Page MenuHomeFreeBSD
Differential D12756 Diff 34380 head/zh_TW.UTF-8/books/handbook/book.xml

Changeset View

Standalone View

View Options

head/zh_TW.UTF-8/books/handbook/book.xml

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show All 16 Lines
--><!ENTITY chap.preface SYSTEM "preface/preface.xml"> --><!ENTITY chap.preface SYSTEM "preface/preface.xml">
<!ENTITY % pgpkeys SYSTEM "../../../share/pgpkeys/pgpkeys.ent"> <!ENTITY % pgpkeys SYSTEM "../../../share/pgpkeys/pgpkeys.ent">
<!-- $FreeBSD$ --><!-- PGP keyblocks --><!ENTITY pgpkey.aaron SYSTEM "aaron.key"> <!-- $FreeBSD$ --><!-- PGP keyblocks --><!ENTITY pgpkey.aaron SYSTEM "aaron.key">
<!ENTITY pgpkey.ache SYSTEM "ache.key"> <!ENTITY pgpkey.ache SYSTEM "ache.key">
<!ENTITY pgpkey.achim SYSTEM "achim.key"> <!ENTITY pgpkey.achim SYSTEM "achim.key">
<!ENTITY pgpkey.acm SYSTEM "acm.key"> <!ENTITY pgpkey.acm SYSTEM "acm.key">
<!ENTITY pgpkey.adamw SYSTEM "adamw.key"> <!ENTITY pgpkey.adamw SYSTEM "adamw.key">
<!ENTITY pgpkey.adrian SYSTEM "adrian.key"> <!ENTITY pgpkey.adrian SYSTEM "adrian.key">
<!ENTITY pgpkey.adridg SYSTEM "adridg.key">
<!ENTITY pgpkey.ae SYSTEM "ae.key"> <!ENTITY pgpkey.ae SYSTEM "ae.key">
<!ENTITY pgpkey.ahze SYSTEM "ahze.key"> <!ENTITY pgpkey.ahze SYSTEM "ahze.key">
<!ENTITY pgpkey.ak SYSTEM "ak.key"> <!ENTITY pgpkey.ak SYSTEM "ak.key">
<!ENTITY pgpkey.alc SYSTEM "alc.key"> <!ENTITY pgpkey.alc SYSTEM "alc.key">
<!ENTITY pgpkey.ale SYSTEM "ale.key"> <!ENTITY pgpkey.ale SYSTEM "ale.key">
<!ENTITY pgpkey.alepulver SYSTEM "alepulver.key"> <!ENTITY pgpkey.alepulver SYSTEM "alepulver.key">
<!ENTITY pgpkey.alex SYSTEM "alex.key"> <!ENTITY pgpkey.alex SYSTEM "alex.key">
<!ENTITY pgpkey.alexbl SYSTEM "alexbl.key"> <!ENTITY pgpkey.alexbl SYSTEM "alexbl.key">
Show All 34 Lines
<!ENTITY pgpkey.beat SYSTEM "beat.key"> <!ENTITY pgpkey.beat SYSTEM "beat.key">
<!ENTITY pgpkey.beech SYSTEM "beech.key"> <!ENTITY pgpkey.beech SYSTEM "beech.key">
<!ENTITY pgpkey.ben SYSTEM "ben.key"> <!ENTITY pgpkey.ben SYSTEM "ben.key">
<!ENTITY pgpkey.benjsc SYSTEM "benjsc.key"> <!ENTITY pgpkey.benjsc SYSTEM "benjsc.key">
<!ENTITY pgpkey.benno SYSTEM "benno.key"> <!ENTITY pgpkey.benno SYSTEM "benno.key">
<!ENTITY pgpkey.bf SYSTEM "bf.key"> <!ENTITY pgpkey.bf SYSTEM "bf.key">
<!ENTITY pgpkey.bhaga SYSTEM "bhaga.key"> <!ENTITY pgpkey.bhaga SYSTEM "bhaga.key">
<!ENTITY pgpkey.bhd SYSTEM "bhd.key"> <!ENTITY pgpkey.bhd SYSTEM "bhd.key">
<!ENTITY pgpkey.bhughes SYSTEM "bhughes.key">
<!ENTITY pgpkey.billf SYSTEM "billf.key"> <!ENTITY pgpkey.billf SYSTEM "billf.key">
<!ENTITY pgpkey.bjk SYSTEM "bjk.key"> <!ENTITY pgpkey.bjk SYSTEM "bjk.key">
<!ENTITY pgpkey.bk SYSTEM "bk.key"> <!ENTITY pgpkey.bk SYSTEM "bk.key">
<!ENTITY pgpkey.blackend SYSTEM "blackend.key"> <!ENTITY pgpkey.blackend SYSTEM "blackend.key">
<!ENTITY pgpkey.bland SYSTEM "bland.key"> <!ENTITY pgpkey.bland SYSTEM "bland.key">
<!ENTITY pgpkey.bmah SYSTEM "bmah.key"> <!ENTITY pgpkey.bmah SYSTEM "bmah.key">
<!ENTITY pgpkey.bms SYSTEM "bms.key"> <!ENTITY pgpkey.bms SYSTEM "bms.key">
<!ENTITY pgpkey.bofh SYSTEM "bofh.key"> <!ENTITY pgpkey.bofh SYSTEM "bofh.key">
Show All 13 Lines
<!ENTITY pgpkey.bushman SYSTEM "bushman.key"> <!ENTITY pgpkey.bushman SYSTEM "bushman.key">
<!ENTITY pgpkey.bvs SYSTEM "bvs.key"> <!ENTITY pgpkey.bvs SYSTEM "bvs.key">
<!ENTITY pgpkey.bz SYSTEM "bz.key"> <!ENTITY pgpkey.bz SYSTEM "bz.key">
<!ENTITY pgpkey.carl SYSTEM "carl.key"> <!ENTITY pgpkey.carl SYSTEM "carl.key">
<!ENTITY pgpkey.cel SYSTEM "cel.key"> <!ENTITY pgpkey.cel SYSTEM "cel.key">
<!ENTITY pgpkey.ceri SYSTEM "ceri.key"> <!ENTITY pgpkey.ceri SYSTEM "ceri.key">
<!ENTITY pgpkey.cherry SYSTEM "cherry.key"> <!ENTITY pgpkey.cherry SYSTEM "cherry.key">
<!ENTITY pgpkey.chinsan SYSTEM "chinsan.key"> <!ENTITY pgpkey.chinsan SYSTEM "chinsan.key">
<!ENTITY pgpkey.chuck SYSTEM "chuck.key">
<!ENTITY pgpkey.cjc SYSTEM "cjc.key"> <!ENTITY pgpkey.cjc SYSTEM "cjc.key">
<!ENTITY pgpkey.cjh SYSTEM "cjh.key"> <!ENTITY pgpkey.cjh SYSTEM "cjh.key">
<!ENTITY pgpkey.clement SYSTEM "clement.key"> <!ENTITY pgpkey.clement SYSTEM "clement.key">
<!ENTITY pgpkey.clive SYSTEM "clive.key"> <!ENTITY pgpkey.clive SYSTEM "clive.key">
<!ENTITY pgpkey.clsung SYSTEM "clsung.key"> <!ENTITY pgpkey.clsung SYSTEM "clsung.key">
<!ENTITY pgpkey.cmt SYSTEM "cmt.key"> <!ENTITY pgpkey.cmt SYSTEM "cmt.key">
<!ENTITY pgpkey.cokane SYSTEM "cokane.key"> <!ENTITY pgpkey.cokane SYSTEM "cokane.key">
<!ENTITY pgpkey.core-secretary SYSTEM "core-secretary.key"> <!ENTITY pgpkey.core-secretary SYSTEM "core-secretary.key">
Show All 14 Lines
<!ENTITY pgpkey.dannyboy SYSTEM "dannyboy.key"> <!ENTITY pgpkey.dannyboy SYSTEM "dannyboy.key">
<!ENTITY pgpkey.das SYSTEM "das.key"> <!ENTITY pgpkey.das SYSTEM "das.key">
<!ENTITY pgpkey.davidch SYSTEM "davidch.key"> <!ENTITY pgpkey.davidch SYSTEM "davidch.key">
<!ENTITY pgpkey.davide SYSTEM "davide.key"> <!ENTITY pgpkey.davide SYSTEM "davide.key">
<!ENTITY pgpkey.davidxu SYSTEM "davidxu.key"> <!ENTITY pgpkey.davidxu SYSTEM "davidxu.key">
<!ENTITY pgpkey.db SYSTEM "db.key"> <!ENTITY pgpkey.db SYSTEM "db.key">
<!ENTITY pgpkey.dbaio SYSTEM "dbaio.key"> <!ENTITY pgpkey.dbaio SYSTEM "dbaio.key">
<!ENTITY pgpkey.dbn SYSTEM "dbn.key"> <!ENTITY pgpkey.dbn SYSTEM "dbn.key">
<!ENTITY pgpkey.dch SYSTEM "dch.key">
<!ENTITY pgpkey.dchagin SYSTEM "dchagin.key"> <!ENTITY pgpkey.dchagin SYSTEM "dchagin.key">
<!ENTITY pgpkey.dcs SYSTEM "dcs.key"> <!ENTITY pgpkey.dcs SYSTEM "dcs.key">
<!ENTITY pgpkey.dd SYSTEM "dd.key"> <!ENTITY pgpkey.dd SYSTEM "dd.key">
<!ENTITY pgpkey.deb SYSTEM "deb.key"> <!ENTITY pgpkey.deb SYSTEM "deb.key">
<!ENTITY pgpkey.decke SYSTEM "decke.key"> <!ENTITY pgpkey.decke SYSTEM "decke.key">
<!ENTITY pgpkey.def SYSTEM "def.key"> <!ENTITY pgpkey.def SYSTEM "def.key">
<!ENTITY pgpkey.deischen SYSTEM "deischen.key"> <!ENTITY pgpkey.deischen SYSTEM "deischen.key">
<!ENTITY pgpkey.delphij SYSTEM "delphij.key"> <!ENTITY pgpkey.delphij SYSTEM "delphij.key">
Show All 29 Lines
<!ENTITY pgpkey.fanf SYSTEM "fanf.key"> <!ENTITY pgpkey.fanf SYSTEM "fanf.key">
<!ENTITY pgpkey.farrokhi SYSTEM "farrokhi.key"> <!ENTITY pgpkey.farrokhi SYSTEM "farrokhi.key">
<!ENTITY pgpkey.feld SYSTEM "feld.key"> <!ENTITY pgpkey.feld SYSTEM "feld.key">
<!ENTITY pgpkey.fjoe SYSTEM "fjoe.key"> <!ENTITY pgpkey.fjoe SYSTEM "fjoe.key">
<!ENTITY pgpkey.flo SYSTEM "flo.key"> <!ENTITY pgpkey.flo SYSTEM "flo.key">
<!ENTITY pgpkey.fluffy SYSTEM "fluffy.key"> <!ENTITY pgpkey.fluffy SYSTEM "fluffy.key">
<!ENTITY pgpkey.flz SYSTEM "flz.key"> <!ENTITY pgpkey.flz SYSTEM "flz.key">
<!ENTITY pgpkey.foxfair SYSTEM "foxfair.key"> <!ENTITY pgpkey.foxfair SYSTEM "foxfair.key">
<!ENTITY pgpkey.fsu SYSTEM "fsu.key">
<!ENTITY pgpkey.gabor SYSTEM "gabor.key"> <!ENTITY pgpkey.gabor SYSTEM "gabor.key">
<!ENTITY pgpkey.gad SYSTEM "gad.key"> <!ENTITY pgpkey.gad SYSTEM "gad.key">
<!ENTITY pgpkey.gahr SYSTEM "gahr.key"> <!ENTITY pgpkey.gahr SYSTEM "gahr.key">
<!ENTITY pgpkey.ganbold SYSTEM "ganbold.key"> <!ENTITY pgpkey.ganbold SYSTEM "ganbold.key">
<!ENTITY pgpkey.garga SYSTEM "garga.key"> <!ENTITY pgpkey.garga SYSTEM "garga.key">
<!ENTITY pgpkey.garys SYSTEM "garys.key"> <!ENTITY pgpkey.garys SYSTEM "garys.key">
<!ENTITY pgpkey.gavin SYSTEM "gavin.key"> <!ENTITY pgpkey.gavin SYSTEM "gavin.key">
<!ENTITY pgpkey.gblach SYSTEM "gblach.key"> <!ENTITY pgpkey.gblach SYSTEM "gblach.key">
▲ Show 20 LinesShow All 78 Lines▼ Show 20 Lines
<!ENTITY pgpkey.kaiw SYSTEM "kaiw.key"> <!ENTITY pgpkey.kaiw SYSTEM "kaiw.key">
<!ENTITY pgpkey.kami SYSTEM "kami.key"> <!ENTITY pgpkey.kami SYSTEM "kami.key">
<!ENTITY pgpkey.kan SYSTEM "kan.key"> <!ENTITY pgpkey.kan SYSTEM "kan.key">
<!ENTITY pgpkey.karels SYSTEM "karels.key"> <!ENTITY pgpkey.karels SYSTEM "karels.key">
<!ENTITY pgpkey.kato SYSTEM "kato.key"> <!ENTITY pgpkey.kato SYSTEM "kato.key">
<!ENTITY pgpkey.ken SYSTEM "ken.key"> <!ENTITY pgpkey.ken SYSTEM "ken.key">
<!ENTITY pgpkey.kensmith SYSTEM "kensmith.key"> <!ENTITY pgpkey.kensmith SYSTEM "kensmith.key">
<!ENTITY pgpkey.keramida SYSTEM "keramida.key"> <!ENTITY pgpkey.keramida SYSTEM "keramida.key">
<!ENTITY pgpkey.kevans SYSTEM "kevans.key">
<!ENTITY pgpkey.kevlo SYSTEM "kevlo.key"> <!ENTITY pgpkey.kevlo SYSTEM "kevlo.key">
<!ENTITY pgpkey.keymaster SYSTEM "keymaster.key"> <!ENTITY pgpkey.keymaster SYSTEM "keymaster.key">
<!ENTITY pgpkey.kib SYSTEM "kib.key"> <!ENTITY pgpkey.kib SYSTEM "kib.key">
<!ENTITY pgpkey.kibab SYSTEM "kibab.key">
<!ENTITY pgpkey.kmoore SYSTEM "kmoore.key"> <!ENTITY pgpkey.kmoore SYSTEM "kmoore.key">
<!ENTITY pgpkey.knu SYSTEM "knu.key"> <!ENTITY pgpkey.knu SYSTEM "knu.key">
<!ENTITY pgpkey.koitsu SYSTEM "koitsu.key"> <!ENTITY pgpkey.koitsu SYSTEM "koitsu.key">
<!ENTITY pgpkey.kp SYSTEM "kp.key"> <!ENTITY pgpkey.kp SYSTEM "kp.key">
<!ENTITY pgpkey.krion SYSTEM "krion.key"> <!ENTITY pgpkey.krion SYSTEM "krion.key">
<!ENTITY pgpkey.kris SYSTEM "kris.key"> <!ENTITY pgpkey.kris SYSTEM "kris.key">
<!ENTITY pgpkey.kuriyama SYSTEM "kuriyama.key"> <!ENTITY pgpkey.kuriyama SYSTEM "kuriyama.key">
<!ENTITY pgpkey.kwm SYSTEM "kwm.key"> <!ENTITY pgpkey.kwm SYSTEM "kwm.key">
<!ENTITY pgpkey.landonf SYSTEM "landonf.key"> <!ENTITY pgpkey.landonf SYSTEM "landonf.key">
<!ENTITY pgpkey.laszlof SYSTEM "laszlof.key"> <!ENTITY pgpkey.laszlof SYSTEM "laszlof.key">
<!ENTITY pgpkey.lawrance SYSTEM "lawrance.key"> <!ENTITY pgpkey.lawrance SYSTEM "lawrance.key">
<!ENTITY pgpkey.lbr SYSTEM "lbr.key"> <!ENTITY pgpkey.lbr SYSTEM "lbr.key">
<!ENTITY pgpkey.le SYSTEM "le.key"> <!ENTITY pgpkey.le SYSTEM "le.key">
<!ENTITY pgpkey.leeym SYSTEM "leeym.key"> <!ENTITY pgpkey.leeym SYSTEM "leeym.key">
<!ENTITY pgpkey.ler SYSTEM "ler.key"> <!ENTITY pgpkey.ler SYSTEM "ler.key">
<!ENTITY pgpkey.leres SYSTEM "leres.key">
<!ENTITY pgpkey.lesi SYSTEM "lesi.key"> <!ENTITY pgpkey.lesi SYSTEM "lesi.key">
<!ENTITY pgpkey.lev SYSTEM "lev.key"> <!ENTITY pgpkey.lev SYSTEM "lev.key">
<!ENTITY pgpkey.lidl SYSTEM "lidl.key"> <!ENTITY pgpkey.lidl SYSTEM "lidl.key">
<!ENTITY pgpkey.lifanov SYSTEM "lifanov.key"> <!ENTITY pgpkey.lifanov SYSTEM "lifanov.key">
<!ENTITY pgpkey.linimon SYSTEM "linimon.key"> <!ENTITY pgpkey.linimon SYSTEM "linimon.key">
<!ENTITY pgpkey.lioux SYSTEM "lioux.key"> <!ENTITY pgpkey.lioux SYSTEM "lioux.key">
<!ENTITY pgpkey.lippe SYSTEM "lippe.key"> <!ENTITY pgpkey.lippe SYSTEM "lippe.key">
<!ENTITY pgpkey.lme SYSTEM "lme.key"> <!ENTITY pgpkey.lme SYSTEM "lme.key">
▲ Show 20 LinesShow All 41 Lines▼ Show 20 Lines
<!ENTITY pgpkey.mi SYSTEM "mi.key"> <!ENTITY pgpkey.mi SYSTEM "mi.key">
<!ENTITY pgpkey.mich SYSTEM "mich.key"> <!ENTITY pgpkey.mich SYSTEM "mich.key">
<!ENTITY pgpkey.mikeh SYSTEM "mikeh.key"> <!ENTITY pgpkey.mikeh SYSTEM "mikeh.key">
<!ENTITY pgpkey.milki SYSTEM "milki.key"> <!ENTITY pgpkey.milki SYSTEM "milki.key">
<!ENTITY pgpkey.misha SYSTEM "misha.key"> <!ENTITY pgpkey.misha SYSTEM "misha.key">
<!ENTITY pgpkey.miwi SYSTEM "miwi.key"> <!ENTITY pgpkey.miwi SYSTEM "miwi.key">
<!ENTITY pgpkey.mizhka SYSTEM "mizhka.key"> <!ENTITY pgpkey.mizhka SYSTEM "mizhka.key">
<!ENTITY pgpkey.mjg SYSTEM "mjg.key"> <!ENTITY pgpkey.mjg SYSTEM "mjg.key">
<!ENTITY pgpkey.mjoras SYSTEM "mjoras.key">
<!ENTITY pgpkey.mlaier SYSTEM "mlaier.key"> <!ENTITY pgpkey.mlaier SYSTEM "mlaier.key">
<!ENTITY pgpkey.mm SYSTEM "mm.key"> <!ENTITY pgpkey.mm SYSTEM "mm.key">
<!ENTITY pgpkey.mmel SYSTEM "mmel.key"> <!ENTITY pgpkey.mmel SYSTEM "mmel.key">
<!ENTITY pgpkey.mmokhi SYSTEM "mmokhi.key"> <!ENTITY pgpkey.mmokhi SYSTEM "mmokhi.key">
<!ENTITY pgpkey.mmoll SYSTEM "mmoll.key"> <!ENTITY pgpkey.mmoll SYSTEM "mmoll.key">
<!ENTITY pgpkey.mnag SYSTEM "mnag.key"> <!ENTITY pgpkey.mnag SYSTEM "mnag.key">
<!ENTITY pgpkey.mp SYSTEM "mp.key"> <!ENTITY pgpkey.mp SYSTEM "mp.key">
<!ENTITY pgpkey.mr SYSTEM "mr.key"> <!ENTITY pgpkey.mr SYSTEM "mr.key">
<!ENTITY pgpkey.mtm SYSTEM "mtm.key"> <!ENTITY pgpkey.mtm SYSTEM "mtm.key">
<!ENTITY pgpkey.murray SYSTEM "murray.key"> <!ENTITY pgpkey.murray SYSTEM "murray.key">
<!ENTITY pgpkey.mux SYSTEM "mux.key"> <!ENTITY pgpkey.mux SYSTEM "mux.key">
<!ENTITY pgpkey.mva SYSTEM "mva.key"> <!ENTITY pgpkey.mva SYSTEM "mva.key">
<!ENTITY pgpkey.mw SYSTEM "mw.key">
<!ENTITY pgpkey.mwlucas SYSTEM "mwlucas.key"> <!ENTITY pgpkey.mwlucas SYSTEM "mwlucas.key">
<!ENTITY pgpkey.naddy SYSTEM "naddy.key"> <!ENTITY pgpkey.naddy SYSTEM "naddy.key">
<!ENTITY pgpkey.nate SYSTEM "nate.key"> <!ENTITY pgpkey.nate SYSTEM "nate.key">
<!ENTITY pgpkey.nectar SYSTEM "nectar.key"> <!ENTITY pgpkey.nectar SYSTEM "nectar.key">
<!ENTITY pgpkey.neel SYSTEM "neel.key"> <!ENTITY pgpkey.neel SYSTEM "neel.key">
<!ENTITY pgpkey.nemoliu SYSTEM "nemoliu.key"> <!ENTITY pgpkey.nemoliu SYSTEM "nemoliu.key">
<!ENTITY pgpkey.nemysis SYSTEM "nemysis.key"> <!ENTITY pgpkey.nemysis SYSTEM "nemysis.key">
<!ENTITY pgpkey.netchild SYSTEM "netchild.key"> <!ENTITY pgpkey.netchild SYSTEM "netchild.key">
Show All 33 Lines
<!ENTITY pgpkey.pgollucci SYSTEM "pgollucci.key"> <!ENTITY pgpkey.pgollucci SYSTEM "pgollucci.key">
<!ENTITY pgpkey.phantom SYSTEM "phantom.key"> <!ENTITY pgpkey.phantom SYSTEM "phantom.key">
<!ENTITY pgpkey.phil SYSTEM "phil.key"> <!ENTITY pgpkey.phil SYSTEM "phil.key">
<!ENTITY pgpkey.philip SYSTEM "philip.key"> <!ENTITY pgpkey.philip SYSTEM "philip.key">
<!ENTITY pgpkey.phk SYSTEM "phk.key"> <!ENTITY pgpkey.phk SYSTEM "phk.key">
<!ENTITY pgpkey.pho SYSTEM "pho.key"> <!ENTITY pgpkey.pho SYSTEM "pho.key">
<!ENTITY pgpkey.pi SYSTEM "pi.key"> <!ENTITY pgpkey.pi SYSTEM "pi.key">
<!ENTITY pgpkey.pirzyk SYSTEM "pirzyk.key"> <!ENTITY pgpkey.pirzyk SYSTEM "pirzyk.key">
<!ENTITY pgpkey.pizzamig SYSTEM "pizzamig.key">
<!ENTITY pgpkey.pjd SYSTEM "pjd.key"> <!ENTITY pgpkey.pjd SYSTEM "pjd.key">
<!ENTITY pgpkey.pkelsey SYSTEM "pkelsey.key"> <!ENTITY pgpkey.pkelsey SYSTEM "pkelsey.key">
<!ENTITY pgpkey.plosher SYSTEM "plosher.key"> <!ENTITY pgpkey.plosher SYSTEM "plosher.key">
<!ENTITY pgpkey.pluknet SYSTEM "pluknet.key"> <!ENTITY pgpkey.pluknet SYSTEM "pluknet.key">
<!ENTITY pgpkey.portmgr-secretary SYSTEM "portmgr-secretary.key"> <!ENTITY pgpkey.portmgr-secretary SYSTEM "portmgr-secretary.key">
<!ENTITY pgpkey.pstef SYSTEM "pstef.key"> <!ENTITY pgpkey.pstef SYSTEM "pstef.key">
<!ENTITY pgpkey.qingli SYSTEM "qingli.key"> <!ENTITY pgpkey.qingli SYSTEM "qingli.key">
<!ENTITY pgpkey.rafan SYSTEM "rafan.key"> <!ENTITY pgpkey.rafan SYSTEM "rafan.key">
<!ENTITY pgpkey.rakuco SYSTEM "rakuco.key"> <!ENTITY pgpkey.rakuco SYSTEM "rakuco.key">
<!ENTITY pgpkey.ray SYSTEM "ray.key"> <!ENTITY pgpkey.ray SYSTEM "ray.key">
<!ENTITY pgpkey.rcyu SYSTEM "rcyu.key"> <!ENTITY pgpkey.rcyu SYSTEM "rcyu.key">
<!ENTITY pgpkey.rdivacky SYSTEM "rdivacky.key"> <!ENTITY pgpkey.rdivacky SYSTEM "rdivacky.key">
<!ENTITY pgpkey.rea SYSTEM "rea.key"> <!ENTITY pgpkey.rea SYSTEM "rea.key">
<!ENTITY pgpkey.rees SYSTEM "rees.key"> <!ENTITY pgpkey.rees SYSTEM "rees.key">
<!ENTITY pgpkey.remko SYSTEM "remko.key"> <!ENTITY pgpkey.remko SYSTEM "remko.key">
<!ENTITY pgpkey.rene SYSTEM "rene.key"> <!ENTITY pgpkey.rene SYSTEM "rene.key">
<!ENTITY pgpkey.rezny SYSTEM "rezny.key"> <!ENTITY pgpkey.rezny SYSTEM "rezny.key">
<!ENTITY pgpkey.rgrimes SYSTEM "rgrimes.key"> <!ENTITY pgpkey.rgrimes SYSTEM "rgrimes.key">
<!ENTITY pgpkey.rich SYSTEM "rich.key"> <!ENTITY pgpkey.rich SYSTEM "rich.key">
<!ENTITY pgpkey.riggs SYSTEM "riggs.key"> <!ENTITY pgpkey.riggs SYSTEM "riggs.key">
<!ENTITY pgpkey.rik SYSTEM "rik.key"> <!ENTITY pgpkey.rik SYSTEM "rik.key">
<!ENTITY pgpkey.rink SYSTEM "rink.key"> <!ENTITY pgpkey.rink SYSTEM "rink.key">
<!ENTITY pgpkey.rlibby SYSTEM "rlibby.key">
<!ENTITY pgpkey.rm SYSTEM "rm.key"> <!ENTITY pgpkey.rm SYSTEM "rm.key">
<!ENTITY pgpkey.rmacklem SYSTEM "rmacklem.key"> <!ENTITY pgpkey.rmacklem SYSTEM "rmacklem.key">
<!ENTITY pgpkey.rmh SYSTEM "rmh.key"> <!ENTITY pgpkey.rmh SYSTEM "rmh.key">
<!ENTITY pgpkey.rnoland SYSTEM "rnoland.key"> <!ENTITY pgpkey.rnoland SYSTEM "rnoland.key">
<!ENTITY pgpkey.roam SYSTEM "roam.key"> <!ENTITY pgpkey.roam SYSTEM "roam.key">
<!ENTITY pgpkey.robak SYSTEM "robak.key"> <!ENTITY pgpkey.robak SYSTEM "robak.key">
<!ENTITY pgpkey.roberto SYSTEM "roberto.key"> <!ENTITY pgpkey.roberto SYSTEM "roberto.key">
<!ENTITY pgpkey.rodrigc SYSTEM "rodrigc.key"> <!ENTITY pgpkey.rodrigc SYSTEM "rodrigc.key">
▲ Show 20 LinesShow All 71 Lines▼ Show 20 Lines
<!ENTITY pgpkey.trhodes SYSTEM "trhodes.key"> <!ENTITY pgpkey.trhodes SYSTEM "trhodes.key">
<!ENTITY pgpkey.trociny SYSTEM "trociny.key"> <!ENTITY pgpkey.trociny SYSTEM "trociny.key">
<!ENTITY pgpkey.truckman SYSTEM "truckman.key"> <!ENTITY pgpkey.truckman SYSTEM "truckman.key">
<!ENTITY pgpkey.tsoome SYSTEM "tsoome.key"> <!ENTITY pgpkey.tsoome SYSTEM "tsoome.key">
<!ENTITY pgpkey.tuexen SYSTEM "tuexen.key"> <!ENTITY pgpkey.tuexen SYSTEM "tuexen.key">
<!ENTITY pgpkey.twinterg SYSTEM "twinterg.key"> <!ENTITY pgpkey.twinterg SYSTEM "twinterg.key">
<!ENTITY pgpkey.tz SYSTEM "tz.key"> <!ENTITY pgpkey.tz SYSTEM "tz.key">
<!ENTITY pgpkey.ue SYSTEM "ue.key"> <!ENTITY pgpkey.ue SYSTEM "ue.key">
<!ENTITY pgpkey.ultima SYSTEM "ultima.key">
<!ENTITY pgpkey.ume SYSTEM "ume.key"> <!ENTITY pgpkey.ume SYSTEM "ume.key">
<!ENTITY pgpkey.ups SYSTEM "ups.key"> <!ENTITY pgpkey.ups SYSTEM "ups.key">
<!ENTITY pgpkey.uqs SYSTEM "uqs.key"> <!ENTITY pgpkey.uqs SYSTEM "uqs.key">
<!ENTITY pgpkey.vangyzen SYSTEM "vangyzen.key"> <!ENTITY pgpkey.vangyzen SYSTEM "vangyzen.key">
<!ENTITY pgpkey.vanilla SYSTEM "vanilla.key"> <!ENTITY pgpkey.vanilla SYSTEM "vanilla.key">
<!ENTITY pgpkey.vd SYSTEM "vd.key"> <!ENTITY pgpkey.vd SYSTEM "vd.key">
<!ENTITY pgpkey.versus SYSTEM "versus.key"> <!ENTITY pgpkey.versus SYSTEM "versus.key">
<!ENTITY pgpkey.vg SYSTEM "vg.key"> <!ENTITY pgpkey.vg SYSTEM "vg.key">
Show All 13 Lines
<!ENTITY pgpkey.wma SYSTEM "wma.key"> <!ENTITY pgpkey.wma SYSTEM "wma.key">
<!ENTITY pgpkey.wollman SYSTEM "wollman.key"> <!ENTITY pgpkey.wollman SYSTEM "wollman.key">
<!ENTITY pgpkey.woodsb02 SYSTEM "woodsb02.key"> <!ENTITY pgpkey.woodsb02 SYSTEM "woodsb02.key">
<!ENTITY pgpkey.wosch SYSTEM "wosch.key"> <!ENTITY pgpkey.wosch SYSTEM "wosch.key">
<!ENTITY pgpkey.wulf SYSTEM "wulf.key"> <!ENTITY pgpkey.wulf SYSTEM "wulf.key">
<!ENTITY pgpkey.wxs SYSTEM "wxs.key"> <!ENTITY pgpkey.wxs SYSTEM "wxs.key">
<!ENTITY pgpkey.xmj SYSTEM "xmj.key"> <!ENTITY pgpkey.xmj SYSTEM "xmj.key">
<!ENTITY pgpkey.xride SYSTEM "xride.key"> <!ENTITY pgpkey.xride SYSTEM "xride.key">
<!ENTITY pgpkey.ygy SYSTEM "ygy.key">
<!ENTITY pgpkey.yoichi SYSTEM "yoichi.key"> <!ENTITY pgpkey.yoichi SYSTEM "yoichi.key">
<!ENTITY pgpkey.yongari SYSTEM "yongari.key"> <!ENTITY pgpkey.yongari SYSTEM "yongari.key">
<!ENTITY pgpkey.yzlin SYSTEM "yzlin.key"> <!ENTITY pgpkey.yzlin SYSTEM "yzlin.key">
<!ENTITY pgpkey.zack SYSTEM "zack.key"> <!ENTITY pgpkey.zack SYSTEM "zack.key">
<!ENTITY pgpkey.zbb SYSTEM "zbb.key"> <!ENTITY pgpkey.zbb SYSTEM "zbb.key">
<!ENTITY pgpkey.zeising SYSTEM "zeising.key"> <!ENTITY pgpkey.zeising SYSTEM "zeising.key">
<!ENTITY pgpkey.zi SYSTEM "zi.key"> <!ENTITY pgpkey.zi SYSTEM "zi.key">
<!ENTITY pgpkey.zml SYSTEM "zml.key"> <!ENTITY pgpkey.zml SYSTEM "zml.key">
▲ Show 20 LinesShow All 52 Lines▼ Show 20 Lines<!--
Each entity is named txt.dir.foo, where dir is the directory in Each entity is named txt.dir.foo, where dir is the directory in
which it is stored, and foo is its filename, without the '.txt' which it is stored, and foo is its filename, without the '.txt'
extension. extension.
Entities should be listed in alphabetical order. Entities should be listed in alphabetical order.
