the
&tex; typesetting system) named fish-report.dvi
to the printer named bamboo:&prompt.user; lpr -P bamboo -d fish-report.dviThese options apply to every file in the job, so you cannot mix
(say) DVI and ditroff files together in a job. Instead, submit the
files as separate jobs, using a different conversion option for each
job.All of these options except and
require conversion filters installed for the
destination printer. For example, the option
requires the DVI conversion filter. Section Conversion
Filters gives details.Print cifplot files.Print DVI files.Print FORTRAN text files.Print plot data.Indent the output by number
columns; if you omit number, indent
by 8 columns. This option works only with certain conversion
filters.Do not put any space between the and
the number.Print literal text data, including control
characters.Print ditroff (device independent troff) data.-pFormat plain text with &man.pr.1; before printing. See
&man.pr.1; for more information.Use title on the
&man.pr.1; header instead of the file name. This option has
effect only when used with the
option.Print troff data.Print raster data.Here is an example: this command prints a nicely formatted
version of the &man.ls.1; manual page on the default printer:&prompt.user; zcat /usr/share/man/man1/ls.1.gz | troff -t -man | lpr -tThe &man.zcat.1; command uncompresses the source of the
&man.ls.1; manual page and passes it to the &man.troff.1;
command, which formats that source and makes GNU troff
output and passes it to &man.lpr.1;, which submits the job
to the LPD spooler. Because we
used the
option to &man.lpr.1;, the spooler will convert the GNU
troff output into a format the default printer can
understand when it prints the job.Job Handling OptionsThe following options to &man.lpr.1; tell
LPD to handle the job
specially:-# copiesProduce a number of copies of
each file in the job instead of just one copy. An
administrator may disable this option to reduce printer
wear-and-tear and encourage photocopier usage. See section
Restricting
Multiple Copies.This example prints three copies of
parser.c followed by three copies of
parser.h to the default printer:&prompt.user; lpr -#3 parser.c parser.h-mSend mail after completing the print job. With this
option, the LPD system will send
mail to your account when it
finishes handling your job. In its message, it will tell you
if the job completed successfully or if there was an error,
and (often) what the error was.-sDo not copy the files to the spooling directory, but make
symbolic links to them instead.If you are printing a large job, you probably want to use
this option. It saves space in the spooling directory (your
job might overflow the free space on the filesystem where the
spooling directory resides). It saves time as well since
LPD
will not have to copy each and every byte of your job to the
spooling directory.There is a drawback, though: since
LPD will refer to the
original files directly, you cannot modify or remove them
until they have been printed.If you are printing to a remote printer,
LPD will
eventually have to copy files from the local host to the
remote host, so the option will save
space only on the local spooling directory, not the remote.
It is still useful, though.-rRemove the files in the job after copying them to the
spooling directory, or after printing them with the
option. Be careful with this
option!Header Page OptionsThese options to &man.lpr.1; adjust the text that normally
appears on a job's header page. If header pages are suppressed for
the destination printer, these options have no effect. See section
Header Pages
for information about setting up header pages.-C textReplace the hostname on the header page with
text. The hostname is normally the
name of the host from which the job was submitted.-J textReplace the job name on the header page with
text. The job name is normally the
name of the first file of the job, or
stdin if you are printing standard
input.-hDo not print any header page.At some sites, this option may have no effect due to the
way header pages are generated. See Header
Pages for details.Administering PrintersAs an administrator for your printers, you have had to install,
set up, and test them. Using the &man.lpc.8; command, you
can interact with your printers in yet more ways. With &man.lpc.8;,
you canStart and stop the printersEnable and disable their queuesRearrange the order of the jobs in each queue.First, a note about terminology: if a printer is
stopped, it will not print anything in its queue.
Users can still submit jobs, which will wait in the queue until the
printer is started or the queue is
cleared.If a queue is disabled, no user (except
root) can submit jobs for the printer. An
enabled queue allows jobs to be submitted. A
printer can be started for a disabled queue, in
which case it will continue to print jobs in the queue until the queue
is empty.In general, you have to have root privileges
to use the &man.lpc.8; command. Ordinary users can use the &man.lpc.8;
command to get printer status and to restart a hung printer only.Here is a summary of the &man.lpc.8; commands. Most of the
commands take a printer-name argument to
tell on which printer to operate. You can use all
for the printer-name to mean all printers
listed in /etc/printcap.abort
printer-nameCancel the current job and stop the printer. Users can
still submit jobs if the queue is enabled.clean
printer-nameRemove old files from the printer's spooling directory.
Occasionally, the files that make up a job are not properly
removed by LPD, particularly if
there have been errors during
printing or a lot of administrative activity. This command
finds files that do not belong in the spooling directory and
removes them.disable
printer-nameDisable queuing of new jobs. If the printer is running, it
will continue to print any jobs remaining in the queue. The
superuser (root) can always submit jobs,
even to a disabled queue.This command is useful while you are testing a new printer
or filter installation: disable the queue and submit jobs as
root. Other users will not be able to submit
jobs until you complete your testing and re-enable the queue with
the enable command.down printer-namemessageTake a printer down. Equivalent to
disable followed by stop.
The message appears as the printer's
status whenever a user checks the printer's queue with
&man.lpq.1; or status with lpc
status.enable
printer-nameEnable the queue for a printer. Users can submit jobs but
the printer will not print anything until it is started.help
command-namePrint help on the command
command-name. With no
command-name, print a summary of the
commands available.restart
printer-nameStart the printer. Ordinary users can use this command if
some extraordinary circumstance hangs
LPD, but they cannot start
a printer stopped with either the stop or
down commands. The
restart command is equivalent to
abort followed by
start.start
printer-nameStart the printer. The printer will print jobs in its
queue.stop
printer-nameStop the printer. The printer will finish the current job
and will not print anything else in its queue. Even though the
printer is stopped, users can still submit jobs to an enabled
queue.topq printer-namejob-or-usernameRearrange the queue for
printer-name by placing the jobs with
the listed job numbers or the jobs
belonging to username at the top of
the queue. For this command, you cannot use
all as the
printer-name.up
printer-nameBring a printer up; the opposite of the
down command. Equivalent to
start followed by
enable.&man.lpc.8; accepts the above commands on the command line. If
you do not enter any commands, &man.lpc.8; enters an interactive mode,
where you can enter commands until you type exit,
quit, or end-of-file.Alternatives to the Standard SpoolerIf you have been reading straight through this manual, by now you
have learned just about everything there is to know about the
LPD
spooling system that comes with FreeBSD. You can probably appreciate
many of its shortcomings, which naturally leads to the question:
What other spooling systems are out there (and work with
FreeBSD)?LPRngLPRngLPRng, which purportedly means
LPR: the Next
Generation is a complete rewrite of PLP. Patrick Powell
and Justin Mason (the principal maintainer of PLP) collaborated to
make LPRng. The main site for
LPRng is .TroubleshootingAfter performing the simple test with &man.lptest.1;, you might
have gotten one of the following results instead of the correct
printout:It worked, after awhile; or, it did not eject a full
sheet.The printer printed the above, but it sat for awhile and
did nothing. In fact, you might have needed to press a
PRINT REMAINING or FORM FEED button on the printer to get any
results to appear.If this is the case, the printer was probably waiting to
see if there was any more data for your job before it printed
anything. To fix this problem, you can have the text filter
send a FORM FEED character (or whatever is necessary) to the
printer. This is usually sufficient to have the printer
immediately print any text remaining in its internal buffer.
It is also useful to make sure each print job ends on a full
sheet, so the next job does not start somewhere on the middle
of the last page of the previous job.The following replacement for the shell script
/usr/local/libexec/if-simple prints a
form feed after it sends the job to the printer:#!/bin/sh
#
# if-simple - Simple text input filter for lpd
# Installed in /usr/local/libexec/if-simple
#
# Simply copies stdin to stdout. Ignores all filter arguments.
# Writes a form feed character (\f) after printing job.
/bin/cat && printf "\f" && exit 0
exit 2It produced the staircase effect.You got the following on paper:!"#$%&'()*+,-./01234
"#$%&'()*+,-./012345
#$%&'()*+,-./0123456MS-DOSOS/2ASCIIYou have become another victim of the staircase
effect, caused by conflicting interpretations of
- what characters should indicate a new line. Unix-style
+ what characters should indicate a new line. &unix; style
operating systems use a single character: ASCII code 10, the
- line feed (LF). MS-DOS, OS/2, and others uses a pair of
+ line feed (LF). &ms-dos;, &os2;, and others uses a pair of
characters, ASCII code 10 and ASCII code
- 13 (the carriage return or CR). Many printers use the MS-DOS
+ 13 (the carriage return or CR). Many printers use the &ms-dos;
convention for representing new-lines.When you print with FreeBSD, your text used just the line
feed character. The printer, upon seeing a line feed
character, advanced the paper one line, but maintained the
same horizontal position on the page for the next character
to print. That is what the carriage return is for: to move
the location of the next character to print to the left edge
of the paper.Here is what FreeBSD wants your printer to do:Printer received CRPrinter prints CRPrinter received LFPrinter prints CR + LFHere are some ways to achieve this:Use the printer's configuration switches or control
panel to alter its interpretation of these characters.
Check your printer's manual to find out how to do
this.If you boot your system into other operating systems
besides FreeBSD, you may have to
reconfigure the printer to use a an
interpretation for CR and LF characters that those other
operating systems use. You might prefer one of the other
solutions, below.Have FreeBSD's serial line driver automatically
convert LF to CR+LF. Of course, this works with printers
on serial ports only. To enable this
feature, use the ms# capability and
set the onlcr mode
in the /etc/printcap file
for the printer.Send an escape code to the
printer to have it temporarily treat LF characters
differently. Consult your printer's manual for escape
codes that your printer might support. When you find the
proper escape code, modify the text filter to send the
code first, then send the print job.PCLHere is an example text filter for printers that
understand the Hewlett-Packard PCL escape codes. This
filter makes the printer treat LF characters as a LF and
CR; then it sends the job; then it sends a form feed to
eject the last page of the job. It should work with
nearly all Hewlett Packard printers.#!/bin/sh
#
# hpif - Simple text input filter for lpd for HP-PCL based printers
# Installed in /usr/local/libexec/hpif
#
# Simply copies stdin to stdout. Ignores all filter arguments.
# Tells printer to treat LF as CR+LF. Ejects the page when done.
printf "\033&k2G" && cat && printf "\033&l0H" && exit 0
exit 2Here is an example /etc/printcap
from a host called orchid. It has a single printer
attached to its first parallel port, a Hewlett Packard
LaserJet 3Si named teak. It is using the
above script as its text filter:#
# /etc/printcap for host orchid
#
teak|hp|laserjet|Hewlett Packard LaserJet 3Si:\
:lp=/dev/lpt0:sh:sd=/var/spool/lpd/teak:mx#0:\
:if=/usr/local/libexec/hpif:It overprinted each line.The printer never advanced a line. All of the lines of
text were printed on top of each other on one line.This problem is the opposite of the
staircase effect, described above, and is much rarer.
Somewhere, the LF characters that FreeBSD uses to end a line
are being treated as CR characters to return the print
location to the left edge of the paper, but not also down a
line.Use the printer's configuration switches or control panel
to enforce the following interpretation of LF and CR
characters:Printer receivesPrinter printsCRCRLFCR + LFThe printer lost characters.While printing, the printer did not print a few characters
in each line. The problem might have gotten worse as the
printer ran, losing more and more characters.The problem is that the printer cannot keep up with the
speed at which the computer sends data over a serial line
(this problem should not occur with printers on parallel
ports). There are two ways to overcome the problem:If the printer supports XON/XOFF flow control, have
FreeBSD use it by specifying the ixon mode
in the ms# capability.If the printer supports carrier flow control, specify
the crtscts mode in the
ms# capability.
Make sure the cable connecting the printer to the computer
is correctly wired for carrier flow control.It printed garbage.The printer printed what appeared to be random garbage,
but not the desired text.This is usually another symptom of incorrect
communications parameters with a serial printer. Double-check
the bps rate in the br capability, and the
parity setting in the
ms# capability; make sure the printer is
using the same settings as specified in the
/etc/printcap file.Nothing happened.If nothing happened, the problem is probably within
FreeBSD and not the hardware. Add the log file
(lf) capability to the entry for the
printer you are debugging in the
/etc/printcap file. For example, here is
the entry for rattan, with the
lf capability:rattan|line|diablo|lp|Diablo 630 Line Printer:\
:sh:sd=/var/spool/lpd/rattan:\
:lp=/dev/lpt0:\
:if=/usr/local/libexec/if-simple:\
:lf=/var/log/rattan.logThen, try printing again. Check the log file (in our
example, /var/log/rattan.log) to see any
error messages that might appear. Based on the messages you
see, try to correct the problem.If you do not specify a lf capability,
LPD uses
/dev/console as a default.
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index ca5612eaea..a7f5dc9f70 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -1,4558 +1,4558 @@
MatthewDillonMuch of this chapter has been taken from the
security(7) manual page by SecuritysecuritySynopsisThis chapter will provide a basic introduction to system security
concepts, some general good rules of thumb, and some advanced topics
under FreeBSD. A lot of the topics covered here can be applied
to system and Internet security in general as well. The Internet
is no longer a friendly place in which everyone
wants to be your kind neighbor. Securing your system is imperative
to protect your data, intellectual property, time, and much more
from the hands of hackers and the like.FreeBSD provides an array of utilities and mechanisms to
ensure the integrity and security of your system and
network.After reading this chapter, you will know:Basic system security concepts, in respect to FreeBSD.About the various crypt mechanisms available in FreeBSD,
such as DES and MD5.How to set up one-time password authentication.How to set up Kerberos, another alternative
authentication system.How to create firewalls using IPFW.How to configure IPsec and create a VPN between
- FreeBSD/Windows machines.
+ FreeBSD/&windows; machines.
How to configure and use OpenSSH, FreeBSD's SSH
implementation.How to configure and load access control extension
modules using the TrustedBSD MAC Framework.What file system ACLs are and how to use them.Before reading this chapter, you should:Understand basic FreeBSD and Internet concepts.IntroductionSecurity is a function that begins and ends with the system
- administrator. While all BSD Unix multi-user systems have some
+ administrator. While all BSD &unix; multi-user systems have some
inherent security, the job of building and maintaining additional
security mechanisms to keep those users honest is
probably one of the single largest undertakings of the sysadmin.
Machines are only as secure as you make them, and security concerns
- are ever competing with the human necessity for convenience. Unix
+ are ever competing with the human necessity for convenience. &unix;
systems, in general, are capable of running a huge number of
simultaneous processes and many of these processes operate as
servers – meaning that external entities can connect and talk
to them. As yesterday's mini-computers and mainframes become
today's desktops, and as computers become networked and
internetworked, security becomes an even bigger issue.Security is best implemented through a layered
onion approach. In a nutshell, what you want to do is
to create as many layers of security as are convenient and then
carefully monitor the system for intrusions. You do not want to
overbuild your security or you will interfere with the detection
side, and detection is one of the single most important aspects of
any security mechanism. For example, it makes little sense to set
the schg flags (see &man.chflags.1;) on every
system binary because
while this may temporarily protect the binaries, it prevents an
attacker who has broken in from making an easily detectable change
that may result in your security mechanisms not detecting the attacker
at all.System security also pertains to dealing with various forms of
attack, including attacks that attempt to crash, or otherwise make a
system unusable, but do not attempt to compromise the
root account (break root).
Security concerns
can be split up into several categories:Denial of service attacks.User account compromises.Root compromise through accessible servers.Root compromise via user accounts.Backdoor creation.DoS attacksDenial of Service (DoS)securityDoS attacksDenial of Service (DoS)Denial of Service (DoS)A denial of service attack is an action that deprives the
machine of needed resources. Typically, DoS attacks are
brute-force mechanisms that attempt to crash or otherwise make a
machine unusable by overwhelming its servers or network stack. Some
DoS attacks try to take advantage of bugs in the networking
stack to crash a machine with a single packet. The latter can only
be fixed by applying a bug fix to the kernel. Attacks on servers
can often be fixed by properly specifying options to limit the load
the servers incur on the system under adverse conditions.
Brute-force network attacks are harder to deal with. A
spoofed-packet attack, for example, is nearly impossible to stop,
short of cutting your system off from the Internet. It may not be
able to take your machine down, but it can saturate your
Internet connection.securityaccount compromisesA user account compromise is even more common than a DoS
attack. Many sysadmins still run standard
telnetd, rlogind,
rshd,
and ftpd servers on their machines.
These servers, by default, do
not operate over encrypted connections. The result is that if you
have any moderate-sized user base, one or more of your users logging
into your system from a remote location (which is the most common
and convenient way to login to a system) will have his or her
password sniffed. The attentive system admin will analyze his
remote access logs looking for suspicious source addresses even for
successful logins.One must always assume that once an attacker has access to a
user account, the attacker can break root.
However, the reality is that in a well secured and maintained system,
access to a user account does not necessarily give the attacker
access to root. The distinction is important
because without access to root the attacker
cannot generally hide his tracks and may, at best, be able to do
nothing more than mess with the user's files, or crash the machine.
User account compromises are very common because users tend not to
take the precautions that sysadmins take.securitybackdoorsSystem administrators must keep in mind that there are
potentially many ways to break root on a machine.
The attacker may know the root password,
the attacker may find a bug in a root-run server and be able
to break root over a network
connection to that server, or the attacker may know of a bug in
a suid-root program that allows the attacker to break
root once he has broken into a user's account.
If an attacker has found a way to break root
on a machine, the attacker may not have a need
to install a backdoor. Many of the root holes
found and closed to date involve a considerable amount of work
by the attacker to cleanup after himself, so most attackers install
backdoors. A backdoor provides the attacker with a way to easily
regain root access to the system, but it
also gives the smart system administrator a convenient way
to detect the intrusion.
Making it impossible for an attacker to install a backdoor may
actually be detrimental to your security, because it will not
close off the hole the attacker found to break in the first
place.Security remedies should always be implemented with a
multi-layered onion peel approach and can be
categorized as follows:Securing root and staff accounts.Securing root – root-run servers
and suid/sgid binaries.Securing user accounts.Securing the password file.Securing the kernel core, raw devices, and
filesystems.Quick detection of inappropriate changes made to the
system.Paranoia.The next section of this chapter will cover the above bullet
items in greater depth.Securing FreeBSDsecuritysecuring FreeBSDCommand vs. ProtocolThroughout this document, we will use
bold text to refer to a command or
application. This is used for instances such as ssh, since it is
a protocol as well as command.The sections that follow will cover the methods of securing your
FreeBSD system that were mentioned in the last section of this chapter.Securing the <username>root</username> Account and
Staff AccountssuFirst off, do not bother securing staff accounts if you have
not secured the root account.
Most systems have a password assigned to the root
account. The first thing you do is assume
that the password is always compromised.
This does not mean that you should remove the password. The
password is almost always necessary for console access to the
machine. What it does mean is that you should not make it
possible to use the password outside of the console or possibly
even with the &man.su.1; command. For example, make sure that
your pty's are specified as being insecure in the
/etc/ttys file so that direct
root logins
via telnet or rlogin are
disallowed. If using other login services such as
sshd, make sure that direct
root logins are disabled there as well.
You can do this by editing
your /etc/ssh/sshd_config file, and making
sure that PermitRootLogin is set to
NO. Consider every access method –
services such as FTP often fall through the cracks.
Direct root logins should only be allowed
via the system console.wheelOf course, as a sysadmin you have to be able to get to
root, so we open up a few holes.
But we make sure these holes require additional password
verification to operate. One way to make root
accessible is to add appropriate staff accounts to the
wheel group (in
/etc/group). The staff members placed in the
wheel group are allowed to
su to root.
You should never give staff
members native wheel access by putting them in the
wheel group in their password entry. Staff
accounts should be placed in a staff group, and
then added to the wheel group via the
/etc/group file. Only those staff members
who actually need to have root access
should be placed in the
wheel group. It is also possible, when using
an authentication method such as Kerberos, to use Kerberos'
.k5login file in the root
account to allow a &man.ksu.1; to root
without having to place anyone at all in the
wheel group. This may be the better solution
since the wheel mechanism still allows an
intruder to break root if the intruder
has gotten hold of your
password file and can break into a staff account. While having
the wheel mechanism is better than having
nothing at all, it is not necessarily the safest option.An indirect way to secure staff accounts, and ultimately
root access is to use an alternative
login access method and
do what is known as starring out the encrypted
password for the staff accounts. Using the &man.vipw.8;
command, one can replace each instance of an encrypted password
with a single * character.
This command will update the /etc/master.passwd
file and user/password database to disable password-authenticated
logins.A staff account entry such as:foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcshShould be changed to this:foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcshThis change will prevent normal logins from occurring,
since the encrypted password will never match
*. With this done,
staff members must use
another mechanism to authenticate themselves such as
&man.kerberos.1; or &man.ssh.1; using a public/private key
pair. When using something like Kerberos, one generally must
secure the machines which run the Kerberos servers and your
desktop workstation. When using a public/private key pair
with ssh, one must generally secure
the machine used to login from (typically
one's workstation). An additional layer of protection can be
added to the key pair by password protecting the key pair when
creating it with &man.ssh-keygen.1;. Being able to
star out the passwords for staff accounts also
guarantees that staff members can only login through secure
access methods that you have set up. This forces all staff
members to use secure, encrypted connections for all of their
sessions, which closes an important hole used by many
intruders: sniffing the network from an unrelated,
less secure machine.The more indirect security mechanisms also assume that you are
logging in from a more restrictive server to a less restrictive
server. For example, if your main box is running all sorts of
servers, your workstation should not be running any. In order for
your workstation to be reasonably secure you should run as few
servers as possible, up to and including no servers at all, and
you should run a password-protected screen blanker. Of course,
given physical access to a workstation an attacker can break any
sort of security you put on it. This is definitely a problem that
you should consider, but you should also consider the fact that the
vast majority of break-ins occur remotely, over a network, from
people who do not have physical access to your workstation or
servers.KerberosUsing something like Kerberos also gives you the ability to
disable or change the password for a staff account in one place,
and have it immediately effect all the machines on which the staff
member may have an account. If a staff member's account gets
compromised, the ability to instantly change his password on all
machines should not be underrated. With discrete passwords,
changing a password on N machines can be a mess. You can also
impose re-passwording restrictions with Kerberos: not only can a
Kerberos ticket be made to timeout after a while, but the Kerberos
system can require that the user choose a new password after a
certain period of time (say, once a month).Securing Root-run Servers and SUID/SGID BinariesntalkcomsatfingersandboxessshdtelnetdrshdrlogindThe prudent sysadmin only runs the servers he needs to, no
more, no less. Be aware that third party servers are often the
most bug-prone. For example, running an old version of
imapd or
popper is like giving a universal
root ticket out to the entire world.
Never run a server that you have not checked out carefully.
Many servers do not need to be run as root.
For example, the ntalk,
comsat, and
finger daemons can be run in special
user sandboxes. A sandbox is not perfect,
unless you go through a large amount of trouble, but the onion
approach to security still stands: If someone is able to break
in through a server running in a sandbox, they still have to
break out of the sandbox. The more layers the attacker must
break through, the lower the likelihood of his success. Root
holes have historically been found in virtually every server
ever run as root, including basic system servers.
If you are running a machine through which people only login via
sshd and never login via
telnetd or
rshd or
rlogind, then turn off those
services!FreeBSD now defaults to running
ntalkd,
comsat, and
finger in a sandbox. Another program
which may be a candidate for running in a sandbox is &man.named.8;.
/etc/defaults/rc.conf includes the arguments
necessary to run named in a sandbox in a
commented-out form. Depending on whether you are installing a new
system or upgrading an existing system, the special user accounts
used by these sandboxes may not be installed. The prudent
sysadmin would research and implement sandboxes for servers
whenever possible.sendmailThere are a number of other servers that typically do not run
in sandboxes: sendmail,
popper,
imapd, ftpd,
and others. There are alternatives to some of these, but
installing them may require more work than you are willing to
perform (the convenience factor strikes again). You may have to
run these servers as root and rely on other
mechanisms to detect break-ins that might occur through them.The other big potential root holes in a
system are the
suid-root and sgid binaries installed on the system. Most of
these binaries, such as rlogin, reside
in /bin, /sbin,
/usr/bin, or /usr/sbin.
While nothing is 100% safe, the system-default suid and sgid
binaries can be considered reasonably safe. Still,
root holes are occasionally found in these
binaries. A root hole was found in
Xlib in 1998 that made
xterm (which is typically suid)
vulnerable. It is better to be safe than sorry and the prudent
sysadmin will restrict suid binaries, that only staff should run,
to a special group that only staff can access, and get rid of
(chmod 000) any suid binaries that nobody uses.
A server with no display generally does not need an
xterm binary. Sgid binaries can be
almost as dangerous. If an intruder can break an sgid-kmem binary,
the intruder might be able to read /dev/kmem
and thus read the encrypted password file, potentially compromising
any passworded account. Alternatively an intruder who breaks
group kmem can monitor keystrokes sent through
pty's, including pty's used by users who login through secure
methods. An intruder that breaks the tty
group can write to
almost any user's tty. If a user is running a terminal program or
emulator with a keyboard-simulation feature, the intruder can
potentially generate a data stream that causes the user's terminal
to echo a command, which is then run as that user.Securing User AccountsUser accounts are usually the most difficult to secure. While
you can impose Draconian access restrictions on your staff and
star out their passwords, you may not be able to
do so with any general user accounts you might have. If you do
have sufficient control, then you may win out and be able to secure
the user accounts properly. If not, you simply have to be more
vigilant in your monitoring of those accounts. Use of
ssh and Kerberos for user accounts is
more problematic, due to the extra administration and technical
support required, but still a very good solution compared to a
crypted password file.Securing the Password FileThe only sure fire way is to * out as many
passwords as you can and use ssh or
Kerberos for access to those accounts. Even though the encrypted
password file (/etc/spwd.db) can only be read
by root, it may be possible for an intruder
to obtain read access to that file even if the attacker cannot
obtain root-write access.Your security scripts should always check for and report
changes to the password file (see the Checking file integrity section
below).Securing the Kernel Core, Raw Devices, and
FilesystemsIf an attacker breaks root he can do
just about anything, but
there are certain conveniences. For example, most modern kernels
have a packet sniffing device driver built in. Under FreeBSD it
is called the bpf device. An intruder
will commonly attempt to run a packet sniffer on a compromised
machine. You do not need to give the intruder the capability and
most systems do not have the need for the
bpf device compiled in.sysctlBut even if you turn off the bpf
device, you still have
/dev/mem and
/dev/kmem
to worry about. For that matter, the intruder can still write to
raw disk devices. Also, there is another kernel feature called
the module loader, &man.kldload.8;. An enterprising intruder can
use a KLD module to install his own bpf
device, or other sniffing
device, on a running kernel. To avoid these problems you have to
run the kernel at a higher secure level, at least securelevel 1.
The securelevel can be set with a sysctl on
the kern.securelevel variable. Once you have
set the securelevel to 1, write access to raw devices will be
denied and special chflags flags,
such as schg,
will be enforced. You must also ensure that the
schg flag is set on critical startup binaries,
directories, and script files – everything that gets run up
to the point where the securelevel is set. This might be overdoing
it, and upgrading the system is much more difficult when you
operate at a higher secure level. You may compromise and run the
system at a higher secure level but not set the
schg flag for every system file and directory
under the sun. Another possibility is to simply mount
/ and /usr read-only.
It should be noted that being too Draconian in what you attempt to
protect may prevent the all-important detection of an
intrusion.Checking File Integrity: Binaries, Configuration Files,
Etc.When it comes right down to it, you can only protect your core
system configuration and control files so much before the
convenience factor rears its ugly head. For example, using
chflags to set the schg bit
on most of the files in / and
/usr is probably counterproductive, because
while it may protect the files, it also closes a detection window.
The last layer of your security onion is perhaps the most
important – detection. The rest of your security is pretty
much useless (or, worse, presents you with a false sense of
safety) if you cannot detect potential incursions. Half the job
of the onion is to slow down the attacker, rather than stop him, in
order to give the detection side of the equation a chance to catch
him in the act.The best way to detect an incursion is to look for modified,
missing, or unexpected files. The best way to look for modified
files is from another (often centralized) limited-access system.
Writing your security scripts on the extra-secure limited-access
system makes them mostly invisible to potential attackers, and this
is important. In order to take maximum advantage you generally
have to give the limited-access box significant access to the
other machines in the business, usually either by doing a
read-only NFS export of the other machines to the limited-access
box, or by setting up ssh key-pairs to
allow the limited-access box to ssh to
the other machines. Except for its network traffic, NFS is the
least visible method – allowing you to monitor the
filesystems on each client box virtually undetected. If your
limited-access server is connected to the client boxes through a
switch, the NFS method is often the better choice. If your
limited-access server is connected to the client boxes through a
hub, or through several layers of routing, the NFS method may be
too insecure (network-wise) and using
ssh may be the better choice even with
the audit-trail tracks that ssh
lays.Once you give a limited-access box, at least read access to the
client systems it is supposed to monitor, you must write scripts
to do the actual monitoring. Given an NFS mount, you can write
scripts out of simple system utilities such as &man.find.1; and
&man.md5.1;. It is best to physically md5 the client-box files
at least once a day, and to test control files such as those
found in /etc and
/usr/local/etc even more often. When
mismatches are found, relative to the base md5 information the
limited-access machine knows is valid, it should scream at a
sysadmin to go check it out. A good security script will also
check for inappropriate suid binaries and for new or deleted files
on system partitions such as / and
/usr.When using ssh rather than NFS,
writing the security script is much more difficult. You
essentially have to scp the scripts to the client
box in order to
run them, making them visible, and for safety you also need to
scp the binaries (such as find) that those
scripts use. The ssh client on the
client box may already be compromised. All in all, using
ssh may be necessary when running over
insecure links, but it is also a lot harder to deal with.A good security script will also check for changes to user and
staff members access configuration files:
.rhosts, .shosts,
.ssh/authorized_keys and so forth…
files that might fall outside the purview of the
MD5 check.If you have a huge amount of user disk space, it may take too
long to run through every file on those partitions. In this case,
setting mount flags to disallow suid binaries and devices on those
partitions is a good idea. The nodev and
nosuid options (see &man.mount.8;) are what you
want to look into. You should probably scan them anyway, at least
once a week, since the object of this layer is to detect a break-in
whether or not the break-in is effective.Process accounting (see &man.accton.8;) is a relatively
low-overhead feature of the operating system which might help
as a post-break-in evaluation mechanism. It is especially
useful in tracking down how an intruder has actually broken into
a system, assuming the file is still intact after the break-in
occurs.Finally, security scripts should process the log files, and the
logs themselves should be generated in as secure a manner as
possible – remote syslog can be very useful. An intruder
tries to cover his tracks, and log files are critical to the
sysadmin trying to track down the time and method of the initial
break-in. One way to keep a permanent record of the log files is
to run the system console to a serial port and collect the
information on a continuing basis through a secure machine
monitoring the consoles.ParanoiaA little paranoia never hurts. As a rule, a sysadmin can add
any number of security features, as long as they do not effect
convenience, and can add security features that
do effect convenience with some added thought.
Even more importantly, a security administrator should mix it up a
bit – if you use recommendations such as those given by this
document verbatim, you give away your methodologies to the
prospective attacker who also has access to this document.Denial of Service AttacksDenial of Service (DoS)This section covers Denial of Service attacks. A DoS attack
is typically a packet attack. While there is not much you can do
about modern spoofed packet attacks that saturate your network,
you can generally limit the damage by ensuring that the attacks
cannot take down your servers.Limiting server forks.Limiting springboard attacks (ICMP response attacks, ping
broadcast, etc.).Kernel Route Cache.A common DoS attack is against a forking server that attempts
to cause the server to eat processes, file descriptors, and memory,
until the machine dies. inetd
(see &man.inetd.8;) has several
options to limit this sort of attack. It should be noted that
while it is possible to prevent a machine from going down, it is
not generally possible to prevent a service from being disrupted
by the attack. Read the inetd manual
page carefully and pay
specific attention to the , ,
and options. Note that spoofed-IP attacks
will circumvent the option to
inetd, so
typically a combination of options must be used. Some standalone
servers have self-fork-limitation parameters.Sendmail has its
option, which tends to work
much better than trying to use sendmail's load limiting options
due to the load lag. You should specify a
MaxDaemonChildren parameter, when you start
sendmail, high enough to handle your
expected load, but not so high that the computer cannot handle that
number of sendmails without falling on
its face. It is also prudent to run sendmail in queued mode
() and to run the daemon
(sendmail -bd) separate from the queue-runs
(sendmail -q15m). If you still want real-time
delivery you can run the queue at a much lower interval, such as
, but be sure to specify a reasonable
MaxDaemonChildren option for
that sendmail to prevent cascade failures.Syslogd can be attacked directly
and it is strongly recommended that you use the
option whenever possible, and the option
otherwise.You should also be fairly careful with connect-back services
such as tcpwrapper's reverse-identd,
which can be attacked directly. You generally do not want to use
the reverse-ident feature of
tcpwrappers for this reason.It is a very good idea to protect internal services from
external access by firewalling them off at your border routers.
The idea here is to prevent saturation attacks from outside your
LAN, not so much to protect internal services from network-based
root compromise.
Always configure an exclusive firewall, i.e.,
firewall everything except ports A, B,
C, D, and M-Z. This way you can firewall off all of your
low ports except for certain specific services such as
named (if you are primary for a zone),
ntalkd,
sendmail, and other Internet-accessible
services. If you try to configure the firewall the other way
– as an inclusive or permissive firewall, there is a good
chance that you will forget to close a couple of
services, or that you will add a new internal service and forget
to update the firewall. You can still open up the high-numbered
port range on the firewall, to allow permissive-like operation,
without compromising your low ports. Also take note that FreeBSD
allows you to control the range of port numbers used for dynamic
binding, via the various net.inet.ip.portrangesysctl's (sysctl -a | fgrep
portrange), which can also ease the complexity of your
firewall's configuration. For example, you might use a normal
first/last range of 4000 to 5000, and a hiport range of 49152 to
65535, then block off everything under 4000 in your firewall
(except for certain specific Internet-accessible ports, of
course).ICMP_BANDLIMAnother common DoS attack is called a springboard attack
– to attack a server in a manner that causes the server to
generate responses which overloads the server, the local
network, or some other machine. The most common attack of this
nature is the ICMP ping broadcast attack.
The attacker spoofs ping packets sent to your LAN's broadcast
address with the source IP address set to the actual machine they
wish to attack. If your border routers are not configured to
stomp on ping's to broadcast addresses, your LAN winds up
generating sufficient responses to the spoofed source address to
saturate the victim, especially when the attacker uses the same
trick on several dozen broadcast addresses over several dozen
different networks at once. Broadcast attacks of over a hundred
and twenty megabits have been measured. A second common
springboard attack is against the ICMP error reporting system.
By constructing packets that generate ICMP error responses, an
attacker can saturate a server's incoming network and cause the
server to saturate its outgoing network with ICMP responses. This
type of attack can also crash the server by running it out of
mbuf's, especially if the server cannot drain the ICMP responses
it generates fast enough. The FreeBSD kernel has a new kernel
compile option called
which limits the effectiveness
of these sorts of attacks. The last major class of springboard
attacks is related to certain internal
inetd services such as the
udp echo service. An attacker simply spoofs a UDP packet with the
source address being server A's echo port, and the destination
address being server B's echo port, where server A and B are both
on your LAN. The two servers then bounce this one packet back and
forth between each other. The attacker can overload both servers
and their LANs simply by injecting a few packets in this manner.
Similar problems exist with the internal
chargen port. A
competent sysadmin will turn off all of these inetd-internal test
services.Spoofed packet attacks may also be used to overload the kernel
route cache. Refer to the net.inet.ip.rtexpire,
rtminexpire, and rtmaxcachesysctl parameters. A spoofed packet attack
that uses a random source IP will cause the kernel to generate a
temporary cached route in the route table, viewable with
netstat -rna | fgrep W3. These routes
typically timeout in 1600 seconds or so. If the kernel detects
that the cached route table has gotten too big it will dynamically
reduce the rtexpire but will never decrease it
to less than rtminexpire. There are two
problems:The kernel does not react quickly enough when a lightly
loaded server is suddenly attacked.The rtminexpire is not low enough for
the kernel to survive a sustained attack.If your servers are connected to the Internet via a T3 or
better, it may be prudent to manually override both
rtexpire and rtminexpire
via &man.sysctl.8;. Never set either parameter to zero (unless
you want to crash the machine). Setting both
parameters to 2 seconds should be sufficient to protect the route
table from attack.Access Issues with Kerberos and SSHsshKerberosThere are a few issues with both Kerberos and
ssh that need to be addressed if
you intend to use them. Kerberos V is an excellent
authentication protocol, but there are bugs in the kerberized
telnet and
rlogin applications that make them
unsuitable for dealing with binary streams. Also, by default
Kerberos does not encrypt a session unless you use the
option. ssh
encrypts everything by default.ssh works quite well in every
respect except that it forwards encryption keys by default. What
this means is that if you have a secure workstation holding keys
that give you access to the rest of the system, and you
ssh to an insecure machine, your keys
are usable. The actual keys themselves are not exposed, but
ssh installs a forwarding port for the
duration of your login, and if an attacker has broken
root on the
insecure machine he can utilize that port to use your keys to gain
access to any other machine that your keys unlock.We recommend that you use ssh in
combination with Kerberos whenever possible for staff logins.
ssh can be compiled with Kerberos
support. This reduces your reliance on potentially exposable
ssh keys while at the same time
protecting passwords via Kerberos. ssh
keys should only be used for automated tasks from secure machines
(something that Kerberos is unsuited to do). We also recommend that
you either turn off key-forwarding in the
ssh configuration, or that you make use
of the from=IP/DOMAIN option that
ssh allows in its
authorized_keys file to make the key only
usable to entities logging in from specific machines.BillSwingleParts rewritten and updated by DES, MD5, and CryptsecuritycryptcryptDESMD5
- Every user on a Unix system has a password associated with
+ Every user on a &unix; system has a password associated with
their account. It seems obvious that these passwords need to be
known only to the user and the actual operating system. In
order to keep these passwords secret, they are encrypted with
what is known as a one-way hash, that is, they can
only be easily encrypted but not decrypted. In other words, what
we told you a moment ago was obvious is not even true: the
operating system itself does not really know
the password. It only knows the encrypted
form of the password. The only way to get the
plain-text password is by a brute force search of the
space of possible passwords.Unfortunately the only secure way to encrypt passwords when
- Unix came into being was based on DES, the Data Encryption
+ &unix; came into being was based on DES, the Data Encryption
Standard. This was not such a problem for users resident in
the US, but since the source code for DES could not be exported
outside the US, FreeBSD had to find a way to both comply with
- US law and retain compatibility with all the other Unix
+ US law and retain compatibility with all the other &unix;
variants that still used DES.The solution was to divide up the encryption libraries
so that US users could install the DES libraries and use
DES but international users still had an encryption method
that could be exported abroad. This is how FreeBSD came to
use MD5 as its default encryption method. MD5 is believed to
be more secure than DES, so installing DES is offered primarily
for compatibility reasons.Recognizing Your Crypt MechanismBefore FreeBSD 4.4 libcrypt.a was a
symbolic link pointing to the library which was used for
encryption. FreeBSD 4.4 changed libcrypt.a to
provide a configurable password authentication hash library.
Currently the library supports DES, MD5 and Blowfish hash
functions. By default FreeBSD uses MD5 to encrypt
passwords.It is pretty easy to identify which encryption method
FreeBSD is set up to use. Examining the encrypted passwords in
the /etc/master.passwd file is one way.
Passwords encrypted with the MD5 hash are longer than those
encrypted with the DES hash and also begin with the characters
$1$. Passwords starting with
$2$ are encrypted with the
Blowfish hash function. DES password strings do not
have any particular identifying characteristics, but they are
shorter than MD5 passwords, and are coded in a 64-character
alphabet which does not include the $
character, so a relatively short string which does not begin with
a dollar sign is very likely a DES password.The password format used for new passwords is controlled
by the passwd_format login capability in
/etc/login.conf, which takes values of
des, md5 or
blf. See the &man.login.conf.5; manual page
for more information about login capabilities.One-time Passwordsone-time passwordssecurityone-time passwordsS/Key is a one-time password scheme based on a one-way hash
function. FreeBSD uses the MD4 hash for compatibility but other
systems have used MD5 and DES-MAC. S/Key has been part of the
FreeBSD base system since version 1.1.5 and is also used on a
growing number of other operating systems. S/Key is a registered
trademark of Bell Communications Research, Inc.From version 5.0 of FreeBSD, S/Key has been replaced with
the functionally equivalent OPIE (One-time Passwords In
Everything). OPIE uses the MD5 hash by default.There are three different sorts of passwords which we will discuss
- below. The first is your usual Unix-style or
- Kerberos password; we will call this a Unix password.
+ below. The first is your usual &unix; style or
+ Kerberos password; we will call this a &unix; password.
The second sort is the one-time password which is generated by the
S/Key key program or the OPIE
&man.opiekey.1; program and accepted by the
keyinit or &man.opiepasswd.1; programs
and the login prompt; we will
call this a one-time password. The final sort of
password is the secret password which you give to the
key/opiekey programs (and
sometimes the
keyinit/opiepasswd programs)
which it uses to generate
one-time passwords; we will call it a secret password
or just unqualified password.
- The secret password does not have anything to do with your Unix
+ The secret password does not have anything to do with your &unix;
password; they can be the same but this is not recommended. S/Key
and OPIE secret passwords are not limited to 8 characters like old
- Unix passwordsUnder &os; the standard login
+ &unix; passwordsUnder &os; the standard login
password may be up to 128 characters in length.,
they can be as long as you like. Passwords of six or
seven word long phrases are fairly common. For the most part, the
- S/Key or OPIE system operates completely independently of the Unix
+ S/Key or OPIE system operates completely independently of the &unix;
password system.Besides the password, there are two other pieces of data that
are important to S/Key and OPIE. One is what is known as the
seed or key, consisting of two letters
and five digits. The other is what is called the iteration
count, a number between 1 and 100. S/Key creates the
one-time password by concatenating the seed and the secret password,
then applying the MD4/MD5 hash as many times as specified by the
iteration count and turning the result into six short English words.
These six English words are your one-time password. The
authentication system (primarily PAM) keeps
track of the last one-time password used, and the user is
authenticated if the hash of the user-provided password is equal to
the previous password. Because a one-way hash is used it is
impossible to generate future one-time passwords if a successfully
used password is captured; the iteration count is decremented after
each successful login to keep the user and the login program in
sync. When the iteration count gets down to 1, S/Key and OPIE must be
reinitialized.There are three programs involved in each system
which we will discuss below. The key and
opiekey programs accept an iteration
count, a seed, and a secret password, and generate a one-time
password or a consecutive list of one-time passwords. The
keyinit and opiepasswd
programs are used to initialize S/Key and OPIE respectively,
and to change passwords, iteration counts, or seeds; they
take either a secret passphrase, or an iteration count,
seed, and one-time password. The keyinfo
and opieinfo programs examine the
relevant credentials files (/etc/skeykeys or
/etc/opiekeys) and print out the invoking user's
current iteration count and seed.There are four different sorts of operations we will cover. The
first is using keyinit or
opiepasswd over a secure connection to set up
one-time-passwords for the first time, or to change your password
or seed. The second operation is using keyinit
or opiepasswd over an insecure connection, in
conjunction with key or opiekey
over a secure connection, to do the same. The third is using
key/opiekey to log in over
an insecure connection. The fourth is using key
or opiekey to generate a number of keys which
can be written down or printed out to carry with you when going to
some location without secure connections to anywhere.Secure Connection InitializationTo initialize S/Key for the first time, change your password,
or change your seed while logged in over a secure connection
(e.g., on the console of a machine or via ssh), use the
keyinit command without any parameters while
logged in as yourself:&prompt.user; keyinit
Adding unfurl:
Reminder - Only use this method if you are directly connected.
If you are using telnet or rlogin exit with no password and use keyinit -s.
Enter secret password:
Again secret password:
ID unfurl s/key is 99 to17757
DEFY CLUB PRO NASH LACE SOFTFor OPIE, opiepasswd is used instead:&prompt.user; opiepasswd -c
[grimreaper] ~ $ opiepasswd -f -c
Adding unfurl:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:
ID unfurl OTP key is 499 to4268
MOS MALL GOAT ARM AVID COED
At the Enter new secret pass phrase: or
Enter secret password: prompts, you
should enter a password or phrase. Remember, this is not the
password that you will use to login with, this is used to generate
your one-time login keys. The ID line gives the
parameters of your particular instance: your login name, the
iteration count, and seed. When logging in the system
will remember these parameters and present them back to you so you
do not have to remember them. The last line gives the particular
one-time password which corresponds to those parameters and your
secret password; if you were to re-login immediately, this
one-time password is the one you would use.Insecure Connection InitializationTo initialize or change your secret password over an
insecure connection, you will need to already have a secure
connection to some place where you can run key
or opiekey; this might be in the form of a
- desk accessory on a Macintosh, or a shell prompt on a machine you
+ desk accessory on a &macintosh;, or a shell prompt on a machine you
trust. You will also need to make up an iteration count (100 is
probably a good value), and you may make up your own seed or use a
randomly-generated one. Over on the insecure connection (to the
machine you are initializing), use the keyinit
-s command:&prompt.user; keyinit -s
Updating unfurl:
Old key: to17758
Reminder you need the 6 English words from the key command.