$FreeBSD$ $FreeBSD$
-->]> -->]>
<book xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:lang="zh_TW"> <book xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:its="http://www.w3.org/2005/11/its" version="5.0" xml:lang="zh_TW">
<info> <info>
<its:rules xmlns:db="http://docbook.org/ns/docbook" version="1.0">
<its:translateRule translate="no" selector="//db:programlisting[@role='pgpfingerprint']"/>
<its:translateRule translate="no" selector="//db:programlisting[@role='pgpkey']"/>
<its:translateRule translate="no" selector="//db:sect2[starts-with(@xml:id,'pgpkey-')]"/>
</its:rules>
<title>FreeBSD 使用手冊</title> <title>FreeBSD 使用手冊</title>
<author><orgname>FreeBSD 文件計劃</orgname></author> <author><orgname>FreeBSD 文件計劃</orgname></author>
<pubdate xml:lang="en">$FreeBSD$</pubdate> <pubdate its:translate="no">$FreeBSD$</pubdate>
<releaseinfo xml:lang="en">$FreeBSD$</releaseinfo> <releaseinfo its:translate="no">$FreeBSD$</releaseinfo>
<copyright xml:lang="en"> <copyright xml:lang="en">
<year>1995</year> <year>1995</year>
<year>1996</year> <year>1996</year>
<year>1997</year> <year>1997</year>
<year>1998</year> <year>1998</year>
<year>1999</year> <year>1999</year>
<year>2000</year> <year>2000</year>
▲ Show 20 LinesShow All 86 Lines▼ Show 20 Lines <legalnotice xml:id="trademarks" role="trademarks">
<para>VMware 是 VMware, Inc. 的商標。</para> <para>VMware 是 VMware, Inc. 的商標。</para>
<para>Mathematica 是 Wolfram Research, Inc 的註冊商標。</para> <para>Mathematica 是 Wolfram Research, Inc 的註冊商標。</para>
<para>XFree86 是 The XFree86 Project, Inc 的商標。</para> <para>XFree86 是 The XFree86 Project, Inc 的商標。</para>
<para>Ogg Vorbis 以及 Xiph.Org 是 Xiph.Org 的商標。</para> <para>Ogg Vorbis 以及 Xiph.Org 是 Xiph.Org 的商標。</para>
<para>許多製造商和經銷商使用一些稱為商標的圖案或文字設計來區別自己的產品。 本文件中出現的眾多商標,以及 FreeBSD Project 本身廣所人知的商標,後面將以 <quote>™</quote> 或 <quote>®</quote> 符號來標示。</para> <para>許多製造商和經銷商使用一些稱為商標的圖案或文字設計來區別自己的產品。 本文件中出現的眾多商標,以及 FreeBSD Project 本身廣所人知的商標,後面將以 <quote>™</quote> 或 <quote>®</quote> 符號來標示。</para>
</legalnotice> </legalnotice>
<abstract> <abstract>
<para>歡迎使用 FreeBSD! 本使用手冊涵蓋範圍包括了 <emphasis>FreeBSD 11.0-RELEASE</emphasis>, <emphasis>FreeBSD 10.3-RELEASE</emphasis> 以及 <emphasis>FreeBSD 9.3-RELEASE</emphasis> 的安裝與平日操作的說明。 這份使用手冊是很多人的集體創作,而且仍然『持續不斷』的進行中,因此部份章節可能尚未仍未完成,如果您有興趣協助本計畫的話,請寄電子郵件至 <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-doc">FreeBSD 文件專案郵遞論壇</link>。</para> <para>歡迎使用 FreeBSD! 本使用手冊涵蓋範圍包括了 <emphasis>FreeBSD 11.1-RELEASE</emphasis>, <emphasis>FreeBSD 11.0-RELEASE</emphasis> <emphasis>FreeBSD 10.4-RELEASE</emphasis> 的安裝與平日操作的說明。 這份使用手冊是很多人的集體創作,而且仍然『持續不斷』的進行中,因此部份章節可能尚未仍未完成,如果您有興趣協助本計畫的話,請寄電子郵件至 <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-doc">FreeBSD 文件專案郵遞論壇</link>。</para>
<para>在 <link xlink:href="http://www.FreeBSD.org/">FreeBSD 網站</link> 可以找到本文件的最新版本,舊版文件可從 <uri xlink:href="http://docs.FreeBSD.org/doc/">http://docs.FreeBSD.org/doc/</uri> 取得。本文件也提供各種格式與不同壓縮方式的版本可自 <link xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">FreeBSD FTP 伺服器</link> 或是其中一個 <link linkend="mirrors-ftp">鏡像網站</link> 下載。 列印出來的實體書面資料可在 <link xlink:href="http://www.freebsdmall.com/">FreeBSD 商城</link> 購買。 此外,您可在 <link xlink:href="@@URL_RELPREFIX@@/search/index.html">搜尋頁面</link> 中搜尋本文件或其他文件的資料。</para> <para>在 <link xlink:href="https://www.FreeBSD.org/">FreeBSD 網站</link> 可以找到本文件的最新版本,舊版文件可從 <uri xlink:href="https://docs.FreeBSD.org/doc/">https://docs.FreeBSD.org/doc/</uri> 取得。本文件也提供各種格式與不同壓縮方式的版本可自 <link xlink:href="https://download.freebsd.org/ftp/doc/">FreeBSD FTP 伺服器</link> 或是其中一個 <link linkend="mirrors-ftp">鏡像網站</link> 下載。 列印出來的實體書面資料可在 <link xlink:href="http://www.freebsdmall.com/">FreeBSD 商城</link> 購買。 此外,您可在 <link xlink:href="@@URL_RELPREFIX@@/search/index.html">搜尋頁面</link> 中搜尋本文件或其他文件的資料。</para>
</abstract> </abstract>
</info> </info>
<!-- <!--
$FreeBSD$ $FreeBSD$
--> -->
<preface version="5.0" xml:id="book-preface"> <preface version="5.0" xml:id="book-preface">
▲ Show 20 LinesShow All 603 Lines▼ Show 20 Lines <para>當然囉,還有 <quote>FreeBSD</quote> 這名字的由來。</para>
</itemizedlist> </itemizedlist>
</sect1> </sect1>
<sect1 xml:id="nutshell"> <sect1 xml:id="nutshell">
<title>歡迎使用 FreeBSD!</title> <title>歡迎使用 FreeBSD!</title>
<indexterm xml:lang="en"><primary>4.4BSD-Lite</primary></indexterm> <indexterm xml:lang="en"><primary>4.4BSD-Lite</primary></indexterm>
<para>FreeBSD 是一個從 4.4BSD-Lite 衍生出而能在以 Intel (x86 與 <trademark class="registered">Itanium</trademark>), AMD64, Sun <trademark class="registered">UltraSPARC</trademark> 為基礎的電腦上執行的作業系統。同時,移植到其他平台的工作也在進行中。 對於本計劃歷史的介紹,請看 <link linkend="history">FreeBSD 歷史</link>, 對於 FreeBSD 的最新版本介紹,請看 <link xlink:href="@@URL_RELPREFIX@@/releases">最新的發行版</link>。 若打算對於 FreeBSD 計劃有所貢獻的話 (程式碼、硬體、經費), 請看 <link xlink:href="@@URL_RELPREFIX@@/doc/zh_TW.UTF-8/articles/contributing/index.html">如何對 FreeBSD 貢獻</link>。</para> <para>FreeBSD 是一個從 4.4BSD-Lite 衍生出而能在以 Intel (x86 與 <trademark class="registered">Itanium</trademark>), AMD64, <trademark class="registered">ARM</trademark>, Sun <trademark class="registered">UltraSPARC</trademark> 為基礎的電腦上執行的作業系統。同時,移植到其他平台的工作也在進行中。 對於本計劃歷史的介紹,請看 <link linkend="history">FreeBSD 歷史</link>, 對於 FreeBSD 的最新版本介紹,請看 <link xlink:href="@@URL_RELPREFIX@@/releases">最新的發行版</link>。 若打算對於 FreeBSD 計劃有所貢獻的話 (程式碼、硬體、經費), 請看 <link xlink:href="@@URL_RELPREFIX@@/doc/zh_TW.UTF-8/articles/contributing/index.html">如何對 FreeBSD 貢獻</link>。</para>
<sect2 xml:id="os-overview"> <sect2 xml:id="os-overview">
<title>FreeBSD 能做什麼?</title> <title>FreeBSD 能做什麼?</title>
<para>FreeBSD 提供給你許多先進功能。這些功能包括:</para> <para>FreeBSD 提供給你許多先進功能。這些功能包括:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
▲ Show 20 LinesShow All 260 Lines▼ Show 20 Lines<chapter version="5.0" xml:id="introduction">
<listitem> <listitem>
<para><link xlink:href="http://www.netflix.com/">Netflix</link> <indexterm> <para><link xlink:href="http://www.netflix.com/">Netflix</link> <indexterm>
<primary>Netflix</primary> <primary>Netflix</primary>
</indexterm> - Netflix 用來以串流傳送電影到客戶的 OpenConnect 設備是以 FreeBSD 為基礎。 Netflix 也做了大量貢獻到程式碼庫,並致力於維持與主線 FreeBSD 的零修正關係。Netflix 的 OpenConnect 設備負責了北美所有的網路流量 32% 以上。</para> </indexterm> - Netflix 用來以串流傳送電影到客戶的 OpenConnect 設備是以 FreeBSD 為基礎。 Netflix 也做了大量貢獻到程式碼庫,並致力於維持與主線 FreeBSD 的零修正關係。Netflix 的 OpenConnect 設備負責了北美所有的網路流量 32% 以上。</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en"><link xlink:href="http://www.sandvine.com/">Sandvine</link> <para><link xlink:href="http://www.sandvine.com/">Sandvine</link> <indexterm>
<indexterm xml:lang="en">
<primary>Sandvine</primary> <primary>Sandvine</primary>
</indexterm> - Sandvine uses FreeBSD as the basis of their </indexterm> - Sandvine 使用 FreeBSD 作為它的高性能即時網路處理平台的基礎來建立它們的智慧網路策略控制產品。</para>
high performance real-time network processing platforms
that make up their intelligent network policy control
products.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><link xlink:href="http://www.sony.com/">Sony</link> <indexterm> <para><link xlink:href="http://www.sony.com/">Sony</link> <indexterm>
<primary>Sony</primary> <primary>Sony</primary>
</indexterm> - PlayStation 4 遊戲主機使用了修改過的 FreeBSD 版本來運作。</para> </indexterm> - PlayStation 4 遊戲主機使用了修改過的 FreeBSD 版本來運作。</para>
</listitem> </listitem>
▲ Show 20 LinesShow All 86 Lines▼ Show 20 Lines<chapter version="5.0" xml:id="introduction">
<listitem> <listitem>
<para><link xlink:href="http://www.opnsense.org/">OPNSense</link> <indexterm> <para><link xlink:href="http://www.opnsense.org/">OPNSense</link> <indexterm>
<primary>OPNsense</primary> <primary>OPNsense</primary>
</indexterm> - OPNsense 是一個以 FreeBSD 為基礎的開源、易於使用及易於建置的防火牆和路由平台。OPNsense 有大多數在昂貴的商業防火牆上才有的功能。它帶來了商業產品的豐富功能集,同時擁有開放和安全的來源。</para> </indexterm> - OPNsense 是一個以 FreeBSD 為基礎的開源、易於使用及易於建置的防火牆和路由平台。OPNsense 有大多數在昂貴的商業防火牆上才有的功能。它帶來了商業產品的豐富功能集,同時擁有開放和安全的來源。</para>
</listitem> </listitem>
<listitem> <listitem>
<para><link xlink:href="http://www.pcbsd.org/">TrueOS</link> <indexterm> <para><link xlink:href="https://www.trueos.org">TrueOS</link> <indexterm>
<primary>TrueOS</primary> <primary>TrueOS</primary>
</indexterm> - 訂製版本的 FreeBSD,裝備了給桌面使用者使用的圖型化工具來展示 FreeBSD 強大的功能給所有使用者,專門設計來緩解使用者在 Windows 與 OS X 間的過渡。</para> </indexterm> - 訂製版本的 FreeBSD,裝備了給桌面使用者使用的圖型化工具來展示 FreeBSD 強大的功能給所有使用者,專門設計來緩解使用者在 Windows 與 OS X 間的過渡。</para>
</listitem> </listitem>
<listitem> <listitem>
<para><link xlink:href="http://www.pfsense.org/">pfSense</link> <indexterm> <para><link xlink:href="http://www.pfsense.org/">pfSense</link> <indexterm>
<primary>pfSense</primary> <primary>pfSense</primary>
</indexterm> - 以 FreeBSD 為基礎的防火牆發行版,支援巨型陣列及大規模 IPv6。</para> </indexterm> - 以 FreeBSD 為基礎的防火牆發行版,支援巨型陣列及大規模 IPv6。</para>
▲ Show 20 LinesShow All 280 Lines▼ Show 20 Lines <varlistentry>
<term>FreeBSD 常見問答集</term> <term>FreeBSD 常見問答集</term>
<listitem> <listitem>
<para xml:lang="en"><link xlink:href="file://localhost/usr/local/share/doc/freebsd/faq/index.html"><filename>/usr/local/share/doc/freebsd/faq/index.html</filename></link></para> <para xml:lang="en"><link xlink:href="file://localhost/usr/local/share/doc/freebsd/faq/index.html"><filename>/usr/local/share/doc/freebsd/faq/index.html</filename></link></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>此外,可在下列網址找到最新版 (也是更新最頻繁的版本):<uri xlink:href="http://www.FreeBSD.org/">http://www.FreeBSD.org/</uri>。</para> <para>此外,可在下列網址找到最新版 (也是更新最頻繁的版本):<uri xlink:href="https://www.FreeBSD.org/">https://www.FreeBSD.org/</uri>。</para>
</sect2> </sect2>
</sect1> </sect1>
</chapter> </chapter>
<!-- <!--
The FreeBSD Documentation Project The FreeBSD Documentation Project
▲ Show 20 LinesShow All 121 Lines▼ Show 20 Lines也有建議如何正確的選擇在不同架構使用的映像檔。</para>
<para>每一種架構的處理器需求概述如下:</para> <para>每一種架構的處理器需求概述如下:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term xml:lang="en">amd64</term> <term xml:lang="en">amd64</term>
<listitem> <listitem>
<para>桌面電腦與筆記型電腦最常見的處理器類型,運用在近代的系統。<trademark class="registered">Intel</trademark> 稱該類型為 <acronym>Intel64</acronym>,其他製造商則稱該類型為 <acronym>x86-64</acronym>。</para> <para>桌面電腦與筆記型電腦最常見的處理器類型,運用在近代的系統。<trademark class="registered">Intel</trademark> 稱該類型為 <acronym>Intel64</acronym>,其他製造商則稱該類型為 <acronym>x86-64</acronym>。</para>
<para>與 amd64 相容的處理器包含:<trademark>AMD!Athlon</trademark>64, <trademark>AMD!Opteron</trademark>, 多核心 <trademark class="registered">Intel</trademark>!<trademark>Xeon</trademark> 以及 <trademark class="registered">Intel</trademark>!<trademark>Core</trademark>!2 與之後的處理器。</para> <para>與 amd64 相容的處理器範例包含:<trademark>AMD!Athlon</trademark>64, <trademark>AMD!Opteron</trademark>, 多核心 <trademark class="registered">Intel</trademark>!<trademark>Xeon</trademark> 以及 <trademark class="registered">Intel</trademark>!<trademark>Core</trademark>!2 與之後的處理器。</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en">i386</term> <term xml:lang="en">i386</term>
<listitem> <listitem>
<para>舊型的桌面電腦與筆記型電腦常使用此 32-bit, x86 架構。</para> <para>舊型的桌面電腦與筆記型電腦常使用此 32-bit, x86 架構。</para>
▲ Show 20 LinesShow All 103 Lines▼ Show 20 Lines <listitem>
<para>網路 <acronym>DNS</acronym> 伺服器 <acronym>IP</acronym> 位址</para> <para>網路 <acronym>DNS</acronym> 伺服器 <acronym>IP</acronym> 位址</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</step> </step>
<step> <step>
<title>檢查 FreeBSD 勘誤表</title> <title>檢查 FreeBSD 勘誤表</title>
<para>儘管 FreeBSD Project 努力確保每個 FreeBSD 發行版能夠儘可能地穩定,但錯誤偶爾還是會悄悄出現,並有極小的可能會發生影響安裝流程的錯誤,當這些問題被發現並修正後,會被紀錄在 FreeBSD 網站的 FreeBSD 勘誤表 (<link xlink:href="@@URL_RELPREFIX@@/releases/11.0R/errata.html">http://www.freebsd.org/releases/11.0R/errata.html</link>)。 安裝前先檢查勘誤表,以確保沒有會影響到安裝的問題。</para> <para>儘管 FreeBSD 計劃努力確保每個 FreeBSD 發行版能夠儘可能地穩定,但錯誤偶爾還是會悄悄出現,並有極小的可能會發生影響安裝流程的錯誤,當這些問題被發現並修正後,會被紀錄在 FreeBSD 網站的 FreeBSD 勘誤表 (<link xlink:href="@@URL_RELPREFIX@@/releases/11.1R/errata.html">https://www.freebsd.org/releases/11.1R/errata.html</link>)。 安裝前先檢查勘誤表,以確保沒有會影響到安裝的問題。</para>
<para>所有發行版的資訊和勘誤表可以在 FreeBSD 網站的發行資訊找到 (<link xlink:href="@@URL_RELPREFIX@@/releases/index.html">http://www.freebsd.org/releases/index.html</link>)。</para> <para>所有發行版的資訊和勘誤表可以在 FreeBSD 網站的發行資訊找到 (<link xlink:href="@@URL_RELPREFIX@@/releases/index.html">https://www.freebsd.org/releases/index.html</link>)。</para>
</step> </step>
</procedure> </procedure>
<sect2 xml:id="bsdinstall-installation-media"> <sect2 xml:id="bsdinstall-installation-media">
<title>準備安裝的媒體</title> <title>準備安裝的媒體</title>
<para>FreeBSD 安裝程式並不是一個可以在其他作業系統上執行的應用程式,反而您需要下載 FreeBSD 安裝檔,燒錄安裝檔到符合其檔案類型與大小的媒體 (<acronym>CD</acronym>, <acronym>DVD</acronym> 或 <acronym>USB</acronym>),然後開機從插入的媒體來安裝。</para> <para>FreeBSD 安裝程式並不是一個可以在其他作業系統上執行的應用程式,反而您需要下載 FreeBSD 安裝檔,燒錄安裝檔到符合其檔案類型與大小的媒體 (<acronym>CD</acronym>, <acronym>DVD</acronym> 或 <acronym>USB</acronym>),然後開機從插入的媒體來安裝。</para>
▲ Show 20 LinesShow All 1,390 Lines▼ Show 20 Lines <sect1 xml:id="bsdinstall-install-trouble">
<title>疑難排解</title> <title>疑難排解</title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>installation</primary> <primary>installation</primary>
<secondary>troubleshooting</secondary> <secondary>troubleshooting</secondary>
</indexterm> </indexterm>
<para>本節涵蓋基礎的安裝疑難排解,例如一些已有人回報的常見問題。</para> <para>本節涵蓋基礎的安裝疑難排解,例如一些已有人回報的常見問題。</para>
<para>查看該 FreeBSD 版本的 Hardware Notes (<link xlink:href="@@URL_RELPREFIX@@/releases/index.html">http://www.freebsd.org/releases/index.html</link>) 文件來確認是否支援該硬體。若確定有支援該硬體但仍然卡住或發生其他問題,請依照 <xref linkend="kernelconfig"/> 的指示編譯自訂核心來加入未在 <filename>GENERIC</filename> 核心的裝置。預設的核心會假設大部份的硬體裝置會使用原廠預設的 <acronym>IRQ</acronym>s, <acronym>I/O</acronym> 位址,及 <acronym>DMA</acronym> 通道,若硬體已經被重新設定過,自訂的核心設定檔可以告訴 FreeBSD 到那找到這些裝置。</para> <para>查看該 FreeBSD 版本的 Hardware Notes (<link xlink:href="@@URL_RELPREFIX@@/releases/index.html">https://www.freebsd.org/releases/index.html</link>) 文件來確認是否支援該硬體。若確定有支援該硬體但仍然卡住或發生其他問題,請依照 <xref linkend="kernelconfig"/> 的指示編譯自訂核心來加入未在 <filename>GENERIC</filename> 核心的裝置。預設的核心會假設大部份的硬體裝置會使用原廠預設的 <acronym>IRQ</acronym>s, <acronym>I/O</acronym> 位址,及 <acronym>DMA</acronym> 通道,若硬體已經被重新設定過,自訂的核心設定檔可以告訴 FreeBSD 到那找到這些裝置。</para>
<note> <note>
<para>部份安裝問題可以透過更各種硬體元件的韌體來避免或緩解,特別是主機板。主機板的韌體通常稱為 <acronym>BIOS</acronym>,大部份主機板與電腦製造商會有網站可以取得升級程式與升級資訊。</para> <para>部份安裝問題可以透過更各種硬體元件的韌體來避免或緩解,特別是主機板。主機板的韌體通常稱為 <acronym>BIOS</acronym>,大部份主機板與電腦製造商會有網站可以取得升級程式與升級資訊。</para>
<para>製造商通常會建議若沒有特殊原因盡量避免升級主機板 <acronym>BIOS</acronym></para> <para>製造商通常會建議若沒有特殊原因盡量避免升級主機板 <acronym>BIOS</acronym></para>
</note> </note>
<para>若系統在開機偵測硬體時卡住或安裝時運作異常,可能主因為 <acronym>ACPI</acronym>,FreeBSD 在 i386, amd64 及 ia64 平台廣泛的使用了系統 <acronym>ACPI</acronym> 服務來協助設定系統組態,若在開機時有偵測到該功能。不幸的是,<acronym>ACPI</acronym> 驅動程式與系統主機板及 <acronym>BIOS</acronym> 韌體之間仍存在部份問題。可於開機載入程式的第三階段設定 <literal>hint.acpi.0.disabled</literal> Hint 來關閉 <acronym>ACPI</acronym>:</para> <para>若系統在開機偵測硬體時卡住或安裝時運作異常,可能主因為 <acronym>ACPI</acronym>,FreeBSD 在 i386, amd64 及 ia64 平台廣泛的使用了系統 <acronym>ACPI</acronym> 服務來協助設定系統組態,若在開機時有偵測到該功能。不幸的是,<acronym>ACPI</acronym> 驅動程式與系統主機板及 <acronym>BIOS</acronym> 韌體之間仍存在部份問題。可於開機載入程式的第三階段設定 <literal>hint.acpi.0.disabled</literal> Hint 來關閉 <acronym>ACPI</acronym>:</para>
▲ Show 20 LinesShow All 2,389 Lines▼ Show 20 Lines<chapter version="5.0" xml:id="ports">
<sect1 xml:id="ports-finding-applications"> <sect1 xml:id="ports-finding-applications">
<title>搜尋軟體</title> <title>搜尋軟體</title>
<para>FreeBSD 上可安裝的軟體清單不斷在增加, 有幾種方式可以來找你想安裝的軟體:</para> <para>FreeBSD 上可安裝的軟體清單不斷在增加, 有幾種方式可以來找你想安裝的軟體:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>FreeBSD 網站有維護一份可搜尋的最新應用程式清單,在 <link xlink:href="@@URL_RELPREFIX@@/ports/index.html">http://www.FreeBSD.org/ports/</link>。 可以依應用程式名稱或軟體分類來搜尋 Port。</para> <para>FreeBSD 網站有維護一份可搜尋的最新應用程式清單,在 <link xlink:href="@@URL_RELPREFIX@@/ports/index.html">https://www.FreeBSD.org/ports/</link>。 可以依應用程式名稱或軟體分類來搜尋 Port。</para>
</listitem> </listitem>
<listitem> <listitem>
<indexterm xml:lang="en"><primary>FreshPorts</primary></indexterm> <indexterm xml:lang="en"><primary>FreshPorts</primary></indexterm>
<para>由 Dan Langille 維護的 <link xlink:href="http://www.FreshPorts.org/">FreshPorts.org</link>,提供完整的搜尋工具並且可追蹤在 Port 套件集中的應用程式變更。註冊的使用者可以建立自訂的監視清單會自動寄發電子郵件通知 Port 的更新資訊。</para> <para>由 Dan Langille 維護的 <link xlink:href="http://www.FreshPorts.org/">FreshPorts.org</link>,提供完整的搜尋工具並且可追蹤在 Port 套件集中的應用程式變更。註冊的使用者可以建立自訂的監視清單會自動寄發電子郵件通知 Port 的更新資訊。</para>
</listitem> </listitem>
▲ Show 20 LinesShow All 799 Lines▼ Show 20 Lines...</programlisting>
<para>要取得更多使用 <application>poudriere</application> 的資訊,請參考 <citerefentry vendor="ports"><refentrytitle>poudriere</refentrytitle><manvolnum>8</manvolnum></citerefentry> 及主網站 <link xlink:href="https://github.com/freebsd/poudriere/wiki"/>。</para> <para>要取得更多使用 <application>poudriere</application> 的資訊,請參考 <citerefentry vendor="ports"><refentrytitle>poudriere</refentrytitle><manvolnum>8</manvolnum></citerefentry> 及主網站 <link xlink:href="https://github.com/freebsd/poudriere/wiki"/>。</para>
</sect2> </sect2>
<sect2> <sect2>
<title>設定 pkg 客戶端使用 Poudriere 檔案庫</title> <title>設定 pkg 客戶端使用 Poudriere 檔案庫</title>
<para>雖然可以同時使用自訂的檔案庫與官方檔案庫,但有時關閉官方檔案庫會有幫助。這可以透過建立一個設定檔覆蓋並關閉官方的設定檔來完成。建立 <filename>/usr/local/etc/pkg/repos/FreeBSD.conf</filename> 包含以下內容:</para> <para>雖然可以同時使用自訂的檔案庫與官方檔案庫,但有時關閉官方檔案庫會有幫助。這可以透過建立一個設定檔覆蓋並關閉官方的設定檔來完成。建立 <filename>/usr/local/etc/pkg/repos/FreeBSD.conf</filename> 包含以下內容:</para>
<screen xml:lang="en">FreeBSD: { <programlisting xml:lang="en">FreeBSD: {
enabled: no enabled: no
}</screen> }</programlisting>
<para>通常最簡單要提供 poudriere 檔案庫給客戶端的方式是透過 HTTP。安裝一個網頁伺服器來提供套件目錄,通常會像:<filename>/usr/local/poudriere/data/packages/<replaceable>10amd64</replaceable></filename>,其中 <filename>10amd64</filename> 是編譯的名稱。</para> <para>通常最簡單要提供 poudriere 檔案庫給客戶端的方式是透過 HTTP。安裝一個網頁伺服器來提供套件目錄,通常會像:<filename>/usr/local/poudriere/data/packages/<replaceable>10amd64</replaceable></filename>,其中 <filename>10amd64</filename> 是編譯的名稱。</para>
<para>若要連往套件檔案庫的 URL 是:<literal>http://pkg.example.com/10amd64</literal>,則在 <filename>/usr/local/etc/pkg/repos/custom.conf</filename> 的檔案庫設定檔為:</para> <para>若要連往套件檔案庫的 URL 是:<literal>http://pkg.example.com/10amd64</literal>,則在 <filename>/usr/local/etc/pkg/repos/custom.conf</filename> 的檔案庫設定檔為:</para>
<screen xml:lang="en">custom: { <programlisting xml:lang="en">custom: {
url: "<replaceable>http://pkg.example.com/10amd64</replaceable>", url: "<replaceable>http://pkg.example.com/10amd64</replaceable>",
enabled: yes, enabled: yes,
}</screen> }</programlisting>
</sect2> </sect2>
</sect1> </sect1>
<sect1 xml:id="ports-nextsteps"> <sect1 xml:id="ports-nextsteps">
<title>安裝後的注意事項</title> <title>安裝後的注意事項</title>
<para>不論軟體是從套件或 Port 安裝,大部份的第三方應用程式安裝完後需要做某種程度的設定,下列指令與位置可以用來協助找到應用程式安裝了什麼。</para> <para>不論軟體是從套件或 Port 安裝,大部份的第三方應用程式安裝完後需要做某種程度的設定,下列指令與位置可以用來協助找到應用程式安裝了什麼。</para>
▲ Show 20 LinesShow All 985 Lines▼ Show 20 Lines </author>
</info> </info>
<para>本節將介紹如何在 FreeBSD 系統安裝三種熱門的桌面環境。一套桌面環境的範圍可從簡單的視窗管理程式到完整的桌面應用程式集。有上百套的桌面環境可在 Port 套件集的 <filename>x11-wm</filename> 分類取得。</para> <para>本節將介紹如何在 FreeBSD 系統安裝三種熱門的桌面環境。一套桌面環境的範圍可從簡單的視窗管理程式到完整的桌面應用程式集。有上百套的桌面環境可在 Port 套件集的 <filename>x11-wm</filename> 分類取得。</para>
<sect2 xml:id="x11-wm-gnome"> <sect2 xml:id="x11-wm-gnome">
<title xml:lang="en">GNOME</title> <title xml:lang="en">GNOME</title>
<indexterm xml:lang="en"><primary>GNOME</primary></indexterm> <indexterm xml:lang="en"><primary>GNOME</primary></indexterm>
<para><application>GNOME</application> 是一個擁有友善使用者介面的的桌面環境,它包括用於啟動應用程式和顯示狀態的面板、一系列工具與應用程序及一套可讓應用程式更容易進行合作、相互一致的協定。更多有關 FreeBSD <application>GNOME</application> 的訊息可在 <link xlink:href="http://www.FreeBSD.org/gnome">http://www.FreeBSD.org/gnome</link> 取得,該網站包含了有關在 FreeBSD 安裝、設定和管理 <application>GNOME</application> 的額外文件。</para> <para><application>GNOME</application> 是一個擁有友善使用者介面的的桌面環境,它包括用於啟動應用程式和顯示狀態的面板、一系列工具與應用程序及一套可讓應用程式更容易進行合作、相互一致的協定。更多有關 FreeBSD <application>GNOME</application> 的訊息可在 <link xlink:href="https://www.FreeBSD.org/gnome">https://www.FreeBSD.org/gnome</link> 取得,該網站包含了有關在 FreeBSD 安裝、設定和管理 <application>GNOME</application> 的額外文件。</para>
<para>這套桌面環境可以從套件安裝:</para> <para>這套桌面環境可以從套件安裝:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install gnome3</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install gnome3</userinput></screen>
<para>也可使用以下指令從 Port 編譯 <application>GNOME</application>,<application>GNOME</application> 是一套大型的應用程式,即使在速度較快的電腦上,也會需要花費一些時間編譯。</para> <para>也可使用以下指令從 Port 編譯 <application>GNOME</application>,<application>GNOME</application> 是一套大型的應用程式,即使在速度較快的電腦上,也會需要花費一些時間編譯。</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/x11/gnome3</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/x11/gnome3</userinput>
▲ Show 20 LinesShow All 523 Lines▼ Show 20 Lines<chapter version="5.0" xml:id="desktop">
<sect1 xml:id="desktop-browsers"> <sect1 xml:id="desktop-browsers">
<title>瀏覽器</title> <title>瀏覽器</title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>browsers</primary> <primary>browsers</primary>
<secondary>web</secondary> <secondary>web</secondary>
</indexterm> </indexterm>
<para>在 FreeBSD 中並未預先安裝好網頁瀏覽器。 但在 Port 套件集中的 <link xlink:href="http://www.FreeBSD.org/ports/www.html">www</link> 分類中有許多瀏覽器可以採 Binary 套件安裝或自 Port 套件集編譯的方式安裝。</para> <para>在 FreeBSD 中並未預先安裝好網頁瀏覽器。 但在 Port 套件集中的 <link xlink:href="https://www.FreeBSD.org/ports/www.html">www</link> 分類中有許多瀏覽器可以採 Binary 套件安裝或自 Port 套件集編譯的方式安裝。</para>
<para><application>KDE</application> 和 <application>GNOME</application> 桌面環境都有提供自有的 HTML 瀏覽器。請參考 <xref linkend="x11-wm"/> 來了解更多有關如何設定完整桌面環境的資訊。</para> <para><application>KDE</application> 和 <application>GNOME</application> 桌面環境都有提供自有的 HTML 瀏覽器。請參考 <xref linkend="x11-wm"/> 來了解更多有關如何設定完整桌面環境的資訊。</para>
<para>有一些輕量化的瀏覽器可使用,包含 <package>www/dillo2</package>, <package>www/links</package> 以及 <package>www/w3m</package>。</para> <para>有一些輕量化的瀏覽器可使用,包含 <package>www/dillo2</package>, <package>www/links</package> 以及 <package>www/w3m</package>。</para>
<para>本章節將示範如何安裝下列常見的網頁瀏覽器並說明該應用程式是否需要用到大量資源、花費大量時間自 Port 編譯或何主要的相依套件。</para> <para>本章節將示範如何安裝下列常見的網頁瀏覽器並說明該應用程式是否需要用到大量資源、花費大量時間自 Port 編譯或何主要的相依套件。</para>
<informaltable frame="none" pgwide="1"> <informaltable frame="none" pgwide="1">
▲ Show 20 LinesShow All 72 Lines▼ Show 20 Lines <sect3 xml:id="moz-java-plugin">
<para>或由 Port 套件集編譯:</para> <para>或由 Port 套件集編譯:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/java/icedtea-web</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/java/icedtea-web</userinput>
<prompt>#</prompt> <userinput>make install clean</userinput></screen> <prompt>#</prompt> <userinput>make install clean</userinput></screen>
<para>編譯 Port 時使用預設設定選項。</para> <para>編譯 Port 時使用預設設定選項。</para>
<para>安裝完成時,啟動 <application>firefox</application>,在網址列輸入 <literal>about:plugins</literal> 並按 <keycap>Enter</keycap> 鍵。 會出現一個頁面列出已安裝的附加元件。 <application><trademark>Java</trademark></application> 附加元件應該會列在其中。</para> <para>安裝完成後,啟動 <application>firefox</application>,在網址列輸入 <literal>about:plugins</literal> 並按 <keycap>Enter</keycap> 鍵,便會出現一個列出已安裝附加元件的頁面,清單中應該要有 <application><trademark>Java</trademark></application> 附加元件。</para>
<para>若瀏覽器無法找到附加元件,每位使用者則須執行以下指令並重新執行瀏覽器:</para> <para>若瀏覽器無法找到附加元件,每位使用者則須執行以下指令並重新執行瀏覽器:</para>
<screen xml:lang="en"><prompt>%</prompt> <userinput>ln -s /usr/local/lib/IcedTeaPlugin.so \ <screen xml:lang="en"><prompt>%</prompt> <userinput>ln -s /usr/local/lib/IcedTeaPlugin.so \
$HOME/.mozilla/plugins/</userinput></screen> $HOME/.mozilla/plugins/</userinput></screen>
</sect3> </sect3>
<sect3 xml:id="moz-flash-plugin"> <sect3 xml:id="moz-flash-plugin">
Show All 9 Lines <primary>Flash</primary>
<para>要安裝並開啟此附加元件,可執行以下步驟:</para> <para>要安裝並開啟此附加元件,可執行以下步驟:</para>
<procedure> <procedure>
<step> <step>
<para>自 Port 安裝 <package role="port">www/nspluginwrapper</package> ,受到授權條款的限制,該套件無 Binary 版本。此 Port 需安裝 <package>emulators/linux_base-c6</package>。</para> <para>自 Port 安裝 <package role="port">www/nspluginwrapper</package> ,受到授權條款的限制,該套件無 Binary 版本。此 Port 需安裝 <package>emulators/linux_base-c6</package>。</para>
</step> </step>
<step> <step>
<para>自 Port 安裝 <package role="port">www/linux-c6-flashplugin11</package> ,受到授權條款的限制,該套件無 Binary 版本。</para> <para>自 Port 安裝 <package role="port">www/linux-flashplayer</package> ,受到授權條款的限制,該套件無 Binary 版本。</para>
</step> </step>
<step> <step>
<para>第一次使用附加元件前,每位使用者需要先執行:</para> <para>第一次使用附加元件前,每位使用者需要先執行:</para>
<screen xml:lang="en"><prompt>%</prompt> <userinput>nspluginwrapper -v -a -i</userinput></screen> <screen xml:lang="en"><prompt>%</prompt> <userinput>nspluginwrapper -v -a -i</userinput></screen>
<para>當附加元件 Port 完成更新並且重新安裝後,每位使用者需要執行:</para> <para>當附加元件 Port 完成更新並且重新安裝後,每位使用者需要執行:</para>
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Lines <primary><application>Konqueror</application></primary>
</indexterm> </indexterm>
<para><application>Konqueror</application> 不只是個網頁瀏覽器, 它同時也是檔案管理器和多媒體瀏覽器。它包含在 <package>x11/kde4-baseapps</package> 套件或 Port 中。</para> <para><application>Konqueror</application> 不只是個網頁瀏覽器, 它同時也是檔案管理器和多媒體瀏覽器。它包含在 <package>x11/kde4-baseapps</package> 套件或 Port 中。</para>
<para><application>Konqueror</application> 使用支援 WebKit 以及它自有的 KTHML。WebKit 是一套被許多現代瀏覽器所使用的繪圖引擎,包含 Chromium。要在 FreeBSD 的 <application>Konqueror</application> 使用 WebKit 需安裝 <package>www/kwebkitpart</package> 套件或 Port。此範例示範使用 Binary 套件安裝:</para> <para><application>Konqueror</application> 使用支援 WebKit 以及它自有的 KTHML。WebKit 是一套被許多現代瀏覽器所使用的繪圖引擎,包含 Chromium。要在 FreeBSD 的 <application>Konqueror</application> 使用 WebKit 需安裝 <package>www/kwebkitpart</package> 套件或 Port。此範例示範使用 Binary 套件安裝:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install kwebkitpart</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install kwebkitpart</userinput></screen>
<para> Port 套件集安裝:</para> <para> Port 套件集安裝:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/www/kwebkitpart</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/www/kwebkitpart</userinput>
<prompt>#</prompt> <userinput>make install clean</userinput></screen> <prompt>#</prompt> <userinput>make install clean</userinput></screen>
<para>要啟動 <application>Konqueror</application> 中的 WebKit 點選 <quote>Settings</quote>、<quote>Configure Konqueror</quote>。在 <quote>General</quote> 設定頁面內點選 <quote>Default web browser engine</quote> 旁的下拉示選單並變更 <quote>KHTML</quote> 為 <quote>WebKit</quote>。</para> <para>要啟動 <application>Konqueror</application> 中的 WebKit 點選 <quote>Settings</quote>、<quote>Configure Konqueror</quote>。在 <quote>General</quote> 設定頁面內點選 <quote>Default web browser engine</quote> 旁的下拉示選單並變更 <quote>KHTML</quote> 為 <quote>WebKit</quote>。</para>
<para><application>Konqueror</application> 也支援 <application><trademark class="registered">Flash</trademark></application>,<quote>如何</quote>在 <application>Konqueror</application> 上安裝 <application><trademark class="registered">Flash</trademark></application> 的說明可參考 <uri xlink:href="http://freebsd.kde.org/howtos/konqueror-flash.php">http://freebsd.kde.org/howtos/konqueror-flash.php</uri>。</para> <para><application>Konqueror</application> 也支援 <application><trademark class="registered">Flash</trademark></application>,<quote>如何</quote>在 <application>Konqueror</application> 上安裝 <application><trademark class="registered">Flash</trademark></application> 的說明可參考 <uri xlink:href="http://freebsd.kde.org/howtos/konqueror-flash.php">http://freebsd.kde.org/howtos/konqueror-flash.php</uri>。</para>