Enter sequence count from 1 to 9999: 100
Enter new key [default to17759]:
s/key 100 to 17759
s/key access password:
s/key access password:CURE MIKE BANE HIM RACY GOREFor OPIE, you need to use opiepasswd:&prompt.user; opiepasswd
Updating unfurl:
You need the response from an OTP generator.
Old secret pass phrase:
otp-md5 498 to4268 ext
Response: GAME GAG WELT OUT DOWN CHAT
New secret pass phrase:
otp-md5 499 to4269
Response: LINE PAP MILK NELL BUOY TROY
ID mark OTP key is 499 gr4269
LINE PAP MILK NELL BUOY TROY
To accept the default seed (which the
keyinit program confusingly calls a
key), press Return.
Then before entering an
access password, move over to your secure connection or S/Key desk
accessory, and give it the same parameters:&prompt.user; key 100 to17759
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
CURE MIKE BANE HIM RACY GOREOr for OPIE:&prompt.user; opiekey 498 to4268
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
GAME GAG WELT OUT DOWN CHAT
Now switch back over to the insecure connection, and copy the
one-time password generated over to the relevant program.Generating a Single One-time PasswordOnce you have initialized S/Key or OPIE, when you login you will be
presented with a prompt like this:&prompt.user; telnet example.com
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.
FreeBSD/i386 (example.com) (ttypa)
login: <username>
s/key 97 fw13894
Password: Or for OPIE:&prompt.user; telnet example.com
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.
FreeBSD/i386 (example.com) (ttypa)
login: <username>
otp-md5 498 gr4269 ext
Password: As a side note, the S/Key and OPIE prompts have a useful feature
(not shown here): if you press Return
at the password prompt, the
prompter will turn echo on, so you can see what you are
typing. This can be extremely useful if you are attempting to
type in a password by hand, such as from a printout.MS-DOSWindowsMacOSAt this point you need to generate your one-time password to
answer this login prompt. This must be done on a trusted system
that you can run key or
opiekey on. (There are versions of these for DOS,
- Windows and MacOS as well.) They need both the iteration count and
+ &windows; and &macos; as well.) They need both the iteration count and
the seed as command line options. You can cut-and-paste these
right from the login prompt on the machine that you are logging
in to.On the trusted system:&prompt.user; key 97 fw13894
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
WELD LIP ACTS ENDS ME HAAGFor OPIE:&prompt.user; opiekey 498 to4268
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
GAME GAG WELT OUT DOWN CHATNow that you have your one-time password you can continue
logging in:login: <username>
s/key 97 fw13894
Password: <return to enable echo>
s/key 97 fw13894
Password [echo on]: WELD LIP ACTS ENDS ME HAAG
Last login: Tue Mar 21 11:56:41 from 10.0.0.2 ... Generating Multiple One-time PasswordsSometimes you have to go places where you do not have
access to a trusted machine or secure connection. In this case,
it is possible to use the key and
opiekey commands to
generate a number of one-time passwords beforehand to be printed
out and taken with you. For example:&prompt.user; key -n 5 30 zz99999
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <secret password>
26: SODA RUDE LEA LIND BUDD SILT
27: JILT SPY DUTY GLOW COWL ROT
28: THEM OW COLA RUNT BONG SCOT
29: COT MASH BARR BRIM NAN FLAG
30: CAN KNEE CAST NAME FOLK BILKOr for OPIE:&prompt.user; opiekey -n 5 30 zz99999
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: <secret password>
26: JOAN BORE FOSS DES NAY QUIT
27: LATE BIAS SLAY FOLK MUCH TRIG
28: SALT TIN ANTI LOON NEAL USE
29: RIO ODIN GO BYE FURY TIC
30: GREW JIVE SAN GIRD BOIL PHIThe requests five keys in sequence, the
specifies what the last iteration number
should be. Note that these are printed out in
reverse order of eventual use. If you are
really paranoid, you might want to write the results down by hand;
otherwise you can cut-and-paste into lpr. Note
that each line shows both the iteration count and the one-time
password; you may still find it handy to scratch off passwords as
you use them.
- Restricting Use of Unix Passwords
+ Restricting Use of &unix; Passwords
- S/Key can place restrictions on the use of Unix passwords based
+ S/Key can place restrictions on the use of &unix; passwords based
on the host name, user name, terminal port, or IP address of a
login session. These restrictions can be found in the
configuration file /etc/skey.access. The
&man.skey.access.5; manual page has more information on the complete
format of the file and also details some security cautions to be
aware of before depending on this file for security.If there is no /etc/skey.access file
(this is the default on FreeBSD 4.X systems), then all users will
- be allowed to use Unix passwords. If the file exists, however,
+ be allowed to use &unix; passwords. If the file exists, however,
then all users will be required to use S/Key unless explicitly
permitted to do otherwise by configuration statements in the
- skey.access file. In all cases, Unix
+ skey.access file. In all cases, &unix;
passwords are permitted on the console.Here is a sample skey.access configuration
file which illustrates the three most common sorts of configuration
statements:permit internet 192.168.0.0 255.255.0.0
permit user fnord
permit port ttyd0The first line (permit internet) allows
users whose IP source address (which is vulnerable to spoofing)
- matches the specified value and mask, to use Unix passwords. This
+ matches the specified value and mask, to use &unix; passwords. This
should not be considered a security mechanism, but rather, a means
to remind authorized users that they are using an insecure network
and need to use S/Key for authentication.The second line (permit user) allows the
specified username, in this case fnord, to use
- Unix passwords at any time. Generally speaking, this should only
+ &unix; passwords at any time. Generally speaking, this should only
be used for people who are either unable to use the
key program, like those with dumb terminals, or
those who are uneducable.The third line (permit port) allows all
- users logging in on the specified terminal line to use Unix
+ users logging in on the specified terminal line to use &unix;
passwords; this would be used for dial-ups.
- OPIE can restrict the use of Unix passwords based on the IP
+ OPIE can restrict the use of &unix; passwords based on the IP
address of a login session just like S/Key does. The relevant file
is /etc/opieaccess, which is present by default
on FreeBSD 5.0 and newer systems. Please check &man.opieaccess.5;
for more information on this file and which security considerations
you should be aware of when using it.Here is a sample opieaccess file:permit 192.168.0.0 255.255.0.0This line allows users whose IP source address (which is
vulnerable to spoofing) matches the specified value and mask,
- to use Unix passwords at any time.
+ to use &unix; passwords at any time.If no rules in opieaccess are matched,
the default is to deny non-OPIE logins.MarkMurrayContributed by MarkDapozBased on a contribution by KerberosKerberosKerberos is a network add-on system/protocol that allows users to
authenticate themselves through the services of a secure server.
Services such as remote login, remote copy, secure inter-system file
copying and other high-risk tasks are made considerably safer and more
controllable.The following instructions can be used as a guide on how to set up
Kerberos as distributed for FreeBSD. However, you should refer to the
relevant manual pages for a complete description.Installing KerberosMITKerberosinstallingKerberos is an optional component of FreeBSD. The easiest
way to install this software is by selecting the krb4 or
krb5 distribution in sysinstall
during the initial installation of FreeBSD. This will install
the eBones (KerberosIV) or Heimdal (Kerberos5)
implementation of Kerberos. These implementations are
included because they are developed outside the USA/Canada and
were thus available to system owners outside those countries
during the era of restrictive export controls on cryptographic
code from the USA.Alternatively, the MIT implementation of Kerberos is
available from the ports collection as
security/krb5.Creating the Initial DatabaseThis is done on the Kerberos server only. First make sure that
you do not have any old Kerberos databases around. You should change
to the directory /etc/kerberosIV and check that
only the following files are present:&prompt.root; cd /etc/kerberosIV
&prompt.root; ls
README krb.conf krb.realmsIf any additional files (such as principal.*
or master_key) exist, then use the
kdb_destroy command to destroy the old Kerberos
database, or if Kerberos is not running, simply delete the extra
files.You should now edit the krb.conf and
krb.realms files to define your Kerberos realm.
In this case the realm will be EXAMPLE.COM and the
server is grunt.example.com. We edit
or create the krb.conf file:&prompt.root; cat krb.conf
EXAMPLE.COM
EXAMPLE.COM grunt.example.com admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.govIn this case, the other realms do not need to be there. They are
here as an example of how a machine may be made aware of multiple
realms. You may wish to not include them for simplicity.The first line names the realm in which this system works. The
other lines contain realm/host entries. The first item on a line is a
realm, and the second is a host in that realm that is acting as a
key distribution center. The words admin
server following a host's name means that host also
provides an administrative database server. For further explanation
of these terms, please consult the Kerberos manual pages.Now we have to add grunt.example.com
to the EXAMPLE.COM realm and also add an entry to
put all hosts in the .example.com
domain in the EXAMPLE.COM realm. The
krb.realms file would be updated as
follows:&prompt.root; cat krb.realms
grunt.example.com EXAMPLE.COM
.example.com EXAMPLE.COM
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDUAgain, the other realms do not need to be there. They are here as
an example of how a machine may be made aware of multiple realms. You
may wish to remove them to simplify things.The first line puts the specific system into
the named realm. The rest of the lines show how to default systems of
a particular subdomain to a named realm.Now we are ready to create the database. This only needs to run
on the Kerberos server (or Key Distribution Center). Issue the
kdb_init command to do this:&prompt.root; kdb_initRealm name [default ATHENA.MIT.EDU ]:EXAMPLE.COM
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:Now we have to save the key so that servers on the local machine
can pick it up. Use the kstash command to do
this:&prompt.root; kstashEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!This saves the encrypted master password in
/etc/kerberosIV/master_key.Making It All RunTwo principals need to be added to the database for
each system that will be secured with Kerberos.
Their names are kpasswd and rcmd.
These two principals are made for each system, with the instance being
the name of the individual system.These daemons, kpasswd and
rcmd allow other systems to change Kerberos
passwords and run commands like &man.rcp.1;,
&man.rlogin.1; and &man.rsh.1;.Now let us add these entries:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:passwdInstance:grunt
<Not found>, Create [y] ?y
Principal: passwd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?y
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name:rcmdInstance:grunt
<Not found>, Create [y] ?
Principal: rcmd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitCreating the Server FileWe now have to extract all the instances which define the
services on each machine. For this we use the
ext_srvtab command. This will create a file
which must be copied or moved by secure
means to each Kerberos client's
/etc/kerberosIV directory. This file must
be present on each server and client, and is crucial to the
operation of Kerberos.&prompt.root; ext_srvtab gruntEnter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'grunt-new-srvtab'....Now, this command only generates a temporary file which must be
renamed to srvtab so that all the servers can pick
it up. Use the &man.mv.1; command to move it into place on
the original system:&prompt.root; mv grunt-new-srvtab srvtabIf the file is for a client system, and the network is not deemed
safe, then copy the
client-new-srvtab to
removable media and transport it by secure physical means. Be sure to
rename it to srvtab in the client's
/etc/kerberosIV directory, and make sure it is
mode 600:&prompt.root; mv grumble-new-srvtab srvtab
&prompt.root; chmod 600 srvtabPopulating the DatabaseWe now have to add some user entries into the database. First
let us create an entry for the user jane. Use the
kdb_edit command to do this:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:
<Not found>, Create [y] ?y
Principal: jane, Instance: , kdc_key_ver: 1
New Password: <---- enter a secure password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitTesting It All OutFirst we have to start the Kerberos daemons. Note that if you
have correctly edited your /etc/rc.conf then this
will happen automatically when you reboot. This is only necessary on
the Kerberos server. Kerberos clients will automatically get what
they need from the /etc/kerberosIV
directory.&prompt.root; kerberos &
Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Current Kerberos master key version is 1
Local realm: EXAMPLE.COM
&prompt.root; kadmind -n &
KADM Server KADM0.0A initializing
Please do not use 'kill -9' to kill this job, use a
regular kill instead
Current Kerberos master key version is 1.
Master key entered. BEWARE!Now we can try using the kinit command to get a
ticket for the ID jane that we created
above:&prompt.user; kinit jane
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane"
Password:Try listing the tokens using klist to see if we
really have them:&prompt.user; klist
Ticket file: /tmp/tkt245
Principal: jane@EXAMPLE.COM
Issued Expires Principal
Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.EXAMPLE.COM@EXAMPLE.COMNow try changing the password using &man.passwd.1; to
check if the kpasswd daemon can get
authorization to the Kerberos database:&prompt.user; passwd
realm EXAMPLE.COM
Old password for jane:New Password for jane:
Verifying password
New Password for jane:
Password changed.Adding <command>su</command> PrivilegesKerberos allows us to give each user
who needs root privileges their own
separate &man.su.1; password.
We could now add an ID which is authorized to
&man.su.1; to root. This is
controlled by having an instance of root
associated with a principal. Using kdb_edit
we can create the entry jane.root in the
Kerberos database:&prompt.root; kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name:janeInstance:root
<Not found>, Create [y] ? y
Principal: jane, Instance: root, kdc_key_ver: 1
New Password: <---- enter a SECURE password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?Max ticket lifetime (*5 minutes) [ 255 ] ?12 <--- Keep this short!
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exitNow try getting tokens for it to make sure it works:&prompt.root; kinit jane.root
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane.root"
Password:Now we need to add the user to root's
.klogin file:&prompt.root; cat /root/.klogin
jane.root@EXAMPLE.COMNow try doing the &man.su.1;:&prompt.user; suPassword:and take a look at what tokens we have:&prompt.root; klist
Ticket file: /tmp/tkt_root_245
Principal: jane.root@EXAMPLE.COM
Issued Expires Principal
May 2 20:43:12 May 3 04:43:12 krbtgt.EXAMPLE.COM@EXAMPLE.COMUsing Other CommandsIn an earlier example, we created a principal called
jane with an instance root.
This was based on a user with the same name as the principal, and this
is a Kerberos default; that a
<principal>.<instance> of the form
<username>.root will allow
that <username> to &man.su.1; to
root if the necessary entries are in the
.klogin file in root's
home directory:&prompt.root; cat /root/.klogin
jane.root@EXAMPLE.COMLikewise, if a user has in their own home directory lines of the
form:&prompt.user; cat ~/.klogin
jane@EXAMPLE.COM
jack@EXAMPLE.COMThis allows anyone in the EXAMPLE.COM realm
who has authenticated themselves as jane or
jack (via kinit, see above)
to access to jane's
account or files on this system (grunt) via
&man.rlogin.1;, &man.rsh.1; or
&man.rcp.1;.For example, jane now logs into another system using
Kerberos:&prompt.user; kinit
MIT Project Athena (grunt.example.com)
Password:
&prompt.user; rlogin grunt
Last login: Mon May 1 21:14:47 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995Or jack logs into jane's account on the same machine
(jane having
set up the .klogin file as above, and the person
in charge of Kerberos having set up principal
jack with a null instance):&prompt.user; kinit
&prompt.user; rlogin grunt -l jane
MIT Project Athena (grunt.example.com)
Password:
Last login: Mon May 1 21:16:55 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995GaryPalmerContributed by AlexNashFirewallsfirewallsecurityfirewallsFirewalls are an area of increasing interest for people who are
connected to the Internet, and are even finding applications on private
networks to provide enhanced security. This section will hopefully
explain what firewalls are, how to use them, and how to use the
facilities provided in the FreeBSD kernel to implement them.People often think that having a firewall between your
internal network and the Big Bad Internet will solve all
your security problems. It may help, but a poorly set up firewall
system is more of a security risk than not having one at all. A
firewall can add another layer of security to your systems, but it
cannot stop a really determined cracker from penetrating your internal
network. If you let internal security lapse because you believe your
firewall to be impenetrable, you have just made the crackers job that
much easier.What Is a Firewall?There are currently two distinct types of firewalls in common use
on the Internet today. The first type is more properly called a
packet filtering router. This type of
firewall utilizes a multi-homed machine and a set of rules to
determine whether to forward or block individual packets. A
multi-homed machine is simply a device with multiple network
interfaces.
The second type, known as a proxy
server, relies on daemons to provide authentication and to
forward packets, possibly on a multi-homed machine which has kernel
packet forwarding disabled.Sometimes sites combine the two types of firewalls, so that only a
certain machine (known as a bastion host) is
allowed to send packets through a packet filtering router onto an
internal network. Proxy services are run on the bastion host, which
are generally more secure than normal authentication
mechanisms.FreeBSD comes with a kernel packet filter (known as
IPFW), which is what the rest of this
section will concentrate on. Proxy servers can be built on FreeBSD
from third party software, but there is such a variety of proxy
servers available that it would be impossible to cover them in this
section.Packet Filtering RoutersA router is a machine which forwards packets between two or more
networks. A packet filtering router is programmed to
compare each packet to a list of rules before
deciding if it should be forwarded or not. Most modern IP routing
software includes packet filtering functionality that defaults to
forwarding all packets. To enable the filters, you need to define a
set of rules.To decide whether a packet should be passed on, the firewall looks
through its set of rules for a rule which matches the contents of
the packet's headers. Once a match is found, the rule action is
obeyed. The rule action could be to drop the packet, to forward the
packet, or even to send an ICMP message back to the originator.
Only the first match counts, as the rules are searched in order.
Hence, the list of rules can be referred to as a rule
chain.The packet-matching criteria varies depending on the software
used, but typically you can specify rules which depend on the source
IP address of the packet, the destination IP address, the source
port number, the destination port number (for protocols which
support ports), or even the packet type (UDP, TCP, ICMP,
etc).Proxy ServersProxy servers are machines which have had the normal system
daemons (telnetd,
ftpd, etc) replaced with special servers.
These
servers are called proxy servers, as they
normally only allow onward connections to be made. This enables you
to run (for example) a proxy telnet server on your firewall host,
and people can telnet in to your firewall from the outside, go
through some authentication mechanism, and then gain access to the
internal network (alternatively, proxy servers can be used for
signals coming from the internal network and heading out).Proxy servers are normally more secure than normal servers, and
often have a wider variety of authentication mechanisms available,
including one-shot password systems so that even if
someone manages to discover what password you used, they will not be
able to use it to gain access to your systems as the password
expires immediately after the first use. As they do not actually give users access to the
host machine, it becomes a lot more difficult for someone to install
backdoors around your security system.Proxy servers often have ways of restricting access further, so
that only certain hosts can gain access to the servers.
Most will also allow the administrator to specify which
users can talk to which destination machines.
Again, what facilities are available
depends largely on what proxy software you choose.What Does IPFW Allow Me to Do?ipfwIPFW, the software supplied with
FreeBSD, is a packet filtering and accounting system which resides in
the kernel, and has a user-land control utility,
&man.ipfw.8;. Together, they allow you to define and query the
rules used by the kernel in its routing decisions.There are two related parts to IPFW.
The firewall section performs packet filtering. There is
also an IP accounting section which tracks usage of the
router, based on rules similar to those used in the firewall
section. This allows
the administrator to monitor how much traffic the router is
getting from a certain machine, or how much WWW traffic it is
forwarding, for example.As a result of the way that IPFW is
designed, you can use IPFW on non-router
machines to perform packet filtering on incoming and outgoing
connections. This is a special case of the more general use of
IPFW, and the same commands and techniques
should be used in this situation.Enabling IPFW on FreeBSDipfwenablingAs the main part of the IPFW system
lives in the kernel, you will need to add one or more options to your
kernel configuration file, depending on what facilities you want, and
recompile your kernel. See "Reconfiguring your Kernel" ()
for more details on how to recompile your
kernel.IPFW defaults to a policy of deny ip from any to
any. If you do not add other rules during startup to
allow access, you will lock yourself out of the
server upon rebooting into a firewall-enabled kernel. We suggest
that you set firewall_type=open in your
/etc/rc.conf file when first enabling this
feature, then refining the firewall rules in
/etc/rc.firewall after you have tested that the
new kernel feature works properly. To be on the safe side, you may
wish to consider performing the initial firewall configuration from
the local console rather than via
ssh. Another option is to build a kernel
using both the IPFIREWALL and
IPFIREWALL_DEFAULT_TO_ACCEPT options. This will
change the default rule of IPFW to allow ip from any to
any and avoid the possibility of a lockout.There are currently four kernel configuration options relevant to
IPFW:options IPFIREWALLCompiles into the kernel the code for packet
filtering.options IPFIREWALL_VERBOSEEnables code to allow logging of packets through
&man.syslogd.8;. Without this option, even if you specify
that packets should be logged in the filter rules, nothing will
happen.options IPFIREWALL_VERBOSE_LIMIT=10Limits the number of packets logged through
&man.syslogd.8; on a per entry basis. You may wish to use
this option in hostile environments in which you want to log
firewall activity, but do not want to be open to a denial of
service attack via syslog flooding.When a chain entry reaches the packet limit specified,
logging is turned off for that particular entry. To resume
logging, you will need to reset the associated counter using the
&man.ipfw.8; utility:&prompt.root; ipfw zero 4500Where 4500 is the chain entry you wish to continue
logging.options IPFIREWALL_DEFAULT_TO_ACCEPTThis changes the default rule action from deny
to allow. This avoids the possibility of locking
yourself out if you happen to boot a kernel with
IPFIREWALL support but have not configured
your firewall yet. It is also very useful if you often use
&man.ipfw.8; as a filter for specific problems as they arise.
Use with care though, as this opens up the firewall and changes
the way it works.Previous versions of FreeBSD contained an
IPFIREWALL_ACCT option. This is now obsolete as
the firewall code automatically includes accounting
facilities.Configuring IPFWipfwconfiguringThe configuration of the IPFW software
is done through the &man.ipfw.8; utility. The syntax for this
command looks quite complicated, but it is relatively simple once you
understand its structure.There are currently four different command categories used by the
utility: addition/deletion, listing, flushing, and clearing.