</sect2> </sect2>
▲ Show 20 LinesShow All 157 Lines▼ Show 20 Lines <primary><application>The GIMP</application></primary>
<screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install gimp</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install gimp</userinput></screen>
<para>或使用 Port 套件集安裝:</para> <para>或使用 Port 套件集安裝:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/graphics/gimp</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/graphics/gimp</userinput>
<prompt>#</prompt> <userinput>make install clean</userinput></screen> <prompt>#</prompt> <userinput>make install clean</userinput></screen>
<para> 在 Port 套件集的 graphics 分類 (<link xlink:href="http://www.FreeBSD.org/ports/graphics.html">freebsd.org/ports/graphics.html</link>) 下也包含了許多 <application>GIMP</application> 相關的附加元件,說明檔及使用手冊。</para> <para>在 Port 套件集的 graphics 分類 (<link xlink:href="https://www.FreeBSD.org/ports/graphics.html">freebsd.org/ports/graphics.html</link>) 下也包含了許多 <application>GIMP</application> 相關的附加元件,說明檔及使用手冊。</para>
</sect2> </sect2>
<sect2> <sect2>
<title xml:lang="en">Apache OpenOffice</title> <title xml:lang="en">Apache OpenOffice</title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary> <primary>
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Lines <secondary><application>LibreOffice</application></secondary>
<para><application>LibreOffice</application> 是一套自由的辦公軟體由 <link xlink:href="http://www.documentfoundation.org/">documentfoundation.org</link> 所開發。它可相容其他主流的辦公軟體以及可在各種平台上使用。它是 <application>Apache OpenOffice</application> 品牌重塑後的分支,含有可在完整辦公生產力軟體中找到的應用程式:文件處理程式、試算表、簡報管理程式、繪圖程式、資料庫管理程式以及建立與編輯數學公式的工具。它也支援數種語言與國際化一直延伸到介面、拼字檢查程式與字典。</para> <para><application>LibreOffice</application> 是一套自由的辦公軟體由 <link xlink:href="http://www.documentfoundation.org/">documentfoundation.org</link> 所開發。它可相容其他主流的辦公軟體以及可在各種平台上使用。它是 <application>Apache OpenOffice</application> 品牌重塑後的分支,含有可在完整辦公生產力軟體中找到的應用程式:文件處理程式、試算表、簡報管理程式、繪圖程式、資料庫管理程式以及建立與編輯數學公式的工具。它也支援數種語言與國際化一直延伸到介面、拼字檢查程式與字典。</para>
<para><application>LibreOffice</application> 的文件處理程式使用了原生的 XML 檔案格式來增加可攜性與彈性,試算表程式支援可與外部資料庫連接的巨集語言。<application>LibreOffice</application> 非常穩定且可直接在 <trademark class="registered">Windows</trademark>, <trademark class="registered">Linux</trademark>, FreeBSD 以及 <trademark class="registered">Mac!OS</trademark>!X 上執行。更多有關 <application>LibreOffice</application> 的資訊可在 <link xlink:href="http://www.libreoffice.org/">libreoffice.org</link> 找到。</para> <para><application>LibreOffice</application> 的文件處理程式使用了原生的 XML 檔案格式來增加可攜性與彈性,試算表程式支援可與外部資料庫連接的巨集語言。<application>LibreOffice</application> 非常穩定且可直接在 <trademark class="registered">Windows</trademark>, <trademark class="registered">Linux</trademark>, FreeBSD 以及 <trademark class="registered">Mac!OS</trademark>!X 上執行。更多有關 <application>LibreOffice</application> 的資訊可在 <link xlink:href="http://www.libreoffice.org/">libreoffice.org</link> 找到。</para>
<para>要安裝英文版本的 <application>LibreOffice</application> 套件:</para> <para>要安裝英文版本的 <application>LibreOffice</application> 套件:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install libreoffice</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install libreoffice</userinput></screen>
<para>Port 套件集的編輯器分類 (<link xlink:href="http://www.FreeBSD.org/ports/editors.html">freebsd.org/ports/editors.html</link>) 中含有數個 <application>LibreOffice</application> 的語系。安裝在地化套件時,請替換 <literal>libreoffice</literal> 為在地化套件的名稱。</para> <para>Port 套件集的編輯器分類 (<link xlink:href="https://www.FreeBSD.org/ports/editors.html">freebsd.org/ports/editors.html</link>) 中含有數個 <application>LibreOffice</application> 的語系。安裝在地化套件時,請替換 <literal>libreoffice</literal> 為在地化套件的名稱。</para>
<para>套件安裝之後,輸入以下指令來執行 <application>LibreOffice</application>:</para> <para>套件安裝之後,輸入以下指令來執行 <application>LibreOffice</application>:</para>
<screen xml:lang="en"><prompt>%</prompt> <userinput>libreoffice</userinput></screen> <screen xml:lang="en"><prompt>%</prompt> <userinput>libreoffice</userinput></screen>
<para>第一次啟動的過程中會詢問一些問題並在使用者的家目錄建立 <filename>.libreoffice</filename> 資料夾。</para> <para>第一次啟動的過程中會詢問一些問題並在使用者的家目錄建立 <filename>.libreoffice</filename> 資料夾。</para>
<para>若找不到想使用的 <application>LibreOffice</application> 套件,也可從 Port 編譯,但這會要大量的磁碟空間及漫長的時間編譯。以下例子示範編譯英文版本:</para> <para>若找不到想使用的 <application>LibreOffice</application> 套件,也可從 Port 編譯,但這會要大量的磁碟空間及漫長的時間編譯。以下例子示範編譯英文版本:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/editors/libreoffice</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/editors/libreoffice</userinput>
<prompt>#</prompt> <userinput>make install clean</userinput></screen> <prompt>#</prompt> <userinput>make install clean</userinput></screen>
<note> <note>
<para>要編譯在地化版本,則需 <command>cd</command> 進入想要的語言 Port 目錄。支援的語言可在 Port 套件集的編輯器分類 (<link xlink:href="http://www.FreeBSD.org/ports/editors.html">freebsd.org/ports/editors.html</link>) 中找到。</para> <para>要編譯在地化版本,則需 <command>cd</command> 進入想要的語言 Port 目錄。支援的語言可在 Port 套件集的編輯器分類 (<link xlink:href="https://www.FreeBSD.org/ports/editors.html">freebsd.org/ports/editors.html</link>) 中找到。</para>
</note> </note>
</sect2> </sect2>
</sect1> </sect1>
<sect1 xml:id="desktop-viewers"> <sect1 xml:id="desktop-viewers">
<title>文件閱覽程式</title> <title>文件閱覽程式</title>
<para><trademark class="registered">UNIX</trademark> 出現之後,有一些新的文件格式才越來越熱門,這些文件所需的檢視程式可能並不在基礎系統中。本節將示範如何安裝以下文件檢視程式:</para> <para><trademark class="registered">UNIX</trademark> 出現之後,有一些新的文件格式才越來越熱門,這些文件所需的檢視程式可能並不在基礎系統中。本節將示範如何安裝以下文件檢視程式:</para>
▲ Show 20 LinesShow All 369 Lines▼ Show 20 Lines <author xml:lang="en">
</personname> </personname>
<contrib>Enhanced by </contrib> <!--in September 2004--> <contrib>Enhanced by </contrib> <!--in September 2004-->
</author> </author>
</authorgroup> </authorgroup>
</info> </info>
<indexterm xml:lang="en"><primary>PCI</primary></indexterm> <indexterm xml:lang="en"><primary>PCI</primary></indexterm>
<indexterm xml:lang="en"><primary>sound cards</primary></indexterm> <indexterm xml:lang="en"><primary>sound cards</primary></indexterm>
<para>開始設定之前,必須先知道你的音效卡型號、晶片為何。 FreeBSD 支援許多種音效卡,請檢查支援的音效硬體表 <link xlink:href="http://www.FreeBSD.org/releases/11.0R/hardware.html">Hardware Notes</link>,以確認你的音效卡是否支援以及如何在 FreeBSD 上驅動。</para> <para>開始設定之前,必須先知道你的音效卡型號、晶片為何。 FreeBSD 支援許多種音效卡,請檢查支援的音效硬體表 <link xlink:href="https://www.FreeBSD.org/releases/11.1R/hardware.html">Hardware Notes</link>,以確認你的音效卡是否支援以及如何在 FreeBSD 上驅動。</para>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>kernel</primary> <primary>kernel</primary>
<secondary>configuration</secondary> <secondary>configuration</secondary>
</indexterm> </indexterm>
<para>要使用音效裝置,必須要載入正確的驅動程式才行。最簡單方式就是以 <citerefentry><refentrytitle>kldload</refentrytitle><manvolnum>8</manvolnum></citerefentry> 來載入核心模組。以下範例示範載入 Intel 規格內建的音效晶片驅動程式。</para> <para>要使用音效裝置,必須要載入正確的驅動程式才行。最簡單方式就是以 <citerefentry><refentrytitle>kldload</refentrytitle><manvolnum>8</manvolnum></citerefentry> 來載入核心模組。以下範例示範載入 Intel 規格內建的音效晶片驅動程式。</para>
▲ Show 20 LinesShow All 349 Lines▼ Show 20 Lines<prompt>#</prompt> <userinput>sysctl hw.snd.maxautovchans=4</userinput></screen>
<application>XMMS</application> simple to use. On FreeBSD, <application>XMMS</application> simple to use. On FreeBSD,
<application>XMMS</application> can be installed from the <application>XMMS</application> can be installed from the
<package>multimedia/xmms</package> port or package.</para> <package>multimedia/xmms</package> port or package.</para>
<para xml:lang="en">The <package>audio/mpg123</package> package or port <para xml:lang="en">The <package>audio/mpg123</package> package or port
provides an alternative, command-line <acronym>MP3</acronym> provides an alternative, command-line <acronym>MP3</acronym>
player. Once installed, specify the <acronym>MP3</acronym> player. Once installed, specify the <acronym>MP3</acronym>
file to play on the command line. If the system has multiple file to play on the command line. If the system has multiple
audio devices, the sound device can also be specifed:</para> audio devices, the sound device can also be specified:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>mpg123 <replaceable>-a /dev/dsp1.0 Foobar-GreatestHits.mp3</replaceable></userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>mpg123 <replaceable>-a /dev/dsp1.0 Foobar-GreatestHits.mp3</replaceable></userinput>
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3 High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
version 1.18.1; written and copyright by Michael Hipp and others version 1.18.1; written and copyright by Michael Hipp and others
free software (LGPL) without any warranty but with best wishes free software (LGPL) without any warranty but with best wishes
Playing MPEG stream from Foobar-GreatestHits.mp3 ... Playing MPEG stream from Foobar-GreatestHits.mp3 ...
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo</screen> MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo</screen>
▲ Show 20 LinesShow All 783 Lines▼ Show 20 Lines drivers.</para>
<sect2> <sect2>
<title>設定 MythTV 後端</title> <title>設定 MythTV 後端</title>
<para>要使用 Binary 套件安裝 MythTV 可:</para> <para>要使用 Binary 套件安裝 MythTV 可:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install mythtv</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install mythtv</userinput></screen>
<para>或 Port 套件集安裝:</para> <para>或 Port 套件集安裝:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/multimedia/mythtv</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/multimedia/mythtv</userinput>
<prompt>#</prompt> <userinput>make install</userinput></screen> <prompt>#</prompt> <userinput>make install</userinput></screen>
<para xml:lang="en">Once installed, set up the MythTV database:</para> <para xml:lang="en">Once installed, set up the MythTV database:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>mysql -uroot -p &lt; /usr/local/share/mythtv/database/mc.sql</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>mysql -uroot -p &lt; /usr/local/share/mythtv/database/mc.sql</userinput></screen>
▲ Show 20 LinesShow All 418 Lines▼ Show 20 Linesath0@pci0:3:0:0: class=0x020000 card=0x058a1014 chip=0x1014168c rev=0x01 hdr=0x00
device = 'AR5212 Atheros AR5212 802.11abg wireless' device = 'AR5212 Atheros AR5212 802.11abg wireless'
class = network class = network
subclass = ethernet</screen> subclass = ethernet</screen>
<para>以上輸出資訊說明 <filename>ath</filename> 驅動程式已經找到一個無線乙太網路裝置。</para> <para>以上輸出資訊說明 <filename>ath</filename> 驅動程式已經找到一個無線乙太網路裝置。</para>
<para>在 <citerefentry><refentrytitle>man</refentrytitle><manvolnum>1</manvolnum></citerefentry> 指令加上 <option>-k</option> 旗標可提供有用的資訊,例如,這可列出有包含指定裝置品牌或名稱的手冊頁面清單:</para> <para>在 <citerefentry><refentrytitle>man</refentrytitle><manvolnum>1</manvolnum></citerefentry> 指令加上 <option>-k</option> 旗標可提供有用的資訊,例如,這可列出有包含指定裝置品牌或名稱的手冊頁面清單:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>man -k <replaceable>Atheros</replaceable></userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>man -k <replaceable>Atheros</replaceable></userinput>
ath(4) - Atheros IEEE 802.11 wireless network driver
ath_hal(4) - Atheros Hardware Access Layer (HAL)</screen>
<programlisting xml:lang="en">ath(4) - Atheros IEEE 802.11 wireless network driver
ath_hal(4) - Atheros Hardware Access Layer (HAL)</programlisting>
<para>準備好硬體清單之後,參考該清單來確認已安裝的硬體驅動程式在編輯自訂核心設定時沒有被移除。</para> <para>準備好硬體清單之後,參考該清單來確認已安裝的硬體驅動程式在編輯自訂核心設定時沒有被移除。</para>
</sect1> </sect1>
<sect1 xml:id="kernelconfig-config"> <sect1 xml:id="kernelconfig-config">
<!-- <!--
<sect1info> <sect1info>
<authorgroup> <authorgroup>
<author> <author>
▲ Show 20 LinesShow All 2,022 Lines▼ Show 20 Lines <sect1 xml:id="linuxemu-lbc-install">
<screen xml:lang="en"><prompt>%</prompt> <userinput>kldstat</userinput> <screen xml:lang="en"><prompt>%</prompt> <userinput>kldstat</userinput>
Id Refs Address Size Name Id Refs Address Size Name
1 2 0xc0100000 16bdb8 kernel 1 2 0xc0100000 16bdb8 kernel
7 1 0xc24db000 d000 linux.ko</screen> 7 1 0xc24db000 d000 linux.ko</screen>
<para>在 FreeBSD 安裝基本的 <trademark class="registered">Linux</trademark> 程式庫和 Binary 最簡單的方式是安裝 <package>emulators/linux_base-c6</package> 套件或是 Port 。要安裝 Port:</para> <para>在 FreeBSD 安裝基本的 <trademark class="registered">Linux</trademark> 程式庫和 Binary 最簡單的方式是安裝 <package>emulators/linux_base-c6</package> 套件或是 Port 。要安裝 Port:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>printf "compat.linux.osrelease=2.6.18\n" &gt;&gt; /etc/sysctl.conf</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install emulators/linux_base-c6</userinput></screen>
<prompt>#</prompt> <userinput>sysctl compat.linux.osrelease=2.6.18</userinput>
<prompt>#</prompt> <userinput>pkg install emulators/linux_base-c6</userinput></screen>
<para>要在開機時開啟 <trademark class="registered">Linux</trademark> 相容性,可以加入這行到 <filename>/etc/rc.conf</filename>:</para> <para>要在開機時開啟 <trademark class="registered">Linux</trademark> 相容性,可以加入這行到 <filename>/etc/rc.conf</filename>:</para>
<programlisting xml:lang="en">linux_enable="YES"</programlisting> <programlisting xml:lang="en">linux_enable="YES"</programlisting>
<para>在 64-位元的機器上,<filename>/etc/rc.d/abi</filename> 會自動載入用來做 64-位元模擬的模組。</para> <para>在 64-位元的機器上,<filename>/etc/rc.d/abi</filename> 會自動載入用來做 64-位元模擬的模組。</para>
<indexterm><primary>核心選項</primary> <secondary>COMPAT_LINUX</secondary></indexterm> <indexterm><primary>核心選項</primary> <secondary>COMPAT_LINUX</secondary></indexterm>
<para>想要靜態連結 <trademark class="registered">Linux</trademark> Binary 相容性到自訂核心的使用者應加入 <literal>options COMPAT_LINUX</literal> 到自訂核心設定檔。 編譯並安裝新核心的方法,如 <xref linkend="kernelconfig"/> 所述。</para> <para xml:lang="en">Since the Linux binary compatibility layer has gained support
for running both 32- and 64-bit Linux binaries (on 64-bit x86 hosts),
it is no longer possible to link the emulation functionality statically
into a custom kernel.</para>
<sect2 xml:id="linuxemu-libs-manually"> <sect2 xml:id="linuxemu-libs-manually">
<title>手動安裝其他程式庫</title> <title>手動安裝其他程式庫</title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>shared libraries</primary> <primary>shared libraries</primary>
</indexterm> </indexterm>
▲ Show 20 LinesShow All 1,231 Lines▼ Show 20 Lines </author>
<para>這裡使用了兩種類型的設定檔:其一是系統 crontab,系統 crontab 不應該被修改,其二為使用者 crontab,使用者 crontab 可以依需要建立與編輯。這兩種檔案的格式在 <citerefentry><refentrytitle>crontab</refentrytitle><manvolnum>5</manvolnum></citerefentry> 有說明。系統 crontab <filename>/etc/crontab</filename> 的格式含有在使用者 crontab 所沒有的 <literal>who</literal> 欄位,在系統 crontab,<application>cron</application> 會依據該欄位所指定的使用者來執行指令,而在使用者 crontab,會以建立 crontab 的使用者來執行指令。</para> <para>這裡使用了兩種類型的設定檔:其一是系統 crontab,系統 crontab 不應該被修改,其二為使用者 crontab,使用者 crontab 可以依需要建立與編輯。這兩種檔案的格式在 <citerefentry><refentrytitle>crontab</refentrytitle><manvolnum>5</manvolnum></citerefentry> 有說明。系統 crontab <filename>/etc/crontab</filename> 的格式含有在使用者 crontab 所沒有的 <literal>who</literal> 欄位,在系統 crontab,<application>cron</application> 會依據該欄位所指定的使用者來執行指令,而在使用者 crontab,會以建立 crontab 的使用者來執行指令。</para>
<para>使用者 crontab 讓個別使用者可以安排自己的工作,<systemitem class="username">root</systemitem> 使用者也可有自己的使用者 <filename>crontab</filename> 來安排不在系統 <filename>crontab</filename> 中的工作。</para> <para>使用者 crontab 讓個別使用者可以安排自己的工作,<systemitem class="username">root</systemitem> 使用者也可有自己的使用者 <filename>crontab</filename> 來安排不在系統 <filename>crontab</filename> 中的工作。</para>
<para>以下為系統 crontab <filename>/etc/crontab</filename> 的範例項目:</para> <para>以下為系統 crontab <filename>/etc/crontab</filename> 的範例項目:</para>
<programlisting xml:lang="en"># /etc/crontab - root's crontab for FreeBSD <programlisting xml:lang="en"># /etc/crontab - root's crontab for FreeBSD
# #
# $FreeBSD$ # <phrase its:translate="no">$FreeBSD$</phrase>
# <co xml:id="co-comments"/> # <co xml:id="co-comments"/>
SHELL=/bin/sh SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin <co xml:id="co-env"/> PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin <co xml:id="co-env"/>
# #
#minute hour mday month wday who command <co xml:id="co-field-descr"/> #minute hour mday month wday who command <co xml:id="co-field-descr"/>
# #
*/5 * * * * root /usr/libexec/atrun <co xml:id="co-main"/></programlisting> */5 * * * * root /usr/libexec/atrun <co xml:id="co-main"/></programlisting>
▲ Show 20 LinesShow All 581 Lines▼ Show 20 Lines <sect2>
<title>設定本地日誌</title> <title>設定本地日誌</title>
<indexterm xml:lang="en"><primary>syslog.conf</primary></indexterm> <indexterm xml:lang="en"><primary>syslog.conf</primary></indexterm>
<para>設定檔 <filename>/etc/syslog.conf</filename> 控制 <application>syslogd</application> 收到日誌項目時要做的事情,有數個參數可以用來控制接收到事件時的處理方式。<firstterm>設施 (facility)</firstterm> 用來描述記錄產生訊息的子系統 (subsystem),如核心或者 Daemon,而 <firstterm>層級 (level)</firstterm> 用來描述所發生的事件嚴重性。也可以依據應用程式所發出的訊息及產生日誌事件機器的主機名稱來決定後續處置的動作。</para> <para>設定檔 <filename>/etc/syslog.conf</filename> 控制 <application>syslogd</application> 收到日誌項目時要做的事情,有數個參數可以用來控制接收到事件時的處理方式。<firstterm>設施 (facility)</firstterm> 用來描述記錄產生訊息的子系統 (subsystem),如核心或者 Daemon,而 <firstterm>層級 (level)</firstterm> 用來描述所發生的事件嚴重性。也可以依據應用程式所發出的訊息及產生日誌事件機器的主機名稱來決定後續處置的動作。</para>
<para>此設定檔中一行代表一個動作,每一行的格式皆為一個選擇器欄位 (Selector field) 接著一個動作欄位 (Action field)。選擇器欄位的格式為 <replaceable>facility.level</replaceable> 可以用來比對來自 <replaceable>facility</replaceable> 於層級 <replaceable>level</replaceable> 或更高層的日誌訊息,也可以在層級前加入選擇性的比對旗標來更確切的指定記錄的內容。同樣一個動作可以使用多個選擇器欄位並使用分號 (<literal>;</literal>) 來分隔。用 <literal>*</literal> 可以比對任何東西。動作欄位可用來指定傳送日誌訊息的目標,如一個檔案或遠端日誌主機。範例為以下為 FreeBSD 預設的 <filename>syslog.conf</filename>:</para> <para>此設定檔中一行代表一個動作,每一行的格式皆為一個選擇器欄位 (Selector field) 接著一個動作欄位 (Action field)。選擇器欄位的格式為 <replaceable>facility.level</replaceable> 可以用來比對來自 <replaceable>facility</replaceable> 於層級 <replaceable>level</replaceable> 或更高層的日誌訊息,也可以在層級前加入選擇性的比對旗標來更確切的指定記錄的內容。同樣一個動作可以使用多個選擇器欄位並使用分號 (<literal>;</literal>) 來分隔。用 <literal>*</literal> 可以比對任何東西。動作欄位可用來指定傳送日誌訊息的目標,如一個檔案或遠端日誌主機。範例為以下為 FreeBSD 預設的 <filename>syslog.conf</filename>:</para>
<programlisting xml:lang="en"># $FreeBSD$ <programlisting xml:lang="en"># <phrase its:translate="no">$FreeBSD$</phrase>
# #
# Spaces ARE valid field separators in this file. However, # Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field # other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you # separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here. # may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage. # Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit /dev/console *.err;kern.warning;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
▲ Show 20 LinesShow All 63 Lines▼ Show 20 Lines <sect2>
<indexterm xml:lang="en"><primary>log rotation</primary></indexterm> <indexterm xml:lang="en"><primary>log rotation</primary></indexterm>
<indexterm xml:lang="en"><primary>log management</primary></indexterm> <indexterm xml:lang="en"><primary>log management</primary></indexterm>
<para>日誌檔案會成長的非常快速,這會消耗磁碟空間並且會更難在日誌中找到有用的資訊,日誌管理便是為了嘗試減緩這種問題。在 FreeBSD 可以使用 <application>newsyslog</application> 來管理日誌檔案,這個內建的程式會定期翻轉 (Rotate) 與壓縮日誌檔案,並且可選擇性的建立遺失的日誌檔案並在日誌檔案被移動位置時通知程式。日誌檔案可能會由 <application>syslogd</application> 產生或由其他任何會產生日誌檔案的程式。<application>newsyslog</application> 正常會由 <citerefentry><refentrytitle>cron</refentrytitle><manvolnum>8</manvolnum></citerefentry> 來執行,它並非一個系統 Daemon,預設會每個小時執行一次。</para> <para>日誌檔案會成長的非常快速,這會消耗磁碟空間並且會更難在日誌中找到有用的資訊,日誌管理便是為了嘗試減緩這種問題。在 FreeBSD 可以使用 <application>newsyslog</application> 來管理日誌檔案,這個內建的程式會定期翻轉 (Rotate) 與壓縮日誌檔案,並且可選擇性的建立遺失的日誌檔案並在日誌檔案被移動位置時通知程式。日誌檔案可能會由 <application>syslogd</application> 產生或由其他任何會產生日誌檔案的程式。<application>newsyslog</application> 正常會由 <citerefentry><refentrytitle>cron</refentrytitle><manvolnum>8</manvolnum></citerefentry> 來執行,它並非一個系統 Daemon,預設會每個小時執行一次。</para>
<para><application>newsyslog</application> 會讀取其設定檔 <filename>/etc/newsyslog.conf</filename> 來決定其要採取的動作,每個要由 <application>newsyslog</application> 所管理的日誌檔案會在此設定檔中設定一行,每一行要說明檔案的擁有者、權限、何時要翻轉該檔案、選用的日誌翻轉旗標,如:壓縮,以及日誌翻轉時要通知的程式。以下為 FreeBSD 的預設設定:</para> <para><application>newsyslog</application> 會讀取其設定檔 <filename>/etc/newsyslog.conf</filename> 來決定其要採取的動作,每個要由 <application>newsyslog</application> 所管理的日誌檔案會在此設定檔中設定一行,每一行要說明檔案的擁有者、權限、何時要翻轉該檔案、選用的日誌翻轉旗標,如:壓縮,以及日誌翻轉時要通知的程式。以下為 FreeBSD 的預設設定:</para>
<programlisting xml:lang="en"># configuration file for newsyslog <programlisting xml:lang="en"># configuration file for newsyslog
# $FreeBSD$ # <phrase its:translate="no">$FreeBSD$</phrase>
# #
# Entries which do not specify the '/pid_file' field will cause the # Entries which do not specify the '/pid_file' field will cause the
# syslogd process to be signalled when that log file is rotated. This # syslogd process to be signalled when that log file is rotated. This
# action is only appropriate for log files which are written to by the # action is only appropriate for log files which are written to by the
# syslogd process (ie, files listed in /etc/syslog.conf). If there # syslogd process (ie, files listed in /etc/syslog.conf). If there
# is no process which needs to be signalled when a given log file is # is no process which needs to be signalled when a given log file is
# rotated, then the entry for that file should include the 'N' flag. # rotated, then the entry for that file should include the 'N' flag.
# #
▲ Show 20 LinesShow All 400 Lines▼ Show 20 Lines <para>當使用 <acronym>DHCP</acronym> 時,<citerefentry><refentrytitle>dhclient</refentrytitle><manvolnum>8</manvolnum></citerefentry> 通常會使用從 <acronym>DHCP</acronym> 伺服器所接收到的資訊覆寫 <filename>/etc/resolv.conf</filename>。</para>
<sect3> <sect3>
<title xml:lang="en"><filename>/etc/hosts</filename></title> <title xml:lang="en"><filename>/etc/hosts</filename></title>
<indexterm xml:lang="en"><primary>hosts</primary></indexterm> <indexterm xml:lang="en"><primary>hosts</primary></indexterm>
<para><filename>/etc/hosts</filename> 是簡單的文字資料庫,會與 <acronym>DNS</acronym> 及 <acronym>NIS</acronym> 一併使用來提供主機名稱與 <acronym>IP</acronym> 位址的對應。可將透過 <acronym>LAN</acronym> 所連結的在地電腦項目加入到這個檔案做最簡單的命名,來替代設定一個 <citerefentry><refentrytitle>named</refentrytitle><manvolnum>8</manvolnum></citerefentry> 伺服器。除此之外 <filename>/etc/hosts</filename> 可以用來提供本地的網際網路名稱記錄,來減少常用名稱向外部 <acronym>DNS</acronym> 伺服器查詢的需求。</para> <para><filename>/etc/hosts</filename> 是簡單的文字資料庫,會與 <acronym>DNS</acronym> 及 <acronym>NIS</acronym> 一併使用來提供主機名稱與 <acronym>IP</acronym> 位址的對應。可將透過 <acronym>LAN</acronym> 所連結的在地電腦項目加入到這個檔案做最簡單的命名,來替代設定一個 <citerefentry><refentrytitle>named</refentrytitle><manvolnum>8</manvolnum></citerefentry> 伺服器。除此之外 <filename>/etc/hosts</filename> 可以用來提供本地的網際網路名稱記錄,來減少常用名稱向外部 <acronym>DNS</acronym> 伺服器查詢的需求。</para>
<programlisting xml:lang="en"># $FreeBSD$ <programlisting xml:lang="en"># <phrase its:translate="no">$FreeBSD$</phrase>
# #
# #
# Host Database # Host Database
# #
# This file should contain the addresses and aliases for local hosts that # This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your # share this file. Replace 'my.domain' below with the domainname of your
# machine. # machine.
# #
▲ Show 20 LinesShow All 2,182 Lines▼ Show 20 LinesEnter new password:</screen>
<para>如這個例子,有效日期的格式為天、月以及年。要取得更多資訊可參考 <citerefentry><refentrytitle>pw</refentrytitle><manvolnum>8</manvolnum></citerefentry>。</para> <para>如這個例子,有效日期的格式為天、月以及年。要取得更多資訊可參考 <citerefentry><refentrytitle>pw</refentrytitle><manvolnum>8</manvolnum></citerefentry>。</para>
</sect2> </sect2>
<sect2 xml:id="security-rkhunter"> <sect2 xml:id="security-rkhunter">
<title>偵測 Root 工具 (Rootkit)</title> <title>偵測 Root 工具 (Rootkit)</title>
<para><firstterm>rootkit</firstterm> 指的是嘗試未經授權取得系統 <systemitem class="username">root</systemitem> 存取權的軟體。一旦安裝之後,這個惡意軟體將可以光明正大的開啟給另一個給攻擊者進入的大門。現實上,一但系統已被 rootkit 滲透且執行了搜索動作之後,該系統就應該從頭重新安裝,因為即使非常謹真的資安或系統工程式也可能會遺漏攻擊者留下的動西。</para> <para><firstterm>rootkit</firstterm> 指的是嘗試未經授權取得系統 <systemitem class="username">root</systemitem> 存取權的軟體。一旦安裝之後,這個惡意軟體將可以光明正大的開啟給另一個給攻擊者進入的大門。現實上,一但系統已被 rootkit 滲透且執行了搜索動作之後,該系統就應該從頭重新安裝,因為即使非常謹真的資安或系統工程式也可能會遺漏攻擊者留下的動西。</para>
<para>rootkit 所做過的事可提供管理者一個非常有用的資訊:一但偵測到,便代表某處已經被滲透,但這類的應用程式躲藏的非常好,本節將會示範一個可以用來偵測 rootkit 的工具,<package>security/rkhunter</package>。</para> <para>rootkit 對管理者而言唯一有幫助的是:一但偵測到,便代表某處已經被滲透,但這類的應用程式躲藏的非常好,本節將會示範一個可以用來偵測 rootkit 的工具,<package>security/rkhunter</package>。</para>
<para>安裝此套件或 Port 之後,系統便可使用以下指令檢查。該指令提供許多資訊且會需要手動按下 <keycap>ENTER</keycap> 確認:</para> <para>安裝此套件或 Port 之後,系統便可使用以下指令檢查。該指令提供許多資訊且會需要手動按下 <keycap>ENTER</keycap> 確認:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>rkhunter -c</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>rkhunter -c</userinput></screen>
<para>該程序完成之後,目前狀態的訊息便會顯示在畫面上。這個訊息包含了已檢查過多少檔案、可疑的檔案、可能的 rootkit 以及其他更多資訊。在檢查的過程中,可能會產生一些有關隱藏檔案、<application>OpenSSH</application> 通訊協定選擇及已安裝軟體已知漏洞版本的通用的安全性警告、這些問題可以立即處理或在更詳細的分析之後再處理。</para> <para>該程序完成之後,目前狀態的訊息便會顯示在畫面上。這個訊息包含了已檢查過多少檔案、可疑的檔案、可能的 rootkit 以及其他更多資訊。在檢查的過程中,可能會產生一些有關隱藏檔案、<application>OpenSSH</application> 通訊協定選擇及已安裝軟體已知漏洞版本的通用的安全性警告、這些問題可以立即處理或在更詳細的分析之後再處理。</para>
<para>每位管理者應了解在系統上執行了那些程式以及這些程式的用途。第三方工具如 <application>rkhunter</application> 與 <package>sysutils/lsof</package> 以及原生指令如 <command>netstat</command> 與 <command>ps</command> 可以系統上大量的資訊,記錄下那一些是正常的,當有不適當的程式出現時提出疑問,然後找出答案。雖然理想要避免滲透,但也必須偵測是否已被滲透了。</para> <para>每位管理者應了解在系統上執行了那些程式以及這些程式的用途。第三方工具如 <application>rkhunter</application> 與 <package>sysutils/lsof</package> 以及原生指令如 <command>netstat</command> 與 <command>ps</command> 可以系統上大量的資訊,記錄下那一些是正常的,當有不適當的程式出現時提出疑問,然後找出答案。雖然理想要避免滲透,但也必須偵測是否已被滲透了。</para>
▲ Show 20 LinesShow All 748 Lines▼ Show 20 Lineskadmin&gt;<userinput> exit</userinput></screen>
<citerefentry><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, which supports <citerefentry><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, which supports
<application>Kerberos</application> via the <application>Kerberos</application> via the
<acronym>GSS-API</acronym>. In <acronym>GSS-API</acronym>. In
<filename>/etc/ssh/sshd_config</filename>, add the <filename>/etc/ssh/sshd_config</filename>, add the
line:</para> line:</para>
<programlisting xml:lang="en">GSSAPIAuthentication yes</programlisting> <programlisting xml:lang="en">GSSAPIAuthentication yes</programlisting>
<para xml:lang="en">After making this change, <citerefentry><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> must be restared <para>做完了這個變更之後,必須重新啟動 <citerefentry><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> 來使新的設定值生效:<command>service sshd restart</command>。</para>
for the new configuration to take effect:
<command>service sshd restart</command>.</para>
</sect2> </sect2>
<sect2> <sect2>
<title>設定客戶端使用 <application>Kerberos</application></title> <title>設定客戶端使用 <application>Kerberos</application></title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>Kerberos5</primary> <primary>Kerberos5</primary>
<secondary>configure clients</secondary> <secondary>configure clients</secondary>
▲ Show 20 LinesShow All 652 Lines▼ Show 20 Lines <para xml:lang="en"><acronym>IPsec</acronym> supports two modes of operation.