Addition/deletion is used to build the rules that control how packets
are accepted, rejected, and logged. Listing is used to examine the
contents of your rule set (otherwise known as the chain) and packet
counters (accounting). Flushing is used to remove all entries from
the chain. Clearing is used to zero out one or more accounting
entries.Altering the IPFW RulesThe syntax for this form of the command is:
ipfw-NcommandindexactionlogprotocoladdressesoptionsThere is one valid flag when using this form of the
command:-NResolve addresses and service names in output.The command given can be shortened to the
shortest unique form. The valid commands
are:addAdd an entry to the firewall/accounting rule listdeleteDelete an entry from the firewall/accounting rule
listPrevious versions of IPFW used
separate firewall and accounting entries. The present version
provides packet accounting with each firewall entry.If an index value is supplied, it is used to
place the entry at a specific point in the chain. Otherwise, the
entry is placed at the end of the chain at an index 100 greater than
the last chain entry (this does not include the default policy, rule
65535, deny).The log option causes matching rules to be
output to the system console if the kernel was compiled with
IPFIREWALL_VERBOSE.Valid actions are:rejectDrop the packet, and send an ICMP host or port unreachable
(as appropriate) packet to the source.allowPass the packet on as normal. (aliases:
pass, permit, and
accept)denyDrop the packet. The source is not notified via an
ICMP message (thus it appears that the packet never
arrived at the destination).countUpdate packet counters but do not allow/deny the packet
based on this rule. The search continues with the next chain
entry.Each action will be recognized by the
shortest unambiguous prefix.The protocols which can be specified
are:allMatches any IP packeticmpMatches ICMP packetstcpMatches TCP packetsudpMatches UDP packetsThe address specification is:fromaddress/maskporttoaddress/maskportvia interfaceYou can only specify port in
conjunction with protocols which support ports
(UDP and TCP).The is optional and may specify the IP
address or domain name of a local IP interface, or an interface name
(e.g. ed0) to match only packets coming
through this interface. Interface unit numbers can be specified
with an optional wildcard. For example, ppp*
would match all kernel PPP interfaces.The syntax used to specify an
address/mask is:
address
or
address/mask-bits
or
address:mask-patternA valid hostname may be specified in place of the IP address.
is a decimal
number representing how many bits in the address mask should be set.
e.g. specifying 192.216.222.1/24
will create a
mask which will allow any address in a class C subnet (in this case,
192.216.222) to be matched.
is an IP
address which will be logically AND'ed with the address given. The
keyword any may be used to specify any IP
address.The port numbers to be blocked are specified as:
port,port,port…
to specify either a single port or a list of ports, or
port-port
to specify a range of ports. You may also combine a single range
with a list, but the range must always be specified first.The options available are:fragMatches if the packet is not the first fragment of the
datagram.inMatches if the packet is on the way in.outMatches if the packet is on the way out.ipoptions specMatches if the IP header contains the comma separated list
of options specified in spec. The
supported IP options are: ssrr
(strict source route), lsrr (loose source
route), rr (record packet route), and
ts (time stamp). The absence of a
particular option may be specified with a leading
!.establishedMatches if the packet is part of an already established
TCP connection (i.e. it has the RST or ACK bits set). You can
optimize the performance of the firewall by placing
established rules early in the
chain.setupMatches if the packet is an attempt to establish a TCP
connection (the SYN bit is set but the ACK bit is
not).tcpflags flagsMatches if the TCP header contains the comma separated
list of flags. The supported flags
are fin, syn,
rst, psh,
ack, and urg. The
absence of a particular flag may be indicated by a leading
!.icmptypes typesMatches if the ICMP type is present in the list
types. The list may be specified
as any combination of ranges and/or individual types separated
by commas. Commonly used ICMP types are: 0
echo reply (ping reply), 3 destination
unreachable, 5 redirect,
8 echo request (ping request), and
11 time exceeded (used to indicate TTL
expiration as with &man.traceroute.8;).Listing the IPFW RulesThe syntax for this form of the command is:
ipfw-a-c-d-e-t-N-SlistThere are seven valid flags when using this form of the
command:-aWhile listing, show counter values. This option is the
only way to see accounting counters.-cList rules in compact form.-dShow dynamic rules in addition to static rules.-eIf was specified, also show expired
dynamic rules.-tDisplay the last match times for each chain entry. The
time listing is incompatible with the input syntax used by the
&man.ipfw.8; utility.-NAttempt to resolve given addresses and service
names.-SShow the set each rule belongs to. If this flag is not
specified, disabled rules will not be listed.Flushing the IPFW RulesThe syntax for flushing the chain is:
ipfwflushThis causes all entries in the firewall chain to be removed
except the fixed default policy enforced by the kernel (index
65535). Use caution when flushing rules; the default deny policy
will leave your system cut off from the network until allow entries
are added to the chain.Clearing the IPFW Packet CountersThe syntax for clearing one or more packet counters is:
ipfwzeroindexWhen used without an index argument,
all packet counters are cleared. If an
index is supplied, the clearing operation
only affects a specific chain entry.Example Commands for <application>ipfw</application>This command will deny all packets from the host evil.crackers.org to the telnet port of the
host nice.people.org:&prompt.root; ipfw add deny tcp from evil.crackers.org to nice.people.org 23The next example denies and logs any TCP traffic from the entire
crackers.org network (a class C) to
the nice.people.org machine (any
port).&prompt.root; ipfw add deny log tcp from evil.crackers.org/24 to nice.people.orgIf you do not want people sending X sessions to your internal
network (a subnet of a class C), the following command will do the
necessary filtering:&prompt.root; ipfw add deny tcp from any to my.org/28 6000 setupTo see the accounting records:
&prompt.root; ipfw -a list
or in the short form
&prompt.root; ipfw -a lYou can also see the last time a chain entry was matched
with:&prompt.root; ipfw -at lBuilding a Packet Filtering FirewallThe following suggestions are just that: suggestions. The
requirements of each firewall are different and we cannot tell you
how to build a firewall to meet your particular requirements.When initially setting up your firewall, unless you have a test
bench setup where you can configure your firewall host in a controlled
environment, it is strongly recommend you use the logging version of the
commands and enable logging in the kernel. This will allow you to
quickly identify problem areas and cure them without too much
disruption. Even after the initial setup phase is complete, I
recommend using the logging for `deny' as it allows tracing of
possible attacks and also modification of the firewall rules if your
requirements alter.If you use the logging versions of the accept
command, be aware that it can generate
large amounts of log data. One log
entry will be generated for every packet that passes
through the firewall, so large FTP/http transfers, etc, will really
slow the system down. It also increases the latencies on those
packets as it requires more work to be done by the kernel before the
packet can be passed on. syslogd will
also start using up a lot
more processor time as it logs all the extra data to disk, and it
could quite easily fill the partition /var/log
is located on.You should enable your firewall from
/etc/rc.conf.local or
/etc/rc.conf. The associated manual page explains
which knobs to fiddle and lists some preset firewall configurations.
If you do not use a preset configuration, ipfw list
will output the current ruleset into a file that you can
pass to rc.conf. If you do not use
/etc/rc.conf.local or
/etc/rc.conf to enable your firewall,
it is important to make sure your firewall is enabled before
any IP interfaces are configured.The next problem is what your firewall should actually
do! This is largely dependent on what access to
your network you want to allow from the outside, and how much access
to the outside world you want to allow from the inside. Some general
rules are:Block all incoming access to ports below 1024 for TCP. This is
where most of the security sensitive services are, like finger,
SMTP (mail) and telnet.Block all incoming UDP traffic. There
are very few useful services that travel over UDP, and what useful
traffic there is, is normally a security threat (e.g. Suns RPC and
NFS protocols). This has its disadvantages also, since UDP is a
connectionless protocol, denying incoming UDP traffic also blocks
the replies to outgoing UDP traffic. This can cause a problem for
people (on the inside) using external archie (prospero) servers.
If you want to allow access to archie, you will have to allow
packets coming from ports 191 and 1525 to any internal UDP port
through the firewall. ntp is another
service you may consider allowing through, which comes from port
123.Block traffic to port 6000 from the outside. Port 6000 is the
port used for access to X11 servers, and can be a security threat
(especially if people are in the habit of doing xhost
+ on their workstations). X11 can actually use a
range of ports starting at 6000, the upper limit being how many X
displays you can run on the machine. The upper limit as defined
by RFC 1700 (Assigned Numbers) is 6063.Check what ports any internal servers use (e.g. SQL servers,
etc). It is probably a good idea to block those as well, as they
normally fall outside the 1-1024 range specified above.Another checklist for firewall configuration is available from
CERT at As stated above, these are only guidelines.
You will have to decide what filter rules you want to use on your
firewall yourself. We cannot accept ANY responsibility if someone
breaks into your network, even if you follow the advice given
above.IPFW Overhead and OptimizationMany people want to know how much overhead IPFW adds to a
system. The answer to this depends mostly on your rule set and
processor speed. For most applications dealing with Ethernet
and small rule sets, the answer is
negligible. For those of you that need actual
measurements to satisfy your curiosity, read on.The following measurements were made using 2.2.5-STABLE on
a 486-66. (While IPFW has changed slightly in later releases
of FreeBSD, it still performs with similar speed.) IPFW was
modified to measure the time spent within the
ip_fw_chk routine, displaying the results
to the console every 1000 packets.Two rule sets, each with 1000 rules, were tested. The
first set was designed to demonstrate a worst case scenario by
repeating the rule:&prompt.root; ipfw add deny tcp from any to any 55555This demonstrates a worst case scenario by causing most of IPFW's
packet check routine to be executed before finally deciding
that the packet does not match the rule (by virtue of the port
number). Following the 999th iteration of this rule was an
allow ip from any to any.The second set of rules were designed to abort the rule
check quickly:&prompt.root; ipfw add deny ip from 1.2.3.4 to 1.2.3.4The non-matching source IP address for the above rule
causes these rules to be skipped very quickly. As before, the
1000th rule was an allow ip from any to
any.The per-packet processing overhead in the former case was
approximately 2.703 ms/packet, or roughly 2.7 microseconds per
rule. Thus the theoretical packet processing limit with these
rules is around 370 packets per second. Assuming 10 Mbps
Ethernet and a ~1500 byte packet size, we would only be able
to achieve 55.5% bandwidth utilization.For the latter case each packet was processed in
approximately 1.172 ms, or roughly 1.2 microseconds per rule.
The theoretical packet processing limit here would be about
853 packets per second, which could consume 10 Mbps Ethernet
bandwidth.The excessive number of rules tested and the nature of
those rules do not provide a real-world scenario -- they were
used only to generate the timing information presented here.
Here are a few things to keep in mind when building an
efficient rule set:Place an established rule early on
to handle the majority of TCP traffic. Do not put any
allow tcp statements before this
rule.Place heavily triggered rules earlier in the rule set
than those rarely used (without changing the
permissiveness of the firewall, of course).
You can see which rules are used most often by examining
the packet counting statistics with ipfw -a
l.OpenSSLsecurityOpenSSLOpenSSLAs of FreeBSD 4.0, the OpenSSL toolkit is a part of the base
system. OpenSSL
provides a general-purpose cryptography library, as well as the
Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer
Security v1 (TLSv1) network security protocols.However, one of the algorithms (specifically IDEA)
included in OpenSSL is protected by patents in the USA and
elsewhere, and is not available for unrestricted use.
IDEA is included in the OpenSSL sources in FreeBSD, but it is not
built by default. If you wish to use it, and you comply with the
license terms, enable the MAKE_IDEA switch in
/etc/make.conf and
rebuild your sources using make world.Today, the RSA algorithm is free for use in USA and other
countries. In the past it was protected by a patent.OpenSSLinstallSource Code InstallationsOpenSSL is part of the src-crypto and
src-secureCVSup collections. See the Obtaining FreeBSD section for more
information about obtaining and updating FreeBSD source
code.NikClaytonnik@FreeBSD.orgWritten by VPN over IPsecCreating a VPN between two networks, separated by the
Internet, using FreeBSD gateways.Hiten M.Pandyahmp@FreeBSD.orgWritten by Understanding IPsecThis section will guide you through the process of setting
up IPsec, and to use it in an environment which consists of
- FreeBSD and Microsoft Windows 2000/XP
+ FreeBSD and µsoft.windows; 2000/XP
machines, to make them communicate securely. In order to set up
IPsec, it is necessary that you are familiar with the concepts
of building a custom kernel (see
).IPsec is a protocol which sits on top
of the Internet Protocol (IP) layer. It allows two or more
hosts to communicate in a secure manner (hence the name). The
FreeBSD IPsec network stack is based on the
KAME implementation,
which has support for both protocol families, IPv4 and
IPv6.FreeBSD 5.0 contains a hardware
accelerated IPsec stack, known as Fast
IPsec, that was obtained from OpenBSD. It employs
cryptographic hardware (whenever possible) via the
&man.crypto.4; subsystem to optimize the performance of IPsec.
This subsystem is new, and does not support all the features
that are available in the KAME version of IPsec. However, in
order to enable hardware-accelerated IPsec, the following
kernel option has to be added to your kernel configuration
file:
options FAST_IPSEC # new IPsec (cannot define w/ IPSEC)
Note, that it is not currently possible to use the
Fast IPsec subsystem in lue with the KAME
implementation of IPsec. Consult the &man.fast.ipsec.4;
manual page for more information.IPsec consists of two sub-protocols:Encapsulated Security Payload
(ESP), protects the IP packet data from third
party interference, by encrypting the contents using
symmetric cryptography algorithms (like Blowfish,
3DES).Authentication Header (AH),
protects the IP packet header from third party interference
and spoofing, by computing a cryptographic checksum and
hashing the IP packet header fields with a secure hashing
function. This is then followed by an additional header
that contains the hash, to allow the information in the
packet to be authenticated.ESP and AH can
either be used together or seperately, depending on the
environment.IPsec can either be used to directly encrypt the traffic
between two hosts (known as Transport
Mode); or to build virtual tunnels
between two subnets, which could be used for secure
communication between two corporate networks (known as
Tunnel Mode). The latter is more commonly
known as a Virtual Private Network (VPN).
The &man.ipsec.4; manual page should be consulted for detailed
information on the IPsec subsystem in FreeBSD.To add IPsec support to your kernel, add the following
options to your kernel configuration file:
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
If IPsec debugging support is desired, the following
kernel option should also be added:
options IPSEC_DEBUG #debug for IP security
The ProblemThere's no standard for what constitutes a VPN. VPNs can
be implemented using a number of different technologies, each of
which have their own strengths and weaknesses. This article
presents a number of scenarios, and strategies for implementing a
VPN for each scenario.Scenario #1: Two networks, connected to the Internet, to
behave as oneThis is the scenario that caused me to first investigating
VPNs. The premise is as follows:You have at least two sitesBoth sites are using IP internallyBoth sites are connected to the Internet, through a
gateway that is running FreeBSD.The gateway on each network has at least one public IP
address.The internal addresses of the two networks can be
public or private IP addresses, it doesn't matter. You can
be running NAT on the gateway machine if necessary.The internal IP addresses of the two networks
do not collide. While I expect it is
theoretically possible to use a combination of VPN
technology and NAT to get this to work, I expect it to be a
configuration nightmare.If you find that you are trying to connect two networks,
both of which, internally, use the same private IP address range
(e.g., both of them use 192.168.1.x), then one of the networks will
have to be renumbered.The network topology might look something like this:Network #1 [ Internal Hosts ] Private Net, 192.168.1.2-254
[ Win9x/NT/2K ]
- [ Unix ]
+ [ UNIX ]
|
|
.---[fxp1]---. Private IP, 192.168.1.1
| FreeBSD |
`---[fxp0]---' Public IP, A.B.C.D
|
|
-=-=- Internet -=-=-
|
|
.---[fxp0]---. Public IP, W.X.Y.Z
| FreeBSD |
`---[fxp1]---' Private IP, 192.168.2.1
|
|
Network #2 [ Internal Hosts ]
[ Win9x/NT/2K ] Private Net, 192.168.2.2-254
- [ Unix ]
+ [ UNIX ]
Notice the two public IP addresses. I'll use the letters to
refer to them in the rest of this article. Anywhere you see those
letters in this article, replace them with your own public IP
addresses. Note also that that internally, the two gateway
machines have .1 IP addresses, and that the two networks have
different private IP address (192.168.1.x and 192.168.2.x respectively). All the
machines on the private networks have been configured to use the
.1 machine as their default
gateway.The intention is that, from a network point of view, each
network should view the machines on the other network as though
they were directly attached the same router -- albeit a slightly
slow router with an occasional tendency to drop packets.This means that (for example), machine 192.168.1.20 should be able to runping 192.168.2.34
- and have it work, transparently. Windows machines should
+ and have it work, transparently. &windows; machines should
be able to see the machines on the other network, browse file
shares, and so on, in exactly the same way that they can browse
machines on the local network.And the whole thing has to be secure. This means that
traffic between the two networks has to be encrypted.Creating a VPN between these two networks is a multi-step
process. The stages are as follows:Create a virtual network link between the two
networks, across the Internet. Test it, using tools like
&man.ping.8;, to make sure it works.Apply security policies to ensure that traffic between
the two networks is transparently encrypted and decrypted as
necessary. Test this, using tools like &man.tcpdump.1;, to
ensure that traffic is encrypted.Configure additional software on the FreeBSD gateways,
- to allow Windows machines to see one another across the
+ to allow &windows; machines to see one another across the
VPN.Step 1: Creating and testing a <quote>virtual</quote>
network linkSuppose that you were logged in to the gateway machine on
network #1 (with public IP address A.B.C.D, private IP address 192.168.1.1), and you ran ping
192.168.2.1, which is the private address of the machine
with IP address W.X.Y.Z. What
needs to happen in order for this to work?The gateway machine needs to know how to reach 192.168.2.1. In other words, it needs
to have a route to 192.168.2.1.Private IP addresses, such as those in the 192.168.x range are not supposed to
appear on the Internet at large. Instead, each packet you
send to 192.168.2.1 will need
to be wrapped up inside another packet. This packet will need
to appear to be from A.B.C.D,
and it will have to be sent to W.X.Y.Z. This process is called
encapsulation.Once this packet arrives at W.X.Y.Z it will need to
unencapsulated, and delivered to 192.168.2.1.
You can think of this as requiring a tunnel
between the two networks. The two tunnel mouths are the IP
addresses A.B.C.D and W.X.Y.Z, and the tunnel must be told the
addresses of the private IP addresses that will be allowed to pass
through it. The tunnel is used to transfer traffic with private
IP addresses across the public Internet.This tunnel is created by using the generic interface, or
gif devices on FreeBSD. As you can
imagine, the gif interface on each
gateway host must be configured with four IP addresses; two for
the public IP addresses, and two for the private IP
addresses.Support for the gif device must be compiled in to the
FreeBSD kernel on both machines. You can do this by adding the
line:pseudo-device gifto the kernel configuration files on both machines, and
then compile, install, and reboot as normal.Configuring the tunnel is a two step process. First the
tunnel must be told what the outside (or public) IP addresses
are, using &man.gifconfig.8;. Then the private IP addresses must be
configured using &man.ifconfig.8;.On the gateway machine on network #1 you would run the
following two commands to configure the tunnel.gifconfig gif0 A.B.C.D W.X.Y.Z
ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff
On the other gateway machine you run the same commands,
but with the order of the IP addresses reversed.gifconfig gif0 W.X.Y.Z A.B.C.D
ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff
You can then run:gifconfig gif0to see the configuration. For example, on the network #1
gateway, you would see this:&prompt.root; gifconfig gif0
gif0: flags=8011<UP,POINTTOPOINT,MULTICAST> mtu 1280
inet 192.168.1.1 --> 192.168.2.1 netmask 0xffffffff
physical address inet A.B.C.D --> W.X.Y.Z
As you can see, a tunnel has been created between the
physical addresses A.B.C.D and
W.X.Y.Z, and the traffic allowed
through the tunnel is that between 192.168.1.1 and 192.168.2.1.This will also have added an entry to the routing table
on both machines, which you can examine with the command netstat -rn.
This output is from the gateway host on network #1.&prompt.root; netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
...
192.168.2.1 192.168.1.1 UH 0 0 gif0
...
As the Flags value indicates, this is a
host route, which means that each gateway knows how to reach the
other gateway, but they do not know how to reach the rest of
their respective networks. That problem will be fixed
shortly.It is likely that you are running a firewall on both
machines. This will need to be circumvented for your VPN
traffic. You might want to allow all traffic between both
networks, or you might want to include firewall rules that
protect both ends of the VPN from one another.It greatly simplifies testing if you configure the
firewall to allow all traffic through the VPN. You can always
tighten things up later. If you are using &man.ipfw.8; on the
gateway machines then a command likeipfw add 1 allow ip from any to any via gif0will allow all traffic between the two end points of the
VPN, without affecting your other firewall rules. Obviously
you will need to run this command on both gateway hosts.This is sufficient to allow each gateway machine to ping
the other. On 192.168.1.1, you
should be able to runping 192.168.2.1and get a response, and you should be able to do the same
thing on the other gateway machine.However, you will not be able to reach internal machines
on either network yet. This is because of the routing --
although the gateway machines know how to reach one another,
they do not know how to reach the network behind each one.To solve this problem you must add a static route on each
gateway machine. The command to do this on the first gateway
would be:route add 192.168.2.0 192.168.2.1 netmask 0xffffff00
This says In order to reach the hosts on the
network 192.168.2.0, send the
packets to the host 192.168.2.1. You will need to
run a similar command on the other gateway, but with the
192.168.1.x addresses
instead.IP traffic from hosts on one network will now be able to
reach hosts on the other network.That has now created two thirds of a VPN between the two
networks, in as much as it's virtual and it's a
network. It's not private yet. You can test
this using &man.ping.8; and &man.tcpdump.1;. Log in to the
gateway host and runtcpdump dst host 192.168.2.1In another log in session on the same host runping 192.168.2.1You will see output that looks something like this.