The first mode, <firstterm>Transport Mode</firstterm>, protects The first mode, <firstterm>Transport Mode</firstterm>, protects
communications between two hosts. The second mode, communications between two hosts. The second mode,
<firstterm>Tunnel Mode</firstterm>, is used to build virtual <firstterm>Tunnel Mode</firstterm>, is used to build virtual
tunnels, commonly known as Virtual Private Networks tunnels, commonly known as Virtual Private Networks
(<acronym>VPN</acronym>s). Consult <citerefentry><refentrytitle>ipsec</refentrytitle><manvolnum>4</manvolnum></citerefentry> for detailed (<acronym>VPN</acronym>s). Consult <citerefentry><refentrytitle>ipsec</refentrytitle><manvolnum>4</manvolnum></citerefentry> for detailed
information on the <acronym>IPsec</acronym> subsystem in information on the <acronym>IPsec</acronym> subsystem in
FreeBSD.</para> FreeBSD.</para>
<para xml:lang="en">To add <acronym>IPsec</acronym> support to the kernel, add <para>在 FreeBSD 11 與之後的版本預設會開啟 <acronym>IPsec</acronym> 功能,先前版本的 FreeBSD 可在自訂核心設定檔中加入以下選項然後依 <xref linkend="kernelconfig"/> 的指示來重新編譯核心:</para>
the following options to the custom kernel configuration file
and rebuild the kernel using the instructions in <xref linkend="kernelconfig"/>:</para>
<indexterm><primary>核心選項</primary> <secondary>IPSEC</secondary></indexterm> <indexterm><primary>核心選項</primary> <secondary>IPSEC</secondary></indexterm>
<screen xml:lang="en">options IPSEC #IP security <screen xml:lang="en">options IPSEC #IP security
device crypto</screen> device crypto</screen>
<indexterm><primary>核心選項</primary> <secondary>IPSEC_DEBUG</secondary></indexterm> <indexterm><primary>核心選項</primary> <secondary>IPSEC_DEBUG</secondary></indexterm>
▲ Show 20 LinesShow All 112 Lines▼ Show 20 Linesround-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms</programlisting>
<para xml:lang="en">As expected, both sides have the ability to send and <para xml:lang="en">As expected, both sides have the ability to send and
receive <acronym>ICMP</acronym> packets from the privately receive <acronym>ICMP</acronym> packets from the privately
configured addresses. Next, both gateways must be told how to configured addresses. Next, both gateways must be told how to
route packets in order to correctly send traffic from either route packets in order to correctly send traffic from either
network. The following commands will achieve this network. The following commands will achieve this
goal:</para> goal:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>corp-net# route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput> <screen xml:lang="en">corp-net<prompt>#</prompt> <userinput>route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput>
<prompt>#</prompt> <userinput>corp-net# route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput> corp-net<prompt>#</prompt> <userinput>route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput>
<prompt>#</prompt> <userinput>priv-net# route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput> priv-net<prompt>#</prompt> <userinput>route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput>
<prompt>#</prompt> <userinput>priv-net# route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen> priv-net<prompt>#</prompt> <userinput>route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen>
<para xml:lang="en">At this point, internal machines should be reachable from <para xml:lang="en">At this point, internal machines should be reachable from
each gateway as well as from machines behind the gateways. each gateway as well as from machines behind the gateways.
Again, use <citerefentry><refentrytitle>ping</refentrytitle><manvolnum>8</manvolnum></citerefentry> to confirm:</para> Again, use <citerefentry><refentrytitle>ping</refentrytitle><manvolnum>8</manvolnum></citerefentry> to confirm:</para>
<programlisting xml:lang="en">corp-net# ping 10.0.0.8 <programlisting xml:lang="en">corp-net# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8): 56 data bytes PING 10.0.0.8 (10.0.0.8): 56 data bytes
64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms 64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms
▲ Show 20 LinesShow All 294 Lines▼ Show 20 Lines+----[SHA256]-----+</screen>
<para>不同版本 <application>OpenSSH</application> 的選項與檔案會不同,要避免發生問題請參考 <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>。</para> <para>不同版本 <application>OpenSSH</application> 的選項與檔案會不同,要避免發生問題請參考 <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>。</para>
<para>若使用了密碼,在每次連線到伺服器時都會提示使用者輸入密碼。要將 <acronym>SSH</acronym> 金鑰載入到記憶體並讓每次連線時不必再輸入密碼,可使用 <citerefentry><refentrytitle>ssh-agent</refentrytitle><manvolnum>1</manvolnum></citerefentry> 與 <citerefentry><refentrytitle>ssh-add</refentrytitle><manvolnum>1</manvolnum></citerefentry>。</para> <para>若使用了密碼,在每次連線到伺服器時都會提示使用者輸入密碼。要將 <acronym>SSH</acronym> 金鑰載入到記憶體並讓每次連線時不必再輸入密碼,可使用 <citerefentry><refentrytitle>ssh-agent</refentrytitle><manvolnum>1</manvolnum></citerefentry> 與 <citerefentry><refentrytitle>ssh-add</refentrytitle><manvolnum>1</manvolnum></citerefentry>。</para>
<para>認証可用 <command>ssh-agent</command> 來管理,只要將私鑰載入,<command>ssh-agent</command> 可用在執行其他應用程式,如 Shell 或視窗管理程式。</para> <para>認証可用 <command>ssh-agent</command> 來管理,只要將私鑰載入,<command>ssh-agent</command> 可用在執行其他應用程式,如 Shell 或視窗管理程式。</para>
<para>要在 Shell 使用 <command>ssh-agent</command>,使用 Shell 做為參數來啟動 <command>ssh-agent</command>。執行 <command>ssh-add</command> 來加入識別碼,然後輸入私鑰的密碼。使用者將可使用 <command>ssh</command> 連線到任何有安裝對應公鑰的主機,例如:</para> <para>要在 Shell 使用 <command>ssh-agent</command>,使用 Shell 做為參數來啟動 <command>ssh-agent</command>。執行 <command>ssh-add</command> 來加入識別碼,然後輸入私鑰的密碼。使用者將可使用 <command>ssh</command> 連線到任何有安裝對應公鑰的主機,例如:</para>
<screen xml:lang="en"><prompt>%</prompt> ssh-agent <replaceable>csh</replaceable> <screen xml:lang="en"><prompt>%</prompt> <userinput>ssh-agent <replaceable>csh</replaceable></userinput>
<prompt>%</prompt> ssh-add <prompt>%</prompt> <userinput>ssh-add</userinput>
Enter passphrase for key '/usr/home/user/.ssh/id_rsa': <co xml:id="co-ssh-agent-passphrase"/> Enter passphrase for key '/usr/home/user/.ssh/id_rsa': <co xml:id="co-ssh-agent-passphrase"/>
Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/user/.ssh/id_rsa) Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/user/.ssh/id_rsa)
<prompt>%</prompt></screen> <prompt>%</prompt></screen>
<calloutlist> <calloutlist>
<callout arearefs="co-ssh-agent-passphrase"> <callout arearefs="co-ssh-agent-passphrase">
<para>輸入金鑰的密碼。</para> <para>輸入金鑰的密碼。</para>
</callout> </callout>
▲ Show 20 LinesShow All 373 Lines▼ Show 20 Lines <author xml:lang="en"><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Contributed
<screen xml:lang="en"><prompt>#</prompt> <userinput>pkg audit -F</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>pkg audit -F</userinput></screen>
<para xml:lang="en"><application>pkg</application> displays messages <para xml:lang="en"><application>pkg</application> displays messages
any published vulnerabilities in installed packages:</para> any published vulnerabilities in installed packages:</para>
<programlisting xml:lang="en">Affected package: cups-base-1.1.22.0_1 <programlisting xml:lang="en">Affected package: cups-base-1.1.22.0_1
Type of problem: cups-base -- HPGL buffer overflow vulnerability. Type of problem: cups-base -- HPGL buffer overflow vulnerability.
Reference: &lt;http://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-0001020eed82.html&gt; Reference: &lt;https://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-0001020eed82.html&gt;
1 problem(s) in your installed packages found. 1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s) immediately.</programlisting> You are advised to update or deinstall the affected package(s) immediately.</programlisting>
<para xml:lang="en">By pointing a web browser to the displayed <para xml:lang="en">By pointing a web browser to the displayed
<acronym>URL</acronym>, an administrator may obtain more <acronym>URL</acronym>, an administrator may obtain more
information about the vulnerability. This will include the information about the vulnerability. This will include the
▲ Show 20 LinesShow All 123 Lines▼ Show 20 Lines
# gpg --verify bind-stable-9.patch.asc # gpg --verify bind-stable-9.patch.asc
b) Execute the following commands as root: b) Execute the following commands as root:
# cd /usr/src # cd /usr/src
# patch &lt; /path/to/patch # patch &lt; /path/to/patch
Recompile the operating system using buildworld and installworld as Recompile the operating system using buildworld and installworld as
described in &lt;URL:http://www.FreeBSD.org/handbook/makeworld.html&gt;. described in &lt;URL:https://www.FreeBSD.org/handbook/makeworld.html&gt;.
Restart the applicable daemons, or reboot the system. Restart the applicable daemons, or reboot the system.
3) To update your vulnerable system via a binary patch: 3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64 Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility: platforms can be updated via the freebsd-update(8) utility:
▲ Show 20 LinesShow All 6,377 Lines▼ Show 20 Lines </listitem>
</itemizedlist> </itemizedlist>
<indexterm xml:lang="en"><primary>livefs <indexterm xml:lang="en"><primary>livefs
<acronym>CD</acronym></primary></indexterm> <acronym>CD</acronym></primary></indexterm>
<para>在安全的地方保存這份列印結果與安裝媒體的複本,在緊急還原時可能會需要,接著開機進入安裝媒體並選擇 <literal>Live CD</literal> 以存取救援 Shell (Rescue shell),這個救援模式可以用來檢視目前系統的狀態,若有需要,可重新格式化磁碟然後自備份還原資料。</para> <para>在安全的地方保存這份列印結果與安裝媒體的複本,在緊急還原時可能會需要,接著開機進入安裝媒體並選擇 <literal>Live CD</literal> 以存取救援 Shell (Rescue shell),這個救援模式可以用來檢視目前系統的狀態,若有需要,可重新格式化磁碟然後自備份還原資料。</para>
<note> <note>
<para>FreeBSD/i386!10.3-RELEASE 的安裝媒體未含救援 Shell,針對該版本,可改自 <uri xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/10.3/FreeBSD-10.3-RELEASE-i386-livefs.iso">ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/10.3/FreeBSD-10.3-RELEASE-i386-livefs.iso</uri> 下載 <acronym>CD</acronym> 映像檔並燒錄。</para> <para>FreeBSD/i386!10.4-RELEASE 的安裝媒體未含救援 Shell,針對該版本,可改自 <uri xlink:href="ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/10.4/FreeBSD-10.4-RELEASE-i386-livefs.iso">ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/10.4/FreeBSD-10.4-RELEASE-i386-livefs.iso</uri> 下載 Livefs <acronym>CD</acronym> 映像檔並燒錄。</para>
</note> </note>
<para>然後,測試救援 Shell 下的備份。記錄下整個程序,將這份記錄隨媒體、列印結果、備份檔一併保存,這份記錄可以避免在緊張壓力下做緊急還原時因不慎造成備份的毀壞。</para> <para>然後,測試救援 Shell 下的備份。記錄下整個程序,將這份記錄隨媒體、列印結果、備份檔一併保存,這份記錄可以避免在緊張壓力下做緊急還原時因不慎造成備份的毀壞。</para>
<para>要再安全性一點,則可將最新的備份儲存在與實體電腦與磁碟機有一段明顯距離的遠端位置。</para> <para>要再安全性一點,則可將最新的備份儲存在與實體電腦與磁碟機有一段明顯距離的遠端位置。</para>
</sect2> </sect2>
</sect1> </sect1>
▲ Show 20 LinesShow All 532 Lines▼ Show 20 Lines <step>
<para xml:lang="en">A <application>gbde</application> partition must be <para xml:lang="en">A <application>gbde</application> partition must be
initialized before it can be used. This initialization initialized before it can be used. This initialization
needs to be performed only once. This command will open needs to be performed only once. This command will open
the default editor, in order to set various configuration the default editor, in order to set various configuration
options in a template. For use with the options in a template. For use with the
<acronym>UFS</acronym> file system, set the sector_size to <acronym>UFS</acronym> file system, set the sector_size to
2048:</para> 2048:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock</userinput># $FreeBSD$ <screen xml:lang="en"><prompt>#</prompt> <userinput>gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock</userinput>
# <phrase its:translate="no">$FreeBSD$</phrase>
# #
# Sector size is the smallest unit of data which can be read or written. # Sector size is the smallest unit of data which can be read or written.
# Making it too small decreases performance and decreases available space. # Making it too small decreases performance and decreases available space.
# Making it too large may prevent filesystems from working. 512 is the # Making it too large may prevent filesystems from working. 512 is the
# minimum and always safe. For UFS, use the fragment size # minimum and always safe. For UFS, use the fragment size
# #
sector_size = 2048 sector_size = 2048
[...]</screen> [...]</screen>
▲ Show 20 LinesShow All 415 Lines▼ Show 20 Lines <listitem>
<para xml:lang="en">The size of the blocks data is broken into before <para xml:lang="en">The size of the blocks data is broken into before
it is encrypted. Larger sector sizes increase it is encrypted. Larger sector sizes increase
performance at the cost of higher storage performance at the cost of higher storage
overhead. The recommended size is 4096 bytes.</para> overhead. The recommended size is 4096 bytes.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para xml:lang="en">This example configures an encryped swap partition using <para xml:lang="en">This example configures an encrypted swap partition using
the Blowfish algorithm with a key length of 128 bits and a the Blowfish algorithm with a key length of 128 bits and a
sectorsize of 4 kilobytes:</para> sectorsize of 4 kilobytes:</para>
<programlisting xml:lang="en"># Device Mountpoint FStype Options Dump Pass# <programlisting xml:lang="en"># Device Mountpoint FStype Options Dump Pass#
/dev/ada0s1b.eli none swap sw,ealgo=blowfish,keylen=128,sectorsize=4096 0 0</programlisting> /dev/ada0s1b.eli none swap sw,ealgo=blowfish,keylen=128,sectorsize=4096 0 0</programlisting>
</sect2> </sect2>
▲ Show 20 LinesShow All 3,191 Lines▼ Show 20 Lines <sect2 xml:id="zfs-zpool-online">
<para>可用的備援儲存池大小會受到每個 vdev 中容量最小的裝置限制。最小的裝置可以替換成較大的裝置,在更換 (<link linkend="zfs-zpool-replace">Replace</link>) 或修復 (<link linkend="zfs-term-resilver">Resilver</link>) 作業後,儲存池可以成長到該新裝置的可用容量。例如,要做一個 1 TB 磁碟機與一個 2 TB 磁碟機的鏡像,可用的空間會是 1 TB,當 1 TB 磁碟機備更換成另一個 2 TB 的磁碟機時,修復程序會複製既有的資料到新的磁碟機,由於現在兩個裝置都有 2 TB 的容量,所以鏡像的可用空間便會成長到 2 TB。</para> <para>可用的備援儲存池大小會受到每個 vdev 中容量最小的裝置限制。最小的裝置可以替換成較大的裝置,在更換 (<link linkend="zfs-zpool-replace">Replace</link>) 或修復 (<link linkend="zfs-term-resilver">Resilver</link>) 作業後,儲存池可以成長到該新裝置的可用容量。例如,要做一個 1 TB 磁碟機與一個 2 TB 磁碟機的鏡像,可用的空間會是 1 TB,當 1 TB 磁碟機備更換成另一個 2 TB 的磁碟機時,修復程序會複製既有的資料到新的磁碟機,由於現在兩個裝置都有 2 TB 的容量,所以鏡像的可用空間便會成長到 2 TB。</para>
<para>可以在每個裝置用 <command>zpool online -e</command> 來觸發擴充的動作,在擴充完所有裝置後,儲存池便可使用額外的空間。</para> <para>可以在每個裝置用 <command>zpool online -e</command> 來觸發擴充的動作,在擴充完所有裝置後,儲存池便可使用額外的空間。</para>
</sect2> </sect2>
<sect2 xml:id="zfs-zpool-import"> <sect2 xml:id="zfs-zpool-import">
<title>匯入與匯出儲存池</title> <title>匯入與匯出儲存池</title>
<para>儲存池在移動到其他系統之前需要做匯出 (<emphasis>Export</emphasis>),會卸載所有的資料集,然後標記每個裝置為已匯出,為了避免被其他磁碟子系統存取,因此仍會鎖定這些裝置。這個動作讓儲存池可以在支援 <acronym>ZFS</acronym> 的其他機器、其他作業系統做匯入 (<emphasis>Import</emphasis>),甚至是不同的硬體架構 (有一些注意事項,請參考 <citerefentry><refentrytitle>zpool</refentrytitle><manvolnum>8</manvolnum></citerefentry>)。當資料集有被開啟的檔案,可使用 <command> zpool export -f</command> 來強制匯出儲存池,使用這個指令需要小心,資料集是被強制卸載的,因此有可能造成在該資料集開啟檔案的應用程式發生無法預期的結果。</para> <para>儲存池在移動到其他系統之前需要做匯出 (<emphasis>Export</emphasis>),會卸載所有的資料集,然後標記每個裝置為已匯出,為了避免被其他磁碟子系統存取,因此仍會鎖定這些裝置。這個動作讓儲存池可以在支援 <acronym>ZFS</acronym> 的其他機器、其他作業系統做匯入 (<emphasis>Import</emphasis>),甚至是不同的硬體架構 (有一些注意事項,請參考 <citerefentry><refentrytitle>zpool</refentrytitle><manvolnum>8</manvolnum></citerefentry>)。當資料集有被開啟的檔案,可使用 <command>zpool export -f</command> 來強制匯出儲存池,使用這個指令需要小心,資料集是被強制卸載的,因此有可能造成在該資料集開啟檔案的應用程式發生無法預期的結果。</para>
<para>匯出未使用的儲存池:</para> <para>匯出未使用的儲存池:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zpool export mypool</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>zpool export mypool</userinput></screen>
<para>匯入儲存池會自動掛載資料集,若不想自動掛載,可以使用 <command>zpool import -N</command>。<command>zpool import -o</command> 可以設定在匯入時暫時使用的屬性。<command>zpool import altroot=</command> 允許匯入時指定基礎掛載點 (Base mount point) 來替換檔案系統根目錄。若儲存池先前用在不同的系統且不正常匯出,可能會需要使用 <command>zpool import -f</command> 來強制匯入。<command>zpool import -a</command> 會匯入所有沒有被其他系統使用的儲存池。</para> <para>匯入儲存池會自動掛載資料集,若不想自動掛載,可以使用 <command>zpool import -N</command>。<command>zpool import -o</command> 可以設定在匯入時暫時使用的屬性。<command>zpool import altroot=</command> 允許匯入時指定基礎掛載點 (Base mount point) 來替換檔案系統根目錄。若儲存池先前用在不同的系統且不正常匯出,可能會需要使用 <command>zpool import -f</command> 來強制匯入。<command>zpool import -a</command> 會匯入所有沒有被其他系統使用的儲存池。</para>
<para>列出所有可以匯入的儲存池:</para> <para>列出所有可以匯入的儲存池:</para>
▲ Show 20 LinesShow All 371 Lines▼ Show 20 Linestank custom:costcenter 1234 local</screen>
<para>要移除自訂屬性,可用 <command>zfs inherit</command> 加上 <option>-r</option>。若父資料集未定義任何自訂屬性,將會將該屬性完全移除 (更改動作仍會記錄於儲存池的歷史記錄)。</para> <para>要移除自訂屬性,可用 <command>zfs inherit</command> 加上 <option>-r</option>。若父資料集未定義任何自訂屬性,將會將該屬性完全移除 (更改動作仍會記錄於儲存池的歷史記錄)。</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zfs inherit -r <replaceable>custom</replaceable>:<replaceable>costcenter</replaceable> <replaceable>tank</replaceable></userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>zfs inherit -r <replaceable>custom</replaceable>:<replaceable>costcenter</replaceable> <replaceable>tank</replaceable></userinput>
<prompt>#</prompt> <userinput>zfs get <replaceable>custom</replaceable>:<replaceable>costcenter</replaceable> <replaceable>tank</replaceable></userinput> <prompt>#</prompt> <userinput>zfs get <replaceable>custom</replaceable>:<replaceable>costcenter</replaceable> <replaceable>tank</replaceable></userinput>
NAME PROPERTY VALUE SOURCE NAME PROPERTY VALUE SOURCE
tank custom:costcenter - - tank custom:costcenter - -
<prompt>#</prompt> <userinput>zfs get all <replaceable>tank</replaceable> | grep <replaceable>custom</replaceable>:<replaceable>costcenter</replaceable></userinput> <prompt>#</prompt> <userinput>zfs get all <replaceable>tank</replaceable> | grep <replaceable>custom</replaceable>:<replaceable>costcenter</replaceable></userinput>
<prompt>#</prompt></screen> <prompt>#</prompt></screen>
<sect3 xml:id="zfs-zfs-set-share">
<title>取得與設定共享屬性</title>
<para xml:lang="en">Two commonly used and useful dataset properties are the
<acronym>NFS</acronym> and <acronym>SMB</acronym> share
options. Setting these define if and how
<acronym>ZFS</acronym> datasets may be shared on the network.
At present, only setting sharing via <acronym>NFS</acronym> is
supported on FreeBSD. To get the current status of
a share, enter:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zfs get sharenfs <replaceable>mypool/usr/home</replaceable></userinput>
NAME PROPERTY VALUE SOURCE
mypool/usr/home sharenfs on local
<prompt>#</prompt> <userinput>zfs get sharesmb <replaceable>mypool/usr/home</replaceable></userinput>
NAME PROPERTY VALUE SOURCE
mypool/usr/home sharesmb off local</screen>
<para xml:lang="en">To enable sharing of a dataset, enter:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput> zfs set sharenfs=on <replaceable>mypool/usr/home</replaceable></userinput></screen>
<para xml:lang="en">It is also possible to set additional options for sharing
datasets through <acronym>NFS</acronym>, such as
<option>-alldirs</option>, <option>-maproot</option> and
<option>-network</option>. To set additional options to a
dataset shared through NFS, enter:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput> zfs set sharenfs="-alldirs,-maproot=<replaceable>root</replaceable>,-network=<replaceable>192.168.1.0/24</replaceable>" <replaceable>mypool/usr/home</replaceable></userinput></screen>
</sect3>
</sect2> </sect2>
<sect2 xml:id="zfs-zfs-snapshot"> <sect2 xml:id="zfs-zfs-snapshot">
<title>管理快照 (Snapshot)</title> <title>管理快照 (Snapshot)</title>
<para>快照 (<link linkend="zfs-term-snapshot">Snapshot</link>) 是 <acronym>ZFS</acronym> 最強大的功能之一。快照提供了資料集唯讀、單一時間點 (Point-in-Time) 的複製功能,使用了寫入時複製 (Copy-On-Write, <acronym>COW</acronym>) 的技術,可以透過保存在磁碟上的舊版資料快速的建立快照。若沒有快照存在,在資料被覆蓋或刪除時,便回收空間供未來使用。由於只記錄前一個版本與目前資料集的差異,因此快照可節省磁碟空間。快照只允許在整個資料集上使用,無法在各別檔案或目錄。當建立了一個資料集的快照時,便備份了所有內含的資料,這包含了檔案系統屬性、檔案、目錄、權限等等。第一次建立快照時只會使用到更改參照到資料區塊的空間,不會用到其他額外的空間。使用 <option>-r</option> 可以對使用同名的資料集及其所有子資料集的建立一個遞迴快照,提供一致且即時 (Moment-in-time) 的完整檔案系統快照功能,這對於那些彼此有相關或相依檔案存放在不同資料集的應用程式非常重要。不使用快照所備份的資料其實是分散不同時間點的。</para> <para>快照 (<link linkend="zfs-term-snapshot">Snapshot</link>) 是 <acronym>ZFS</acronym> 最強大的功能之一。快照提供了資料集唯讀、單一時間點 (Point-in-Time) 的複製功能,使用了寫入時複製 (Copy-On-Write, <acronym>COW</acronym>) 的技術,可以透過保存在磁碟上的舊版資料快速的建立快照。若沒有快照存在,在資料被覆蓋或刪除時,便回收空間供未來使用。由於只記錄前一個版本與目前資料集的差異,因此快照可節省磁碟空間。快照只允許在整個資料集上使用,無法在各別檔案或目錄。當建立了一個資料集的快照時,便備份了所有內含的資料,這包含了檔案系統屬性、檔案、目錄、權限等等。第一次建立快照時只會使用到更改參照到資料區塊的空間,不會用到其他額外的空間。使用 <option>-r</option> 可以對使用同名的資料集及其所有子資料集的建立一個遞迴快照,提供一致且即時 (Moment-in-time) 的完整檔案系統快照功能,這對於那些彼此有相關或相依檔案存放在不同資料集的應用程式非常重要。不使用快照所備份的資料其實是分散不同時間點的。</para>
<para><acronym>ZFS</acronym> 中的快照提供了多種功能,即使是在其他缺乏快照功能的檔案系統上。一個使用快照的典型例子是在安裝軟體或執行系統升級這種有風險的動作時,能有一個快速的方式可以備份檔案系統目前的狀態,若動作失敗,可以使用快照還原 (Roll back) 到與快照建立時相同的系統狀態,若升級成功,便可刪除快照來釋放空間。若沒有快照功能,升級失敗通常會需要使用備份來恢復 (Restore) 系統,而這個動作非常繁瑣、耗時且可能會需要停機一段時間系統無法使用。使用快照可以快速的還原,即使系統正在執行一般的運作,只而要短暫或甚至不需停機。能夠節省大量在有數 TB 的儲存系統上從備份複製所需資料的時間。快照並非要用來取代儲存池的完整備份,但可以用在快速且簡單的保存某個特定時間點的資料集。</para> <para><acronym>ZFS</acronym> 中的快照提供了多種功能,即使是在其他缺乏快照功能的檔案系統上。一個使用快照的典型例子是在安裝軟體或執行系統升級這種有風險的動作時,能有一個快速的方式可以備份檔案系統目前的狀態,若動作失敗,可以使用快照還原 (Roll back) 到與快照建立時相同的系統狀態,若升級成功,便可刪除快照來釋放空間。若沒有快照功能,升級失敗通常會需要使用備份來恢復 (Restore) 系統,而這個動作非常繁瑣、耗時且可能會需要停機一段時間系統無法使用。使用快照可以快速的還原,即使系統正在執行一般的運作,只而要短暫或甚至不需停機。能夠節省大量在有數 TB 的儲存系統上從備份複製所需資料的時間。快照並非要用來取代儲存池的完整備份,但可以用在快速且簡單的保存某個特定時間點的資料集。</para>
▲ Show 20 LinesShow All 132 Lines▼ Show 20 Lines+ /var/tmp/passwd</screen>
<para>在第一個範例中,因為 <command>rm</command> 操作不小心移除了預期外的資料,要還原到快照。</para> <para>在第一個範例中,因為 <command>rm</command> 操作不小心移除了預期外的資料,要還原到快照。</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zfs list -rt all <replaceable>mypool/var/tmp</replaceable></userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>zfs list -rt all <replaceable>mypool/var/tmp</replaceable></userinput>
NAME USED AVAIL REFER MOUNTPOINT NAME USED AVAIL REFER MOUNTPOINT
mypool/var/tmp 262K 93.2G 120K /var/tmp mypool/var/tmp 262K 93.2G 120K /var/tmp
mypool/var/tmp@my_recursive_snapshot 88K - 152K - mypool/var/tmp@my_recursive_snapshot 88K - 152K -
mypool/var/tmp@after_cp 53.5K - 118K - mypool/var/tmp@after_cp 53.5K - 118K -
mypool/var/tmp@diff_snapshot 0 - 120K - mypool/var/tmp@diff_snapshot 0 - 120K -
<prompt>%</prompt> <userinput>ls /var/tmp</userinput> <prompt>#</prompt> <userinput>ls /var/tmp</userinput>
passwd passwd.copy passwd passwd.copy vi.recover
<prompt>%</prompt> <userinput>rm /var/tmp/passwd*</userinput> <prompt>#</prompt> <userinput>rm /var/tmp/passwd*</userinput>
<prompt>%</prompt> <userinput>ls /var/tmp</userinput> <prompt>#</prompt> <userinput>ls /var/tmp</userinput>
vi.recover vi.recover</screen>
<prompt>%</prompt></screen>
<para>在此時,使用者發現到刪除了太多檔案並希望能夠還原。<acronym>ZFS</acronym> 提供了簡單的方可以取回檔案,便是使用還原 (Rollback),但這只在有定期對重要的資料使用快照時可用。要拿回檔案並從最後一次快照重新開始,可執行以下指令:</para> <para>在此時,使用者發現到刪除了太多檔案並希望能夠還原。<acronym>ZFS</acronym> 提供了簡單的方可以取回檔案,便是使用還原 (Rollback),但這只在有定期對重要的資料使用快照時可用。要拿回檔案並從最後一次快照重新開始,可執行以下指令:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zfs rollback <replaceable>mypool/var/tmp@diff_snapshot</replaceable></userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>zfs rollback <replaceable>mypool/var/tmp@diff_snapshot</replaceable></userinput>
<prompt>%</prompt> <userinput>ls /var/tmp</userinput> <prompt>#</prompt> <userinput>ls /var/tmp</userinput>
passwd passwd.copy vi.recover</screen> passwd passwd.copy vi.recover</screen>
<para>還原操作會將資料集還原為最後一次快照的狀態。這也可以還原到更早之前,有其他在其之後建立的快照。要這麼做時,<acronym>ZFS</acronym> 會發出這個警告:</para> <para>還原操作會將資料集還原為最後一次快照的狀態。這也可以還原到更早之前,有其他在其之後建立的快照。要這麼做時,<acronym>ZFS</acronym> 會發出這個警告:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zfs list -rt snapshot <replaceable>mypool/var/tmp</replaceable></userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>zfs list -rt snapshot <replaceable>mypool/var/tmp</replaceable></userinput>
AME USED AVAIL REFER MOUNTPOINT AME USED AVAIL REFER MOUNTPOINT
mypool/var/tmp@my_recursive_snapshot 88K - 152K - mypool/var/tmp@my_recursive_snapshot 88K - 152K -
mypool/var/tmp@after_cp 53.5K - 118K - mypool/var/tmp@after_cp 53.5K - 118K -
mypool/var/tmp@diff_snapshot 0 - 120K - mypool/var/tmp@diff_snapshot 0 - 120K -
<prompt>#</prompt> <userinput>zfs rollback <replaceable>mypool/var/tmp@my_recursive_snapshot</replaceable></userinput> <prompt>#</prompt> <userinput>zfs rollback <replaceable>mypool/var/tmp@my_recursive_snapshot</replaceable></userinput>
cannot rollback to 'mypool/var/tmp@my_recursive_snapshot': more recent snapshots exist cannot rollback to 'mypool/var/tmp@my_recursive_snapshot': more recent snapshots exist
use '-r' to force deletion of the following snapshots: use '-r' to force deletion of the following snapshots:
mypool/var/tmp@after_cp mypool/var/tmp@after_cp
mypool/var/tmp@diff_snapshot</screen> mypool/var/tmp@diff_snapshot</screen>
<para>這個警告是因在該快照與資料集的目前狀態之間有其他快照存在,然而使用者想要還原到該快照。要完成這樣的還原動作,必須刪除在這之間的快照,因為 <acronym>ZFS</acronym> 無法追蹤不同資料集狀態間的變更。在使用者未指定 <option>-r</option> 來確認這個動作前,<acronym>ZFS</acronym> 不會刪除受影響的快照。若確定要這麼做,那麼必須要知道會遺失所有在這之間的快照,然後可執行以下指令:</para> <para>這個警告是因在該快照與資料集的目前狀態之間有其他快照存在,然而使用者想要還原到該快照。要完成這樣的還原動作,必須刪除在這之間的快照,因為 <acronym>ZFS</acronym> 無法追蹤不同資料集狀態間的變更。在使用者未指定 <option>-r</option> 來確認這個動作前,<acronym>ZFS</acronym> 不會刪除受影響的快照。若確定要這麼做,那麼必須要知道會遺失所有在這之間的快照,然後可執行以下指令:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zfs rollback -r <replaceable>mypool/var/tmp@my_recursive_snapshot</replaceable></userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>zfs rollback -r <replaceable>mypool/var/tmp@my_recursive_snapshot</replaceable></userinput>
<prompt>#</prompt> <userinput>zfs list -rt snapshot <replaceable>mypool/var/tmp</replaceable></userinput> <prompt>#</prompt> <userinput>zfs list -rt snapshot <replaceable>mypool/var/tmp</replaceable></userinput>
NAME USED AVAIL REFER MOUNTPOINT NAME USED AVAIL REFER MOUNTPOINT
mypool/var/tmp@my_recursive_snapshot 8K - 152K - mypool/var/tmp@my_recursive_snapshot 8K - 152K -
<prompt>%</prompt> <userinput>ls /var/tmp</userinput> <prompt>#</prompt> <userinput>ls /var/tmp</userinput>
vi.recover</screen> vi.recover</screen>
<para>可從 <command>zfs list -t snapshot</command> 的結果來確認 <command>zfs rollback -r</command> 會移除的快照。</para> <para>可從 <command>zfs list -t snapshot</command> 的結果來確認 <command>zfs rollback -r</command> 會移除的快照。</para>
</sect3> </sect3>
<sect3 xml:id="zfs-zfs-snapshot-snapdir"> <sect3 xml:id="zfs-zfs-snapshot-snapdir">
<title>從快照還原個別檔案</title> <title>從快照還原個別檔案</title>
<para>快照會掛載在父資料集下的隱藏目錄:<filename>.zfs/snapshots/<replaceable>snapshotname</replaceable></filename>。預設不會顯示這些目錄,即使是用 <command>ls -a</command> 指令。雖然該目錄不會顯示,但該目錄實際存在,而且可以像一般的目錄一樣存取。一個名稱為 <literal>snapdir</literal> 的屬性可以控制是否在目錄清單中顯示這些隱藏目錄,設定該屬性為可見 (<literal>visible</literal>) 可以讓這些目錄出現在 <command>ls</command> 以及其他處理目錄內容的指令中。</para> <para>快照會掛載在父資料集下的隱藏目錄:<filename>.zfs/snapshots/<replaceable>snapshotname</replaceable></filename>。預設不會顯示這些目錄,即使是用 <command>ls -a</command> 指令。雖然該目錄不會顯示,但該目錄實際存在,而且可以像一般的目錄一樣存取。一個名稱為 <literal>snapdir</literal> 的屬性可以控制是否在目錄清單中顯示這些隱藏目錄,設定該屬性為可見 (<literal>visible</literal>) 可以讓這些目錄出現在 <command>ls</command> 以及其他處理目錄內容的指令中。</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zfs get snapdir <replaceable>mypool/var/tmp</replaceable></userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>zfs get snapdir <replaceable>mypool/var/tmp</replaceable></userinput>
NAME PROPERTY VALUE SOURCE NAME PROPERTY VALUE SOURCE
mypool/var/tmp snapdir hidden default mypool/var/tmp snapdir hidden default