16:10:24.018080 192.168.1.1 > 192.168.2.1: icmp: echo request
16:10:24.018109 192.168.1.1 > 192.168.2.1: icmp: echo reply
16:10:25.018814 192.168.1.1 > 192.168.2.1: icmp: echo request
16:10:25.018847 192.168.1.1 > 192.168.2.1: icmp: echo reply
16:10:26.028896 192.168.1.1 > 192.168.2.1: icmp: echo request
16:10:26.029112 192.168.1.1 > 192.168.2.1: icmp: echo reply
As you can see, the ICMP messages are going back and forth
unencrypted. If you had used the parameter to
&man.tcpdump.1; to grab more bytes of data from the packets you
would see more information.Obviously this is unacceptable. The next section will
discuss securing the link between the two networks so that it
all traffic is automatically encrypted.Summary:Configure both kernels with pseudo-device
gifEdit /etc/rc.conf on gateway host
#1 and add the following lines (replacing IP addresses as
necessary).gifconfig_gif0="A.B.C.D W.X.Y.Z"
ifconfig_gif0="inet 192.168.1.1 192.168.2.1 netmask 0xffffffff"
static_routes="vpn"
route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"
Edit your firewall script
(/etc/rc.firewall, or similar) on both
hosts, and addipfw add 1 allow ip from any to any via gif0Make similar changes to
/etc/rc.conf on gateway host #2,
reversing the order of IP addresses.Step 2: Securing the linkTo secure the link we will be using IPsec. IPsec provides
a mechanism for two hosts to agree on an encryption key, and to
then use this key in order to encrypt data between the two
hosts.The are two areas of configuration to be considered here.There must be a mechanism for two hosts to agree on the
encryption mechanism to use. Once two hosts have agreed on
this mechanism there is said to be a security association
between them.There must be a mechanism for specifying which traffic
should be encrypted. Obviously, you don't want to encrypt
all your outgoing traffic -- you only want to encrypt the
traffic that is part of the VPN. The rules that you put in
place to determine what traffic will be encrypted are called
security policies.Security associations and security policies are both
maintained by the kernel, and can be modified by userland
programs. However, before you can do this you must configure the
kernel to support IPsec and the Encapsulated Security Payload
(ESP) protocol. This is done by configuring a kernel with:options IPSEC
options IPSEC_ESP
and recompiling, reinstalling, and rebooting. As before
you will need to do this to the kernels on both of the gateway
hosts.You have two choices when it comes to setting up security
associations. You can configure them by hand between two hosts,
which entails choosing the encryption algorithm, encryption keys,
and so forth, or you can use daemons that implement the Internet
Key Exchange protocol (IKE) to do this for you.I recommend the latter. Apart from anything else, it's
easier to set up.Editing and displaying security policies is carried out
using &man.setkey.8;. By analogy, setkey is
to the kernel's security policy tables as &man.route.8; is to
the kernel's routing tables. setkey can
also display the current security associations, and to continue
the analogy further, is akin to netstat -r
in that respect.There are a number of choices for daemons to manage
security associations with FreeBSD. This article will describe
how to use one of these, racoon. racoon is in the FreeBSD ports
collection, in the security/ category, and is installed in the
usual way.racoon must be run on both gateway hosts. On each host it
is configured with the IP address of the other end of the VPN,
and a secret key (which you choose, and must be the same on both
gateways).The two daemons then contact one another, confirm that they
are who they say they are (by using the secret key that you
configured). The daemons then generate a new secret key, and use
this to encrypt the traffic over the VPN. They periodically
change this secret, so that even if an attacker were to crack one
of the keys (which is as theoretically close to unfeasible as it
gets) it won't do them much good -- by the time they've cracked
the key the two daemons have chosen another one.racoon's configuration is stored in
${PREFIX}/etc/racoon. You should find a
configuration file there, which should not need to be changed
too much. The other component of racoon's configuration,
which you will need to change, is the pre-shared
key.The default racoon configuration expects to find this in
the file ${PREFIX}/etc/racoon/psk.txt. It is important to note
that the pre-shared key is not the key that will be used to
encrypt your traffic across the VPN link, it is simply a token
that allows the key management daemons to trust one another.psk.txt contains a line for each
remote site you are dealing with. In this example, where there
are two sites, each psk.txt file will contain one line (because
each end of the VPN is only dealing with one other end).On gateway host #1 this line should look like this:W.X.Y.Z secretThat is, the public IP address of the remote end,
whitespace, and a text string that provides the secret.
Obviously, you shouldn't use secret as your key -- the normal
rules for choosing a password apply.On gateway host #2 the line would look like thisA.B.C.D secretThat is, the public IP address of the remote end, and the
same secret key. psk.txt must be mode 0600
(i.e., only read/write to root) before racoon will run.You must run racoon on both gateway machines. You will
also need to add some firewall rules to allow the IKE traffic,
which is carried over UDP to the isakmp (kmp == key
management protocol) port. Again, this should be fairly early in
your firewall ruleset.ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp
ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
Once racoon is running you can try pinging one gateway host
from the other. The connection is still not encrypted, but
racoon will then set up the security associations between the two
hosts -- this might take a moment, and you may see this as a
short delay before the ping commands start responding.Once the security association has been set up you can
view it using &man.setkey.8;. Runsetkey -Don either host to view the security association information.That's one half of the problem. They other half is setting
your security policies.To create a sensible security policy, let's review what's
been set up so far. This discussions hold for both ends of the
link.Each IP packet that you send out has a header that contains
data about the packet. The header includes the IP addresses of
both the source and destination. As we already know, private IP
addresses, such as the 192.168.x.y
range are not supposed to appear on the public Internet.
Instead, they must first be encapsulated inside another packet.
This packet must have the public source and destination IP
addresses substituted for the private addresses.So if your outgoing packet started looking like this:
.----------------------.
| Src: 192.168.1.1 |
| Dst: 192.168.2.1 |
| <other header info> |
+----------------------+
| <packet data> |
`----------------------'Then it will be encapsulated inside another packet, looking
something like this:
.--------------------------.
| Src: A.B.C.D |
| Dst: W.X.Y.Z |
| <other header info> |
+--------------------------+
| .----------------------. |
| | Src: 192.168.1.1 | |
| | Dst: 192.168.2.1 | |
| | <other header info> | |
| +----------------------+ |
| | <packet data> | |
| `----------------------' |
`--------------------------'This encapsulation is carried out by the gif device. As
you can see, the packet now has real IP addresses on the outside,
and our original packet has been wrapped up as data inside the
packet that will be put out on the Internet.Obviously, we want all traffic between the VPNs to be
encrypted. You might try putting this in to words, as:If a packet leaves from A.B.C.D, and it is destined for W.X.Y.Z, then encrypt it, using the
necessary security associations.If a packet arrives from W.X.Y.Z, and it is destined for A.B.C.D, then decrypt it, using the
necessary security associations.That's close, but not quite right. If you did this, all
traffic to and from W.X.Y.Z, even
traffic that was not part of the VPN, would be encrypted. That's
not quite what you want. The correct policy is as followsIf a packet leaves from A.B.C.D, and that packet is encapsulating
another packet, and it is destined for W.X.Y.Z, then encrypt it, using the
necessary security associations.If a packet arrives from W.X.Y.Z, and that packet is encapsulating
another packet, and it is destined for A.B.C.D, then encrypt it, using the
necessary security associations.A subtle change, but a necessary one.Security policies are also set using &man.setkey.8;.
&man.setkey.8; features a configuration language for defining the
policy. You can either enter configuration instructions via
stdin, or you can use the option to specify a
filename that contains configuration instructions.The configuration on gateway host #1 (which has the public
IP address A.B.C.D) to force all
outbound traffic to W.X.Y.Z to be
encrypted is:
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
Put these commands in a file (e.g.,
/etc/ipsec.conf) and then run&prompt.root; setkey -f /etc/ipsec.conf tells &man.setkey.8; that we want
to add a rule to the secure policy database. The rest of this
line specifies which packets will match this policy. A.B.C.D/32 and W.X.Y.Z/32 are the IP addresses and
netmasks that identify the network or hosts that this policy will
apply to. In this case, we want it to apply to traffic between
these two hosts. tells the kernel that
this policy should only apply to packets that encapsulate other
packets. says that this policy applies
to outgoing packets, and says that the
packet will be secured.The second line specifies how this packet will be
encrypted. is the protocol that will be
used, while indicates that the packet
will be further encapsulated in an IPsec packet. The repeated
use of A.B.C.D and W.X.Y.Z is used to select the security
association to use, and the final
mandates that packets must be encrypted if they match this
rule.This rule only matches outgoing packets. You will need a
similar rule to match incoming packets.spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;Note the instead of
in this case, and the necessary reversal of
the IP addresses.The other gateway host (which has the public IP address
W.X.Y.Z) will need similar rules.spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;Finally, you need to add firewall rules to allow ESP and
IPENCAP packets back and forth. These rules will need to be
added to both hosts.ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z
ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D
ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z
ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
Because the rules are symmetric you can use the same rules
on each gateway host.Outgoing packets will now look something like this:
.------------------------------. --------------------------.
| Src: A.B.C.D | |
| Dst: W.X.Y.Z | |
| <other header info> | | Encrypted
+------------------------------+ | packet.
| .--------------------------. | -------------. | contents
| | Src: A.B.C.D | | | | are
| | Dst: W.X.Y.Z | | | | completely
| | <other header info> | | | |- secure
| +--------------------------+ | | Encap'd | from third
| | .----------------------. | | -. | packet | party
| | | Src: 192.168.1.1 | | | | Original |- with real | snooping
| | | Dst: 192.168.2.1 | | | | packet, | IP addr |
| | | <other header info> | | | |- private | |
| | +----------------------+ | | | IP addr | |
| | | <packet data> | | | | | |
| | `----------------------' | | -' | |
| `--------------------------' | -------------' |
`------------------------------' --------------------------'
When they are received by the far end of the VPN they will
first be decrypted (using the security associations that have
been negotiated by racoon). Then they will enter the gif
interface, which will unwrap the second layer, until you are left
with the innermost packet, which can then travel in to the inner
network.You can check the security using the same &man.ping.8; test from
earlier. First, log in to the A.B.C.D gateway machine, and
run:tcpdump dst host 192.168.2.1In another log in session on the same host runping 192.168.2.1This time you should see output like the following:XXX tcpdump outputNow, as you can see, &man.tcpdump.1; shows the ESP packets. If
you try and examine them with the option you will see
(apparently) gibberish, because of the encryption.Congratulations. You have just set up a VPN between two
remote sites.SummaryConfigure both kernels with:options IPSEC
options IPSEC_ESP
Install security/racoon. Edit
${PREFIX}/etc/racoon/psk.txt on both
gateway hosts, adding an entry for the remote host's IP
address and a secret key that they both know. Make sure
this file is mode 0600.Add the following lines to
/etc/rc.conf on each host:ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
Create an /etc/ipsec.conf on each
host that contains the necessary spdadd lines. On gateway
host #1 this would be:
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec
esp/tunnel/A.B.C.D-W.X.Y.Z/require;
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec
esp/tunnel/W.X.Y.Z-A.B.C.D/require;
On gateway host #2 this would be:
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec
esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec
esp/tunnel/A.B.C.D-W.X.Y.Z/require;
Add firewall rules to allow IKE, ESP, and IPENCAP
traffic to both hosts:
ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp
ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z
ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D
ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z
ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
The previous two steps should suffice to get the VPN up and
running. Machines on each network will be able to refer to one
another using IP addresses, and all traffic across the link will
be automatically and securely encrypted.ChernLeeContributed by OpenSSHOpenSSHsecurityOpenSSHOpenSSH is a set of network connectivity tools used to
access remote machines securely. It can be used as a direct
replacement for rlogin,
rsh, rcp, and
telnet. Additionally, any other TCP/IP
connections can be tunneled/forwarded securely through SSH.
OpenSSH encrypts all traffic to effectively eliminate eavesdropping,
connection hijacking, and other network-level attacks.OpenSSH is maintained by the OpenBSD project, and is based
upon SSH v1.2.12 with all the recent bug fixes and updates. It
is compatible with both SSH protocols 1 and 2. OpenSSH has been
in the base system since FreeBSD 4.0.Advantages of Using OpenSSHNormally, when using &man.telnet.1; or &man.rlogin.1;,
data is sent over the network in an clear, un-encrypted form.
Network sniffers anywhere in between the client and server can
steal your user/password information or data transferred in
your session. OpenSSH offers a variety of authentication and
encryption methods to prevent this from happening.Enabling sshdOpenSSHenablingBe sure to make the following addition to your
rc.conf file:sshd_enable="YES"This will load &man.sshd.8;, the daemon program for OpenSSH,
the next time your system initializes. Alternatively, you can
simply run directly the sshd daemon by typing sshd on the command line.SSH ClientOpenSSHclientThe &man.ssh.1; utility works similarly to
&man.rlogin.1;.&prompt.root; ssh user@example.com
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'example.com' added to the list of known hosts.
user@example.com's password: *******The login will continue just as it would have if a session was
created using rlogin or
telnet. SSH utilizes a key fingerprint
system for verifying the authenticity of the server when the
client connects. The user is prompted to enter
yes only when
connecting for the first time. Future attempts to login are all
verified against the saved fingerprint key. The SSH client
will alert you if the saved fingerprint differs from the
received fingerprint on future login attempts. The fingerprints
are saved in ~/.ssh/known_hosts, or
~/.ssh/known_hosts2 for SSH v2
fingerprints.By default, OpenSSH servers are configured to accept both
SSH v1 and SSH v2 connections. The client, however, can choose
between the two. Version 2 is known to be more robust and
secure than its predecessor.The &man.ssh.1; command can be forced to use either protocol
by passing it the or argument
for v1 and v2, respectively.Secure CopyOpenSSHsecure copyscpThe &man.scp.1; command works similarly to
&man.rcp.1;; it copies a file to or from a remote machine,
except in a secure fashion.&prompt.root; scp user@example.com:/COPYRIGHT COPYRIGHT
user@example.com's password: *******
COPYRIGHT 100% |*****************************| 4735
00:00
&prompt.root;Since the fingerprint was already saved for this host in the
previous example, it is verified when using &man.scp.1;
here.The arguments passed to &man.scp.1; are similar
to &man.cp.1;, with the file or files in the first
argument, and the destination in the second. Since the file is
fetched over the network, through SSH, one or more of the file
arguments takes on the form
.ConfigurationOpenSSHconfigurationThe system-wide configuration files for both the OpenSSH
daemon and client reside within the /etc/ssh
directory.ssh_config configures the client
settings, while sshd_config configures the
daemon.Additionally, the
(/usr/sbin/sshd by default), and
rc.conf
options can provide more levels of configuration.ssh-keygenInstead of using passwords, &man.ssh-keygen.1; can
be used to generate RSA keys to authenticate a user:&prompt.user; ssh-keygen -t rsa1
Initializing random number generator...
Generating p: .++ (distance 66)
Generating q: ..............................++ (distance 498)
Computing the keys...
Key generation complete.
Enter file in which to save the key (/home/user/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/user/.ssh/identity.
...&man.ssh-keygen.1; will create a public and private
key pair for use in authentication. The private key is stored in
~/.ssh/identity, whereas the public key is
stored in ~/.ssh/identity.pub. The public
key must be placed in ~/.ssh/authorized_keys
of the remote machine in order for the setup to work.This will allow connection to the remote machine based upon
RSA authentication instead of passwords.The option will create RSA
keys for use by SSH protocol version 1. If you want to use
RSA keys with the SSH protocol version 2, you have to use the
command .If a passphrase is used in &man.ssh-keygen.1;, the user
will be prompted for a password each time in order to use the private
key.A SSH protocol version 2 DSA key can be created for the same purpose by using
the ssh-keygen -t dsa command.
This will
create a public/private DSA key for use in SSH protocol version 2 sessions only.
The public key is stored in ~/.ssh/id_dsa.pub,
while the private key is in ~/.ssh/id_dsa.DSA public keys are also placed in
~/.ssh/authorized_keys on the remote
machine.&man.ssh-agent.1; and &man.ssh-add.1; are
utilities used in managing multiple passworded private keys.The various options and files can be different
according to the OpenSSH version you have on your system, to
avoid problems you should consult the &man.ssh-keygen.1;
manual page.SSH TunnelingOpenSSHtunnelingOpenSSH has the ability to create a tunnel to encapsulate
another protocol in an encrypted session.The following command tells &man.ssh.1; to create a tunnel
for telnet:&prompt.user; ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com
&prompt.user;The ssh command is used with the
following options:Forces ssh to use version 2 of
the protocol. (Do not use if you are working with older
SSH servers)Indicates no command, or tunnel only. If omitted,
ssh would initiate a normal
session.Forces ssh to run in the
background.Indicates a local tunnel in
localport:remotehost:remoteport
fashion.The remote SSH server.An SSH tunnel works by creating a listen socket on
localhost on the specified port.
It then forwards any connection received
on the local host/port via the SSH connection to the specified
remote host and port.In the example, port 5023 on
localhost is being forwarded to port
23 on localhost
of the remote machine. Since 23 is telnet,
this would create a secure telnet session through an SSH tunnel.This can be used to wrap any number of insecure TCP protocols
such as SMTP, POP3, FTP, etc.Using SSH to Create a Secure Tunnel for SMTP&prompt.user; ssh -2 -N -f -L 5025:localhost:25 user@mailserver.example.com
user@mailserver.example.com's password: *****
&prompt.user; telnet localhost 5025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailserver.example.com ESMTPThis can be used in conjunction with an
&man.ssh-keygen.1; and additional user accounts to create a
more seamless/hassle-free SSH tunneling environment. Keys
can be used in place of typing a password, and the tunnels
can be run as a separate user.Practical SSH Tunneling ExamplesSecure Access of a POP3 ServerAt work, there is an SSH server that accepts
connections from the outside. On the same office network
resides a mail server running a POP3 server. The network,
or network path between your home and office may or may not
be completely trustable. Because of this, you need to check
your e-mail in a secure manner. The solution is to create
an SSH connection to your office's SSH server, and tunnel
through to the mail server.&prompt.user; ssh -2 -N -f -L 2110:mail.example.com:110 user@ssh-server.example.com
user@ssh-server.example.com's password: ******When the tunnel is up and running, you can point your
mail client to send POP3 requests to localhost
port 2110. A connection here will be forwarded securely across
the tunnel to mail.example.com.Bypassing a Draconian FirewallSome network administrators impose extremely draconian
firewall rules, filtering not only incoming connections,
but outgoing connections. You may be only given access
to contact remote machines on ports 22 and 80 for SSH
and web surfing.You may wish to access another (perhaps non-work
related) service, such as an Ogg Vorbis server to stream
music. If this Ogg Vorbis server is streaming on some other
port than 22 or 80, you will not be able to access it.The solution is to create an SSH connection to a machine
outside of your network's firewall, and use it to tunnel to
the Ogg Vorbis server.&prompt.user; ssh -2 -N -f -L 8888:music.example.com:8000 user@unfirewalled-system.example.org
user@unfirewalled-system.example.org's password: *******Your streaming client can now be pointed to
localhost port 8888, which will be
forwarded over to music.example.com port
8000, successfully evading the firewall.Further ReadingOpenSSH&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
&man.ssh-agent.1; &man.ssh-add.1;&man.sshd.8; &man.sftp-server.8;RobertWatsonSponsored by DARPA and Network Associates Laboratories.
Contributed by MACMandatory Access Control (MAC)FreeBSD 5.0 includes a new kernel security framework, the
TrustedBSD MAC Framework. The MAC Framework permits compile-time,
boot-time, and run-time extension of the kernel access control
policy, and can be used to load support for Mandatory Access
Control (MAC), and custom security modules
such as hardening modules. The MAC Framework is currently
considered to be an experimental feature, and should not yet
be used in production environments without careful consideration.
It is anticipated that the MAC Framework will be appropriate for
more widespread production use by FreeBSD 5.2.When configured into a kernel, the MAC Framework permits
security modules to augment the existing kernel access control
model, restricting access to system services and objects. For
example, the &man.mac.bsdextended.4; module augments file system
access control, permitting administrators to provide a
firewall-like ruleset constraining access to file system objects
based on user ids and group membership. Some modules require
little or no configuration, such as &man.mac.seeotheruids.4,
whereas others perform ubiquitous object labeling, such as
&man.mac.biba.4; and &man.mac.mls.4;, and require extensive
configuration.To enable the MAC Framework in your system kernel, you must
add the following entry to your kernel configuration:options MACSecurity policy modules shipped with the base system may
be loaded using &man.kldload.8; or in the boot &man.loader.8;
They may also be compiled directly into the kernel using the
following options, if the use of modules is not desired.Different MAC policies may be configured in different ways;
frequently, MAC policy modules export configuration parameters
using the &man.sysctl.8; MIB using the
security.mac namespace. Policies relying on
file system or other labels may require a configuration step
that involves assigning initial labels to system objects or
creating a policy configuration file. For information on how to
configure and use each policy module, see its man page.A variety of tools are available to configure the MAC Framework
and labels maintained by various policies. Extensions have been
made to the login and credential management mechanisms
(&man.setusercontext.3;) to support initial user labeling using
&man.login.conf.5;. In addition, modifications have been made
to &man.su.1;, &man.ps.1;, &man.ls.1;, and &man.ifconfig.8; to
inspect and set labels on processes, files, and interfaces. In
addition, several new tools have been added to manage labels
on objects, including &man.getfmac.8;, &man.setfmac.8;, and
&man.setfsmac.8; to manage labels on files, and &man.getpmac.8; and
&man.setpmac.8;.What follows is a list of policy modules shipped with FreeBSD
5.0.Biba Integrity Policy (mac_biba)Biba Integrity PolicyVendor: TrustedBSD ProjectModule name: mac_biba.koKernel option: MAC_BIBATCBThe Biba Integrity Policy (&man.mac.biba.4;) provides
for hierarchical and non-hierarchical labeling of all system
objects with integrity data, and the strict enforcement of
an information flow policy to prevent corruption of high
integrity subjects and data by low-integrity subjects.
Integrity is enforced by preventing high integrity
subjects (generally processes) from reading low integrity
objects (often files), and preventing low integrity
subjects from writing to high integrity objects.
This security policy is frequently used in commercial
trusted systems to provide strong protection for the
Trusted Code Base (TCB). Because it
provides ubiquitous labeling, the Biba integrity policy
must be compiled into the kernel or loaded at boot.File System Firewall Policy (mac_bsdextended)File System Firewall PolicyVendor: TrustedBSD ProjectModule name: mac_bsdextended.koKernel option: MAC_BSDEXTENDED The File System Firewall Policy (&man.mac.bsdextended.4;)
provides an extension to the BSD file system permission model,
permitting the administrator to define a set of firewall-like
rules for limiting access to file system objects owned by
other users and groups. Managed using &man.ugidfw.8;, rules
may limit access to files and directories based on the uid
and gids of the process attempting the access, and the owner
and group of the target of the access attempt. All rules
are restrictive, so they may be placed in any order. This policy
requires no prior configuration or labeling, and may be
appropriate in multi-user environments where mandatory limits
on inter-user data exchange are required. Caution should be
exercised in limiting access to files owned by the super-user or
other system user ids, as many useful programs and directories
are owned by these users. As with a network firewall,
improper application of file system firewall rules may render
the system unusable. New tools to manage the rule set may be
easily written using the &man.libugidfw.3; library.Interface Silencing Policy (mac_ifoff)Interface Silencing PolicyVendor: TrustedBSD ProjectModule name: mac_ifoff.koKernel option: MAC_IFOFFThe interface silencing policy (&man.mac.ifoff.4;)
prohibits the use of network interfaces during the boot
until explicitly enabled, preventing spurious stack output
stack response to incoming packets. This is appropriate
for use in environments where the monitoring of packets
is required, but no traffic may be generated.Low-Watermark Mandatory Access Control (LOMAC)
(mac_lomac)MACLow-WatermarkLOMACVendor: Network Associates LaboratoriesModule name: mac_lomac.koKernel option: MAC_LOMACSimilar to the Biba Integrity Policy, the LOMAC
policy (&man.mac.lomac.4;) relies on the ubiquitous
labeling of all system objects with integrity labels.