<prompt>%</prompt> <userinput>ls -a /var/tmp</userinput> <prompt>#</prompt> <userinput>ls -a /var/tmp</userinput>
. .. passwd vi.recover . .. passwd vi.recover
<prompt>#</prompt> <userinput>zfs set snapdir=visible <replaceable>mypool/var/tmp</replaceable></userinput> <prompt>#</prompt> <userinput>zfs set snapdir=visible <replaceable>mypool/var/tmp</replaceable></userinput>
<prompt>%</prompt> <userinput>ls -a /var/tmp</userinput> <prompt>#</prompt> <userinput>ls -a /var/tmp</userinput>
. .. .zfs passwd vi.recover</screen> . .. .zfs passwd vi.recover</screen>
<para>要還原個別檔案到先前的狀態非常簡單,只要從快照中複製檔案到父資料集。在 <filename>.zfs/snapshot</filename> 目錄結構下有一個與先前所做的快照名稱相同的目錄,可以很容易的找到。在下個範例中,我們會示範從隱藏的 <filename>.zfs</filename> 目錄還原一個檔案,透過從含有該檔案的最新版快照複製:</para> <para>要還原個別檔案到先前的狀態非常簡單,只要從快照中複製檔案到父資料集。在 <filename>.zfs/snapshot</filename> 目錄結構下有一個與先前所做的快照名稱相同的目錄,可以很容易的找到。在下個範例中,我們會示範從隱藏的 <filename>.zfs</filename> 目錄還原一個檔案,透過從含有該檔案的最新版快照複製:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>rm /var/tmp/passwd</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>rm /var/tmp/passwd</userinput>
<prompt>%</prompt> <userinput>ls -a /var/tmp</userinput> <prompt>#</prompt> <userinput>ls -a /var/tmp</userinput>
. .. .zfs vi.recover . .. .zfs vi.recover
<prompt>#</prompt> <userinput>ls /var/tmp/.zfs/snapshot</userinput> <prompt>#</prompt> <userinput>ls /var/tmp/.zfs/snapshot</userinput>
after_cp my_recursive_snapshot after_cp my_recursive_snapshot
<prompt>#</prompt> <userinput>ls /var/tmp/.zfs/snapshot/<replaceable>after_cp</replaceable></userinput> <prompt>#</prompt> <userinput>ls /var/tmp/.zfs/snapshot/<replaceable>after_cp</replaceable></userinput>
passwd vi.recover passwd vi.recover
<prompt>#</prompt> <userinput>cp /var/tmp/.zfs/snapshot/<replaceable>after_cp/passwd</replaceable> <replaceable>/var/tmp</replaceable></userinput></screen> <prompt>#</prompt> <userinput>cp /var/tmp/.zfs/snapshot/<replaceable>after_cp/passwd</replaceable> <replaceable>/var/tmp</replaceable></userinput></screen>
<para>執行 <command>ls .zfs/snapshot</command> 時,雖然 <literal>snapdir</literal> 可能已經設為隱藏,但仍可能可以顯示該目錄中的內容,這取決於管理者是否要顯示這些目錄,可以只顯示特定的資料集,而其他的則不顯示。從這個隱藏的 <filename>.zfs/snapshot</filename> 複製檔案或目錄非常簡單,除此之外,嘗試其他的動作則會出現以下錯誤:</para> <para>執行 <command>ls .zfs/snapshot</command> 時,雖然 <literal>snapdir</literal> 可能已經設為隱藏,但仍可能可以顯示該目錄中的內容,這取決於管理者是否要顯示這些目錄,可以只顯示特定的資料集,而其他的則不顯示。從這個隱藏的 <filename>.zfs/snapshot</filename> 複製檔案或目錄非常簡單,除此之外,嘗試其他的動作則會出現以下錯誤:</para>
▲ Show 20 LinesShow All 169 Lines▼ Show 20 Lines <itemizedlist>
<listitem> <listitem>
<para>正常會需要 <systemitem class="username">root</systemitem> 的權限來傳送與接收串流,這需要可以 <systemitem class="username">root</systemitem> 登入到接收端系統。但是,預設因安全性考慮會關閉以 <systemitem class="username">root</systemitem> 登入。ZFS 委託 (<link linkend="zfs-zfs-allow">ZFS Delegation</link>) 系統可以用來允許一個非 <systemitem class="username">root</systemitem> 使用者在每個系統上執行各自的發送與接收操作。</para> <para>正常會需要 <systemitem class="username">root</systemitem> 的權限來傳送與接收串流,這需要可以 <systemitem class="username">root</systemitem> 登入到接收端系統。但是,預設因安全性考慮會關閉以 <systemitem class="username">root</systemitem> 登入。ZFS 委託 (<link linkend="zfs-zfs-allow">ZFS Delegation</link>) 系統可以用來允許一個非 <systemitem class="username">root</systemitem> 使用者在每個系統上執行各自的發送與接收操作。</para>
</listitem> </listitem>
<listitem> <listitem>
<para>在傳送端系統上:</para> <para>在傳送端系統上:</para>
<screen xml:lang="en"><prompt>#</prompt> <command>zfs allow -u someuser send,snapshot <replaceable>mypool</replaceable></command></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>zfs allow -u someuser send,snapshot <replaceable>mypool</replaceable></userinput></screen>
</listitem> </listitem>
<listitem> <listitem>
<para>要掛載儲存池,無權限的使用者必須擁有該目錄且必須允許一般的使用者掛載檔案系統。在接收端系統上:</para> <para>要掛載儲存池,無權限的使用者必須擁有該目錄且必須允許一般的使用者掛載檔案系統。在接收端系統上:</para>
<screen xml:lang="en"><prompt>#</prompt> sysctl vfs.usermount=1 <screen xml:lang="en"><prompt>#</prompt> <userinput>sysctl vfs.usermount=1</userinput>
vfs.usermount: 0 -&gt; 1 vfs.usermount: 0 -&gt; 1
<prompt>#</prompt> echo vfs.usermount=1 &gt;&gt; /etc/sysctl.conf <prompt>#</prompt> <userinput>sysrc -f /etc/sysctl.conf vfs.usermount=1</userinput>
<prompt>#</prompt> <userinput>zfs create <replaceable>recvpool/backup</replaceable></userinput> <prompt>#</prompt> <userinput>zfs create <replaceable>recvpool/backup</replaceable></userinput>
<prompt>#</prompt> <userinput>zfs allow -u <replaceable>someuser</replaceable> create,mount,receive <replaceable>recvpool/backup</replaceable></userinput> <prompt>#</prompt> <userinput>zfs allow -u <replaceable>someuser</replaceable> create,mount,receive <replaceable>recvpool/backup</replaceable></userinput>
<prompt>#</prompt> chown <replaceable>someuser</replaceable> <replaceable>/recvpool/backup</replaceable></screen> <prompt>#</prompt> <userinput>chown <replaceable>someuser</replaceable> <replaceable>/recvpool/backup</replaceable></userinput></screen>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>無權限的使用者現在有能力可以接收並掛載資料集,且 <replaceable>home</replaceable> 資料集可以被複製到遠端系統:</para> <para>無權限的使用者現在有能力可以接收並掛載資料集,且 <replaceable>home</replaceable> 資料集可以被複製到遠端系統:</para>
<screen xml:lang="en"><prompt>%</prompt> <userinput>zfs snapshot -r <replaceable>mypool/home</replaceable>@<replaceable>monday</replaceable></userinput> <screen xml:lang="en"><prompt>%</prompt> <userinput>zfs snapshot -r <replaceable>mypool/home</replaceable>@<replaceable>monday</replaceable></userinput>
<prompt>%</prompt> <userinput>zfs send -R <replaceable>mypool/home</replaceable>@<replaceable>monday</replaceable> | ssh <replaceable>someuser@backuphost</replaceable> zfs recv -dvu <replaceable>recvpool/backup</replaceable></userinput></screen> <prompt>%</prompt> <userinput>zfs send -R <replaceable>mypool/home</replaceable>@<replaceable>monday</replaceable> | ssh <replaceable>someuser@backuphost</replaceable> zfs recv -dvu <replaceable>recvpool/backup</replaceable></userinput></screen>
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Lines <sect2 xml:id="zfs-zfs-compression">
<screen xml:lang="en"><prompt>#</prompt> <userinput>zfs get used,compressratio,compression,logicalused <replaceable>mypool/compressed_dataset</replaceable></userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>zfs get used,compressratio,compression,logicalused <replaceable>mypool/compressed_dataset</replaceable></userinput>
NAME PROPERTY VALUE SOURCE NAME PROPERTY VALUE SOURCE
mypool/compressed_dataset used 449G - mypool/compressed_dataset used 449G -
mypool/compressed_dataset compressratio 1.11x - mypool/compressed_dataset compressratio 1.11x -
mypool/compressed_dataset compression lz4 local mypool/compressed_dataset compression lz4 local
mypool/compressed_dataset logicalused 496G -</screen> mypool/compressed_dataset logicalused 496G -</screen>
<para>資料集目前使用了 449!GB 的空間 (在 used 屬性)。在尚未壓縮前,該資料集應該會使用 496!GB 的空間 (於 <literal>logicallyused</literal> 屬性),這個結果顯示目前的壓縮比為 1.11:1。</para> <para>資料集目前使用了 449!GB 的空間 (在 used 屬性)。在尚未壓縮前,該資料集應該會使用 496!GB 的空間 (於 <literal>logicalused</literal> 屬性),這個結果顯示目前的壓縮比為 1.11:1。</para>
<para>壓縮功能在與使用者配額 (<link linkend="zfs-term-userquota">User Quota</link>) 一併使用時可能會產生無法預期的副作用。使用者配額會限制一個使用者在一個資料集上可以使用多少空間,但衡量的依據是以 <emphasis>壓縮後</emphasis> 所使用的空間,因此,若一個使用者有 10 GB 的配額,寫入了 10 GB 可壓縮的資料,使用者將還會有空間儲存額外的資料。若使用者在之後更新了一個檔案,例如一個資料庫,可能有更多或較少的可壓縮資料,那麼剩餘可用的空間量也會因此而改變,這可能會造成奇怪的現象便是,一個使用者雖然沒有增加實際的資料量 (於 <literal>logicalused</literal> 屬性),但因為更改影響了壓縮率,導致使用者達到配額的上限。</para> <para>壓縮功能在與使用者配額 (<link linkend="zfs-term-userquota">User Quota</link>) 一併使用時可能會產生無法預期的副作用。使用者配額會限制一個使用者在一個資料集上可以使用多少空間,但衡量的依據是以 <emphasis>壓縮後</emphasis> 所使用的空間,因此,若一個使用者有 10 GB 的配額,寫入了 10 GB 可壓縮的資料,使用者將還會有空間儲存額外的資料。若使用者在之後更新了一個檔案,例如一個資料庫,可能有更多或較少的可壓縮資料,那麼剩餘可用的空間量也會因此而改變,這可能會造成奇怪的現象便是,一個使用者雖然沒有增加實際的資料量 (於 <literal>logicalused</literal> 屬性),但因為更改影響了壓縮率,導致使用者達到配額的上限。</para>
<para>壓縮功能在與備份功能一起使用時也可能會有類似的問題,通常會使用配額功能來限制能夠儲存的資料量來確保有足夠的備份空間可用。但是由於配額功能並不會考量壓縮狀況,可能會有比未壓縮版本備份更多的資料量會被寫入到資料集。</para> <para>壓縮功能在與備份功能一起使用時也可能會有類似的問題,通常會使用配額功能來限制能夠儲存的資料量來確保有足夠的備份空間可用。但是由於配額功能並不會考量壓縮狀況,可能會有比未壓縮版本備份更多的資料量會被寫入到資料集。</para>
</sect2> </sect2>
<sect2 xml:id="zfs-zfs-deduplication"> <sect2 xml:id="zfs-zfs-deduplication">
<title>去重複 (Deduplication)</title> <title>去重複 (Deduplication)</title>
<para>當開啟,去重複 (<link linkend="zfs-term-deduplication">Deduplication</link>) 功能會使用每個資料區塊的校驗碼 (Checksum) 來偵測重複的資料區塊,當新的資料區塊與現有的資料區塊重複,<acronym>ZFS</acronym> 便會寫入連接到現有資料的參考來替代寫入重複的資料區塊,這在資料中有大量重複的檔案或資訊時可以節省大量的空間,要注意的是:去重複功能需要使用大量的記憶體且大部份可節省的空間可改開啟壓縮功能來達成,而壓縮功能不需要使用額外的記憶體。</para> <para>當開啟,去重複 (<link linkend="zfs-term-deduplication">Deduplication</link>) 功能會使用每個資料區塊的校驗碼 (Checksum) 來偵測重複的資料區塊,當新的資料區塊與現有的資料區塊重複,<acronym>ZFS</acronym> 便會寫入連接到現有資料的參考來替代寫入重複的資料區塊,這在資料中有大量重複的檔案或資訊時可以節省大量的空間,要注意的是:去重複功能需要使用大量的記憶體且大部份可節省的空間可改開啟壓縮功能來達成,而壓縮功能不需要使用額外的記憶體。</para>
<para>要開啟去重複功能,需在目標儲存池設定 <literal>dedup</literal> 屬性:</para> <para>要開啟去重複功能,需在目標儲存池設定 <literal>dedup</literal> 屬性:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zfs set dedup=on <replaceable>pool</replaceable></userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>zfs set dedup=on <replaceable>pool</replaceable></userinput></screen>
<para>只有要被寫入到儲存池的新資料才會做去重複的動作,先前已被寫入到儲存池的資料不會因此啟動了這個選項而做去重複。查看已開啟去重複屬性的儲存池會如下:</para> <para>只有要被寫入到儲存池的新資料才會做去重複的動作,先前已被寫入到儲存池的資料不會因此啟動了這個選項而做去重複。查看已開啟去重複屬性的儲存池會如下:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zpool list</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>zpool list</userinput>
NAME SIZE ALLOC FREE CAP DEDUP HEALTH ALTROOT NAME SIZE ALLOC FREE CAP DEDUP HEALTH ALTROOT
pool 2.84G 2.19M 2.83G 0% 1.00x ONLINE -</screen> pool 2.84G 2.19M 2.83G 0% 1.00x ONLINE -</screen>
<para><literal>DEDUP</literal> 欄位會顯示儲存池的實際去重複率,數值為 <literal>1.00x</literal> 代表資料尚未被去重複。在下一個例子會在前面所建立的去重複儲存池中複製三份 Port 樹到不同的目錄中。</para> <para><literal>DEDUP</literal> 欄位會顯示儲存池的實際去重複率,數值為 <literal>1.00x</literal> 代表資料尚未被去重複。在下一個例子會在前面所建立的去重複儲存池中複製三份 Port 樹到不同的目錄中。</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zpool list</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>for d in dir1 dir2 dir3; do</userinput>
for d in dir1 dir2 dir3; do &gt; <userinput>mkdir $d &amp;&amp; cp -R /usr/ports $d &amp;</userinput>
for&gt; mkdir $d &amp;&amp; cp -R /usr/ports $d &amp; &gt; <userinput>done</userinput></screen>
for&gt; done</screen>
<para>已經偵測到重複的資料並做去重複:</para> <para>已經偵測到重複的資料並做去重複:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zpool list</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>zpool list</userinput>
NAME SIZE ALLOC FREE CAP DEDUP HEALTH ALTROOT NAME SIZE ALLOC FREE CAP DEDUP HEALTH ALTROOT
pool 2.84G 20.9M 2.82G 0% 3.00x ONLINE -</screen> pool 2.84G 20.9M 2.82G 0% 3.00x ONLINE -</screen>
<para><literal>DEDUP</literal> 欄位顯示有 <literal>3.00x</literal> 的去重複率,這代表已偵測到多份複製的 Port 樹資料並做了去重複的動作,且只會使用第三份資料所佔的空間。去重複能節省空間的潛力可以非常巨大,但會需要消耗大量的記憶體來持續追蹤去重複的資料區塊。</para> <para><literal>DEDUP</literal> 欄位顯示有 <literal>3.00x</literal> 的去重複率,這代表已偵測到多份複製的 Port 樹資料並做了去重複的動作,且只會使用第三份資料所佔的空間。去重複能節省空間的潛力可以非常巨大,但會需要消耗大量的記憶體來持續追蹤去重複的資料區塊。</para>
▲ Show 20 LinesShow All 827 Lines▼ Show 20 Lines <para>This is a good section for those who transfer files, using
USB devices, from Windows to FreeBSD and vice-versa. My camera, USB devices, from Windows to FreeBSD and vice-versa. My camera,
and many other cameras I have seen default to using FAT16. There and many other cameras I have seen default to using FAT16. There
is (was?) a kde utility, I think called kamera, that could be used is (was?) a kde utility, I think called kamera, that could be used
to access camera devices. A section on this would be useful.</para> to access camera devices. A section on this would be useful.</para>
<para>XXXTR: Though! The disks chapter, covers a bit of this and <para>XXXTR: Though! The disks chapter, covers a bit of this and
devfs under it's USB devices. It leaves a lot to be desired though, devfs under it's USB devices. It leaves a lot to be desired though,
see: see:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/usb-disks.html https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/usb-disks.html
It may be better to flesh out that section a bit more. Add the It may be better to flesh out that section a bit more. Add the
word "camera" to it so that others can easily notice.</para> word "camera" to it so that others can easily notice.</para>
</sect1> </sect1>
<sect1> <sect1>
<title>Linux EXT File System</title> <title>Linux EXT File System</title>
<para>Probably NOT as useful as the other two, but it requires <para>Probably NOT as useful as the other two, but it requires
Show All 39 Lines <authorgroup>
<author xml:lang="en"> <author xml:lang="en">
<personname> <personname>
<firstname>Allan</firstname> <firstname>Allan</firstname>
<surname>Jude</surname> <surname>Jude</surname>
</personname> </personname>
<contrib>bhyve section by </contrib> <contrib>bhyve section by </contrib>
</author> </author>
</authorgroup> </authorgroup>
<authorgroup>
<author xml:lang="en">
<personname>
<firstname>Benedict</firstname>
<surname>Reuschling</surname>
</personname>
<contrib>Xen section by </contrib>
</author>
</authorgroup>
</info> </info>
<sect1 xml:id="virtualization-synopsis"> <sect1 xml:id="virtualization-synopsis">
<title>概述</title> <title>概述</title>
<para>虛擬化軟體可以讓同一台機器得以同時執行多種作業系統。在 <acronym>PC</acronym> 上的這類軟體系統通常涉及的角色有執行虛擬化軟體的主端 (Host) 作業系統以及數個安裝在其中的客端 (Guest) 作業系統。</para> <para>虛擬化軟體可以讓同一台機器得以同時執行多種作業系統。在 <acronym>PC</acronym> 上的這類軟體系統通常涉及的角色有執行虛擬化軟體的主端 (Host) 作業系統以及數個安裝在其中的客端 (Guest) 作業系統。</para>
<para>讀完這章,您將了解︰</para> <para>讀完這章,您將了解︰</para>
▲ Show 20 LinesShow All 598 Lines▼ Show 20 Linesperm vboxnetctl 0660</programlisting>
<screen xml:lang="en"><prompt>%</prompt> <userinput>VirtualBox</userinput></screen> <screen xml:lang="en"><prompt>%</prompt> <userinput>VirtualBox</userinput></screen>
<para>要取得更多有關設定與使用 <application><trademark>VirtualBox</trademark></application> 的資訊,請參考 <link xlink:href="http://www.virtualbox.org">官方網站</link>。供 FreeBSD 特定的資訊與疑難排解操作指示,可參考 <link xlink:href="http://wiki.FreeBSD.org/VirtualBox">FreeBSD wiki 中相關的頁面</link>。</para> <para>要取得更多有關設定與使用 <application><trademark>VirtualBox</trademark></application> 的資訊,請參考 <link xlink:href="http://www.virtualbox.org">官方網站</link>。供 FreeBSD 特定的資訊與疑難排解操作指示,可參考 <link xlink:href="http://wiki.FreeBSD.org/VirtualBox">FreeBSD wiki 中相關的頁面</link>。</para>
</sect2> </sect2>
<sect2 xml:id="virtualization-virtualbox-usb-support"> <sect2 xml:id="virtualization-virtualbox-usb-support">
<title><trademark>VirtualBox</trademark> USB 支援</title> <title><trademark>VirtualBox</trademark> USB 支援</title>
<para><application><trademark>VirtualBox</trademark></application> 擴充包目前不支援 FreeBSD 主端系統,沒有這個擴充包,FreeBSD 主端系統無法傳遞 <acronym>USB</acronym> 埠給客端作業系統。</para> <para xml:lang="en"><application><trademark>VirtualBox</trademark></application> can be configured
to pass <acronym>USB</acronym> devices through to the guest
operating system. The host controller of the OSE version is
limited to emulating <acronym>USB</acronym> 1.1 devices until
the extension pack supporting <acronym>USB</acronym> 2.0 and 3.0
devices becomes available on FreeBSD.</para>
<para xml:lang="en">For <application><trademark>VirtualBox</trademark></application> to be
aware of <acronym>USB</acronym> devices attached to the
machine, the user needs to be a member of the <systemitem class="groupname">operator</systemitem> group.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>pw groupmod operator -m <replaceable>yourusername</replaceable></userinput></screen>
<para>重新啟動登作階段與 <application><trademark>VirtualBox</trademark></application> 來讓這些變更生效,且建立必要的 <acronym>USB</acronym> 的過濾器。</para>
</sect2> </sect2>
<sect2 xml:id="virtualization-virtualbox-host-dvd-cd-access"> <sect2 xml:id="virtualization-virtualbox-host-dvd-cd-access">
<title><trademark>VirtualBox</trademark> Host <acronym>DVD</acronym>/<acronym>CD</acronym> 存取</title> <title><trademark>VirtualBox</trademark> Host <acronym>DVD</acronym>/<acronym>CD</acronym> 存取</title>
<para>透過共享實體磁碟機可讓客端系統能夠存取主端系統的 <acronym>DVD</acronym>/<acronym>CD</acronym> 磁碟機。在 <trademark>VirtualBox</trademark> 中,這個功能可在虛擬機器設定中的儲存 (Storage) 視窗中設定。若需要,可先建立一個空的 <acronym>IDE</acronym> <acronym>CD</acronym>/<acronym>DVD</acronym> 裝置,然後在跳出的選單中選擇要做為虛擬 <acronym>CD</acronym>/<acronym>DVD</acronym> 磁碟機的主端磁碟機,此時會出現一個標籤為 <literal>Passthrough</literal> 的核選方塊,勾選這個核選方塊可讓虛擬機器直接使用該硬體,例如,音樂 <acronym>CD</acronym> 或燒錄機只會在有勾選此選項時能夠運作。</para> <para>透過共享實體磁碟機可讓客端系統能夠存取主端系統的 <acronym>DVD</acronym>/<acronym>CD</acronym> 磁碟機。在 <trademark>VirtualBox</trademark> 中,這個功能可在虛擬機器設定中的儲存 (Storage) 視窗中設定。若需要,可先建立一個空的 <acronym>IDE</acronym> <acronym>CD</acronym>/<acronym>DVD</acronym> 裝置,然後在跳出的選單中選擇要做為虛擬 <acronym>CD</acronym>/<acronym>DVD</acronym> 磁碟機的主端磁碟機,此時會出現一個標籤為 <literal>Passthrough</literal> 的核選方塊,勾選這個核選方塊可讓虛擬機器直接使用該硬體,例如,音樂 <acronym>CD</acronym> 或燒錄機只會在有勾選此選項時能夠運作。</para>
<para><application><trademark>VirtualBox</trademark></application> <acronym>DVD</acronym>/<acronym>CD</acronym> 功能要能運作需要執行 <acronym>HAL</acronym>,因此需在 <filename>/etc/rc.conf</filename> 中開啟,若該服務尚未啟動,則啟動它:</para> <para><application><trademark>VirtualBox</trademark></application> <acronym>DVD</acronym>/<acronym>CD</acronym> 功能要能運作需要執行 <acronym>HAL</acronym>,因此需在 <filename>/etc/rc.conf</filename> 中開啟,若該服務尚未啟動,則啟動它:</para>
▲ Show 20 LinesShow All 101 Lines▼ Show 20 LinesFreeBSD-10.3-RELEASE-amd64-bootonly.iso 100% of 230 MB 570 kBps 06m17s</screen>
indicates which disk image to use, <option>-i</option> tells indicates which disk image to use, <option>-i</option> tells
<application>bhyve</application> to boot from the <application>bhyve</application> to boot from the
<acronym>CD</acronym> image instead of the disk, and <acronym>CD</acronym> image instead of the disk, and
<option>-I</option> defines which <acronym>CD</acronym> image <option>-I</option> defines which <acronym>CD</acronym> image
to use. The last parameter is the name of the virtual to use. The last parameter is the name of the virtual
machine, used to track the running machines. This example machine, used to track the running machines. This example
starts the virtual machine in installation mode:</para> starts the virtual machine in installation mode:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>sh /usr/share/examples/bhyve/vmrun.sh -c <replaceable>4</replaceable> -m <replaceable>1024M</replaceable> -t <replaceable>tap0</replaceable> -d <replaceable>guest.img</replaceable> -i -I <replaceable>FreeBSD-10.3-RELEASE-amd64-bootonly.iso</replaceable> <replaceable>guestname</replaceable></userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>sh /usr/share/examples/bhyve/vmrun.sh -c <replaceable>1</replaceable> -m <replaceable>1024M</replaceable> -t <replaceable>tap0</replaceable> -d <replaceable>guest.img</replaceable> -i -I <replaceable>FreeBSD-10.3-RELEASE-amd64-bootonly.iso</replaceable> <replaceable>guestname</replaceable></userinput></screen>
<para xml:lang="en">The virtual machine will boot and start the installer. <para xml:lang="en">The virtual machine will boot and start the installer.
After installing a system in the virtual machine, when the After installing a system in the virtual machine, when the
system asks about dropping in to a shell at the end of the system asks about dropping in to a shell at the end of the
installation, choose <guibutton>Yes</guibutton>. A small installation, choose <guibutton>Yes</guibutton>. A small
change needs to be made to make the system start with a serial change needs to be made to make the system start with a serial
console. Edit <filename>/etc/ttys</filename> and replace the console. Edit <filename>/etc/ttys</filename> and replace the
existing <literal>ttyu0</literal> line with:</para> existing <literal>ttyu0</literal> line with:</para>
▲ Show 20 LinesShow All 237 Lines▼ Show 20 Lines
dr-xr-xr-x 14 root wheel 512 Mar 17 06:38 ../ dr-xr-xr-x 14 root wheel 512 Mar 17 06:38 ../
crw------- 1 root wheel 0x1a2 Mar 17 12:20 guestname crw------- 1 root wheel 0x1a2 Mar 17 12:20 guestname
crw------- 1 root wheel 0x19f Mar 17 12:19 linuxguest crw------- 1 root wheel 0x19f Mar 17 12:19 linuxguest
crw------- 1 root wheel 0x1a1 Mar 17 12:19 otherguest</screen> crw------- 1 root wheel 0x1a1 Mar 17 12:19 otherguest</screen>
<para xml:lang="en">A specified virtual machine can be destroyed using <para xml:lang="en">A specified virtual machine can be destroyed using
<command>bhyvectl</command>:</para> <command>bhyvectl</command>:</para>
<screen xml:lang="en"><prompt>#</prompt> bhyvectl --destroy --vm=<replaceable>guestname</replaceable></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>bhyvectl --destroy --vm=<replaceable>guestname</replaceable></userinput></screen>
</sect2> </sect2>
<sect2 xml:id="virtualization-bhyve-onboot"> <sect2 xml:id="virtualization-bhyve-onboot">
<title>Persistent 設定</title> <title>Persistent 設定</title>
<para xml:lang="en">In order to configure the system to start <para xml:lang="en">In order to configure the system to start
<application>bhyve</application> guests at boot time, the <application>bhyve</application> guests at boot time, the
following configurations must be made in the specified following configurations must be made in the specified
Show All 18 Linesif_tap_load="YES"</programlisting>
<step> <step>
<title xml:lang="en"><filename>/etc/rc.conf</filename></title> <title xml:lang="en"><filename>/etc/rc.conf</filename></title>
<programlisting xml:lang="en">cloned_interfaces="<replaceable>bridge0</replaceable> <replaceable>tap0</replaceable>" <programlisting xml:lang="en">cloned_interfaces="<replaceable>bridge0</replaceable> <replaceable>tap0</replaceable>"
ifconfig_bridge0="addm <replaceable>igb0</replaceable> addm <replaceable>tap0</replaceable>"</programlisting> ifconfig_bridge0="addm <replaceable>igb0</replaceable> addm <replaceable>tap0</replaceable>"</programlisting>
</step> </step>
</procedure> </procedure>
</sect2> </sect2>
<!-- </sect1>
Note: There is no working/end-user ready Xen support for FreeBSD as of 07-2010.
Hide all information regarding Xen under FreeBSD.
<sect2 id="virtualization-other"> <sect1 xml:id="virtualization-host-xen">
<title>Other Virtualization Options</title> <title>以 FreeBSD 作為主端安裝 <trademark>Xen</trademark></title>
<para>There is ongoing work in getting <para xml:lang="en"><application>Xen</application> is a GPLv2-licensed <link xlink:href="https://en.wikipedia.org/wiki/Hypervisor#Classification">type
<application>&xen;</application> 1 hypervisor</link> for <trademark class="registered">Intel</trademark> and <trademark class="registered">ARM</trademark> architectures. FreeBSD
to work as a host environment on &os;.</para> has included <trademark>i386</trademark> and <trademark class="registered">AMD</trademark>!64-Bit <link xlink:href="https://wiki.xenproject.org/wiki/DomU">DomU</link>
</sect2> and <link xlink:href="https://en.wikipedia.org/wiki/Amazon_Elastic_Compute_Cloud">Amazon
EC2</link> unprivileged domain (virtual machine) support since
FreeBSD!8.0 and includes Dom0 control domain (host) support in
FreeBSD!11.0. Support for para-virtualized (PV) domains has
been removed from FreeBSD!11 in favor of hardware virtualized
(HVM) domains, which provides better performance.</para>
<para xml:lang="en"><trademark>Xen</trademark> is a bare-metal hypervisor, which means that it is the
first program loaded after the BIOS. A special privileged guest
called the Domain-0 (<literal>Dom0</literal> for short) is then
started. The Dom0 uses its special privileges to directly
access the underlying physical hardware, making it a
high-performance solution. It is able to access the disk
controllers and network adapters directly. The <trademark>Xen</trademark> management
tools to manage and control the <trademark>Xen</trademark> hypervisor are also used
by the Dom0 to create, list, and destroy VMs. Dom0 provides
virtual disks and networking for unprivileged domains, often
called <literal>DomU</literal>. <trademark>Xen</trademark> Dom0 can be compared to
the service console of other hypervisor solutions, while the
DomU is where individual guest VMs are run.</para>
<!-- Hidden until the mode in which FreeBSD uses Xen is supported.
<para>Features of &xen; include GPU passthrough from the host
running the Dom0 into a DomU guest machine. This requires a
CPU, chipset, and BIOS with VT-D support and might require extra
patches or not work with all graphics cards. A list of adapters
can be found in the <link
xlink:href="https://wiki.xenproject.org/wiki/Xen_VGA_Passthrough_Tested_Adapters">Xen
Wiki</link>. Note that not all GPUs listed there are
supported on &os;. The &xen; hypervisor also supports PCI
passthrough to give a DomU guest full, direct access to a PCI
device like NIC, disk controller, or soundcard.</para>
--> -->
<para xml:lang="en"><trademark>Xen</trademark> can migrate VMs between different <trademark>Xen</trademark> servers. When
the two xen hosts share the same underlying storage, the
migration can be done without having to shut the VM down first.
Instead, the migration is performed live while the DomU is
running and there is no need to restart it or plan a downtime.
This is useful in maintenance scenarios or upgrade windows to
ensure that the services provided by the DomU are still
provided. Many more features of <trademark>Xen</trademark> are listed on the <link xlink:href="https://wiki.xenproject.org/wiki/Category:Overview">Xen
Wiki Overview page</link>. Note that not all features are
supported on FreeBSD yet.</para>
<sect2 xml:id="virtualization-host-xen-requirements">
<title xml:lang="en">Hardware Requirements for <trademark>Xen</trademark> Dom0</title>
<para xml:lang="en">To run the <trademark>Xen</trademark> hypervisor on a host, certain hardware
functionality is required. Hardware virtualized domains
require Extended Page Table (<link xlink:href="http://en.wikipedia.org/wiki/Extended_Page_Table">EPT</link>)
and Input/Output Memory Management Unit (<link xlink:href="http://en.wikipedia.org/wiki/List_of_IOMMU-supporting_hardware">IOMMU</link>)
support in the host processor.</para>
</sect2>
<sect2 xml:id="virtualization-host-xen-dom0-setup">
<title xml:lang="en"><trademark>Xen</trademark> Dom0 Control Domain Setup</title>
<para xml:lang="en">The <package>emulators/xen</package> package works with
FreeBSD!11 amd64 binary snapshots and equivalent systems
built from source. This example assumes VNC output for
unprivileged domains which is accessed from a another system
using a tool such as <package>net/tightvnc</package>.</para>
<para xml:lang="en">Install <package>emulators/xen</package>:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>pkg install xen</userinput></screen>
<para xml:lang="en">Configuration files must be edited to prepare the host
for the Dom0 integration. An entry to
<filename>/etc/sysctl.conf</filename> disables the limit on
how many pages of memory are allowed to be wired. Otherwise,
DomU VMs with higher memory requirements will not run.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>sysrc -f /etc/sysctl.conf vm.max_wired=-1</userinput></screen>
<para xml:lang="en">Another memory-related setting involves changing
<filename>/etc/login.conf</filename>, setting the
<literal>memorylocked</literal> option to
<literal>unlimited</literal>. Otherwise, creating DomU
domains may fail with <errorname>Cannot allocate
memory</errorname> errors. After making the change to
<filename>/etc/login.conf</filename>, run
<command>cap_mkdb</command> to update the capability database.
See <xref linkend="security-resourcelimits"/> for
details.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>sed -i '' -e 's/memorylocked=64K/memorylocked=unlimited/' /etc/login.conf</userinput>
<prompt>#</prompt> <userinput>cap_mkdb /etc/login.conf</userinput></screen>
<para xml:lang="en">Add an entry for the <trademark>Xen</trademark> console to
<filename>/etc/ttys</filename>:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>echo 'xc0 "/usr/libexec/getty Pc" xterm on secure' &gt;&gt; /etc/ttys</userinput></screen>
<para xml:lang="en">Selecting a <trademark>Xen</trademark> kernel in
<filename>/boot/loader.conf</filename> activates the Dom0.
<trademark>Xen</trademark> also requires resources like CPU and memory from the
host machine for itself and other DomU domains. How much CPU
and memory depends on the individual requirements and hardware
capabilities. In this example, 8!GB of memory and 4
virtual CPUs are made available for the Dom0. The serial
console is also activated and logging options are
defined.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>sysrc -f /boot/loader.conf hw.pci.mcfg=0</userinput>
<prompt>#</prompt> <userinput>sysrc -f /boot/loader.conf xen_kernel="/boot/xen"</userinput>
<prompt>#</prompt> <userinput>sysrc -f /boot/loader.conf xen_cmdline="dom0_mem=<replaceable>8192M</replaceable> dom0_max_vcpus=<replaceable>4</replaceable> dom0pvh=1 console=com1,vga com1=115200,8n1 guest_loglvl=all loglvl=all"</userinput></screen>
<para xml:lang="en">Log files that <trademark>Xen</trademark> creates for the Dom0 and DomU VMs
are stored in <filename>/var/log/xen</filename>. This
directory does not exist by default and must be
created.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>mkdir -p /var/log/xen</userinput>
<prompt>#</prompt> <userinput>chmod 644 /var/log/xen</userinput></screen>
<para xml:lang="en"><trademark>Xen</trademark> provides a boot menu to activate and de-activate
the hypervisor on demand in
<filename>/boot/menu.rc.local</filename>:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>echo "try-include /boot/xen.4th" &gt;&gt; /boot/menu.rc.local</userinput></screen>
<para xml:lang="en">Activate the xencommons service during system
startup:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>sysrc xencommons_enable=yes</userinput></screen>
<para xml:lang="en">These settings are enough to start a Dom0-enabled
system. However, it lacks network functionality for the
DomU machines. To fix that, define a bridged interface with
the main NIC of the system which the DomU VMs can use to
connect to the network. Replace
<replaceable>igb0</replaceable> with the host network
interface name.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>sysrc autobridge_interfaces=bridge0</userinput>
<prompt>#</prompt> <userinput>sysrc autobridge_bridge0=<replaceable>igb0</replaceable></userinput>
<prompt>#</prompt> <userinput>sysrc ifconfig_bridge0=SYNCDHCP</userinput></screen>
<para xml:lang="en">Restart the host to load the <trademark>Xen</trademark> kernel and start the
Dom0.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>reboot</userinput></screen>
<para xml:lang="en">After successfully booting the <trademark>Xen</trademark> kernel and logging
into the system again, the <trademark>Xen</trademark> management tool
<command>xl</command> is used to show information about the
domains.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>xl list</userinput>
Name ID Mem VCPUs State Time(s)
Domain-0 0 8192 4 r----- 962.0</screen>
<para xml:lang="en">The output confirms that the Dom0 (called
<literal>Domain-0</literal>) has the ID <literal>0</literal>
and is running. It also has the memory and virtual CPUs
that were defined in <filename>/boot/loader.conf</filename>
earlier. More information can be found in the <link xlink:href="https://www.xenproject.org/help/documentation.html"><trademark>Xen</trademark>
Documentation</link>. DomU guest VMs can now be
created.</para>
</sect2>
<sect2 xml:id="virtualization-host-xen-domu-setup">
<title><trademark>Xen</trademark> DomU 客端 VM 設置</title>
<para xml:lang="en">Unprivileged domains consist of a configuration file and
virtual or physical hard disks. Virtual disk storage for
the DomU can be files created by <citerefentry><refentrytitle>truncate</refentrytitle><manvolnum>1</manvolnum></citerefentry> or ZFS
volumes as described in <xref linkend="zfs-zfs-volume"/>.
In this example, a 20!GB volume is used. A VM is
created with the ZFS volume, a FreeBSD ISO image, 1!GB of
RAM and two virtual CPUs. The ISO installation file is
retrieved with <citerefentry><refentrytitle>fetch</refentrytitle><manvolnum>1</manvolnum></citerefentry> and saved locally in a file
called <filename>freebsd.iso</filename>.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>fetch <replaceable>ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/10.3/FreeBSD-10.3-RELEASE-amd64-bootonly.iso</replaceable> -o <replaceable>freebsd.iso</replaceable></userinput></screen>
<para xml:lang="en">A ZFS volume of 20!GB called
<filename>xendisk0</filename> is created to serve as the disk
space for the VM.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>zfs create -V20G -o volmode=dev zroot/xendisk0</userinput></screen>
<para xml:lang="en">The new DomU guest VM is defined in a file. Some specific
definitions like name, keymap, and VNC connection details are
also defined. The following <filename>freebsd.cfg</filename>
contains a minimum DomU configuration for this example:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>cat freebsd.cfg</userinput>
builder = "hvm" <co xml:id="co-xen-builder"/>
name = "freebsd" <co xml:id="co-xen-name"/>
memory = 1024 <co xml:id="co-xen-memory"/>
vcpus = 2 <co xml:id="co-xen-vcpus"/>
vif = [ 'mac=00:16:3E:74:34:32,bridge=bridge0' ] <co xml:id="co-xen-vif"/>
disk = [
'/dev/zvol/tank/xendisk0,raw,hda,rw', <co xml:id="co-xen-disk"/>
'/root/freebsd.iso,raw,hdc:cdrom,r' <co xml:id="co-xen-cdrom"/>
]
vnc = 1 <co xml:id="co-xen-vnc"/>
vnclisten = "0.0.0.0"
serial = "pty"
usbdevice = "tablet"</screen>
<para xml:lang="en">These lines are explained in more detail:</para>
<calloutlist>
<callout arearefs="co-xen-builder">
<para xml:lang="en">This defines what kind of virtualization to use.
<literal>hvm</literal> refers to hardware-assisted
virtualization or hardware virtual machine. Guest
operating systems can run unmodified on CPUs with
virtualization extensions, providing nearly the same
performance as running on physical hardware.
<literal>generic</literal> is the default value and
creates a PV domain.</para>
</callout>
<callout arearefs="co-xen-name">
<para xml:lang="en">Name of this virtual machine to distinguish it from
others running on the same Dom0. Required.</para>
</callout>
<callout arearefs="co-xen-memory">
<para xml:lang="en">Quantity of RAM in megabytes to make available to the
VM. This amount is subtracted from the hypervisor's total
available memory, not the memory of the Dom0.</para>
</callout>
<callout arearefs="co-xen-vcpus">
<para xml:lang="en">Number of virtual CPUs available to the guest VM. For
best performance, do not create guests with more virtual
CPUs than the number of physical CPUs on the host.</para>
</callout>
<callout arearefs="co-xen-vif">
<para xml:lang="en">Virtual network adapter. This is the bridge connected
to the network interface of the host. The
<literal>mac</literal> parameter is the MAC address set on
the virtual network interface. This parameter is
optional, if no MAC is provided <trademark>Xen</trademark> will generate a
random one.</para>
</callout>
<callout arearefs="co-xen-disk">
<para xml:lang="en">Full path to the disk, file, or ZFS volume of the disk
storage for this VM. Options and multiple disk
definitions are separated by commas.</para>
</callout>
<callout arearefs="co-xen-cdrom">
<para xml:lang="en">Defines the Boot medium from which the initial
operating system is installed. In this example, it is the
ISO imaged downloaded earlier. Consult the <trademark>Xen</trademark>
documentation for other kinds of devices and options to
set.</para>
</callout>
<callout arearefs="co-xen-vnc">
<para xml:lang="en">Options controlling VNC connectivity to the serial
console of the DomU. In order, these are: active VNC
support, define IP address on which to listen, device node
for the serial console, and the input method for precise
positioning of the mouse and other input methods.
<literal>keymap</literal> defines which keymap to use, and
is <literal>english</literal> by default.</para>
</callout>
</calloutlist>
<para xml:lang="en">After the file has been created with all the necessary
options, the DomU is created by passing it to <command>xl
create</command> as a parameter.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>xl create freebsd.cfg</userinput></screen>
<note>
<para xml:lang="en">Each time the Dom0 is restarted, the configuration file
must be passed to <command>xl create</command> again to
re-create the DomU. By default, only the Dom0 is created
after a reboot, not the individual VMs. The VMs can
continue where they left off as they stored the operating
system on the virtual disk. The virtual machine
configuration can change over time (for example, when adding
more memory). The virtual machine configuration files must
be properly backed up and kept available to be able to
re-create the guest VM when needed.</para>
</note>
<para xml:lang="en">The output of <command>xl list</command> confirms that the
DomU has been created.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>xl list</userinput>
Name ID Mem VCPUs State Time(s)
Domain-0 0 8192 4 r----- 1653.4
freebsd 1 1024 1 -b---- 663.9</screen>
<para xml:lang="en">To begin the installation of the base operating system,
start the VNC client, directing it to the main network address
of the host or to the IP address defined on the
<literal>vnclisten</literal> line of
<filename>freebsd.cfg</filename>. After the operating system
has been installed, shut down the DomU and disconnect the VNC
viewer. Edit <filename>freebsd.cfg</filename>, removing the
line with the <literal>cdrom</literal> definition or
commenting it out by inserting a <literal>#</literal>
character at the beginning of the line. To load this new
configuration, it is necessary to remove the old DomU with
<command>xl destroy</command>, passing either the name or the
id as the parameter. Afterwards, recreate it using the
modified <filename>freebsd.cfg</filename>.</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>xl destroy freebsd</userinput>
<prompt>#</prompt> <userinput>xl create freebsd.cfg</userinput></screen>
<para xml:lang="en">The machine can then be accessed again using the VNC
viewer. This time, it will boot from the virtual disk where
the operating system has been installed and can be used as a
virtual machine.</para>
</sect2>
</sect1> </sect1>
</chapter> </chapter>
<!-- <!--
The FreeBSD Documentation Project The FreeBSD Documentation Project
$FreeBSD$ $FreeBSD$
▲ Show 20 LinesShow All 955 Lines▼ Show 20 Lines </author>
</indexterm> </indexterm>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>freebsd-update</primary> <primary>freebsd-update</primary>
<see>updating-upgrading</see> <see>updating-upgrading</see>
</indexterm> </indexterm>
<para>隨時套用安全性更新以及升級到新發佈的作業系統版本對管理一個持續運作的系統是非常重要的任務,FreeBSD 內含可以執行這兩項任務的工具程式,叫做 <command>freebsd-update</command>。</para> <para>隨時套用安全性更新以及升級到新發佈的作業系統版本對管理一個持續運作的系統是非常重要的任務,FreeBSD 內含可以執行這兩項任務的工具程式,叫做 <command>freebsd-update</command>。</para>
<para>這個工具程式支援使用 Binary 對 FreeBSD 做安全性與和錯誤更新,不需要手動編譯和安裝修補 (Patch) 或新核心。目前由安全性團隊提供支援的 Binary 更新可用於所有的架構和發行版。支援的發行版清單及各自的支援期限列於 <uri xlink:href="http://www.FreeBSD.org/security/">http://www.FreeBSD.org/security/</uri>。</para> <para>這個工具程式支援使用 Binary 對 FreeBSD 做安全性與和錯誤更新,不需要手動編譯和安裝修補 (Patch) 或新核心。目前由安全性團隊提供支援的 Binary 更新可用於所有的架構和發行版。支援的發行版清單及各自的支援期限列於 <uri xlink:href="https://www.FreeBSD.org/security/">https://www.FreeBSD.org/security/</uri>。</para>
<para>這個工具程式也支援升級作業系統到次要的發佈版以及升級到另一個發佈版分支。在升級到新的發佈版本前,需先查看該版本的發佈公告,因為發行公告中包含了該發行版本的相關重要資訊。發行公告可自 <uri xlink:href="http://www.FreeBSD.org/releases/">http://www.FreeBSD.org/releases/</uri> 取得。</para> <para>這個工具程式也支援升級作業系統到次要的發佈版以及升級到另一個發佈版分支。在升級到新的發佈版本前,需先查看該版本的發佈公告,因為發行公告中包含了該發行版本的相關重要資訊。發行公告可自 <uri xlink:href="https://www.FreeBSD.org/releases/">https://www.FreeBSD.org/releases/</uri> 取得。</para>
<note> <note>
<para>如果有使用 <command>crontab</command> 來執行 <citerefentry><refentrytitle>freebsd-update</refentrytitle><manvolnum>8</manvolnum></citerefentry>,則必須在升級作業系統前先關閉。</para> <para>如果有使用 <command>crontab</command> 來執行 <citerefentry><refentrytitle>freebsd-update</refentrytitle><manvolnum>8</manvolnum></citerefentry>,則必須在升級作業系統前先關閉。</para>
</note> </note>
<para>本節將說明 <command>freebsd-update</command> 使用的設定檔, 示範如何套用安全性修補及如何升級到主要或次要的作業系統發行版,並討論升級作業系統的需要考量的事項。</para> <para>本節將說明 <command>freebsd-update</command> 使用的設定檔, 示範如何套用安全性修補及如何升級到主要或次要的作業系統發行版,並討論升級作業系統的需要考量的事項。</para>
<sect2 xml:id="freebsdupdate-config-file"> <sect2 xml:id="freebsdupdate-config-file">
▲ Show 20 LinesShow All 227 Lines▼ Show 20 Lines <sect1 xml:id="updating-upgrading-documentation">
<indexterm xml:lang="en"><primary>Updating and Upgrading</primary></indexterm> <indexterm xml:lang="en"><primary>Updating and Upgrading</primary></indexterm>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>Documentation</primary> <primary>Documentation</primary>
<see>Updating and Upgrading</see> <see>Updating and Upgrading</see>
</indexterm> </indexterm>
<para>文件是 FreeBSD 作業系統不可或缺的一部份。在最新版本的 FreeBSD 文件可在 FreeBSD 網站 (<link xlink:href="@@URL_RELPREFIX@@/doc/">http://www.freebsd.org/doc/</link>) 取得的同時,也可很簡單的取得 FreeBSD 網站、使用手冊、<acronym>FAQ</acronym> 及文章的本地複本。</para> <para>說明文件是 FreeBSD 作業系統不可或缺的一部份。最新版本的 FreeBSD 文件除了可在 FreeBSD 網站 (<link xlink:href="@@URL_RELPREFIX@@/doc/">https://www.freebsd.org/doc/</link>) 取得,也可很簡單的取得本地的 FreeBSD 網站、使用手冊、<acronym>FAQ</acronym> 及文章副本。</para>
<para>本節將說明如何使用原始碼與 FreeBSD Port 套件集來取得最新版本 FreeBSD 文件本地複本。</para> <para>本節將說明如何使用原始碼與 FreeBSD Port 套件集來取得最新版本 FreeBSD 文件本地複本。</para>
<para>要取得編輯與提出修正文件相關的資訊請參考 FreeBSD 文件計畫入門書 (<link xlink:href="@@URL_RELPREFIX@@/doc/zh_TW.UTF-8/books/fdp-primer">http://www.freebsd.org/doc/zh_TW.UTF-8/books/fdp-primer/</link>)。</para> <para>有關編輯與提出修正說明文件的資訊,請參考 FreeBSD 文件計畫入門書 (<link xlink:href="@@URL_RELPREFIX@@/doc/en_US.ISO8859-1/books/fdp-primer">https://www.freebsd.org/doc/en_US.ISO8859-1/books/fdp-primer/</link>)。</para>
<sect2 xml:id="updating-installed-documentation"> <sect2 xml:id="updating-installed-documentation">
<title>自原始碼更新說明文件</title> <title>自原始碼更新說明文件</title>
<para>從原始碼重新編譯 FreeBSD 文件需要一些不屬於 FreeBSD 基礎系統的工具。需要的工具包括 <application>svn</application> 可透過由 FreeBSD 文件計劃所開發的 <package>textproc/docproj</package> 套件或 Port 安裝。</para> <para>從原始碼重新編譯 FreeBSD 文件需要一些不屬於 FreeBSD 基礎系統的工具。需要的工具包括 <application>svn</application> 可透過由 FreeBSD 文件計劃所開發的 <package>textproc/docproj</package> 套件或 Port 安裝。</para>
<para>安裝完成之後,可使用 <application>svn</application> 來取得乾淨的文件原始碼複本:</para> <para>安裝完成之後,可使用 <application>svn</application> 來取得乾淨的文件原始碼複本:</para>
▲ Show 20 LinesShow All 121 Lines▼ Show 20 Lines<prompt>#</prompt> <userinput>make FORMATS='html html-split' install clean</userinput></screen>
<para>套件使用的名稱格式與 Port 的名稱不同:<literal><replaceable>lang</replaceable>-freebsd-doc</literal>,其中 <replaceable>lang</replaceable> 是語言代碼的縮寫,例如 <literal>hu</literal> 代表匈牙利語,<literal>zh_cn</literal> 代表簡體中文。</para> <para>套件使用的名稱格式與 Port 的名稱不同:<literal><replaceable>lang</replaceable>-freebsd-doc</literal>,其中 <replaceable>lang</replaceable> 是語言代碼的縮寫,例如 <literal>hu</literal> 代表匈牙利語,<literal>zh_cn</literal> 代表簡體中文。</para>
</note> </note>
<para>要指定文件的格式,需以編譯 Port 來代替安裝套件。例如要編譯並安裝英語文件:</para> <para>要指定文件的格式,需以編譯 Port 來代替安裝套件。例如要編譯並安裝英語文件:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/misc/freebsd-doc-en</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/misc/freebsd-doc-en</userinput>
<prompt>#</prompt> <userinput>make install clean</userinput></screen> <prompt>#</prompt> <userinput>make install clean</userinput></screen>
<para>Port 提供設定選單來指定要編譯與安裝的格式,預設分頁的 <acronym>HTML</acronym> (類似 <uri xlink:href="http://www.FreeBSD.org">http://www.FreeBSD.org</uri> 使用的格式) 以及 <acronym>PDF</acronym>。</para> <para>Port 提供設定選單來指定要編譯與安裝的格式,預設會選擇分頁的 <acronym>HTML</acronym> (類似 <uri xlink:href="http://www.FreeBSD.org">http://www.FreeBSD.org</uri> 使用的格式) 以及 <acronym>PDF</acronym>。</para>
<para>此外,編譯文件 Port 時也可指定數個 <command>make</command> 選項,包括:</para> <para>此外,編譯文件 Port 時也可指定數個 <command>make</command> 選項,包括:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term xml:lang="en"><varname>WITH_HTML</varname></term> <term xml:lang="en"><varname>WITH_HTML</varname></term>
<listitem> <listitem>
Show All 15 Lines <varlistentry>
<listitem> <listitem>
<para>指定要安裝文件的位置,預設為 <filename>/usr/local/share/doc/freebsd</filename>。</para> <para>指定要安裝文件的位置,預設為 <filename>/usr/local/share/doc/freebsd</filename>。</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>以下範例使用變數來安裝 <acronym>PDF</acronym> 的匈牙利語文件到特定目錄:</para> <para>以下範例使用變數來安裝 <acronym>PDF</acronym> 的匈牙利語文件到特定目錄:</para>
<screen xml:lang="en"><prompt>#</prompt> cd /usr/ports/misc/freebsd-doc-hu <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/ports/misc/freebsd-doc-hu</userinput>
<prompt>#</prompt> make -DWITH_PDF DOCBASE=share/doc/freebsd/hu install clean</screen> <prompt>#</prompt> <userinput>make -DWITH_PDF DOCBASE=share/doc/freebsd/hu install clean</userinput></screen>
<para>文件套件或 Port 可以依 <xref linkend="ports"/> 的說明更新。例如以下指令會使用 <package>ports-mgmt/portmaster</package> 更新已安裝的匈牙利語文件:</para> <para>文件套件或 Port 可以依 <xref linkend="ports"/> 的說明更新。例如以下指令會使用 <package>ports-mgmt/portmaster</package> 更新已安裝的匈牙利語文件:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>portmaster -PP hu-freebsd-doc</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>portmaster -PP hu-freebsd-doc</userinput></screen>
</sect2> </sect2>
</sect1> </sect1>
<sect1 xml:id="current-stable"> <sect1 xml:id="current-stable">
▲ Show 20 LinesShow All 59 Lines▼ Show 20 Lines<prompt>#</prompt> <userinput>make -DWITH_PDF DOCBASE=share/doc/freebsd/hu install clean</userinput></screen>
<listitem> <listitem>
<para>積極!很鼓勵 FreeBSD-CURRENT 使用者發表他們對加強哪些功能或是修復哪些錯誤的建議。 如果您在建議時能附上相關程式碼的話, 那真是太棒了!</para> <para>積極!很鼓勵 FreeBSD-CURRENT 使用者發表他們對加強哪些功能或是修復哪些錯誤的建議。 如果您在建議時能附上相關程式碼的話, 那真是太棒了!</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</sect2> </sect2>
</sect1> </sect1>
<sect1 xml:id="updating-src"> <sect1 xml:id="makeworld">
<title>從原始碼更新 FreeBSD</title> <title xml:id="updating-src">從原始碼更新 FreeBSD</title>
<para>從編譯原始碼來更新 FreeBSD 比起用 Binary 更新有幾項優點,在編譯程式碼時可以自訂選項來充分運用特定硬體,部份基礎系統可以使用非預設的設定值編譯,或是在不需要或不想要的時候跳過編譯。使用編譯的程序來更新系統比起安裝 Binary 來更新會耗時許多,但能夠完整自訂一個量身定做版本的 FreeBSD。</para> <para>從編譯原始碼來更新 FreeBSD 比起用 Binary 更新有幾項優點,在編譯程式碼時可以自訂選項來充分運用特定硬體,部份基礎系統可以使用非預設的設定值編譯,或是在不需要或不想要的時候跳過編譯。使用編譯的程序來更新系統比起安裝 Binary 來更新會耗時許多,但能夠完整自訂一個量身定做版本的 FreeBSD。</para>
<sect2 xml:id="updating-src-quick-start"> <sect2 xml:id="updating-src-quick-start">
<title>快速開始</title> <title>快速開始</title>
<para>這是從原始碼編譯來更新 FreeBSD 的標準步驟快速的參考,稍後的章節會更詳細的說明這個程序。</para> <para>這是從原始碼編譯來更新 FreeBSD 的標準步驟快速的參考,稍後的章節會更詳細的說明這個程序。</para>
Show All 13 Lines
<prompt>#</prompt> <userinput>shutdown -r now</userinput> <co xml:id="updating-src-qs-shutdown"/></screen> <prompt>#</prompt> <userinput>shutdown -r now</userinput> <co xml:id="updating-src-qs-shutdown"/></screen>
<calloutlist> <calloutlist>
<callout arearefs="updating-src-qs-svnup"> <callout arearefs="updating-src-qs-svnup">
<para>取得最新版本的原始碼,請參考 <xref linkend="updating-src-obtaining-src"/> 來了解更多取得與更新原始碼的資訊。</para> <para>取得最新版本的原始碼,請參考 <xref linkend="updating-src-obtaining-src"/> 來了解更多取得與更新原始碼的資訊。</para>
</callout> </callout>
<callout arearefs="updating-src-qs-review-updating"> <callout arearefs="updating-src-qs-review-updating">
<para>從原始碼編譯之前與之後任何需要手動操作步驟會在 <filename>/usr/src/UPDATING</filename> 中有說明。</para> <para>檢查 <filename>/usr/src/UPDATING</filename> 看是否有任後在原始碼編譯之前或之後需要手動操作的步驟。</para>
</callout> </callout>
<callout arearefs="updating-src-qs-cd"> <callout arearefs="updating-src-qs-cd">
<para>前往原始碼目錄。</para> <para>前往原始碼目錄。</para>
</callout> </callout>
<callout arearefs="updating-src-qs-buildworld"> <callout arearefs="updating-src-qs-buildworld">
<para>編譯世界 (World),即除了核心 (Kernel) 外的所有東西。</para> <para>編譯世界 (World),即除了核心 (Kernel) 外的所有東西。</para>
</callout> </callout>
<callout arearefs="updating-src-qs-kernel"> <callout arearefs="updating-src-qs-kernel">
<para>編譯並安裝核心,此動作等同於同時做 <buildtarget>buildkernel</buildtarget> <buildtarget>installkernel</buildtarget>。</para> <para>編譯並安裝核心,此動作等同於 <command>make buildkernel installkernel</command>。</para>
</callout> </callout>
<callout arearefs="updating-src-qs-reboot"> <callout arearefs="updating-src-qs-reboot">
<para xml:lang="en">Reboot the system to the new kernel.</para> <para>重新啟動系統以使用新的核心。</para>
</callout> </callout>
<callout arearefs="updating-src-qs-cd2"> <callout arearefs="updating-src-qs-cd2">
<para>前往原始碼目錄。</para> <para>前往原始碼目錄。</para>
</callout> </callout>
<callout arearefs="updating-src-qs-installworld"> <callout arearefs="updating-src-qs-installworld">
<para>安裝世界。</para> <para>安裝世界。</para>
▲ Show 20 LinesShow All 48 Lines▼ Show 20 Lines <table xml:id="updating-src-obtaining-src-repopath">
<entry>檔案庫路徑</entry> <entry>檔案庫路徑</entry>
<entry>說明</entry> <entry>說明</entry>
</row> </row>
</thead> </thead>
<tbody> <tbody>
<row> <row>
<entry xml:lang="en"><literal><replaceable>X.Y</replaceable>-RELEASE</literal></entry> <entry xml:lang="en"><literal><replaceable>X.Y</replaceable>-RELEASE</literal></entry>
<entry xml:lang="en"><literal>base/releng/</literal><replaceable>X.Y</replaceable></entry> <entry><literal>base/releng/</literal><replaceable>X.Y</replaceable></entry>
<entry>發佈版本加上關鍵的安全性與錯誤修正,較建議大多數使用者使用這個分支。</entry> <entry>發佈版本加上關鍵的安全性與錯誤修正,較建議大多數使用者使用這個分支。</entry>
</row> </row>
<row> <row xml:id="STABLE">
<entry xml:lang="en"><literal><replaceable>X.Y</replaceable>-STABLE</literal></entry> <entry xml:lang="en"><literal><replaceable>X.Y</replaceable>-STABLE</literal></entry>
<entry xml:lang="en"><literal>base/stable/</literal><replaceable>X</replaceable></entry> <entry xml:lang="en"><literal>base/stable/</literal><replaceable>X</replaceable></entry>
<entry> <entry>
<para>發佈版本加上所有在該分支上其他開發中的程式,<emphasis>STABLE</emphasis> 代表不會更改應用程式 Binary 介面 (Applications Binary Interface, <acronym>ABI</acronym>),所以在先前版本所編譯的軟體仍可以正常運作,舉例來說,被編譯在 FreeBSD 10.1 可執行的軟體在編譯完 FreeBSD 10-STABLE 之後仍可以執行。</para> <para>發佈版本加上所有在該分支上其他開發中的程式,<emphasis>STABLE</emphasis> 代表不會更改應用程式 Binary 介面 (Applications Binary Interface, <acronym>ABI</acronym>),所以在先前版本所編譯的軟體仍可以正常運作,舉例來說,被編譯在 FreeBSD 10.1 可執行的軟體在編譯完 FreeBSD 10-STABLE 之後仍可以執行。</para>
<para>STABLE 分支偶爾也會有錯誤或無法相容的問題會影響使用者,雖然這些問題通常會很快的被修正。</para> <para>STABLE 分支偶爾也會有錯誤或無法相容的問題會影響使用者,雖然這些問題通常會很快的被修正。</para>
</entry> </entry>
</row> </row>
<row> <row>
<entry xml:lang="en"><literal><replaceable>X</replaceable>-CURRENT</literal></entry> <entry xml:lang="en"><literal><replaceable>X</replaceable>-CURRENT</literal></entry>
<entry xml:lang="en"><literal>base/head/</literal></entry> <entry xml:lang="en"><literal>base/head/</literal></entry>
<entry>最新未發佈的 FreeBSD 開發版本,CURRENT 分支可能會有重大錯誤或不相容的問題,只建議進階的使用者使用。</entry> <entry>最新未發佈的 FreeBSD 開發版本,CURRENT 分支可能會有重大錯誤或不相容的問題,只建議進階的使用者使用。</entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</table> </table>
<para>查看 FreeBSD 目前使用的版本可使用 <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>1</manvolnum></citerefentry>:</para> <para>查看 FreeBSD 目前使用的版本可使用 <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>1</manvolnum></citerefentry>:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>uname -r</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>uname -r</userinput>
10.3-RELEASE</screen> 10.3-RELEASE</screen>
<para xml:lang="en">Based on <para>根據 <xref linkend="updating-src-obtaining-src-repopath"/>,要更新 <literal>10.3-RELEASE</literal> 需使用的原始碼檔案庫路徑為 <literal>base/releng/10.3</literal>,在取出 (checkout) 原始碼時便要使用這個路徑:</para>
<xref linkend="updating-src-obtaining-src-repopath"/>, the
source used to update <literal>10.3-RELEASE</literal> has
a repository path of <literal>base/releng/10.3</literal>.