Unlike Biba, LOMAC permits high integrity subjects to
read from low integrity objects, but then downgrades the
label on the subject to prevent future writes to high
integrity objects. This policy may provide for greater
compatibility, as well as require less initial
configuration than Biba. However, as with Biba, it
ubiquitously labels objects and must therefore be
compiled into the kernel or loaded at boot.Multi-Level Security Policy (MLS) (mac_mls)Multi-Level Security PolicyMACMulti-LevelVendor: TrustedBSD ProjectModule name: mac_mls.koKernel option: MAC_MLSMulti-Level Security (MLS)
(&man.mac.mls.4;) provides for hierarchical and non-hierarchical
labeling of all system objects with sensitivity data, and the
strict enforcement of an information flow policy to prevent
the leakage of confidential data to untrusted parties. The
logical conjugate of the Biba Integrity Policy,
MLS is frequently shipped in commercial
trusted operating systems to protect data secrecy in
multi-user environments. Hierarchal labels provide support
for the notion of clearances and classifications in
traditional parlance; non-hierarchical labels provide support
for need-to-know. As with Biba, ubiquitous
labeling of objects occurs, and it must therefore be compiled
into the kernel or loaded at boot. As with Biba, extensive
initial configuration may be required.MAC Stub Policy (mac_none)MAC Stub PolicyVendor: TrustedBSD ProjectModule name: mac_none.koKernel option: MAC_NONEThe None policy (&man.mac.none.4;) provides a stub
sample policy for developers, implementing all entry
points, but not changing the system access control
policy. Running this on a production system would
not be highly beneficial.Process Partition Policy (mac_partition)Process Partition PolicyVendor: TrustedBSD ProjectModule name: mac_partition.koKernel option: MAC_PARTITIONThe Partition policy (&man.mac.partition.4;) provides for a
simple process visibility limitation, assigning labels to
processes identifying what numeric system partition they
are present in. If none, all other processes are visible
using standard monitoring tools; if a partition identifier
is present, then only other processes in the same
partition are visible. This policy may be compiled into
the kernel, loaded at boot, or loaded at run-time.See Other Uids Policy (mac_seeotheruids)See Other Uids PolicyVendor: TrustedBSD ProjectModule name: mac_seeotheruids.koKernel option: MAC_SEEOTHERUIDSThe See Other Uids policy (&man.mac.seeotheruids.4;)
implements a similar process visibility model to
mac_partition, except that it relies on process credentials to
control visibility of processes, rather than partition labels.
This policy may be configured to exempt certain users and
groups, including permitting system operators to view all
processes without special privilege. This policy may be
compiled into the kernel, loaded at boot, or loaded at
run-time.MAC Framework Test Policy (mac_test)MAC Framework Test PolicyVendor: TrustedBSD ProjectModule name: mac_test.koKernel option: MAC_TESTThe Test policy (&man.mac.test.4;) provides a regression
test environment for the MAC Framework, and will cause a
fail-stop in the event that internal MAC Framework assertions
about proper data labeling fail. This module can be used to
detect failures to properly label system objects in the kernel
implementation. This policy may be compiled into the kernel,
loaded at boot, or loaded at run-time.TomRhodesContributed by ACLFile System Access Control ListsIn conjunction with file system enhancements like snapshots, FreeBSD 5.0
and later offers the security of File System Access Control Lists
(ACLs).
- Access Control Lists extend the standard UNIX
- permission model in a highly compatible (POSIX.1e) way. This feature
+ Access Control Lists extend the standard &unix;
+ permission model in a highly compatible (&posix;.1e) way. This feature
permits an administrator to make use of and take advantage of a
more sophisticated security model.To enable ACL support for UFS
file systems, the following:options UFS_ACLmust be compiled into the kernel. If this option has
not been compiled in, a warning message will be displayed
when attempting to mount a file system supporting ACLs.
This option is included in the GENERIC kernel.
ACLs rely on extended attributes being enabled on
the file system. Extended attributes are natively supported in the next generation
- UNIX file system, UFS2.
+ &unix; file system, UFS2.A higher level of administrative overhead is required to
configure extended attributes on UFS1 than on
UFS2. The performance of extended attributes
on UFS2 is also substantially higher. As a
result, UFS2 is generally recommended in preference
to UFS1 for use with access control lists.ACLs are enabled by the mount-time administrative
flag, , which may be added to /etc/fstab.
The mount-time flag can also be automatically set in a persistent manner using
&man.tunefs.8; to modify a superblock ACLs flag in the
file system header. In general, it is preferred to use the superblock flag
for several reasons:The mount-time ACLs flag cannot be changed by a
remount (&man.mount.8; ), only by means of a complete
&man.umount.8; and fresh &man.mount.8;. This means that
ACLs cannot be enabled on the root file system after boot.
It also means that you cannot change the disposition of a file system once
it is in use.Setting the superblock flag will cause the file system to always be
mounted with ACLs enabled even if there is not an
fstab entry or if the devices re-order. This prevents
accidental mounting of the file system without ACLs
enabled, which can result in ACLs being improperly enforced,
and hence security problems.We may change the ACLs behavior to allow the flag to
be enabled without a complete fresh &man.mount.8;, but we consider it desirable to
discourage accidental mounting without ACLs enabled, because you
can shoot your feet quite nastily if you enable ACLs, then disable
them, then re-enable them without flushing the extended attributes. In general, once
you have enabled ACLs on a file system, they should not be disabled,
as the resulting file protections may not be compatible with those intended by the
users of the system, and re-enabling ACLs may re-attach the previous
ACLs to files that have since had their permissions changed,
resulting in other unpredictable behavior.File systems with ACLs enabled will show a +
(plus) sign in their permission settings when viewed. For example:drwx------ 2 robert robert 512 Dec 27 11:54 private
drwxrwx---+ 2 robert robert 512 Dec 23 10:57 directory1
drwxrwx---+ 2 robert robert 512 Dec 22 10:20 directory2
drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3
drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_htmlHere we see that the directory1,
directory2, and directory3
directories are all taking advantage of ACLs. The
public_html directory is not.
diff --git a/en_US.ISO8859-1/books/handbook/users/chapter.sgml b/en_US.ISO8859-1/books/handbook/users/chapter.sgml
index 5d154d3ce4..bb6e31b60f 100644
--- a/en_US.ISO8859-1/books/handbook/users/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/users/chapter.sgml
@@ -1,1067 +1,1067 @@
NeilBlakey-MilnerContributed by Users and Basic Account ManagementSynopsisFreeBSD allows multiple users to use the computer at the same time.
Obviously, only one of those users can be sitting in front of the screen and
keyboard at any one time
Well, unless you hook up multiple terminals, but we will
save that for ., but any number of users can log in through the
network to get their work done. To use the system every user must have
an account.After reading this chapter, you will know:The differences between the various user accounts on a FreeBSD
system.How to add user accounts.How to remove user accounts.How to change account details, such as the user's full name, or
preferred shell.How to set limits on a per-account basis, to control the
resources such as memory and CPU time that accounts and groups of
accounts are allowed to access.How to use groups to make account management easier.Before reading this chapter, you should:
- Understand the basics of Unix and FreeBSD (Understand the basics of &unix; and FreeBSD ().IntroductionAll access to the system is achieved via accounts, and all
processes are run by users, so user and account management are
of integral importance on FreeBSD systems.Every account on a FreeBSD system has certain information associated
with it to identify the account.User nameThe user name as it would be typed at the
login: prompt. User names must be unique across
the computer; you may not have two users with the same
user name. There are a number of rules for creating valid user
names, documented in &man.passwd.5;; you would typically use user
names that consist of eight or fewer all lower case
characters.PasswordEach account has a password associated with it. The password
may be blank, in which case no password will be required to access
the system. This is normally a very bad idea; every account
should have a password.User ID (UID)The UID is a number from 0 to 65536 used to uniquely identify
the user to the system. Internally, FreeBSD uses the UID to
identify users—any FreeBSD commands that allow you to
specify a user name will convert it to the UID before working with
it. This means that you can have several accounts with different
user names but the same UID. As far as FreeBSD is concerned these
accounts are one user. It is unlikely you will ever need to do
this.Group ID (GID)The GID is a number from 0 to 65536 used to uniquely identify
the primary group that the user belongs to. Groups are a
mechanism for controlling access to resources based on a user's
GID rather than their UID. This can significantly reduce the size
of some configuration files. A user may also be in more than one
group.Login classLogin classes are an extension to the group mechanism that
provide additional flexibility when tailoring the system to
different users.Password change timeBy default FreeBSD does not force users to change their
passwords periodically. You can enforce this on a per-user basis,
forcing some or all of your users to change their passwords after
a certain amount of time has elapsed.Account expiry timeBy default FreeBSD does not expire accounts. If you are
creating accounts that you know have a limited lifespan, for
example, in a school where you have accounts for the students,
then you can specify when the account expires. After the expiry
time has elapsed the account cannot be used to log in to the
system, although the account's directories and files will
remain.User's full nameThe user name uniquely identifies the account to FreeBSD, but
does not necessarily reflect the user's real name. This
information can be associated with the account.Home directoryThe home directory is the full path to a directory on the
system in which the user will start when logging on to the
system. A common convention is to put all user home directories
under
/home/username
or /usr/home/username.
The user would store their personal files in their home directory,
and any directories they may create in there.User shellThe shell provides the default environment users use to
interact with the system. There are many different kinds of
shells, and experienced users will have their own preferences,
which can be reflected in their account settings.There are three main types of accounts: the Superuser, system users, and user accounts. The Superuser
account, usually called root, is used to
manage the system with no limitations on privileges. System
users run services. Finally, user accounts are used by real
people, who log on, read mail, and so forth.The Superuser Accountaccountssuperuser (root)The superuser account, usually called
root, comes preconfigured to facilitate
system administration, and should not be used for day-to-day
tasks like sending and receiving mail, general exploration of
the system, or programming.This is because the superuser, unlike normal user accounts,
can operate without limits, and misuse of the superuser account
may result in spectacular disasters. User accounts are unable
to destroy the system by mistake, so it is generally best to use
normal user accounts whenever possible, unless you especially
need the extra privilege.You should always double and triple-check commands you issue
as the superuser, since an extra space or missing character can
mean irreparable data loss.So, the first thing you should do after reading this
chapter is to create an unprivileged user account for yourself
for general usage if you have not already. This applies equally
whether you are running a multi-user or single-user machine.
Later in this chapter, we discuss how to create additional
accounts, and how to change between the normal user and
superuser.System AccountsaccountssystemSystem users are those used to run services such as DNS,
mail, web servers, and so forth. The reason for this is
security; if all services ran as the superuser, they could
act without restriction.accountsdaemonaccountsoperatorExamples of system users are daemon,
operator, bind (for
the Domain Name Service), and news. Often
sysadmins create httpd to run web servers
they install.accountsnobodynobody is the generic unprivileged
system user. However, it is important to keep in mind that the
more services that use nobody, the more
files and processes that user will become associated with, and
hence the more privileged that user becomes.User AccountsaccountsuserUser accounts are the primary means of access for real
people to the system, and these accounts insulate the user and
the environment, preventing the users from damaging the system
or other users, and allowing users to customize their
environment without affecting others.Every person accessing your system should have a unique user
account. This allows you to find out who is doing what, prevent
people from clobbering each others' settings or reading each
others' mail, and so forth.Each user can set up their own environment to accommodate
their use of the system, by using alternate shells, editors, key
bindings, and language.Modifying AccountsaccountsmodifyingThere are a variety of different commands available in the
- Unix environment to manipulate user accounts. The most common
+ &unix; environment to manipulate user accounts. The most common
commands are summarized below, followed by more detailed
examples of their usage.CommandSummary&man.adduser.8;The recommended command-line application for adding
new users.&man.rmuser.8;The recommended command-line application for
removing users.&man.chpass.1;A flexible tool to change user database information.&man.passwd.1;The simple command-line tool to change user
passwords.&man.pw.8;A powerful and flexible tool to modify all aspects
of user accounts.<command>adduser</command>accountsaddingadduser/usr/share/skelskeleton directory&man.adduser.8; is a simple program for
adding new users. It creates entries in the system
passwd and group
files. It will also create a home directory for the new user,
copy in the default configuration files (dotfiles) from
/usr/share/skel, and can optionally mail
the new user a welcome message.To create the initial configuration file, use
adduser -s -config_create.
The makes &man.adduser.8;
default to
quiet. We use later when we want to
change defaults.
Next, we configure &man.adduser.8;
defaults, and create our first user account, since using
root for normal usage is evil and
nasty.Configuring <command>adduser</command>&prompt.root; adduser -v
Use option ``-silent'' if you don't want to see all warnings and questions.
Check /etc/shells
Check /etc/master.passwd
Check /etc/group
Enter your default shell: csh date no sh tcsh zsh [sh]: zsh
Your default shell is: zsh -> /usr/local/bin/zsh
Enter your default HOME partition: [/home]:
Copy dotfiles from: /usr/share/skel no [/usr/share/skel]:
Send message from file: /etc/adduser.message no
[/etc/adduser.message]: no
Do not send message
Use passwords (y/n) [y]: y
Write your changes to /etc/adduser.conf? (y/n) [n]: y
Ok, let's go.
Don't worry about mistakes. I will give you the chance later to correct any input.
Enter username [a-z0-9_-]: jru
Enter full name []: J. Random User
Enter shell csh date no sh tcsh zsh [zsh]:
Enter home directory (full path) [/home/jru]:
Uid [1001]:
Enter login class: default []:
Login group jru [jru]:
Login group is ``jru''. Invite jru into other groups: guest no
[no]: wheel
Enter password []:
Enter password again []:
Name: jru
Password: ****
Fullname: J. Random User
Uid: 1001
Gid: 1001 (jru)
Class:
Groups: jru wheel
HOME: /home/jru
Shell: /usr/local/bin/zsh
OK? (y/n) [y]: y
Added user ``jru''
Copy files from /usr/share/skel to /home/jru
Add another user? (y/n) [y]: n
Goodbye!
&prompt.root;In summary, we changed the default shell to
zsh (an additional shell found in
the Ports Collection), and turned off the sending of a welcome mail to
added users. We then saved the configuration,
created an account for jru, and made
sure jru is in wheel
group (so that she may assume the role of
root with the &man.su.1;
command.)The password you type in is not echoed, nor are asterisks
displayed. Make sure you do not mistype the password twice.
Just use &man.adduser.8; without arguments
from now on, and you will not have to go through changing the
defaults. If the program asks you to change the defaults,
exit the program, and try the
option.<command>rmuser</command>rmuseraccountsremovingYou can use &man.rmuser.8; to
completely remove a user from the system.
&man.rmuser.8; performs the following
steps:Removes the user's &man.crontab.1; entry (if
any).Removes any &man.at.1; jobs belonging to the
user.Kills all processes owned by the user.Removes the user from the system's local password
file.Removes the user's home directory (if it is owned by
the user).Removes the incoming mail files belonging to the user
from /var/mail.Removes all files owned by the user from temporary
file storage areas such as /tmp.Finally, removes the username from all groups to which
it belongs in /etc/group.
If a group becomes empty and the group name is the
same as the username, the group is removed; this
complements the per-user unique groups created by
&man.adduser.8;.&man.rmuser.8; cannot be used to remove
superuser accounts, since that is almost always an indication
of massive destruction.By default, an interactive mode is used, which attempts to
make sure you know what you are doing.<command>rmuser</command> Interactive Account Removal&prompt.root; rmuser jru
Matching password entry:
jru:*:1001:1001::0:0:J. Random User:/home/jru:/usr/local/bin/zsh
Is this the entry you wish to remove? y
Remove user's home directory (/home/jru)? y
Updating password file, updating databases, done.
Updating group file: trusted (removing group jru -- personal group is empty) done.
Removing user's incoming mail file /var/mail/jru: done.
Removing files belonging to jru from /tmp: done.
Removing files belonging to jru from /var/tmp: done.
Removing files belonging to jru from /var/tmp/vi.recover: done.
&prompt.root;<command>chpass</command>chpass&man.chpass.1; changes user database
information such as passwords, shells, and personal
information.Only system administrators, as the superuser, may change
other users' information and passwords with
&man.chpass.1;.When passed no options, aside from an optional username,
&man.chpass.1; displays an editor
containing user information. When the user exists from the
editor, the user database is updated with the new
information.Interactive <command>chpass</command> by Superuser#Changing user database information for jru.
Login: jru
Password: *
Uid [#]: 1001
Gid [# or name]: 1001
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /home/jru
Shell: /usr/local/bin/zsh
Full Name: J. Random User
Office Location:
Office Phone:
Home Phone:
Other information:The normal user can change only a small subset of this
information, and only for themselves.Interactive <command>chpass</command> by Normal User#Changing user database information for jru.
Shell: /usr/local/bin/zsh
Full Name: J. Random User
Office Location:
Office Phone:
Home Phone:
Other information:&man.chfn.1; and &man.chsh.1; are
just links to &man.chpass.1;, as
are &man.ypchpass.1;,
&man.ypchfn.1;, and
&man.ypchsh.1;. NIS support is automatic, so
specifying the yp before the command is
not necessary. If this is confusing to you, do not worry, NIS will
be covered in .<command>passwd</command>passwdaccountschanging password&man.passwd.1; is the usual way to
change your own password as a user, or another user's password
as the superuser.Users must type in their original password before
changing their password, to prevent an unauthorized person
from changing their password when the user is away from
their console.Changing Your Password&prompt.user; passwd
Changing local password for jru.
Old password:
New password:
Retype new password:
passwd: updating the database...
passwd: doneChanging Another User's Password as the Superuser&prompt.root; passwd jru
Changing local password for jru.
New password:
Retype new password:
passwd: updating the database...
passwd: doneAs with &man.chpass.1;,
&man.yppasswd.1; is just a link to
&man.passwd.1;, so NIS works with either
command.<command>pw</command>pw&man.pw.8; is a command line utility to create, remove,
modify, and display users and groups. It functions as a front
end to the system user and group files. &man.pw.8;
has a very powerful set of command line options that make it
suitable for use in shell scripts, but new users may find it
more complicated than the other commands presented
here.Limiting Userslimiting usersaccountslimitingIf you have users, the ability to limit their system use may
have come to mind. FreeBSD provides
several ways an administrator can limit the amount of system
resources an individual may use. These limits are
divided into two sections: disk quotas, and other resource
limits.quotaslimiting usersquotasdisk quotasDisk quotas limit disk usage to users, and
they
provide a way to quickly check that usage without
calculating it every time. Quotas are discussed in .The other resource limits include ways to limit the amount of
CPU, memory, and other resources a user may consume. These are
defined using login classes and are discussed here./etc/login.confLogin classes are defined in
/etc/login.conf. The precise semantics are
beyond the scope of this section, but are described in detail in the
&man.login.conf.5; manual page. It is sufficient to say that each
user is assigned to a login class (default by
default), and that each login class has a set of login capabilities
associated with it. A login capability is a
name=value
pair, where name is a well-known
identifier and value is an arbitrary
string processed accordingly depending on the name. Setting up login
classes and capabilities is rather straight-forward and is also
described in &man.login.conf.5;.Resource limits are different from plain vanilla login
capabilities in two ways. First, for every limit, there is a soft
(current) and hard limit. A soft limit may be adjusted by the user
or application, but may be no higher than the hard limit. The latter
may be lowered by the user, but never raised. Second, most resource
limits apply per process to a specific user, not the user as a whole.
Note, however, that these differences are mandated by the specific
handling of the limits, not by the implementation of the login
capability framework (i.e., they are not really
a special case of login capabilities).And so, without further ado, below are the most commonly used
resource limits (the rest, along with all the other login
capabilities, may be found in &man.login.conf.5;).coredumpsizecoredumpsizelimiting userscoredumpsizeThe limit on the size of a core file generated by a program
is, for obvious reasons, subordinate to other limits on disk
usage (e.g., filesize, or disk quotas).
Nevertheless, it is often used as a less-severe method of
controlling disk space consumption: since users do not generate
core files themselves, and often do not delete them, setting this
may save them from running out of disk space should a large
program (e.g., emacs) crash.cputimecputimelimiting userscputimeThis is the maximum amount of CPU time a user's process may
consume. Offending processes will be killed by the kernel.
This is a limit on CPU time
consumed, not percentage of the CPU as displayed in some
fields by &man.top.1; and &man.ps.1;. A limit on the
latter is, at the time of this writing, not possible, and
would be rather useless: a compiler—probably a
legitimate task—can easily use almost 100% of a CPU
for some time.filesizefilesizelimiting usersfilesizeThis is the maximum size of a file the user may possess.
Unlike disk quotas, this limit is
enforced on individual files, not the set of all files a user
owns.maxprocmaxproclimiting usersmaxprocThis is the maximum number of processes a user may be
running. This includes foreground and background processes
alike. For obvious reasons, this may not be larger than the
system limit specified by the kern.maxproc
&man.sysctl.8;. Also note that setting this
too small may hinder a
user's productivity: it is often useful to be logged in
multiple times or execute pipelines. Some tasks, such as
compiling a large program, also spawn multiple processes (e.g.,
&man.make.1;, &man.cc.1;, and other intermediate
preprocessors).memorylockedmemorylockedlimiting usersmemorylockedThis is the maximum amount a memory a process may have
requested to be locked into main memory (e.g., see
&man.mlock.2;). Some system-critical programs, such as
&man.amd.8;, lock into main memory such that in the event
of being swapped out, they do not contribute to
a system's trashing in time of trouble.memoryusememoryuselimiting usersmemoryuseThis is the maximum amount of memory a process may consume
at any given time. It includes both core memory and swap
usage. This is not a catch-all limit for restricting memory
consumption, but it is a good start.openfilesopenfileslimiting usersopenfilesThis is the maximum amount of files a process may have
open. In FreeBSD, files are also used to represent sockets and
IPC channels; thus, be careful not to set this too low. The
system-wide limit for this is defined by the
kern.maxfiles &man.sysctl.8;.sbsizesbsizelimiting userssbsizeThis is the limit on the amount of network memory, and thus
mbufs, a user may consume. This originated as a response to an
old DoS attack by creating a lot of sockets, but can be
generally used to limit network communications.stacksizestacksizelimiting usersstacksizeThis is the maximum size a process' stack may grow to.
This alone is not sufficient to limit the amount of memory a
program may use; consequently, it should be used in conjunction
with other limits.There are a few other things to remember when setting resource
limits. Following are some general tips, suggestions, and
miscellaneous comments.Processes started at system startup by
/etc/rc are assigned to the
daemon login class.Although the /etc/login.conf that comes
with the system is a good source of reasonable values for most
limits, only you, the administrator, can know what is appropriate
for your system. Setting a limit too high may open your system
up to abuse, while setting it too low may put a strain on
productivity.Users of the X Window System (X11) should probably be granted
more resources than other users. X11 by itself takes a lot of
resources, but it also encourages users to run more programs
simultaneously.Remember that many limits apply to individual processes, not
the user as a whole. For example, setting
openfiles to 50 means
that each process the user runs may open up to 50 files. Thus,
the gross amount of files a user may open is the value of
openfiles multiplied by the value of
maxproc. This also applies to memory
consumption.For further information on resource limits and login classes and
capabilities in general, please consult the relevant manual pages:
&man.cap.mkdb.1;, &man.getrlimit.2;, &man.login.conf.5;.Personalizing UsersLocalization is an environment set up by the system
administrator or user to accommodate different languages,
character sets, date and time standards, and so on. This is
discussed in the localization
chapter.Groupsgroups/etc/groupsaccountsgroupsA group is simply a list of users. Groups are identified by
- their group name and GID (Group ID). In FreeBSD (and most other Unix
+ their group name and GID (Group ID). In FreeBSD (and most other &unix; like
systems), the two factors the kernel uses to decide whether a process
is allowed to do something is its user ID and list of groups it
belongs to. Unlike a user ID, a process has a list of groups
associated with it. You may hear some things refer to the group ID
of a user or process; most of the time, this just means the first
group in the list.The group name to group ID map is in
/etc/group. This is a plain text file with four
colon-delimited fields. The first field is the group name, the
second is the encrypted password, the third the group ID, and the
fourth the comma-delimited list of members. It can safely be edited
by hand (assuming, of course, that you do not make any syntax
errors!). For a more complete description of the syntax, see the
&man.group.5; manual page.If you do not want to edit /etc/group
manually, you can use the &man.pw.8; command to add and edit groups.
For example, to add a group called teamtwo and
then confirm that it exists you can use:Adding a Group Using &man.pw.8;&prompt.root; pw groupadd teamtwo
&prompt.root; pw groupshow teamtwo
teamtwo:*:1100:The number 1100 above is the group ID of the
group teamtwo. Right now,
teamtwo has no members, and is thus rather
useless. Let's change that by inviting jru to
the teamtwo group.Adding Somebody to a Group Using &man.pw.8;&prompt.root; pw groupmod teamtwo -M jru
&prompt.root; pw groupshow teamtwo
teamtwo:*:1100:jruThe argument to the option is a
comma-delimited list of users who are members of the group. From the
preceding sections, we know that the password file also contains a
group for each user. The latter (the user) is automatically added to
the group list by the system; the user will not show up as a member
when using the command to &man.pw.8;,
but will show up when the information is queried via &man.id.1; or
similar tool. In other words, &man.pw.8; only manipulates the
/etc/group file; it will never attempt to read
additionally data from /etc/passwd.Using &man.id.1; to Determine Group Membership&prompt.user; id jru
uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)As you can see, jru is a member of the
groups jru and
teamtwo.For more information about &man.pw.8;, see its manual page, and
for more information on the format of
/etc/group, consult the &man.group.5; manual
page.
diff --git a/en_US.ISO8859-1/books/handbook/x11/chapter.sgml b/en_US.ISO8859-1/books/handbook/x11/chapter.sgml
index d74d4a602e..1af18da813 100644
--- a/en_US.ISO8859-1/books/handbook/x11/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/x11/chapter.sgml
@@ -1,1660 +1,1660 @@
The X Window SystemSynopsisFreeBSD uses XFree86 to provide users with
a powerful graphical user interface. XFree86
is an open-source implementation of the X Window System. This chapter
will cover installation and configuration of
XFree86 on a FreeBSD system. For more
information on XFree86 and video hardware that
it supports, check the XFree86 web site.After reading this chapter, you will know:The various components of the X Window System, and how they
interoperate.How to install and configure
XFree86.How to install and use different window managers.
- How to use TrueType fonts in
+ How to use &truetype; fonts in
XFree86.How to setup your system for graphical logins
(XDM).Before reading this chapter, you should:Know how to install additional third-party
software ().Understanding XUsing X for the first time can be somewhat of a shock to someone
- familiar with other graphical environments, such as Microsoft Windows or
- MacOS.
+ familiar with other graphical environments, such as µsoft.windows; or
+ &macos;.
It is not necessary to understand all of the details of various
X components and how they interact; however, some basic knowledge makes
it possible to take advantage of X's strengths.Why X?
- X is not the first window system written for Unix, but it is the
+ X is not the first window system written for &unix;, but it is the
most popular. X's original development team had worked on another
window system before writing X. That system's name was
W (for Window). X is just the next
letter in the Roman alphabet.X can be called X, X Window System,
X11, and other terms. Calling X11
X Windows can offend some people;
see &man.X.7; for a bit more insight on this.The X Client/Server ModelX was designed from the beginning to be network-centric, and
adopts a client-server model. In the X model, the
X server runs on the computer that has the keyboard,
monitor, and mouse attached. The server is responsible for managing
the display, handling input from the keyboard and mouse, and so on.
Each X application (such as XTerm, or
- Netscape) is a client. A
+ &netscape;) is a client. A
client sends messages to the server such as Please draw a
window at these coordinates, and the server sends back
messages such as The user just clicked on the OK
button.If there is only one computer involved, such as in a home or small
office environment, the X server and the X clients will be running on
the same computer. However, it is perfectly possible to run the X
server on a less powerful desktop computer, and run X applications
(the clients) on, say, the powerful and expensive machine that serves
the office. In this scenario the communication between the X client
and server takes place over the network.This confuses some people, because the X terminology is
exactly backward to what they expect. They expect the X
server to be the big powerful machine down the hall, and
the X client to be the machine on their desk.Remember that the X server is the machine with the monitor and
keyboard, and the X clients are the programs that display the
windows.There is nothing in the protocol that forces the client and
server machines to be running the same operating system, or even to
be running on the same type of computer. It is certainly possible to
- run an X server on Microsoft Windows or Apple's MacOS, and there are
+ run an X server on µsoft.windows; or Apple's &macos;, and there are
various free and commercial applications available that do exactly
that.The X server that ships with FreeBSD is called
XFree86, and is available for free, under a
license very similar to the FreeBSD license. Commercial X servers for
FreeBSD are also available.The Window Manager
- The X design philosophy is much like the Unix design philosophy,
+ The X design philosophy is much like the &unix; design philosophy,
tools, not policy. This means that X does not try to
dictate how a task is to be accomplished. Instead, tools are provided
to the user, and it is the user's responsibility to decide how to use
those tools.This philosophy extends to X not dictating what windows should
look like on screen, how to move them around with the mouse, what
keystrokes should be used to move between windows (i.e.,
AltTab
- , in the case of Microsoft Windows), what the title bars
+ , in the case of µsoft.windows;), what the title bars
on each window should look like, whether or not they have close
buttons on them, and so on.Instead, X delegates this responsibility to an application called
a Window Manager. There are dozens of window
managers available for X: AfterStep,
Blackbox, ctwm,
Enlightenment,
fvwm, Sawfish,
twm,
Window Maker, and more. Each of these
window managers provides a different look and feel; some of them
support virtual desktops; some of them allow customized
keystrokes to manage the desktop; some have a Start
button or similar device; some are themeable, allowing
a complete change of look-and-feel by applying a new theme. These
window managers, and many more, are available in the
x11-wm category of the Ports Collection.In addition, the KDE and
GNOME desktop environments both have their
own window managers which integrate with the desktop.Each window manager also has a different configuration mechanism;
some expect configuration file written by hand, others feature
GUI tools for most of the configuration tasks; at least one
(sawfish) has a configuration file written
in a dialect of the Lisp language.Focus PolicyAnother feature the window manager is responsible for is the
mouse focus policy. Every windowing system
needs some means of choosing a window to be actively receiving
keystrokes, and should visibly indicate which window is active as
well.A familiar focus policy is called click-to-focus.
- This is the model utilized by Microsoft Windows, in which a window
+ This is the model utilized by µsoft.windows;, in which a window
becomes active upon receiving a mouse click.X does not support any particular focus policy. Instead, the
window manager controls which window has the focus at any one time.
Different window managers will support different focus methods. All
of them support click to focus, and the majority of them support
several others.The most popular focus policies are:focus-follows-mouseThe window that is under the mouse pointer is the
window that has the focus. This may not necessarily be
the window that is on top of all the other windows.
The focus is changed by pointing at another window, there
is no need to click in it as well.sloppy-focusThis policy is a small extension to focus-follows-mouse.
With focus-follows-mouse, if the mouse is moved over the
root window (or background) then no window has the focus,
and keystrokes are simply lost. With sloppy-focus, focus is
only changed when the cursor enters a new window, and not
when exiting the current window.click-to-focusThe active window is selected by mouse click. The
window may then be raised, and appear in
front of all other windows. All keystrokes will now be
directed to this window, even if the cursor is moved to
another window.Many window managers support other policies, as well as
variations on these. Be sure to consult the documentation for
the window manager itself.WidgetsThe X approach of providing tools and not policy extends to the
widgets that seen on screen in each application.Widget is a term for all the items in the user
interface that can be clicked or manipulated in some way; buttons,
- check boxes, radio buttons, icons, lists, and so on. Microsoft
- Windows calls these controls.
+ check boxes, radio buttons, icons, lists, and so on. µsoft.windows;
+ calls these controls.
- Microsoft Windows and Apple's MacOS both have a very rigid widget
+ µsoft.windows; and Apple's &macos; both have a very rigid widget
policy. Application developers are supposed to ensure that their
applications share a common look and feel. With X, it was not
considered sensible to mandate a particular graphical style, or set
of widgets to adhere to.As a result, do not expect X applications to have a common
look and feel. There are several popular widget sets and
variations, including the original Athena widget set from MIT,
- Motif (on which the widget set in
- Microsoft Windows was modeled, all bevelled edges and three shades of
+ &motif; (on which the widget set in
+ µsoft.windows; was modeled, all bevelled edges and three shades of
grey), OpenLook, and others.Most newer X applications today will use a modern-looking widget
set, either Qt, used by KDE, or
GTK, used by the
GNOME
project. In this respect, there is some convergence in
- look-and-feel of the Unix desktop, which certainly makes things
+ look-and-feel of the &unix; desktop, which certainly makes things
easier for the novice user.Installing XFree86Before installing XFree86, decide on which
version to run. XFree86 3.X is a maintenance
branch of XFree86 development. It is very
stable, and it supports a huge number of graphics cards. However, no new
development is being done on the software. XFree86
4.X is a complete redesign of the system with many new
features such as better support for fonts and anti-aliasing.
Unfortunately this new architecture requires that the video drivers be
rewritten, and some of the older cards that were supported in 3.X are not
yet supported in 4.X. As all new developments and support for new
graphics cards are done on that branch, XFree86
4.X is now the default version of the X Window System on
FreeBSD.The FreeBSD setup program offers users the opportunity to install
and configure XFree86 4.X during installation
(covered in ). To install and run
XFree86 3.X, wait until after the base
FreeBSD system is installed, and then install
XFree86. For example, to build and install
XFree86 3.X from the ports collection:&prompt.root; cd /usr/ports/x11/XFree86
&prompt.root; make all install cleanAlternatively, either version of XFree86
can be installed directly from the FreeBSD binaries provided on the
XFree86 web site. A binary
package to use with &man.pkg.add.1; tool is also available for
XFree86 4.X. When the remote fetching
feature of &man.pkg.add.1; is used, the version number of the
package must be removed. &man.pkg.add.1; will automatically fetch
the latest version of the application. So to fetch and install the
package of XFree86 4.X, simply type:&prompt.root; pkg_add -r XFree86You can also use the ports collection to install
XFree86 4.X, for that you simply need
to type the following commands:&prompt.root; cd /usr/ports/x11/XFree86-4
&prompt.root; make install cleanThe examples above will install the complete
XFree86 distribution including the
servers, clients, fonts etc. Separate packages and ports for
different parts of XFree86 4.X are also
available.The rest of this chapter will explain how to configure
XFree86, and how to setup a productive desktop
environment.ChristopherShumwayContributed by XFree86 ConfigurationXFree86 4.XXFree86Before StartingBefore configuration of XFree86 4.X,
the following information about the target system is needed:Monitor specificationsVideo Adapter chipsetVideo Adapter memoryhorizontal scan ratevertical scan rateThe specifications for the monitor are used by
XFree86 to determine the resolution and
refresh rate to run at. These specifications can usually be
obtained from the documentation that came with the monitor or from
the manufacturer's website. There are two ranges of numbers that
are needed, the horizontal scan rate and the vertical synchronization
rate.The video adapter's chipset defines what driver module
XFree86 uses to talk to the graphics
hardware. With most chipsets, this can be automatically
determined, but it is still useful to know in case the automatic
detection does not work correctly.Video memory on the graphic adapter determines the
resolution and color depth which the system can run at. This is
important to know so the user knows the limitations of the
system.Configuring XFree86 4.XConfiguration of XFree86 4.X is
a multi-step process. The first step is to build an initial
configuration file with the option to
XFree86. As the super user, simply
run:&prompt.root; XFree86 -configureThis will generate a skeleton
XFree86 configuration file in the
/root directory called
XF86Config.new (in fact the directory used
is the one covered by the environment variable $HOME,
and it will depend from the way you got the superuser rights). The
XFree86 program will attempt to probe
the graphics hardware on the system and will write a
configuration file to load the proper drivers for the detected
hardware on the target system.The next step is to test the existing
configuration to verify that XFree86
can work with the graphics
hardware on the target system. To perform this task, the user
needs to run:&prompt.root; XFree86 -xf86config XF86Config.newIf a black and grey grid and an X mouse cursor appear,
the configuration was successful. To exit the test, just press
CtrlAltBackspace simultaneously.If the mouse does not work, be sure the device
has been configured. See
in the &os; install chapter.XFree86 4 TuningNext, tune the XF86Config.new
configuration file to taste. Open the file in a text editor such
as &man.emacs.1; or &man.ee.1;. First, add the
frequencies for the target system's monitor. These are usually
expressed as a horizontal and vertical synchronization rate. These
values are added to the XF86Config.new file
under the "Monitor" section:Section "Monitor"
Identifier "Monitor0"
VendorName "Monitor Vendor"
ModelName "Monitor Model"
HorizSync 30-107
VertRefresh 48-120
EndSectionThe HorizSync and
VertRefresh keywords may not exist in the
configuration file. If they do not, they need to be added, with
the correct horizontal synchronization rate placed after the
Horizsync keyword and the vertical
synchronization rate after the VertRefresh
keyword. In the example above the target monitor's rates were
entered.X allows DPMS (Energy Star) features to be used with capable
monitors. The &man.xset.1; program controls the time-outs and can force
standby, suspend, or off modes. If you wish to enable DPMS features
for your monitor, you must add the following line to the monitor
section:
Option "DPMS"XF86ConfigWhile the XF86Config.new
configuration file is still open in an editor, select
the default resolution and color depth desired. This is
defined in the "Screen" section:Section "Screen"
Identifier "Screen0"
Device "Card0"
Monitor "Monitor0"
DefaultDepth 24
SubSection "Display"
Depth 24
Modes "1024x768"
EndSubSection
EndSectionThe DefaultDepth keyword describes
the color depth to run at by default. This can be overridden
with the -bpp command line switch to
&man.XFree86.1;.
The Modes keyword
describes the resolution to run at for the given color depth.
Note that only VESA standard modes are supported as defined by
the target system's graphics hardware.
In the example above, the default color depth is twenty-four
bits per pixel. At this color depth, the accepted resolution is
one thousand twenty-four pixels by seven hundred and sixty-eight
pixels.Finally, write the configuration file and test it using
the test mode given above. If all is well, the configuration
file needs to be installed in a common location where
&man.XFree86.1;
can find it.
This is typically /etc/X11/XF86Config or
/usr/X11R6/etc/X11/XF86Config.&prompt.root; cp XF86Config.new /etc/X11/XF86ConfigOnce the configuration file has been placed in a common
location, configuration is complete. In order to start
XFree86 4.X with &man.startx.1;,
install the x11/wrapper port.
XFree86 4.X can also be started with
&man.xdm.1;.There is also a graphical tool for configuration,
&man.xf86cfg.1;, that comes with the
XFree86 4.X distribution. It
allows to interactively define your configuration by choosing
the appropiate drivers and settings. This program can be used under console as well, just use the command xf86cfg -textmode. For more details,
refer to the &man.xf86cfg.1; manual page.Advanced Configuration Topics
- Configuration with Intel i810 Graphics Chipsets
+ Configuration with &intel; i810 Graphics ChipsetsIntel i810 graphic chipset
- Configuration with Intel i810 integrated chipsets
+ Configuration with &intel; i810 integrated chipsets
requires the agpgart
AGP programming interface for XFree86
to drive the card. The &man.agp.4; driver is in the
GENERIC kernel since releases
4.8-RELEASE and 5.0-RELEASE. On prior releases, you will
have to add the following line:device agpin your kernel configuration file and rebuild a new
kernel. Instead, you may want to load
the agp.ko kernel module
automatically with the &man.loader.8; at boot time.
For that, simply add this line to
/boot/loader.conf:agp_load="YES"Next, if you are running FreeBSD 4.X or earlier, a
device node needs to be created for the
programming interface. To create the AGP device node, run
&man.MAKEDEV.8; in the /dev
directory:&prompt.root; cd /dev
&prompt.root; sh MAKEDEV agpgartFreeBSD 5.X or later will use &man.devfs.5; to allocate
device nodes transparently, therefore the
&man.MAKEDEV.8; step is not required.This will allow configuration of the hardware as any other
graphics board. Note on systems without the &man.agp.4;
driver compiled in the kernel, trying to load the module
with &man.kldload.8; will not work. This driver has to be
in the kernel at boot time through being compiled in or
using /boot/loader.conf.If you are using XFree86 4.1.0 (or
later) and messages about unresolved symbols like
fbPictureInit appear, try adding the
following line after Driver "i810" in the
XFree86 configuration file:Option "NoDDC"MurrayStokelyContributed by Using Fonts in XFree86Type1 FontsThe default fonts that ship with
XFree86 are less than ideal for typical
desktop publishing applications. Large presentation fonts show up
jagged and unprofessional looking, and small fonts in
- Netscape are almost completely unintelligible.
- However, there are several free, high quality Type1 (PostScript) fonts
+ &netscape; are almost completely unintelligible.
+ However, there are several free, high quality Type1 (&postscript;) fonts
available which can be readily used
with XFree86, either version 3.X or
version 4.X. For instance, the URW font collection
(x11-fonts/urwfonts) includes
high quality versions of standard type1 fonts (Times Roman,
Helvetica, Palatino and others). The Freefonts collection
(x11-fonts/freefonts) includes
many more fonts, but most of them are intended for use in
graphics software such as the Gimp, and are not
complete enough to serve as screen fonts. In addition,
XFree86 can be configured to use
- TrueType fonts with a minimum of effort: see the
- section on TrueType fonts later.
+ &truetype; fonts with a minimum of effort: see the
+ section on &truetype; fonts later.
To install the above Type1 font collections from the ports
collection, run the following commands:&prompt.root; cd /usr/ports/x11-fonts/urwfonts
&prompt.root; make install cleanAnd likewise with the freefont or other collections. To tell the X
server that these fonts exist, add an appropriate line to the
XF86Config file (in /etc/ for
XFree86 version 3, or in
/etc/X11/ for version 4), which reads:FontPath "/usr/X11R6/lib/X11/fonts/URW/"Alternatively, at the command line in the X session
run:&prompt.user; xset fp+ /usr/X11R6/lib/X11/fonts/URW
&prompt.user; xset fp rehashThis will work but will be lost when the X session is closed,
unless it is added to the startup file (~/.xinitrc
for a normal startx session,
or ~/.xsession when logging in through a
graphical login manager like XDM).
A third way is to use the new
XftConfig file: see the
section on anti-aliasing.
- TrueType Fonts
+ &truetype; FontsTrueType FontsfontsTrueTypeXFree86 4.X has built in support
- for rendering TrueType fonts. There are two different modules
+ for rendering &truetype; fonts. There are two different modules
that can enable this functionality. The freetype module is used
in this example because it is more consistent with the other font
rendering back-ends. To enable the freetype module just add the
following line to the "Module" section of the
/etc/X11/XF86Config file.Load "freetype"For XFree86 3.3.X, a separate
- TrueType font server is needed.
+ &truetype; font server is needed.
Xfstt is commonly used for
this purpose. To install Xfstt,
simply install the port
x11-servers/Xfstt.
- Now make a directory for the TrueType fonts (for example,
+ Now make a directory for the &truetype; fonts (for example,
/usr/X11R6/lib/X11/fonts/TrueType)
- and copy all of the TrueType fonts into this directory. Keep in
- mind that TrueType fonts cannot be directly taken from a
- Macintosh; they must be in Unix/DOS/Windows format for use by
+ and copy all of the &truetype; fonts into this directory. Keep in
+ mind that &truetype; fonts cannot be directly taken from a
+ &macintosh;; they must be in &unix;/DOS/&windows; format for use by
XFree86. Once the files have been
copied into this directory, use
ttmkfdir to create a
fonts.dir file, so that the X font renderer
knows that these new files have been installed.
ttmkfdir is available from the FreeBSD
Ports Collection as
x11-fonts/ttmkfdir.&prompt.root; cd /usr/X11R6/lib/X11/fonts/TrueType
&prompt.root; ttmkfdir > fonts.dir
- Now add the TrueType directory to the font
+ Now add the &truetype; directory to the font
path. This is just the same as described above for Type1 fonts, that is, use&prompt.user; xset fp+ /usr/X11R6/lib/X11/fonts/TrueType
&prompt.user; xset fp rehashor add a line to the
XF86Config file.
- That's it. Now Netscape,
+ That's it. Now &netscape;,
Gimp,
- StarOffice, and all of the other X
- applications should now recognize the installed TrueType
+ &staroffice;, and all of the other X
+ applications should now recognize the installed &truetype;
fonts. Extremely small fonts (as with text in a high resolution
display on a web page) and extremely large fonts (within
StarOffice) will look much better
now.Joe MarcusClarkeUpdated for XFree86 4.3 by Anti-Aliased Fontsanti-aliased fontsfontsanti-aliasedAnti-aliasing has been available in
XFree86 since 4.0.2. However, font
configuration was cumbersome before the introduction of
XFree86 4.3.0. Starting in version 4.3.0,
all fonts in /usr/X11R6/lib/X11/fonts/ and
~/.fonts/ are automatically
made available for anti-aliasing to Xft-aware applications. Not
all applications are Xft-aware yet, but many have received Xft support.
Examples of Xft-aware applications include Qt 2.3 and higher (the
toolkit for the KDE desktop),
Gtk+ 2.0 and higher (the toolkit for the
GNOME desktop), and
Mozilla 1.2 and higher.