That path is used when checking out the source:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>mv /usr/src /usr/src.bak</userinput> <co xml:id="updating-src-obtaining-src-mv"/> <screen xml:lang="en"><prompt>#</prompt> <userinput>mv /usr/src /usr/src.bak</userinput> <co xml:id="updating-src-obtaining-src-mv"/>
<prompt>#</prompt> <userinput>svn checkout https://svn.freebsd.org/base/<replaceable>releng/10.3</replaceable> /usr/src</userinput> <co xml:id="updating-src-obtaining-src-checkout-cmd"/></screen> <prompt>#</prompt> <userinput>svn checkout https://svn.freebsd.org/base/<replaceable>releng/10.3</replaceable> /usr/src</userinput> <co xml:id="updating-src-obtaining-src-checkout-cmd"/></screen>
<calloutlist> <calloutlist>
<callout arearefs="updating-src-obtaining-src-mv"> <callout arearefs="updating-src-obtaining-src-mv">
<para>將舊的目錄移到其他地方,若沒有在這個目錄做過任何本地修改,可直接刪除這個目錄。</para> <para>將舊的目錄移到其他地方,若沒有在這個目錄做過任何本地修改,可直接刪除這個目錄。</para>
</callout> </callout>
<callout arearefs="updating-src-obtaining-src-checkout-cmd"> <callout arearefs="updating-src-obtaining-src-checkout-cmd">
<para>將從 <xref linkend="updating-src-obtaining-src-repopath"/> 查到的路徑加到檔案庫 <acronym>URL</acronym> 之後。第三個參數用來存放本地系統原始碼的目標目錄。</para> <para>將從 <xref linkend="updating-src-obtaining-src-repopath"/> 查到的路徑加到檔案庫 <acronym>URL</acronym> 之後。第三個參數用來存放本地系統原始碼的目標目錄。</para>
</callout> </callout>
</calloutlist> </calloutlist>
</note> </note>
</sect2> </sect2>
<sect2 xml:id="updating-src-building"> <sect2 xml:id="updating-src-building">
<title>從原始碼編譯</title> <title>從原始碼編譯</title>
<para xml:id="makeworld">編譯世界 (<emphasis>world</emphasis>) 即編譯整個作業系統除了核心 (Kernel),要先做這個動作以便提供最新的工具來編譯核心,接著便可編譯核心:</para> <para>編譯世界 (<emphasis>world</emphasis>) 即編譯整個作業系統除了核心 (Kernel),要先做這個動作以便提供最新的工具來編譯核心,接著便可編譯核心:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/src</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>cd /usr/src</userinput>
<prompt>#</prompt> <userinput>make buildworld</userinput> <prompt>#</prompt> <userinput>make buildworld</userinput>
<prompt>#</prompt> <userinput>make buildkernel</userinput></screen> <prompt>#</prompt> <userinput>make buildkernel</userinput></screen>
<para>編譯完的程式會寫入至 <filename>/usr/obj</filename>。</para> <para>編譯完的程式會寫入至 <filename>/usr/obj</filename>。</para>
<para>以上這些均為基本的步驟,用來控制編譯的其他選項在以下章節會說明。</para> <para>以上這些均為基本的步驟,用來控制編譯的其他選項在以下章節會說明。</para>
▲ Show 20 LinesShow All 4,623 Lines▼ Show 20 Lines <warning>
across these protocols, consider tunneling sessions over across these protocols, consider tunneling sessions over
<citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> (<xref linkend="security-ssh-tunneling"/>) <citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> (<xref linkend="security-ssh-tunneling"/>)
or using <acronym>SSL</acronym> (<xref linkend="openssl"/>).</para> or using <acronym>SSL</acronym> (<xref linkend="openssl"/>).</para>
</warning> </warning>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>網域名稱系統 (Domain Name System, <acronym>DNS</acronym>)</term> <term>網域名稱系統 (<acronym>DNS</acronym>)</term>
<listitem> <listitem>
<para xml:lang="en">The Domain Name System (<acronym>DNS</acronym>) and <para xml:lang="en">The Domain Name System (<acronym>DNS</acronym>) and
its daemon <command>named</command> play a large role in its daemon <command>named</command> play a large role in
the delivery of email. In order to deliver mail from one the delivery of email. In order to deliver mail from one
site to another, the <acronym>MTA</acronym> will look up site to another, the <acronym>MTA</acronym> will look up
the remote site in <acronym>DNS</acronym> to determine the remote site in <acronym>DNS</acronym> to determine
which host will receive mail for the destination. This which host will receive mail for the destination. This
process also occurs when mail is sent from a remote host process also occurs when mail is sent from a remote host
▲ Show 20 LinesShow All 98 Lines▼ Show 20 Lines <para xml:lang="en">This access database file defines which hosts or
have their messages held and will receive the specified have their messages held and will receive the specified
text as the reason for the hold.</para> text as the reason for the hold.</para>
<para xml:lang="en">Examples of using these options for both <para xml:lang="en">Examples of using these options for both
<acronym>IPv4</acronym> and <acronym>IPv6</acronym> <acronym>IPv4</acronym> and <acronym>IPv6</acronym>
addresses can be found in the FreeBSD sample configuration, addresses can be found in the FreeBSD sample configuration,
<filename>/etc/mail/access.sample</filename>:</para> <filename>/etc/mail/access.sample</filename>:</para>
<programlisting xml:lang="en"># $FreeBSD$ <programlisting xml:lang="en"># <phrase its:translate="no">$FreeBSD$</phrase>
# #
# Mail relay access control list. Default is to reject mail unless the # Mail relay access control list. Default is to reject mail unless the
# destination is local, or listed in /etc/mail/local-host-names # destination is local, or listed in /etc/mail/local-host-names
# #
## Examples (commented out for safety) ## Examples (commented out for safety)
#From:cyberspammer.com ERROR:"550 We don't accept mail from spammers" #From:cyberspammer.com ERROR:"550 We don't accept mail from spammers"
#From:okay.cyberspammer.com OK #From:okay.cyberspammer.com OK
#Connect:sendmail.org RELAY #Connect:sendmail.org RELAY
▲ Show 20 LinesShow All 318 Lines▼ Show 20 Linesdaily_submit_queuerun="NO"</programlisting>
<filename>/etc/mail/mailer.conf</filename> to map the expected <filename>/etc/mail/mailer.conf</filename> to map the expected
<application>Sendmail</application> binaries to the location <application>Sendmail</application> binaries to the location
of the new binaries. More information about this mapping can of the new binaries. More information about this mapping can
be found in <citerefentry><refentrytitle>mailwrapper</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> be found in <citerefentry><refentrytitle>mailwrapper</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para xml:lang="en">The default <filename>/etc/mail/mailer.conf</filename> <para xml:lang="en">The default <filename>/etc/mail/mailer.conf</filename>
looks like this:</para> looks like this:</para>
<programlisting xml:lang="en"># $FreeBSD$ <programlisting xml:lang="en"># <phrase its:translate="no">$FreeBSD$</phrase>
# #
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail # Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
# #
sendmail /usr/libexec/sendmail/sendmail sendmail /usr/libexec/sendmail/sendmail
send-mail /usr/libexec/sendmail/sendmail send-mail /usr/libexec/sendmail/sendmail
mailq /usr/libexec/sendmail/sendmail mailq /usr/libexec/sendmail/sendmail
newaliases /usr/libexec/sendmail/sendmail newaliases /usr/libexec/sendmail/sendmail
hoststat /usr/libexec/sendmail/sendmail hoststat /usr/libexec/sendmail/sendmail
Show All 21 Linesnewaliases /usr/local/sbin/sendmail</programlisting>
not automatically update not automatically update
<filename>/etc/mail/mailer.conf</filename>, edit this file in <filename>/etc/mail/mailer.conf</filename>, edit this file in
a text editor so that it points to the new binaries. This a text editor so that it points to the new binaries. This
example points to the binaries installed by example points to the binaries installed by
<package>mail/ssmtp</package>:</para> <package>mail/ssmtp</package>:</para>
<programlisting xml:lang="en">sendmail /usr/local/sbin/ssmtp <programlisting xml:lang="en">sendmail /usr/local/sbin/ssmtp
send-mail /usr/local/sbin/ssmtp send-mail /usr/local/sbin/ssmtp
mailq /usr/libexec/sendmail/sendmail mailq /usr/local/sbin/ssmtp
newaliases /usr/libexec/sendmail/sendmail newaliases /usr/local/sbin/ssmtp
hoststat /usr/libexec/sendmail/sendmail hoststat /usr/bin/true
purgestat /usr/libexec/sendmail/sendmail</programlisting> purgestat /usr/bin/true</programlisting>
<para xml:lang="en">Once everything is configured, it is recommended to reboot <para xml:lang="en">Once everything is configured, it is recommended to reboot
the system. Rebooting provides the opportunity to ensure that the system. Rebooting provides the opportunity to ensure that
the system is correctly configured to start the new the system is correctly configured to start the new
<acronym>MTA</acronym> automatically on boot.</para> <acronym>MTA</acronym> automatically on boot.</para>
</sect2> </sect2>
</sect1> </sect1>
▲ Show 20 LinesShow All 3,820 Lines▼ Show 20 Linesdhcpd_ifaces="dc0"</programlisting>
<author> <author>
<firstname>Daniel</firstname> <firstname>Daniel</firstname>
<surname>Gerzo</surname> <surname>Gerzo</surname>
</author> </author>
</authorgroup> </authorgroup>
</sect1info> </sect1info>
--> -->
<title>網域名稱系統 (Domain Name System, <acronym>DNS</acronym>)</title> <title>網域名稱系統 (<acronym>DNS</acronym>)</title>
<indexterm xml:lang="en"><primary>DNS</primary></indexterm> <indexterm xml:lang="en"><primary>DNS</primary></indexterm>
<para xml:lang="en">Domain Name System (<acronym>DNS</acronym>) is the protocol <para>網域名稱系統 (Domain Name System, <acronym>DNS</acronym>) 是一種協定用來轉換網域名稱為 <acronym>IP</acronym> 位址,反之亦然。<acronym>DNS</acronym> 會協調網際網路上有權的根節點 (Authoritative root)、最上層網域 (Top Level Domain, <acronym>TLD</acronym>) 及其他小規模名稱伺服器來取得結果,而這些伺服器可管理與快取個自的網域資訊。要在系統上做 <acronym>DNS</acronym> 查詢並不需要架設一個名稱伺服器。</para>
through which domain names are mapped to <acronym>IP</acronym>
addresses, and vice versa. <acronym>DNS</acronym> is
coordinated across the Internet through a somewhat complex
system of authoritative root, Top Level Domain
(<acronym>TLD</acronym>), and other smaller-scale name servers,
which host and cache individual domain information. It is not
necessary to run a name server to perform
<acronym>DNS</acronym> lookups on a system.</para>
<indexterm xml:lang="en"><primary>BIND</primary></indexterm> <indexterm xml:lang="en"><primary>BIND</primary></indexterm>
<para xml:lang="en">In FreeBSD 10, the Berkeley Internet Name Domain <para>在 FreeBSD 10,已自基礎系統移除了 Berkeley Internet Name Domain (<acronym>BIND</acronym>),並替換為 Unbound。Unbound 被設置來做為 FreeBSD 的基礎中的本地快取解析程式。<acronym>BIND</acronym> 仍可以自 Port 套件集取得,名稱為 <package role="port">dns/bind99</package> 或 <package role="port">dns/bind98</package>。在 FreeBSD 9 與較先前的版本,FreeBSD 基礎系統中是內建 <acronym>BIND</acronym>,FreeBSD 的版本提供了增強的安全性功能、新檔案系統配置及自動化 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>8</manvolnum></citerefentry> 設置,而 <acronym>BIND</acronym> 是由 <link xlink:href="https://www.isc.org/">Internet Systems Consortium</link> 所維護。</para>
(<acronym>BIND</acronym>) has been removed from the base system
and replaced with Unbound. Unbound as configured in the FreeBSD
Base is a local caching resolver. <acronym>BIND</acronym> is
still available from The Ports Collection as <package role="port">dns/bind99</package> or <package role="port">dns/bind98</package>. In FreeBSD 9 and lower,
<acronym>BIND</acronym> is included in FreeBSD Base. The FreeBSD
version provides enhanced security features, a new file system
layout, and automated <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>8</manvolnum></citerefentry> configuration.
<acronym>BIND</acronym> is maintained by the <link xlink:href="https://www.isc.org/">Internet Systems
Consortium</link>.</para>
<indexterm xml:lang="en"><primary>resolver</primary></indexterm> <indexterm xml:lang="en"><primary>resolver</primary></indexterm>
<indexterm xml:lang="en"><primary>reverse <indexterm xml:lang="en"><primary>reverse
<acronym>DNS</acronym></primary></indexterm> <acronym>DNS</acronym></primary></indexterm>
<indexterm xml:lang="en"><primary>root zone</primary></indexterm> <indexterm xml:lang="en"><primary>root zone</primary></indexterm>
<para xml:lang="en">The following table describes some of the terms associated <para>以下表格會說明一些與 <acronym>DNS</acronym> 有關的術語:</para>
with <acronym>DNS</acronym>:</para>
<table frame="none" pgwide="1"> <table frame="none" pgwide="1">
<title><acronym>DNS</acronym> 術語</title> <title><acronym>DNS</acronym> 術語</title>
<tgroup cols="2"> <tgroup cols="2">
<colspec colwidth="1*"/> <colspec colwidth="1*"/>
<colspec colwidth="3*"/> <colspec colwidth="3*"/>
<thead> <thead>
<row> <row>
<entry>術語</entry> <entry>術語</entry>
<entry>定義</entry> <entry>定義</entry>
</row> </row>
</thead> </thead>
<tbody> <tbody>
<row> <row>
<entry xml:lang="en">Forward <acronym>DNS</acronym></entry> <entry>正向 <acronym>DNS</acronym> (Forward <acronym>DNS</acronym>)</entry>
<entry xml:lang="en">Mapping of hostnames to <acronym>IP</acronym> <entry>將主機名稱對應 <acronym>IP</acronym> 位址的動作。</entry>
addresses.</entry>
</row> </row>
<row> <row>
<entry xml:lang="en">Origin</entry> <entry>源頭 (Origin)</entry>
<entry xml:lang="en">Refers to the domain covered in a particular zone <entry>代表某個轄區檔案中所涵蓋的網域。</entry>
file.</entry>
</row> </row>
<row> <row>
<entry xml:lang="en"><application>named</application>, BIND</entry> <entry xml:lang="en"><application>named</application>, BIND</entry>
<entry xml:lang="en">Common names for the BIND name server package <entry>在 FreeBSD 中對 BIND 名稱伺服器套件的通用稱呼。</entry>
within FreeBSD.</entry>
</row> </row>
<row> <row>
<entry xml:lang="en">Resolver</entry> <entry>解析器 (Resolver)</entry>
<entry xml:lang="en">A system process through which a machine queries <entry>主機向名稱伺服器查詢轄區資訊的系統程序。</entry>
a name server for zone information.</entry>
</row> </row>
<row> <row>
<entry xml:lang="en">Reverse <acronym>DNS</acronym></entry> <entry>反向 <acronym>DNS</acronym> (Reverse <acronym>DNS</acronym>)</entry>
<entry xml:lang="en">Mapping of <acronym>IP</acronym> addresses to <entry>將 <acronym>IP</acronym> 對應主機名稱的動作。</entry>
hostnames.</entry>
</row> </row>
<row> <row>
<entry xml:lang="en">Root zone</entry> <entry>根轄區 (Root zone)</entry>
<entry xml:lang="en">The beginning of the Internet zone hierarchy. All <entry>網際網路轄區階層的最開始,所有的轄區會在根轄區之下,類似在檔案系統中所有的檔案會在根目錄底下。</entry>
zones fall under the root zone, similar to how all files
in a file system fall under the root directory.</entry>
</row> </row>
<row> <row>
<entry xml:lang="en">Zone</entry> <entry>轄區 (Zone)</entry>
<entry xml:lang="en">An individual domain, subdomain, or portion of the <entry>獨立的網域、子網域或或由相同授權 (Authority) 管理的部分 <acronym>DNS</acronym>。</entry>
<acronym>DNS</acronym> administered by the same
authority.</entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</table> </table>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>zones</primary> <primary>zones</primary>
<secondary>examples</secondary> <secondary>examples</secondary>
</indexterm> </indexterm>
<para xml:lang="en">Examples of zones:</para> <para>轄區範例:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para xml:lang="en"><systemitem>.</systemitem> is how the root zone is <para><systemitem>.</systemitem> 是一般在文件中表達根轄區的方式。</para>
usually referred to in documentation.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en"><systemitem>org.</systemitem> is a Top Level Domain <para><systemitem>org.</systemitem> 是一個在根轄區底下的最上層網域 (Top Level Domain , <acronym>TLD</acronym>)。</para>
(<acronym>TLD</acronym>) under the root zone.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en"><systemitem class="fqdomainname">example.org.</systemitem> is a zone <para><systemitem class="fqdomainname">example.org.</systemitem> 是一個在 <systemitem>org.</systemitem> <acronym>TLD</acronym> 底下的轄區。</para>
under the <systemitem>org.</systemitem>
<acronym>TLD</acronym>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en"><systemitem>1.168.192.in-addr.arpa</systemitem> is a <para><systemitem>1.168.192.in-addr.arpa</systemitem> 是一個轄區用來代表所有在 <systemitem class="ipaddress">192.168.1.*</systemitem> <acronym>IP</acronym> 位址空間底下的 <acronym>IP</acronym> 位址。</para>
zone referencing all <acronym>IP</acronym> addresses which
fall under the <systemitem class="ipaddress">192.168.1.*</systemitem>
<acronym>IP</acronym> address space.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para xml:lang="en">As one can see, the more specific part of a hostname <para>如您所見,更詳細的主機名稱會加在左方,例如 <systemitem class="fqdomainname">example.org.</systemitem> 比 <systemitem>org.</systemitem> 更具體,如同 <systemitem>org.</systemitem> 比根轄區更具體,主機名稱每一部份的架構很像檔案系統:<filename>/dev</filename> 目錄在根目錄底下,以此類推。</para>
appears to its left. For example, <systemitem class="fqdomainname">example.org.</systemitem> is more
specific than <systemitem>org.</systemitem>, as
<systemitem>org.</systemitem> is more specific than the root
zone. The layout of each part of a hostname is much like a file
system: the <filename>/dev</filename> directory falls within the
root, and so on.</para>
<sect2> <sect2>
<title>要執行名稱伺服器的原因</title> <title>要架設名稱伺服器的原因</title>
<para xml:lang="en">Name servers generally come in two forms: authoritative <para>名稱伺服器通常有兩種形式:有權的 (Authoritative) 名稱伺服器與快取 (或稱解析) 名稱伺服器。</para>
name servers, and caching (also known as resolving) name
servers.</para>
<para xml:lang="en">An authoritative name server is needed when:</para> <para>以下情況會需要一台有權的名稱伺服器:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para xml:lang="en">One wants to serve <acronym>DNS</acronym> information <para>想要提供 <acronym>DNS</acronym> 資訊給全世界,做為官方回覆查詢。</para>
to the world, replying authoritatively to queries.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en">A domain, such as <systemitem class="fqdomainname">example.org</systemitem>, is <para>已經註冊了一個網域,例如 <systemitem class="fqdomainname">example.org</systemitem>,且要將 <acronym>IP</acronym> 位址分配到主機名稱下。</para>
registered and <acronym>IP</acronym> addresses need to be
assigned to hostnames under it.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en">An <acronym>IP</acronym> address block requires <para>一段 <acronym>IP</acronym> 位址範圍需要反向 <acronym>DNS</acronym> 項目 (<acronym>IP</acronym> 轉主機名稱)。</para>
reverse <acronym>DNS</acronym> entries
(<acronym>IP</acronym> to hostname).</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en">A backup or second name server, called a slave, will <para>要有一台備援或次要名稱伺服器用來回覆查詢。</para>
reply to queries.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para xml:lang="en">A caching name server is needed when:</para> <para>以下情況會需要一台快取名稱伺服器:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para xml:lang="en">A local <acronym>DNS</acronym> server may cache and <para>比起查詢外部的名稱伺服器本地 <acronym>DNS</acronym> 伺服器可以快取並更快的回應。</para>
respond more quickly than querying an outside name
server.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para xml:lang="en">When one queries for <systemitem class="fqdomainname">www.FreeBSD.org</systemitem>, the <para>當查詢 <systemitem class="fqdomainname">www.FreeBSD.org</systemitem> 時,解析程式通常會查詢上游 <acronym>ISP</acronym> 的名稱伺服器然後接收其回覆,使用本地、快取 <acronym>DNS</acronym> 伺服器,只需要由快取 <acronym>DNS</acronym> 伺服器對外部做一次查詢,其他的查詢則不需要再向區域網路之外查詢,因為這些資訊已經在本地被快取了。</para>
resolver usually queries the uplink <acronym>ISP</acronym>'s
name server, and retrieves the reply. With a local, caching
<acronym>DNS</acronym> server, the query only has to be made
once to the outside world by the caching
<acronym>DNS</acronym> server. Additional queries will not
have to go outside the local network, since the information is
cached locally.</para>
</sect2> </sect2>
<sect2> <sect2>
<title><acronym>DNS</acronym> 伺服器設定於 FreeBSD 10.0 及之後版本</title> <title><acronym>DNS</acronym> 伺服器設定於 FreeBSD 10.0 及之後版本</title>
<para xml:lang="en">In FreeBSD 10.0, <application>BIND</application> has been <para>於 FreeBSD 10.0,<application>BIND</application> 已被替換為 <application>Unbound</application>,<application>Unbound</application> 只會驗證快取解析程式,若需要有權的 (Authoritative) 伺服器,有很多可在 Port 套件集找到。</para>
replaced with <application>Unbound</application>.
<application>Unbound</application> is a validating caching
resolver only. If an authoritative server is needed, many are
available from the Ports Collection.</para>
<para xml:lang="en"><application>Unbound</application> is provided in the FreeBSD <para><application>Unbound</application> 由 FreeBSD 基礎系統提供,預設只會提供本機的 <acronym>DNS</acronym> 解析,雖然基礎系統的套件可被設定提供本機以外的解析服務,但要解決這樣的需求仍建議安裝 FreeBSD Port 套件集中的 <application>Unbound</application>。</para>
base system. By default, it will provide
<acronym>DNS</acronym> resolution to the local machine only.
While the base system package can be configured to provide
resolution services beyond the local machine, it is
recommended that such requirements be addressed by installing
<application>Unbound</application> from the FreeBSD Ports
Collection.</para>
<para xml:lang="en">To enable <application>Unbound</application>, add the <para>要開啟 <application>Unbound</application> 可加入下行到 <filename>/etc/rc.conf</filename>:</para>
following to <filename>/etc/rc.conf</filename>:</para>
<programlisting xml:lang="en">local_unbound_enable="YES"</programlisting> <programlisting xml:lang="en">local_unbound_enable="YES"</programlisting>
<para xml:lang="en">Any existing nameservers in <para>任何已存在於 <filename>/etc/resolv.conf</filename> 中的名稱伺服器會在新的 <application>Unbound</application> 設定中被設為追隨者 (Forwarder)。</para>
<filename>/etc/resolv.conf</filename> will be configured as
forwarders in the new <application>Unbound</application>
configuration.</para>
<note> <note>
<para xml:lang="en">If any of the listed nameservers do not support <para>若任一個列在清單中的名稱伺服器不支援 <acronym>DNSSEC</acronym>,則本地的 <acronym>DNS</acronym> 解析便會失敗,請確認有測試每一台名稱伺服器並移除所有測試失敗的項目。以下指令會顯示出信認樹或在 <systemitem class="ipaddress">192.168.1.1</systemitem> 上執行失敗的名稱伺服器:</para>
<acronym>DNSSEC</acronym>, local <acronym>DNS</acronym>
resolution will fail. Be sure to test each nameserver and
remove any that fail the test. The following command will
show the trust tree or a failure for a nameserver running on
<systemitem class="ipaddress">192.168.1.1</systemitem>:</para>
</note> </note>
<screen xml:lang="en"><prompt>%</prompt> <userinput>drill -S FreeBSD.org @<replaceable>192.168.1.1</replaceable></userinput></screen> <screen xml:lang="en"><prompt>%</prompt> <userinput>drill -S FreeBSD.org @<replaceable>192.168.1.1</replaceable></userinput></screen>
<para xml:lang="en">Once each nameserver is confirmed to support <para>確認完每一台名稱伺服器都支援 <acronym>DNSSEC</acronym> 後啟動 <application>Unbound</application>:</para>
<acronym>DNSSEC</acronym>, start
<application>Unbound</application>:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>service local_unbound onestart</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>service local_unbound onestart</userinput></screen>
<para xml:lang="en">This will take care of updating <para>這將會更新 <filename>/etc/resolv.conf</filename> 來讓查詢已用 <acronym>DNSSEC</acronym> 確保安全的網域現在可以運作。</para>
<filename>/etc/resolv.conf</filename> so that queries for
<acronym>DNSSEC</acronym> secured domains will now work. For
example, run the following to validate the FreeBSD.org
<acronym>DNSSEC</acronym> trust tree:</para>
<screen xml:lang="en"><prompt>%</prompt> <userinput>drill -S FreeBSD.org</userinput> <screen xml:lang="en"><prompt>%</prompt> <userinput>drill -S FreeBSD.org</userinput>
;; Number of trusted keys: 1 ;; Number of trusted keys: 1
;; Chasing: freebsd.org. A ;; Chasing: freebsd.org. A
DNSSEC Trust tree: DNSSEC Trust tree:
freebsd.org. (A) freebsd.org. (A)
|---freebsd.org. (DNSKEY keytag: 36786 alg: 8 flags: 256) |---freebsd.org. (DNSKEY keytag: 36786 alg: 8 flags: 256)
Show All 9 Lines |---freebsd.org. (DS keytag: 32659 digest type: 2)
|---. (DNSKEY keytag: 40926 alg: 8 flags: 256) |---. (DNSKEY keytag: 40926 alg: 8 flags: 256)
|---. (DNSKEY keytag: 19036 alg: 8 flags: 257) |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful</screen> ;; Chase successful</screen>
</sect2> </sect2>
<sect2> <sect2>
<title>DNS 伺服器設定於 FreeBSD 9.<replaceable>X</replaceable></title> <title>DNS 伺服器設定於 FreeBSD 9.<replaceable>X</replaceable></title>
<para xml:lang="en">In FreeBSD, the BIND daemon is called <para>在 FreeBSD 中,會稱 BIND daemon 為 <application>named</application>。</para>
<application>named</application>.</para>
<informaltable frame="none" pgwide="1"> <informaltable frame="none" pgwide="1">
<tgroup cols="2"> <tgroup cols="2">
<thead> <thead>
<row> <row>
<entry>檔案</entry> <entry>檔案</entry>
<entry>說明</entry> <entry>說明</entry>
</row> </row>
</thead> </thead>
<tbody> <tbody>
<row> <row>
<entry xml:lang="en"><citerefentry><refentrytitle>named</refentrytitle><manvolnum>8</manvolnum></citerefentry></entry> <entry xml:lang="en"><citerefentry><refentrytitle>named</refentrytitle><manvolnum>8</manvolnum></citerefentry></entry>
<entry xml:lang="en">The BIND daemon.</entry> <entry>BIND daemon 本身。</entry>
</row> </row>
<row> <row>
<entry xml:lang="en"><citerefentry><refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum></citerefentry></entry> <entry xml:lang="en"><citerefentry><refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum></citerefentry></entry>
<entry xml:lang="en">Name server control utility.</entry> <entry>名稱伺服器控制工具。</entry>
</row> </row>
<row> <row>
<entry xml:lang="en"><filename>/etc/namedb</filename></entry> <entry xml:lang="en"><filename>/etc/namedb</filename></entry>
<entry xml:lang="en">Directory where BIND zone information <entry>儲存 BIND 轄區 (Zone) 資訊的目錄。</entry>
resides.</entry>
</row> </row>
<row> <row>
<entry xml:lang="en"><filename>/etc/namedb/named.conf</filename></entry> <entry xml:lang="en"><filename>/etc/namedb/named.conf</filename></entry>
<entry xml:lang="en">Configuration file of the daemon.</entry> <entry>Daemon 的設定檔。</entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
<para xml:lang="en">Depending on how a given zone is configured on the server, <para>依指定轄區在伺服器上設定的方式,與該轄區相關的檔案會存放在 <filename>/etc/namedb</filename> 目錄中的 <filename>master</filename>, <filename>slave</filename> 或 <filename>dynamic</filename> 子目錄,這些檔案中會含有 <acronym>DNS</acronym> 資訊,會在名稱伺服器回覆查詢時使用到。</para>
the files related to that zone can be found in the
<filename>master</filename>,
<filename>slave</filename>, or
<filename>dynamic</filename> subdirectories
of the <filename>/etc/namedb</filename>
directory. These files contain the <acronym>DNS</acronym>
information that will be given out by the name server in
response to queries.</para>
<sect3> <sect3>
<title>啟動 BIND</title> <title>啟動 BIND</title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>BIND</primary> <primary>BIND</primary>
<secondary>starting</secondary> <secondary>starting</secondary>
</indexterm> </indexterm>
<para xml:lang="en">Since BIND is installed by default, configuring it is <para>由於 BIND 預設已經安裝,要設定它相對簡單。</para>
relatively simple.</para>
<para xml:lang="en">The default <application>named</application> <para>預設的 <application>named</application> 設定成只做基本的名稱解析伺服器,運作於 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>8</manvolnum></citerefentry> 環境中,並限制只傾聽本地 IPv4 loopback 位址 (127.0.0.1),若只要使用這個設定啟動伺服器一次可使用以下指令:</para>
configuration is that of a basic resolving name server,
running in a <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>8</manvolnum></citerefentry> environment, and restricted to
listening on the local IPv4 loopback address (127.0.0.1).
To start the server one time with this configuration, use
the following command:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>service named onestart</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>service named onestart</userinput></screen>
<para xml:lang="en">To ensure the <application>named</application> daemon is <para>要讓 <application>named</application> 在每次開機都會啟動,可加入下行到 <filename>/etc/rc.conf</filename>:</para>
started at boot each time, put the following line into the
<filename>/etc/rc.conf</filename>:</para>
<programlisting xml:lang="en">named_enable="YES"</programlisting> <programlisting xml:lang="en">named_enable="YES"</programlisting>
<para xml:lang="en">There are many configuration options for <para>還有許多 <filename>/etc/namedb/named.conf</filename> 的設定選項以超出本文章的範圍,<application>named</application> 其他在 FreeBSD 上的啟動選項可在 <filename>/etc/defaults/rc.conf</filename> 與在 <citerefentry><refentrytitle>rc.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> 中尋找 <literal>named_<replaceable>*</replaceable></literal> 項目,也建議閱讀 <xref linkend="configtuning-rcd"/> 一節。</para>
<filename>/etc/namedb/named.conf</filename> that are beyond
the scope of this document. Other startup options for
<application>named</application> on FreeBSD can be found in the
<literal>named_<replaceable>*</replaceable></literal> flags
in <filename>/etc/defaults/rc.conf</filename> and in
<citerefentry><refentrytitle>rc.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The <xref linkend="configtuning-rcd"/>
section is also a good read.</para>
</sect3> </sect3>
<sect3> <sect3>
<title>設定檔</title> <title>設定檔</title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>BIND</primary> <primary>BIND</primary>
<secondary>configuration files</secondary> <secondary>configuration files</secondary>
</indexterm> </indexterm>
<para xml:lang="en">Configuration files for <application>named</application> <para><application>named</application> 的設定檔目前儲存在 <filename>/etc/namedb</filename> 目錄中且使用前必須先做修改,除非您只需要它做簡單的解析,這也是需要做最多設定的地方。</para>
currently reside in <filename>/etc/namedb</filename>
directory and will need modification before use unless all
that is needed is a simple resolver. This is where most of
the configuration will be performed.</para>
<sect4> <sect4>
<title xml:lang="en"><filename>/etc/namedb/named.conf</filename></title> <title xml:lang="en"><filename>/etc/namedb/named.conf</filename></title>
<programlisting xml:lang="en">// $FreeBSD$ <programlisting xml:lang="en">// <phrase its:translate="no">$FreeBSD$</phrase>
// //
// Refer to the named.conf(5) and named(8) man pages, and the documentation // Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details. // in /usr/share/doc/bind9 for more details.
// //
// If you are going to set up an authoritative server, make sure you // If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with // understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties, // simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic. // or cause huge amounts of useless Internet traffic.
Show All 39 Lines
// forward only; // forward only;
// If you wish to have forwarding configured automatically based on // If you wish to have forwarding configured automatically based on
// the entries in /etc/resolv.conf, uncomment the following line and // the entries in /etc/resolv.conf, uncomment the following line and
// set named_auto_forward=yes in /etc/rc.conf. You can also enable // set named_auto_forward=yes in /etc/rc.conf. You can also enable
// named_auto_forward_only (the effect of which is described above). // named_auto_forward_only (the effect of which is described above).
// include "/etc/namedb/auto_forward.conf";</programlisting> // include "/etc/namedb/auto_forward.conf";</programlisting>
<para xml:lang="en">Just as the comment says, to benefit from an uplink's <para>如同註解所述,要利用上游的快取功能,可以在此啟動 <literal>forwarders</literal>,正常的情況下,名稱伺服器會在網際網路上做遞迴查詢來尋找特定名稱伺服器,直到找到要查詢的答案,開啟快取功能會讓名稱伺服器先查詢上游的名稱伺服器 (或自行設定的名稱伺服器) 來利用該伺服器的快取,若查詢的上游名稱伺服器是有規模營運且快速的名稱伺服器,則開啟此功能是相當值得的。</para>
cache, <literal>forwarders</literal> can be enabled here.
Under normal circumstances, a name server will recursively
query the Internet looking at certain name servers until
it finds the answer it is looking for. Having this
enabled will have it query the uplink's name server (or
name server provided) first, taking advantage of its
cache. If the uplink name server in question is a heavily
trafficked, fast name server, enabling this may be
worthwhile.</para>
<warning> <warning>
<para xml:lang="en"><systemitem class="ipaddress">127.0.0.1</systemitem> <para>在此處使用 <systemitem class="ipaddress">127.0.0.1</systemitem> 會<emphasis>沒有</emphasis>作用,請更改此 <acronym>IP</acronym> 位址為上游的名稱伺服器。</para>
will <emphasis>not</emphasis> work here. Change this
<acronym>IP</acronym> address to a name server at the
uplink.</para>
</warning> </warning>
<programlisting xml:lang="en"> /* <programlisting xml:lang="en"> /*
Modern versions of BIND use a random <acronym>UDP</acronym> port for each outgoing Modern versions of BIND use a random <acronym>UDP</acronym> port for each outgoing
query by default in order to dramatically reduce the possibility query by default in order to dramatically reduce the possibility
of cache poisoning. All users are strongly encouraged to utilize of cache poisoning. All users are strongly encouraged to utilize
this feature, and to configure their firewalls to accommodate it. this feature, and to configure their firewalls to accommodate it.
▲ Show 20 LinesShow All 225 Lines▼ Show 20 Lineszone "1.168.192.in-addr.arpa" {
type slave; type slave;
file "/etc/namedb/slave/1.168.192.in-addr.arpa"; file "/etc/namedb/slave/1.168.192.in-addr.arpa";
masters { masters {
192.168.1.1; 192.168.1.1;
}; };
}; };
*/</programlisting> */</programlisting>
<para xml:lang="en">In <filename>named.conf</filename>, these are examples <para>在 <filename>named.conf</filename> 中,這些為正向與反向轄區的備援 (Slave) 項目範例。</para>
of slave entries for a forward and reverse zone.</para>
<para xml:lang="en">For each new zone served, a new zone entry must be <para>每一個要提供的新轄區 (Zone),都必須在 <filename>named.conf</filename> 加入新轄區的項目。</para>
added to <filename>named.conf</filename>.</para>
<para xml:lang="en">For example, the simplest zone entry for <para>以最簡單的轄區項目 <systemitem class="fqdomainname">example.org</systemitem> 來舉例:</para>
<systemitem class="fqdomainname">example.org</systemitem>
can look like:</para>
<programlisting xml:lang="en">zone "example.org" { <programlisting xml:lang="en">zone "example.org" {
type master; type master;
file "master/example.org"; file "master/example.org";
};</programlisting> };</programlisting>
<para xml:lang="en">The zone is a master, as indicated by the <para>該轄區的角色為主要 (Master),使用 <option>type</option> 述敘句來指定,該轄區的資訊會儲存在 <filename>/etc/namedb/master/example.org</filename>,使用 <option>file</option> 述敘句來指定。</para>
<option>type</option> statement, holding its zone
information in
<filename>/etc/namedb/master/example.org</filename>
indicated by the <option>file</option> statement.</para>
<programlisting xml:lang="en">zone "example.org" { <programlisting xml:lang="en">zone "example.org" {
type slave; type slave;
file "slave/example.org"; file "slave/example.org";
};</programlisting> };</programlisting>
<para xml:lang="en">In the slave case, the zone information is transferred <para>若為次要轄區,則會由主要名稱伺服器接收特定轄區的轄區資訊,並儲存到指定的檔案,若主要伺服器故障或無法連線,次要名稱伺服器會有先前接收過的轄區資訊可用來繼續提供服務。</para>
from the master name server for the particular zone, and
saved in the file specified. If and when the master
server dies or is unreachable, the slave name server will
have the transferred zone information and will be able to
serve it.</para>
</sect4> </sect4>
<sect4> <sect4>
<title xml:lang="en">Zone Files</title> <title>轄區檔案</title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>BIND</primary> <primary>BIND</primary>
<secondary>zone files</secondary> <secondary>zone files</secondary>
</indexterm> </indexterm>
<para xml:lang="en">An example master zone file for <para><systemitem class="fqdomainname">example.org</systemitem> 的主要轄區檔範例 (位於 <filename>/etc/namedb/master/example.org</filename>) 如下:</para>
<systemitem class="fqdomainname">example.org</systemitem>
(existing within
<filename>/etc/namedb/master/example.org</filename>) is as
follows:</para>
<programlisting xml:lang="en">$TTL 3600 ; 1 hour default TTL <programlisting xml:lang="en">$TTL 3600 ; 1 hour default TTL
example.org. IN SOA ns1.example.org. admin.example.org. ( example.org. IN SOA ns1.example.org. admin.example.org. (
2006051501 ; Serial 2006051501 ; Serial
10800 ; Refresh 10800 ; Refresh
3600 ; Retry 3600 ; Retry
604800 ; Expire 604800 ; Expire
300 ; Negative Response TTL 300 ; Negative Response TTL
Show All 14 Lines
ns1 IN A 192.168.1.2 ns1 IN A 192.168.1.2
ns2 IN A 192.168.1.3 ns2 IN A 192.168.1.3
mx IN A 192.168.1.4 mx IN A 192.168.1.4
mail IN A 192.168.1.5 mail IN A 192.168.1.5
; Aliases ; Aliases
www IN CNAME example.org.</programlisting> www IN CNAME example.org.</programlisting>
<para xml:lang="en">Note that every hostname ending in a <quote>.</quote> <para>注意,每個有以 <quote>.</quote> 號結尾的主機是完整的主機名稱,也就是說,若沒有以 <quote>.</quote> 結尾則是該源頭 (Origin) 的相對主機名稱。例如 <literal>ns1</literal> 會被轉換成 <literal>ns1.<replaceable>example.org.</replaceable></literal>。</para>
is an exact hostname, whereas everything without a
trailing <quote>.</quote> is relative to the origin. For
example, <literal>ns1</literal> is translated into
<literal>ns1.<replaceable>example.org.</replaceable></literal></para>
<para xml:lang="en">The format of a zone file follows:</para> <para>轄區檔案的格式如下:</para>
<programlisting xml:lang="en">recordname IN recordtype value</programlisting> <programlisting xml:lang="en">recordname IN recordtype value</programlisting>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary><acronym>DNS</acronym></primary> <primary><acronym>DNS</acronym></primary>
<secondary>records</secondary> <secondary>records</secondary>
</indexterm> </indexterm>
<para xml:lang="en">The most commonly used <acronym>DNS</acronym> <para>最常用到的 <acronym>DNS</acronym> 記錄有:</para>
records:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term xml:lang="en">SOA</term> <term xml:lang="en">SOA</term>
<listitem> <listitem>
<para xml:lang="en">start of zone authority</para> <para>開始轄區授權 (Authority)</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en">NS</term> <term xml:lang="en">NS</term>
<listitem> <listitem>
<para xml:lang="en">an authoritative name server</para> <para>一台有權的名稱伺服器</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en">A</term> <term xml:lang="en">A</term>
<listitem> <listitem>
<para xml:lang="en">a host address</para> <para>主機位址</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en">CNAME</term> <term xml:lang="en">CNAME</term>
<listitem> <listitem>
<para xml:lang="en">the canonical name for an alias</para> <para>別名的正規名稱 (Canonical name)</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en">MX</term> <term xml:lang="en">MX</term>
<listitem> <listitem>
<para xml:lang="en">mail exchanger</para> <para>郵件交換器 (Mail exchanger)</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en">PTR</term> <term xml:lang="en">PTR</term>
<listitem> <listitem>
<para xml:lang="en">a domain name pointer (used in reverse <para>網域名稱指標 (用在反向 <acronym>DNS</acronym>)</para>
<acronym>DNS</acronym>)</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<programlisting xml:lang="en">example.org. IN SOA ns1.example.org. admin.example.org. ( <programlisting xml:lang="en">example.org. IN SOA ns1.example.org. admin.example.org. (
2006051501 ; Serial 2006051501 ; Serial
10800 ; Refresh after 3 hours 10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour 3600 ; Retry after 1 hour
604800 ; Expire after 1 week 604800 ; Expire after 1 week
300 ) ; Negative Response TTL</programlisting> 300 ) ; Negative Response TTL</programlisting>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term xml:lang="en"><systemitem class="fqdomainname">example.org.</systemitem></term> <term xml:lang="en"><systemitem class="fqdomainname">example.org.</systemitem></term>
<listitem> <listitem>
<para xml:lang="en">the domain name, also the origin for this <para>網域名稱,也同樣是此轄區檔案的源頭 (Origin)。</para>
zone file.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><systemitem class="fqdomainname">ns1.example.org.</systemitem></term> <term xml:lang="en"><systemitem class="fqdomainname">ns1.example.org.</systemitem></term>
<listitem> <listitem>
<para xml:lang="en">the primary/authoritative name server for this <para>此轄區主要/有權的名稱伺服器。</para>
zone.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>admin.example.org.</literal></term> <term xml:lang="en"><literal>admin.example.org.</literal></term>
<listitem> <listitem>
<para xml:lang="en">the responsible person for this zone, <para>此轄區的負責人,將 <quote>@</quote> 取代後的電子郵件位址。 (<email>admin@example.org</email> 會變成 <literal>admin.example.org</literal>)</para>
email address with <quote>@</quote>
replaced. (<email>admin@example.org</email> becomes
<literal>admin.example.org</literal>)</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>2006051501</literal></term> <term xml:lang="en"><literal>2006051501</literal></term>
<listitem> <listitem>
<para xml:lang="en">the serial number of the file. This must be <para>該檔案的序號,每次修改轄區檔案之後應該增加此序號,目前許多管理者會偏好採用 <literal>yyyymmddrr</literal> 格式來編號,如 <literal>2006051501</literal> 代表最後一次修改於 2006 年 5 月 15 號,再後面的 <literal>01</literal> 代表這是在那一天做的第一次修改,序號的編號很重要,因為它會在更新轄區之後用來通知備援 (Slave) 的名稱伺服器。</para>
incremented each time the zone file is modified.