In order to control which fonts are anti-aliased, or to
configure anti-aliasing properties, create (or edit, if it
already exists) the file
/usr/X11R6/etc/fonts/local.conf. Several
advanced features of the Xft font system can be tuned using
this file; this section describes only some simple
possibilities. For more details, please see
&man.fonts-conf.5;.XMLThis file must be in XML format. Pay careful attention to
case, and make sure all tags are properly closed. The file
begins with the usual XML header followed by a DOCTYPE
definition, and then the <fontconfig> tag:
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
As previously stated, all fonts in
/usr/X11R6/lib/X11/fonts/ as well as
~/.fonts/ are already made available to
Xft-aware applications. If you wish to add another directory
outside of these two directory trees, add a line similar to the
following to
/usr/X11R6/etc/fonts/local.conf:<dir>/path/to/my/fonts</dir>After adding new fonts, and especially new font directories,
you should run the following command to rebuild the font
caches:&prompt.root; fc-cache -fAnti-aliasing makes borders slightly fuzzy, which makes very
small text more readable and removes staircases from
large text, but can cause eyestrain if applied to normal text. To
exclude point sizes smaller than 14 point from anti-aliasing, include
these lines: <match target="font">
<test name="size" compare="less">
<double>14</double>
</test>
<edit name="antialias" mode="assign">
<bool>false</bool>
</edit>
</match>fontsspacingSpacing for some monospaced fonts may also be inappropriate
with anti-aliasing. This seems to be an issue with
KDE, in particular. One possible fix for
this is to force the spacing for such fonts to be 100. Add the
following lines: <match target="pattern" name="family">
<test qual="any" name="family">
<string>fixed</string>
</test>
<edit name="family" mode="assign">
<string>mono</string>
</edit>
</match>
<match target="pattern" name="family">
<test qual="any" name="family">
<string>console</string>
</test>
<edit name="family" mode="assign">
<string>mono</string>
</edit>
</match>(this aliases the other common names for fixed fonts as
"mono"), and then add: <match target="pattern" name="family">
<test qual="any" name="family">
<string>mono</string>
</test>
<edit name="spacing" mode="assign">
<int>100</int>
</edit>
</match> Certain fonts, such as Helvetica, may have a problem when
anti-aliased. Usually this manifests itself as a font that
seems cut in half vertically. At worst, it may cause
applications such as Mozilla to
crash. To avoid this, consider adding the following to
local.conf: <match target="pattern" name="family">
<test qual="any" name="family">
<string>Helvetica</string>
</test>
<edit name="family" mode="assign">
<string>sans-serif</string>
</edit>
</match> Once you have finished editing
local.conf make sure you end the file
with the </fontconfig> tag. Not doing this will cause
your changes to be ignored.The default font set that comes with
XFree86 is not very
desirable when it comes to anti-aliasing. A much better
set of default fonts can be found in the
x11-fonts/bitstream-vera
port. This port will install a
/usr/X11R6/etc/fonts/local.conf file
if one does not exist already. If the file does exist,
the port will create a /usr/X11R6/etc/fonts/local.conf-vera
file. Merge the contents of this file into
/usr/X11R6/etc/fonts/local.conf, and the
Bitstream fonts will automatically replace the default
XFree86 Serif, Sans Serif, and Monospaced
fonts.Finally, users can add their own settings via their personal
.fonts.conf files. To do this, each user should
simply create a ~/.fonts.conf. This file must
also be in XML format.LCD screenFontsLCD screenOne last point: with an LCD screen, sub-pixel sampling may be
desired. This basically treats the (horizontally separated)
red, green and blue components separately to improve the horizontal
resolution; the results can be dramatic. To enable this, add the
line somewhere in the local.conf file:
<match target="font">
<test qual="all" name="rgba">
<const>unknown</const>
</test>
<edit name="rgba" mode="assign">
<const>rgb</const>
</edit>
</match>
Depending on the sort of display,
rgb may need to be changed to bgr,
vrgb or vbgr: experiment and
see which works best.Mozillaweb browsersMozillaMozillaAnti-aliasing should be enabled the next time the X
server is started. However, programs must know how to take
advantage of it. At present, the Qt toolkit does,
so the entire KDE environment can
use anti-aliased fonts (see on
KDE for details). Gtk+ and
GNOME can also be made to use
anti-aliasing via the Font capplet (see for details). By default,
Mozilla 1.2 and greater will
automatically use anti-aliasing. To disable this, rebuild
Mozilla with the
-DWITHOUT_XFT flag.SethKingsleyContributed by The X Display ManagerOverviewX Display ManagerThe X Display Manager (XDM) is
an optional part of the X Window System that is used for login
session management. This is useful for several types of
situations, including minimal X Terminals,
desktops, and large network display
servers. Since the X Window System is network and protocol
independent, there are a wide variety of possible configurations
for running X clients and servers on different machines
connected by a network. XDM provides
a graphical interface for choosing which display server to
connect to, and entering authorization information such as a
login and password combination.Think of XDM as
providing the same functionality to the user as the
&man.getty.8; utility (see for
details). That is, it performs system logins to the display
being connected to and then runs a session manager on behalf of
the user (usually an X window
manager). XDM then waits for this
program to exit, signaling that the user is done and should be
logged out of the display. At this point,
XDM can display the login and display
chooser screens for the next user to login.Using XDMThe XDM daemon program is
located in /usr/X11R6/bin/xdm. This program
can be run at any time as root and it will
start managing the X display on the local machine. If
XDM is to be run every
time the machine boots up, a convenient way to do this is by
adding an entry to /etc/ttys. For more
information about the format and usage of this file, see . There is a line in the default
/etc/ttys file for running the
XDM daemon on a virtual terminal:ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secureBy default this entry is disabled; in order to enable it
change field 5 from off to
on and restart &man.init.8; using the
directions in . The first field, the
name of the terminal this program will manage, is
ttyv8. This means that
XDM will start running on the 9th
virtual terminal.Configuring XDMThe XDM configuration directory
is located in /usr/X11R6/lib/X11/xdm. In
this directory there are several files used to change the
behavior and appearance of
XDM. Typically these files will
be found:FileDescriptionXaccessClient authorization ruleset.XresourcesDefault X resource values.XserversList of remote and local displays to manage.XsessionDefault session script for logins.Xsetup_*Script to launch applications before the login
interface.xdm-configGlobal configuration for all displays running on
this machine.xdm-errorsErrors generated by the server program.xdm-pidThe process ID of the currently running XDM.Also in this directory are a few scripts and programs used
to setup the desktop when XDM is
running. The purpose of each of these files will be briefly
described. The exact syntax and usage of all of these files is
described in &man.xdm.1;.The default configuration is a simple rectangular login
window with the hostname of the machine displayed at the top in
a large font and Login: and
Password: prompts below. This is a good starting
point for changing the look and feel of
XDM screens.XaccessThe protocol for connecting to
XDM controlled displays is called
the X Display Manager Connection Protocol (XDMCP). This file
is a ruleset for controlling XDMCP connections from remote
machines. By default, it allows any client to connect, but
that does not matter unless the xdm-config
is changed to listen for remote connections.XresourcesThis is an application-defaults file for the display
chooser and the login screens. This is where the appearance
of the login program can be modified. The format is identical
to the app-defaults file described in the
XFree86 documentation.XserversThis is a list of the remote displays the chooser should
provide as choices.XsessionThis is the default session script for
XDM to run after a user has logged
in. Normally each user will have a customized session script
in ~/.xsession that overrides this
script.Xsetup_*These will be run automatically before displaying the
chooser or login interfaces. There is a script for each
display being used, named Xsetup_ followed
by the local display number (for instance
Xsetup_0). Typically these scripts will
run one or two programs in the background such as
xconsole.xdm-configThis contains settings in the form of app-defaults
that are applicable to every display that this installation
manages.xdm-errorsThis contains the output of the X servers that
XDM is trying to run. If a display
that XDM is trying to start hangs
for some reason, this is a good place to look for error
messages. These messages are also written to the user's
~/.xsession-errors file on a per-session
basis.Running a Network Display ServerIn order for other clients to connect to the display
server, edit the access control rules, and enable the connection
listener. By default these are set to conservative values.
To make XDM listen for connections,
first comment out a line in the xdm-config
file:! SECURITY: do not listen for XDMCP or Chooser requests
! Comment out this line if you want to manage X terminals with xdm
DisplayManager.requestPort: 0and then restart XDM. Remember that
comments in app-defaults files begin with a !
character, not the usual #. More strict
access controls may be desired. Look at the example
entries in Xaccess, and refer to the
&man.xdm.1; manual page.Replacements for XDMSeveral replacements for the default
XDM program exist. One of them,
KDM (bundled with
KDE) is described later in this
chapter. KDM offers many visual
improvements and cosmetic frills, as well as the
functionality to allow users to choose their window manager
of choice at login time.ValentinoVaschettoContributed by Desktop EnvironmentsThis section describes the different desktop environments
available for X on FreeBSD. A desktop environment
can mean anything ranging from a simple window manager to a
complete suite of desktop applications, such as
KDE or GNOME.
GNOMEAbout GNOMEGNOMEGNOME is a user-friendly
desktop environment that enables users to easily use and
configure their computers. GNOME
includes a panel (for starting applications and displaying
status), a desktop (where data and applications can be
placed), a set of standard desktop tools and applications, and
a set of conventions that make it easy for applications to
cooperate and be consistent with each other. Users of other
operating systems or environments should feel right at home
using the powerful graphics-driven environment that
GNOME provides. More
information regarding GNOME on
FreeBSD can be found on the FreeBSD GNOME
Project's web site.Installing GNOMEThe easiest way to install
GNOME is through the
Desktop Configuration menu during the FreeBSD
installation process as described in of Chapter 2. It can also
be easily installed from a package or the ports
collection:To install the GNOME package
from the network, simply type:&prompt.root; pkg_add -r gnome2To build GNOME from source, use
the ports tree:&prompt.root; cd /usr/ports/x11/gnome2
&prompt.root; make install cleanOnce GNOME is installed,
the X server must be told to start
GNOME instead of a default window
manager. If a custom .xinitrc is already in
place, simply replace the line that starts the current window
manager with one that starts
/usr/X11R6/bin/gnome-session instead.
If nothing special has been done to configuration file,
then it is enough to simply type:&prompt.user; echo "/usr/X11R6/bin/gnome-session" > ~/.xinitrcNext, type startx, and the
GNOME desktop environment will be
started.If a display manager, like
XDM, is being used, this will not work.
Instead, create an executable .xsession
file with the same command in it. To do this, edit the file
and replace the existing window manager command with
/usr/X11R6/bin/gnome-session:
&prompt.user; echo "#!/bin/sh" > ~/.xsession
&prompt.user; echo "/usr/X11R6/bin/gnome-session" >> ~/.xsession
&prompt.user; chmod +x ~/.xsessionAnother option is to configure the display manager to
allow choosing the window manager at login time; the section on
KDE details
explains how to do this for kdm, the
display manager of KDE.Anti-aliased Fonts with GNOMEGNOMEanti-aliased fontsStarting with version 4.0.2, XFree86
supports anti-aliasing via its RENDER extension.
Gtk+ 2.0 and greater (the toolkit used by
GNOME) can make use of this
functionality. Configuring anti-aliasing is described in
. So, with up-to-date software,
anti-aliasing is possible within the
GNOME desktop. Just go to
ApplicationsDesktop PreferencesFont, and select either
Best shapes,
Best contrast, or
Subpixel smoothing (LCDs). For a
Gtk+ application that is not part of the
GNOME desktop, set the
environment variable GDK_USE_XFT to
1 before launching the program.KDEKDEAbout KDEKDE is an easy to use
contemporary desktop environment. Some of the things that
KDE brings to the user are:A beautiful contemporary desktopA desktop exhibiting complete network transparencyAn integrated help system allowing for convenient,
consistent access to help on the use of the
KDE desktop and its
applicationsConsistent look and feel of all
KDE applicationsStandardized menu and toolbars, keybindings, color-schemes,
etc.Internationalization: KDE
is available in more than 40 languagesCentralized consisted dialog driven desktop
configurationA great number of useful
KDE applicationsKDE has an office application
suite based on KDE's
KParts technology consisting
of a spread-sheet, a presentation application, an organizer, a
news client and more. KDE also
comes with a web browser called
Konqueror, which represents
- a solid competitor to other existing web browsers on Unix
+ a solid competitor to other existing web browsers on &unix;
systems. More information on KDE
can be found on the KDE
website. For FreeBSD specific informations and
resources on KDE, consult
the FreeBSD-KDE
team's website.Installing KDEJust as with GNOME or any
other desktop environment, the easiest way to install
KDE is through the Desktop
Configuration menu during the FreeBSD installation
process as described in of Chapter
2. Once again, the software can be easily installed from a package
or from the ports collection:To install the KDE package
from the network, simply type:&prompt.root; pkg_add -r kde&man.pkg.add.1; will automatically fetch the latest version
of the application.To build KDE from source,
use the ports tree:&prompt.root; cd /usr/ports/x11/kde3
&prompt.root; make install cleanAfter KDE has been installed,
the X server must be told to launch this application
instead of the default window manager. This is accomplished
by editing the .xinitrc file:&prompt.user; echo "exec startkde" > ~/.xinitrcNow, whenever the X Window System is invoked with
startx,
KDE will be the desktop.If a display manager such as
xdm is being used, the
configuration is slightly different. Edit the
.xsession file instead. Instructions
for kdm are described later in
this chapter.More Details on KDENow that KDE is installed on
the system, most things can be discovered through the
help pages, or just by pointing and clicking at various menus.
- Windows or Mac users will feel quite at home.
+ &windows; or &mac; users will feel quite at home.
The best reference for KDE is
the on-line documentation. KDE
comes with its own web browser,
Konqueror, dozens of useful
applications, and extensive documentation. The remainder of
this section discusses the technical items that are
difficult to learn by random exploration.The KDE Display ManagerKDEdisplay managerAn administrator of a multi-user system may wish to have
a graphical login screen to welcome users.
xdm can be
used, as described earlier. However,
KDE includes an
alternative, kdm, which is designed
to look more attractive and include more login-time options.
In particular, users can easily choose (via a menu) which
desktop environment (KDE,
GNOME, or something else) to run
after logging on.To begin with, run the KDE
control panel, kcontrol, as
root. It is generally considered
unsafe to run the entire X environment as
root. Instead, run the window manager
as a normal user, open a terminal window (such as
xterm or KDE's
konsole), become root
with su (the user must be in the
wheel
group in /etc/group for this), and then
type kcontrol.Click on the icon on the left marked
System, then on Login
manager. On the right there are
various configurable options, which the
KDE manual will explain in greater
detail. Click on sessions on the right.
Click New type to add various window
managers and desktop environments. These are just labels,
so they can say KDE and
GNOME rather than
startkde or
gnome-session.
Include a label failsafe.Play with the other menus as well, they are mainly
cosmetic and self-explanatory. When you are done, click on
Apply at the bottom, and quit the
control center.To make sure kdm understands
what the labels (KDE,
GNOME etc) mean, edit the files used
by xdm.
In KDE 2.2 this has
changed: kdm now uses its own
configuration files. Please see the KDE
2.2 documentation for details.
In a terminal window, as root,
edit the file
/usr/X11R6/lib/X11/xdm/Xsession. There is
a section in the middle like this:case $# in
1)
case $1 in
failsafe)
exec xterm -geometry 80x24-0-0
;;
esac
esacA few lines need to be added to this section.
Assuming the labels from used were KDE and
GNOME,
use the following:case $# in
1)
case $1 in
kde)
exec /usr/local/bin/startkde
;;
GNOME)
exec /usr/X11R6/bin/gnome-session
;;
failsafe)
exec xterm -geometry 80x24-0-0
;;
esac
esacFor the KDE
login-time desktop background to be honored,
the following line needs to be added to
/usr/X11R6/lib/X11/xdm/Xsetup_0:/usr/local/bin/kdmdesktopNow, make sure kdm is listed in
/etc/ttys to be started at the next bootup.
To do this, simply follow the instructions from the previous
section on xdm and replace
references to the /usr/X11R6/bin/xdm
program with /usr/local/bin/kdm.Anti-aliased FontsKDEanti-aliased fontsStarting with version 4.0.2,
XFree86 supports anti-aliasing via
its RENDER extension, and starting with version 2.3,
Qt (the toolkit used by KDE) supports
this extension. Configuring this is described in on antialiasing X11 fonts. So, with
up-to-date software, anti-aliasing is possible on a
KDE desktop. Just go to the KDE
menu, go to
PreferencesLook and FeelFonts, and click on the check box
Use Anti-Aliasing for Fonts and Icons.
For a Qt application which is not part of
KDE, the environment variable
QT_XFT needs to be set to true
before starting the program.XFceAbout XFceXFce is a desktop environment
based on the GTK
toolkit used by GNOME, but is much
more lightweight and meant for those who want a simple,
efficient desktop which is nevertheless easy to use and
configure. Visually, it looks very much like
- CDE, found on commercial Unix
+ CDE, found on commercial &unix;
systems. Some of XFce's features
are:A simple, easy-to-handle desktopFully configurable via mouse, with drag and
drop, etc Main panel similar to CDE, with
menus, applets and app launchersIntegrated window manager, file manager, sound manager,
GNOME compliance module, and other
thingsThemeable (since it uses GTK)Fast, light and efficient: ideal for older/slower machines
or machines with memory limitationsMore information on XFce
can be found on the XFce
website.Installing XFceA binary package for XFce
exists (at the time of writing). To install, simply type:&prompt.root; pkg_add -r xfceAlternatively, to build from source, use the ports
collection:&prompt.root; cd /usr/ports/x11-wm/xfce
&prompt.root; make install cleanNow, tell the X server to launch
XFce the next time X is started.
Simply type this:&prompt.user; echo "/usr/X11R6/bin/startxfce" > ~/.xinitrcThe next time X is started,
XFce will be the desktop.
As before, if a display manager like
xdm is being used, create an
.xsession, as described in the
section on GNOME, but
with the /usr/X11R6/bin/startxfce
command; or, configure the display manager to allow
choosing a desktop at login time, as explained in
the section on kdm.
diff --git a/share/sgml/trademarks.ent b/share/sgml/trademarks.ent
index faa130408e..af8b4c7ea9 100644
--- a/share/sgml/trademarks.ent
+++ b/share/sgml/trademarks.ent
@@ -1,213 +1,244 @@
3Com and HomeConnect are registered
trademarks of 3Com Corporation.">
3Com">
+3ware and Escalade are registered
+ trademarks of 3ware Inc.">
+3ware">
+Escalade">
+
Adobe, Acrobat, Acrobat Reader, and
PostScript are either registered trademarks or trademarks of Adobe
Systems Incorporated in the United States and/or other
countries.">
Acrobat">
Acrobat Reader">
PostScript">
-Apple, FireWire, Macintosh, Mac OS,
+
+Adaptec is registered trademark of
+ Adaptec, Inc.">
+Adaptec">
+
+Apple, FireWire, Mac, Macintosh, Mac OS,
Quicktime, and TrueType are trademarks of Apple Computer, Inc.,
registered in the United States and other countries.">
FireWire">
+Mac">
Macintosh">
Mac OS">
TrueType">
Check Point, Firewall-1, and
VPN-1 are trademarks of Check Point Software Technologies
Ltd..">
Corel and WordPerfect are trademarks
or registered trademarks of Corel Corporation and/or its
subsidiaries in Canada, the United States and/or other
countries.">
Sound Blaster is a trademark of
Creative Technology Ltd. in the United States and/or other
countries.">
SoundBlaster">
+
+Dell, Dell Precision, Latitude,
+ Optiplex, PowerEdge are trademarks or registered trademarks of Dell
+ Computer Corporation">
+
FreeBSD is a registered trademark of
Wind River Systems, Inc. This is expected to change soon.">
IBM, AIX, OS/2, PowerPC, and S/390 are
trademarks of International Business Machines Corporation in the
United States, other countries, or both.">
AIX">
OS/2">
PowerPC">
S/390">
IEEE, POSIX, and 802 are registered
trademarks of Institute of Electrical and Electronics Engineers,
Inc. in the United States.">
POSIX">
Intel, Celeron, EtherExpress, i386,
i486, Itanium, Pentium, and Xeon are trademarks or registered
trademarks of Intel Corporation or its subsidiaries in the United
States and other countries.">
Celeron">
EtherExpress">
i386">
i486">
Intel">
Itanium">
Pentium">
Xeon">
Intuit and Quicken are registered
trademarks and/or registered service marks of Intuit Inc., or one of
its subsidiaries, in the United States and other countries.">
Iomega, Zip, and Jaz are either
registered trademarks or trademarks of Iomega Corporation in the
United States and/or other countries.">
Zip">
Jaz">
Linux is a registered trademarks of
Linus Torvalds in the United States.">
+
+LSI Logic, AcceleRAID, eXtremeRAID,
+ MegaRAID and Mylex are trademarks or registered trademarks of LSI
+ Logic Corp.">
+MegaRAID">
+Mylex">
+
Macromedia and Flash are
trademarks or registered trademarks of Macromedia, Inc. in the
United States and/or other countries.">
Microsoft, FrontPage, MS-DOS,
Outlook, Windows, Windows Media, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.">
Microsoft">
MS-DOS">
Outlook">
Windows">
Windows NT">
MIPS and R4000 are registered
trademarks of MIPS Technologies, Inc. in the United States and other
countries.">
MIPS">
+
+M-Systems and, DiskOnChip are
+ trademarks or registered trademarks of M-Systems Flash Disk
+ Pioneers, Ltd.">
+DiskOnChip">
+
Netscape and the Netscape Navigator
are registered trademarks of Netscape Communications Corporation in
the U.S. and other countries.">
Netscape">
Netscape Navigator">
NetWare, NetWare Loadable Module, and
NLM are either registered trademarks or trademarks of Novell,
Inc. in the United States and other countries.">
Motif, OSF/1, and UNIX are
registered trademarks and IT DialTone and The Open Group are
trademarks of The Open Group in the United States and other
countries.">
UNIX">
Motif">
Oracle is a registered trademark is a
of Oracle Corporation.">
Oracle">
PowerQuest and PartitionMagic are
registered trademarks of PowerQuest Corporation in the United States
and/or other countries.">
PartitionMagic">
RealNetworks, RealPlayer, and
RealAudio are the registered trademarks of RealNetworks,
Inc.">
Red Hat, RPM, are trademarks or
registered trademarks of Red Hat, Inc. in the United States and
other countries.">
SAP, R/3, and mySAP are trademarks or
registered trademarks of SAP AG in Germany and in several other
countries all over the world.">
+SAP
+ R/3">
Silicon Graphics, SGI, and OpenGL are
registered trademarks of Silicon Graphics, Inc., in the United
States and/or other countries worldwide.">
OpenGL">
Sparc, Sparc64, SPARCEngine, and
UltraSPARC are trademarks of SPARC International, Inc in the United
States and other countries. Products bearing SPARC trademarks are
based upon architecture developed by Sun Microsystems, Inc.">
Sparc">
Sparc64">
UltraSPARC">
Sun, Sun Microsystems, StarOffice,
SunOS, Solaris, and Java are trademarks or registered trademarks of
Sun Microsystems, Inc. in the United States and other
countries.">
Java">
Java Virtual Machine">
JDK">
JVM">
StarOffice">
Solaris">
SunOS">
Symantec and Ghost are registered
trademarks of Symantec Corporation in the United States and other
countries.">
MATLAB is a registered trademark
of The MathWorks, Inc.">
MATLAB">
QUALCOMM and Eudora are registered
trademarks of QUALCOMM Incorporated.">
Eudora">
Waterloo Maple and Maple are
trademarks or registered trademarks of Waterloo Maple Inc.">
Mathematica is a registered
trademark of Wolfram Research, Inc.">
Many of the designations used by
manufacturers and sellers to distinguish their products are claimed
as trademarks. Where those designations appear in this document,
and the FreeBSD Project was aware of the trademark claim, the
designations have been followed by the ™ or the
® symbol.">