Nowadays, many admins prefer a
<literal>yyyymmddrr</literal> format for the serial
number. <literal>2006051501</literal> would mean
last modified 05/15/2006, the latter
<literal>01</literal> being the first time the zone
file has been modified this day. The serial number
is important as it alerts slave name servers for a
zone when it is updated.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<programlisting xml:lang="en"> IN NS ns1.example.org.</programlisting> <programlisting xml:lang="en"> IN NS ns1.example.org.</programlisting>
<para xml:lang="en">This is an NS entry. Every name server that is going <para>這是一個 NS 項目,每個要有權力能做回覆的名稱伺服器必須具有至少設定一個項目。</para>
to reply authoritatively for the zone must have one of
these entries.</para>
<programlisting xml:lang="en">localhost IN A 127.0.0.1 <programlisting xml:lang="en">localhost IN A 127.0.0.1
ns1 IN A 192.168.1.2 ns1 IN A 192.168.1.2
ns2 IN A 192.168.1.3 ns2 IN A 192.168.1.3
mx IN A 192.168.1.4 mx IN A 192.168.1.4
mail IN A 192.168.1.5</programlisting> mail IN A 192.168.1.5</programlisting>
<para xml:lang="en">The A record indicates machine names. As seen above, <para>A 記錄代表主機名稱,以上述例子來說,<systemitem class="fqdomainname">ns1.example.org</systemitem> 會解析為 <systemitem class="ipaddress">192.168.1.2</systemitem>。</para>
<systemitem class="fqdomainname">ns1.example.org</systemitem> would
resolve to <systemitem class="ipaddress">192.168.1.2</systemitem>.</para>
<programlisting xml:lang="en"> IN A 192.168.1.1</programlisting> <programlisting xml:lang="en"> IN A 192.168.1.1</programlisting>
<para xml:lang="en">This line assigns <acronym>IP</acronym> address <para>這行會分配 <acronym>IP</acronym> 位址 <systemitem class="ipaddress">192.168.1.1</systemitem> 給目前的源頭 (Origin),在這個例子為 <systemitem class="fqdomainname">example.org</systemitem>。</para>
<systemitem class="ipaddress">192.168.1.1</systemitem> to
the current origin, in this case <systemitem class="fqdomainname">example.org</systemitem>.</para>
<programlisting xml:lang="en">www IN CNAME @</programlisting> <programlisting xml:lang="en">www IN CNAME @</programlisting>
<para xml:lang="en">The canonical name record is usually used for giving <para>canonical name 記錄通常用來替主機設定別名,在這個例子中 <systemitem>www</systemitem> 是 <quote>master</quote> 主機的別名,其名稱會與網域名稱 <systemitem class="fqdomainname">example.org</systemitem> (<systemitem class="ipaddress">192.168.1.1</systemitem>) 相同。CNAME 不能與其他類型的記錄同時用在一個主機上。</para>
aliases to a machine. In the example,
<systemitem>www</systemitem> is aliased to the
<quote>master</quote> machine whose name happens to be the
same as the domain name
<systemitem class="fqdomainname">example.org</systemitem>
(<systemitem class="ipaddress">192.168.1.1</systemitem>).
CNAMEs can never be used together with another kind of
record for the same hostname.</para>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>MX record</primary> <primary>MX record</primary>
</indexterm> </indexterm>
<programlisting xml:lang="en"> IN MX 10 mail.example.org.</programlisting> <programlisting xml:lang="en"> IN MX 10 mail.example.org.</programlisting>
<para xml:lang="en">The MX record indicates which mail servers are <para>MX 記錄用來指定該轄區要負責處理內寄郵件的郵件伺服器,<systemitem class="fqdomainname">mail.example.org</systemitem> 是郵件伺服器的主機名稱,而 10 是該郵件伺服器的優先順序。</para>
responsible for handling incoming mail for the zone.
<systemitem class="fqdomainname">mail.example.org</systemitem> is
the hostname of a mail server, and 10 is the priority of
that mail server.</para>
<para xml:lang="en">One can have several mail servers, with priorities of <para>一個轄區可以有很多台郵件伺服器,每一台使用不同的優先順序 10, 20 以此類推,一台郵件伺服器嘗試要寄件給 <systemitem class="fqdomainname">example.org</systemitem> 會先嘗試優先順序最高的 MX (優先順序數字最低的記錄),然後第二高的,接著繼續,直到郵件被寄出。</para>
10, 20 and so on. A mail server attempting to deliver to
<systemitem class="fqdomainname">example.org</systemitem>
would first try the highest priority MX (the record with
the lowest priority number), then the second highest, etc,
until the mail can be properly delivered.</para>
<para xml:lang="en">For in-addr.arpa zone files (reverse <para>in-addr.arpa 轄區檔案 (反向 <acronym>DNS</acronym>) 也使用相同的格式,除了項目要改使用 PTR 而非 A 或 CNAME。</para>
<acronym>DNS</acronym>), the same format is used, except
with PTR entries instead of A or CNAME.</para>
<programlisting xml:lang="en">$TTL 3600 <programlisting xml:lang="en">$TTL 3600
1.168.192.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. ( 1.168.192.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. (
2006051501 ; Serial 2006051501 ; Serial
10800 ; Refresh 10800 ; Refresh
3600 ; Retry 3600 ; Retry
604800 ; Expire 604800 ; Expire
300 ) ; Negative Response TTL 300 ) ; Negative Response TTL
IN NS ns1.example.org. IN NS ns1.example.org.
IN NS ns2.example.org. IN NS ns2.example.org.
1 IN PTR example.org. 1 IN PTR example.org.
2 IN PTR ns1.example.org. 2 IN PTR ns1.example.org.
3 IN PTR ns2.example.org. 3 IN PTR ns2.example.org.
4 IN PTR mx.example.org. 4 IN PTR mx.example.org.
5 IN PTR mail.example.org.</programlisting> 5 IN PTR mail.example.org.</programlisting>
<para xml:lang="en">This file gives the proper <acronym>IP</acronym> <para>這個檔案會對上述虛擬網域給予 <acronym>IP</acronym> 位置到主機名稱的正確對應表。</para>
address to hostname mappings for the above fictitious
domain.</para>
<para xml:lang="en">It is worth noting that all names on the right side <para>值得注意的是,所有在 PTR 記錄右邊的名字必須要是完整的 (即以 <quote>.</quote> 結尾)。</para>
of a PTR record need to be fully qualified (i.e., end in
a <quote>.</quote>).</para>
</sect4> </sect4>
</sect3> </sect3>
<sect3> <sect3>
<title>快取名稱伺服器</title> <title>快取名稱伺服器</title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>BIND</primary> <primary>BIND</primary>
<secondary>caching name server</secondary> <secondary>caching name server</secondary>
</indexterm> </indexterm>
<para xml:lang="en">A caching name server is a name server whose primary <para>快取名稱伺服器是一種主要用來解析遞迴查詢的名稱伺服器,它只會詢問自己的查詢並記住結果供以後使用。</para>
role is to resolve recursive queries. It simply asks
queries of its own, and remembers the answers for later
use.</para>
</sect3> </sect3>
<sect3> <sect3>
<title xml:lang="en"><acronym role="Domain Name Security Extensions">DNSSEC</acronym></title> <title xml:lang="en"><acronym role="Domain Name Security Extensions">DNSSEC</acronym></title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>BIND</primary> <primary>BIND</primary>
<secondary><acronym>DNS</acronym> security <secondary><acronym>DNS</acronym> security
extensions</secondary> extensions</secondary>
</indexterm> </indexterm>
<para xml:lang="en">Domain Name System Security Extensions, or <acronym role="Domain Name Security Extensions">DNSSEC</acronym> <para>網域名稱系統安全性擴充 (Domain Name System Security Extension),或簡稱 <acronym role="Domain Name Security Extensions">DNSSEC</acronym>,是一套規範,用來保護解析名稱伺服器收到偽造的 <acronym>DNS</acronym> 資料,如:假 <acronym>DNS</acronym> 記錄,利用數位簽章,解析器可以驗証記錄的正確性。注意,<acronym role="Domain Name Security Extensions">DNSSEC</acronym> 只提供透過數位簽署資源記錄 (Resource Records, <acronym role="Resource Record">RR</acronym>) 的方式來確認正確性,這代表它無法保護要前往 <systemitem class="fqdomainname">example.net</systemitem> 但卻跑去 <systemitem class="fqdomainname">example.com</systemitem> 的使用者,<acronym>DNSSEC</acronym> 所做的唯一一件事便是認証資料在傳輸時沒有被竄改。<acronym>DNS</acronym> 的安全性是保護網際網路重要的一步,要取得更進一步有關 <acronym>DNSSEC</acronym> 如何運作的資訊可從相關的 <acronym>RFC</acronym> 文件開始,請參考 <xref linkend="dns-read"/> 清單。</para>
for short, is a suite of specifications to protect resolving
name servers from forged <acronym>DNS</acronym> data, such
as spoofed <acronym>DNS</acronym> records. By using digital
signatures, a resolver can verify the integrity of the
record. Note that <acronym role="Domain Name Security Extensions">DNSSEC</acronym> only provides integrity via
digitally signing the Resource Records (<acronym role="Resource Record">RR</acronym>s). It provides
neither confidentiality nor protection against false
end-user assumptions. This means that it cannot protect
against people going to
<systemitem class="fqdomainname">example.net</systemitem>
instead of
<systemitem class="fqdomainname">example.com</systemitem>.
The only thing <acronym>DNSSEC</acronym> does is
authenticate that the data has not been compromised in
transit. The security of <acronym>DNS</acronym> is an
important step in securing the Internet in general. For
more in-depth details of how <acronym>DNSSEC</acronym>
works, the relevant <acronym>RFC</acronym>s are a good place
to start. See the list in
<xref linkend="dns-read"/>.</para>
<para xml:lang="en">The following sections will demonstrate how to enable <para>接下來的章節會示範如何在一台運行 <acronym>BIND</acronym> 9 的有權的 <acronym>DNS</acronym> 伺服器與遞迴 (或快取) <acronym>DNS</acronym> 伺服器開啟 <acronym>DNSSEC</acronym>。雖然所有 <acronym>BIND</acronym> 9 的版本階支援 <acronym>DNSSEC</acronym>,但要能夠在驗証 <acronym>DNS</acronym> 查詢時使用已簽署的根轄區必須使用版本 9.6.2 以上,這是因為較先前的版本缺少必要的演算法來開啟使用根轄區金鑰驗證的功能,強烈建議使用 <acronym>BIND</acronym> 9.7 的最新版本或之後的版本以支援根金鑰的自動自動金鑰更新以及自動確保轄區已簽署與更新簽名為最新版的功能,9.6.2 與 9.7 之後版本的設定會有一些差異,差異點會再特別說明。</para>
<acronym>DNSSEC</acronym> for an authoritative
<acronym>DNS</acronym> server and a recursive (or caching)
<acronym>DNS</acronym> server running
<acronym>BIND</acronym> 9. While all versions of
<acronym>BIND</acronym> 9 support <acronym>DNSSEC</acronym>,
it is necessary to have at least version 9.6.2 in order to
be able to use the signed root zone when validating
<acronym>DNS</acronym> queries. This is because earlier
versions lack the required algorithms to enable validation
using the root zone key. It is strongly recommended to use
the latest version of <acronym>BIND</acronym> 9.7 or later
to take advantage of automatic key updating for the root
key, as well as other features to automatically keep zones
signed and signatures up to date. Where configurations
differ between 9.6.2 and 9.7 and later, differences will be
pointed out.</para>
<sect4> <sect4>
<title xml:lang="en">Recursive <acronym>DNS</acronym> Server <title xml:lang="en">Recursive <acronym>DNS</acronym> Server
Configuration</title> Configuration</title>
<para xml:lang="en">Enabling <acronym>DNSSEC</acronym> validation of <para>需要對 <filename>named.conf</filename> 做一些修改才能開啟遞迴 <acronym>DNS</acronym> 伺服器執行查詢 <acronym>DNSSEC</acronym> 的驗証,在做這更改前,必須先取得根轄區金鑰或信任的錨點 (Anchor),目前 <acronym>BIND</acronym> 可用的檔案格式不支援根轄區金鑰 (Root zone key),因此必須手動轉換為需要的格式,金鑰本身可使用 <application>dig</application> 查詢根轄區來取得,透過執行</para>
queries performed by a recursive <acronym>DNS</acronym>
server requires a few changes to
<filename>named.conf</filename>. Before making these
changes the root zone key, or trust anchor, must be
acquired. Currently the root zone key is not available in
a file format <acronym>BIND</acronym> understands, so it
has to be manually converted into the proper format. The
key itself can be obtained by querying the root zone for
it using <application>dig</application>. By
running</para>
<screen xml:lang="en"><prompt>%</prompt> <userinput>dig +multi +noall +answer DNSKEY . &gt; root.dnskey</userinput></screen> <screen xml:lang="en"><prompt>%</prompt> <userinput>dig +multi +noall +answer DNSKEY . &gt; root.dnskey</userinput></screen>
<para xml:lang="en">the key will end up in <para>金鑰會儲存到 <filename>root.dnskey</filename>,其內容應會如下:</para>
<filename>root.dnskey</filename>. The contents should
look something like this:</para>
<programlisting xml:lang="en">. 93910 IN DNSKEY 257 3 8 ( <programlisting xml:lang="en">. 93910 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036 ) ; key id = 19036
. 93910 IN DNSKEY 256 3 8 ( . 93910 IN DNSKEY 256 3 8 (
AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf AwEAAcaGQEA+OJmOzfzVfoYN249JId7gx+OZMbxy69Hf
UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE UyuGBbRN0+HuTOpBxxBCkNOL+EJB9qJxt+0FEY6ZUVjE
g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V g58sRr4ZQ6Iu6b1xTBKgc193zUARk4mmQ/PPGxn7Cn5V
EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt
) ; key id = 34525</programlisting> ) ; key id = 34525</programlisting>
<para xml:lang="en">Do not be alarmed if the obtained keys differ from <para>若取得的金鑰與此範例不同不要感到訝異,可能在最後一次更新這些操作指示之後有更改過,這個輸出結果實際上包含了兩組金鑰,在清單中的第一組金鑰,即在 DNSKEY 記錄類型之後有數值 257 的這組,是我們需要的,這個數值代表該金鑰是一個 Secure Entry Point (<acronym role="Secure Entry Point">SEP</acronym>)、俗稱 Key Signing Key (<acronym role="Key Signing Key">KSK</acronym>)。第二組金鑰,數值為 256,這是一個附屬金鑰,俗稱 Zone Signing Key (<acronym role="Zone Signing Key">ZSK</acronym>)。更多有關不同金鑰類型的資訊之後在 <xref linkend="dns-dnssec-auth"/> 會說明。</para>
this example. They might have changed since these
instructions were last updated. This output actually
contains two keys. The first key in the listing, with the
value 257 after the DNSKEY record type, is the one needed.
This value indicates that this is a Secure Entry Point
(<acronym role="Secure Entry Point">SEP</acronym>),
commonly known as a Key Signing Key
(<acronym role="Key Signing Key">KSK</acronym>). The
second key, with value 256, is a subordinate key, commonly
called a Zone Signing Key
(<acronym role="Zone Signing Key">ZSK</acronym>). More on
the different key types later in
<xref linkend="dns-dnssec-auth"/>.</para>
<para xml:lang="en">Now the key must be verified and formatted so that <para>現在必須驗証這個金鑰並格式化才可供 <acronym>BIND</acronym> 使用。產生 <acronym role="Delegation Signer">DS</acronym> <acronym role="Resource Record">RR</acronym> 集來驗証這個金鑰,使用以下指令建立一個包含這些 <acronym role="Resource Record">RR</acronym> 的檔案</para>
<acronym>BIND</acronym> can use it. To verify the key,
generate a <acronym role="Delegation Signer">DS</acronym>
<acronym role="Resource Record">RR</acronym> set. Create
a file containing these
<acronym role="Resource Record">RR</acronym>s with</para>
<screen xml:lang="en"><prompt>%</prompt> <userinput>dnssec-dsfromkey -f root.dnskey . &gt; root.ds</userinput></screen> <screen xml:lang="en"><prompt>%</prompt> <userinput>dnssec-dsfromkey -f root.dnskey . &gt; root.ds</userinput></screen>
<para xml:lang="en">These records use SHA-1 and SHA-256 respectively, and <para>這些記錄分別使用 SHA-1 與 SHA-256,且如下範例所示,使用 SHA-256 的段落較長。</para>
should look similar to the following example, where the
longer is using SHA-256.</para>
<programlisting xml:lang="en">. IN DS 19036 8 1 <programlisting xml:lang="en">. IN DS 19036 8 1
B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</programlisting> . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</programlisting>
<para xml:lang="en">The SHA-256 <acronym>RR</acronym> can now be compared <para>SHA-256 <acronym>RR</acronym> 現在可以與在 <link xlink:href="https://data.iana.org/root-anchors/root-anchors.xml">https://data.iana.org/root-anchors/root-anchors.xml</link> 中的 digest 比對。要完全確保該金鑰沒有被竄改,<acronym>XML</acronym> 檔案中的資料應使用正確的 <acronym>PGP</acronym> 簽名來驗證。</para>
to the digest in <link xlink:href="https://data.iana.org/root-anchors/root-anchors.xml">https://data.iana.org/root-anchors/root-anchors.xml</link>.
To be absolutely sure that the key has not been tampered
with the data in the <acronym>XML</acronym> file should be
verified using a proper <acronym>PGP</acronym> signature.</para>
<para xml:lang="en">Next, the key must be formatted properly. This <para>接著,金鑰必須正確的格式化,<acronym>BIND</acronym> 版本 9.6.2 與 9.7 及之後的版本有一些不同,在版本 9.7 開始支援自動追蹤對金鑰的變更並在需要的時候更新,這可使用 <literal>managed-keys</literal> 如下範例所示來達成。若使用較舊的版本,金鑰必須使用 <literal>trusted-keys</literal> 敘述加入且必須手動更新,供 <acronym>BIND</acronym> 9.6.2 的格式如下:</para>
differs a little between <acronym>BIND</acronym> versions
9.6.2 and 9.7 and later. In version 9.7 support was added
to automatically track changes to the key and update it as
necessary. This is done using
<literal>managed-keys</literal> as seen in the example
below. When using the older version, the key is added
using a <literal>trusted-keys</literal> statement and
updates must be done manually. For
<acronym>BIND</acronym> 9.6.2 the format should look
like:</para>
<programlisting xml:lang="en">trusted-keys { <programlisting xml:lang="en">trusted-keys {
"." 257 3 8 "." 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0="; QxA+Uk1ihz0=";
};</programlisting> };</programlisting>
<para xml:lang="en">For 9.7 the format will instead be:</para> <para>供 9.7 的格式則為:</para>
<programlisting xml:lang="en">managed-keys { <programlisting xml:lang="en">managed-keys {
"." initial-key 257 3 8 "." initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0="; QxA+Uk1ihz0=";
};</programlisting> };</programlisting>
<para xml:lang="en">The root key can now be added to <para>現在可以直接或透過引用包含金鑰的檔案將根金鑰 (Root key) 加入到 <filename>named.conf</filename>,完成這些步驟後,編輯 <filename>named.conf</filename> 來設定 <acronym>BIND</acronym> 執行 <acronym>DNSSEC</acronym> 在查詢時驗證並加入以下項目到 <literal>options</literal> 指示項目中:</para>
<filename>named.conf</filename> either directly or by
including a file containing the key. After these steps,
configure <acronym>BIND</acronym> to do
<acronym>DNSSEC</acronym> validation on queries by editing
<filename>named.conf</filename> and adding the following
to the <literal>options</literal> directive:</para>
<programlisting xml:lang="en">dnssec-enable yes; <programlisting xml:lang="en">dnssec-enable yes;
dnssec-validation yes;</programlisting> dnssec-validation yes;</programlisting>
<para xml:lang="en">To verify that it is actually working use <para xml:lang="en">To verify that it is actually working use
<application>dig</application> to make a query for a <application>dig</application> to make a query for a
signed zone using the resolver just configured. A signed zone using the resolver just configured. A
successful reply will contain the <literal>AD</literal> successful reply will contain the <literal>AD</literal>
▲ Show 20 LinesShow All 96 Lines▼ Show 20 Lines$include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<para xml:lang="en">Finally, sign the zone and tell <para xml:lang="en">Finally, sign the zone and tell
<acronym>BIND</acronym> to use the signed zone file. To <acronym>BIND</acronym> to use the signed zone file. To
sign a zone <application>dnssec-signzone</application> is sign a zone <application>dnssec-signzone</application> is
used. The command to sign the zone used. The command to sign the zone
<systemitem class="fqdomainname">example.com</systemitem>, <systemitem class="fqdomainname">example.com</systemitem>,
located in <filename>example.com.db</filename> would look located in <filename>example.com.db</filename> would look
similar to</para> similar to</para>
<screen xml:lang="en"><prompt>%</prompt> <userinput>dnssec-signzone -o <screen xml:lang="en"><prompt>%</prompt> <userinput>dnssec-signzone -o example.com -k Kexample.com.+005+nnnnn.KSK example.com.db Kexample.com.+005+nnnnn.ZSK.key</userinput></screen>
example.com -k Kexample.com.+005+nnnnn.KSK example.com.db
Kexample.com.+005+nnnnn.ZSK.key</userinput></screen>
<para xml:lang="en">The key supplied to the <option>-k</option> argument <para xml:lang="en">The key supplied to the <option>-k</option> argument
is the <acronym>KSK</acronym> and the other key file is is the <acronym>KSK</acronym> and the other key file is
the <acronym>ZSK</acronym> that should be used in the the <acronym>ZSK</acronym> that should be used in the
signing. It is possible to supply more than one signing. It is possible to supply more than one
<acronym>KSK</acronym> and <acronym>ZSK</acronym>, which <acronym>KSK</acronym> and <acronym>ZSK</acronym>, which
will result in the zone being signed with all supplied will result in the zone being signed with all supplied
keys. This can be needed to supply zone data signed using keys. This can be needed to supply zone data signed using
▲ Show 20 LinesShow All 195 Lines▼ Show 20 Lines$include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
</author> </author>
</authorgroup> </authorgroup>
</info> </info>
<indexterm xml:lang="en"><primary>web servers</primary> <indexterm xml:lang="en"><primary>web servers</primary>
<secondary>setting up</secondary></indexterm> <secondary>setting up</secondary></indexterm>
<indexterm xml:lang="en"><primary>Apache</primary></indexterm> <indexterm xml:lang="en"><primary>Apache</primary></indexterm>
<para xml:lang="en">The open source <para>開放源碼的 <application>Apache HTTP Server</application> 是目前最廣泛被使用的網頁伺服器,FreeBSD 預設並不會安裝這個網頁伺服器,但可從 <package>www/apache24</package> 套件或 Port 安裝。</para>
<application>Apache HTTP Server</application> is the most widely
used web server. FreeBSD does not install this web server by
default, but it can be installed from the
<package>www/apache24</package> package or port.</para>
<para xml:lang="en">This section summarizes how to configure and start version <para>本節將會摘要如何設定並啟動在 FreeBSD 上 2.<replaceable>x</replaceable> 版的 <application>Apache HTTP Server</application>,要取得有關 <application>Apache</application> 更詳細的資訊及其設定項目請參考 <link xlink:href="http://httpd.apache.org/">httpd.apache.org</link>。</para>
2.<replaceable>x</replaceable> of the <application>Apache HTTP
Server</application> on FreeBSD. For more detailed information
about <application>Apache</application>!2.X and its
configuration directives, refer to <link xlink:href="http://httpd.apache.org/">httpd.apache.org</link>.</para>
<sect2> <sect2>
<title>設定並啟動 Apache</title> <title>設定並啟動 Apache</title>
<indexterm xml:lang="en"><primary>Apache</primary> <indexterm xml:lang="en"><primary>Apache</primary>
<secondary>configuration file</secondary></indexterm> <secondary>configuration file</secondary></indexterm>
<para xml:lang="en">In FreeBSD, the main <application>Apache HTTP <para>在 FreeBSD 中,主 <application>Apache HTTP Server</application> 設定檔會安裝於 <filename>/usr/local/etc/apache2<replaceable>x</replaceable>/httpd.conf</filename>,其中 <replaceable>x</replaceable> 代表版號,這份 <acronym>ASCII</acronym> 文字檔中以 <literal>#</literal> 做為行首的是註解,而最常需修改的項目有:</para>
Server</application> configuration file is installed as
<filename>/usr/local/etc/apache2<replaceable>x</replaceable>/httpd.conf</filename>,
where <replaceable>x</replaceable> represents the version
number. This <acronym>ASCII</acronym> text file begins
comment lines with a <literal>#</literal>. The most
frequently modified directives are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>ServerRoot "/usr/local"</literal></term> <term xml:lang="en"><literal>ServerRoot "/usr/local"</literal></term>
<listitem> <listitem>
<para xml:lang="en">Specifies the default directory hierarchy for the <para>指定該 <application>Apache</application> 的預設安裝路徑,Binary 檔會儲存在伺服器根目錄 (Server root) 下的 <filename>bin</filename> 與 <filename>sbin</filename> 子目錄,而設定檔會儲存在 <filename>etc/apache2<replaceable>x</replaceable></filename> 子目錄。</para>
<application>Apache</application> installation.
Binaries are stored in the <filename>bin</filename> and
<filename>sbin</filename> subdirectories of the server
root and configuration files are stored in the <filename>etc/apache2<replaceable>x</replaceable></filename>
subdirectory.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>ServerAdmin you@example.com</literal></term> <term xml:lang="en"><literal>ServerAdmin you@example.com</literal></term>
<listitem> <listitem>
<para xml:lang="en">Change this to the email address to receive problems <para>更改此項目為您要接收問題回報的電子郵件位址,這個位址也會顯示在一些伺服器產生的頁面上,如:錯誤頁面。</para>
with the server. This address also appears on some
server-generated pages, such as error documents.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>ServerName <term xml:lang="en"><literal>ServerName
www.example.com:80</literal></term> www.example.com:80</literal></term>
<listitem> <listitem>
<para xml:lang="en">Allows an administrator to set a hostname which is <para>讓管理者可以設定伺服器要回傳給客戶端的主機名稱 (Hostname),例如,<systemitem>www</systemitem> 可以更改為實際的主機名稱,若系統並未有註冊的 <acronym>DNS</acronym> 名稱,則可改輸入其 <acronym>IP</acronym> 位址,若伺服器需要傾聽其他埠號,可更改 <literal>80</literal> 為其他埠號。</para>
sent back to clients for the server. For example,
<systemitem>www</systemitem> can be used instead of the
actual hostname. If the system does not have a
registered <acronym>DNS</acronym> name, enter its
<acronym>IP</acronym> address instead. If the server
will listen on an alternate report, change
<literal>80</literal> to the alternate port
number.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>DocumentRoot <term xml:lang="en"><literal>DocumentRoot
"/usr/local/www/apache2<replaceable>x</replaceable>/data"</literal></term> "/usr/local/www/apache2<replaceable>x</replaceable>/data"</literal></term>
<listitem> <listitem>
<para xml:lang="en">The directory where documents will be served from. <para>提供文件的目錄,預設所有的請求均會到此目錄,但可以使用符號連結與別名來指向其他地方。</para>
By default, all requests are taken from this directory,
but symbolic links and aliases may be used to point to
other locations.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para xml:lang="en">It is always a good idea to make a backup copy of the <para>在對 <application>Apache</application> 設定檔做變更之前,建議先做備份,在 <application>Apache</application> 設定完成之後,儲存讓檔案並使用 <command>apachectl</command> 檢驗設定,執行 <command>apachectl configtest</command> 的結果應回傳 <literal>Syntax OK</literal>。</para>
default <application>Apache</application> configuration file
before making changes. When the configuration of
<application>Apache</application> is complete, save the file
and verify the configuration using
<command>apachectl</command>. Running <command>apachectl
configtest</command> should return <literal>Syntax
OK</literal>.</para>
<indexterm xml:lang="en"><primary>Apache</primary> <indexterm xml:lang="en"><primary>Apache</primary>
<secondary>starting or stopping</secondary></indexterm> <secondary>starting or stopping</secondary></indexterm>
<para xml:lang="en">To launch <application>Apache</application> at system <para>要在系統啟動時執行 <application>Apache</application>,可加入下行到 <filename>/etc/rc.conf</filename>:</para>
startup, add the following line to
<filename>/etc/rc.conf</filename>:</para>
<programlisting xml:lang="en">apache<replaceable>24</replaceable>_enable="YES"</programlisting> <programlisting xml:lang="en">apache<replaceable>24</replaceable>_enable="YES"</programlisting>
<para xml:lang="en">If <application>Apache</application> should be started <para>若 <application>Apache</application> 要使用非預設的選項啟動,可加入下行到 <filename>/etc/rc.conf</filename> 來指定所需的旗標參數:</para>
with non-default options, the following line may be added to
<filename>/etc/rc.conf</filename> to specify the needed
flags:</para>
<programlisting xml:lang="en">apache<replaceable>24</replaceable>_flags=""</programlisting> <programlisting xml:lang="en">apache<replaceable>24</replaceable>_flags=""</programlisting>
<para xml:lang="en">If <application>apachectl</application> does not report <para>若 <application>apachectl</application> 未回報設定錯,則可啟動 <command>httpd</command>:</para>
configuration errors, start <command>httpd</command>
now:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>service apache<replaceable>24</replaceable> start</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>service apache<replaceable>24</replaceable> start</userinput></screen>
<para xml:lang="en">The <command>httpd</command> service can be tested by <para><command>httpd</command> 服務可以透過在網頁瀏覽器中輸入 <literal>http://<replaceable>localhost</replaceable></literal> 來測試,將 <replaceable>localhost</replaceable> 更改為執行 <command>httpd</command> 那台主機的完整網域名稱 (Fully-qualified domain name)。預設會顯示的網頁為 <filename>/usr/local/www/apache<replaceable>24</replaceable>/data/index.html</filename>。</para>
entering
<literal>http://<replaceable>localhost</replaceable></literal>
in a web browser, replacing
<replaceable>localhost</replaceable> with the fully-qualified
domain name of the machine running <command>httpd</command>.
The default web page that is displayed is
<filename>/usr/local/www/apache<replaceable>24</replaceable>/data/index.html</filename>.</para>
<para xml:lang="en">The <application>Apache</application> configuration can be <para>後續若有在 <command>httpd</command> 執行中時修改 <application>Apache</application> 設定檔可使用以下指令來測試是否有誤:</para>
tested for errors after making subsequent configuration
changes while <command>httpd</command> is running using the
following command:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>service apache<replaceable>24</replaceable> configtest</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>service apache<replaceable>24</replaceable> configtest</userinput></screen>
<note> <note>
<para xml:lang="en">It is important to note that <para>注意,<literal>configtest</literal> 並非採用 <citerefentry><refentrytitle>rc</refentrytitle><manvolnum>8</manvolnum></citerefentry> 標準,不應預期其可在所有的啟動 Script 中正常運作。</para>
<literal>configtest</literal> is not an <citerefentry><refentrytitle>rc</refentrytitle><manvolnum>8</manvolnum></citerefentry> standard,
and should not be expected to work for all startup
scripts.</para>
</note> </note>
</sect2> </sect2>
<sect2> <sect2>
<title>虛擬主機</title> <title>虛擬主機</title>
<para xml:lang="en">Virtual hosting allows multiple websites to run on one <para>虛擬主機允許在一個 <application>Apache</application> 伺服器執行多個網站,虛擬主機可以是以 IP 為主 (<firstterm>IP-based</firstterm>) 或以名稱為主 (<firstterm>name-based</firstterm>)。以 <acronym>IP</acronym> 為主的虛擬主機中的每一個網站要使用不同的 <acronym>IP</acronym> 位址。以名稱為主的虛擬主機會使用客戶端的 HTTP/1.1 標頭來判斷主機名稱,這可讓不同的網站共用相同的 <acronym>IP</acronym> 位址。</para>
<application>Apache</application> server. The virtual hosts
can be <firstterm>IP-based</firstterm> or
<firstterm>name-based</firstterm>.
<acronym>IP</acronym>-based virtual hosting uses a different
<acronym>IP</acronym> address for each website. Name-based
virtual hosting uses the clients HTTP/1.1 headers to figure
out the hostname, which allows the websites to share the same
<acronym>IP</acronym> address.</para>
<para xml:lang="en">To setup <application>Apache</application> to use <para>要設定 <application>Apache</application> 使用以名稱為主的虛擬主機可在每一個網站加入 <literal>VirtualHost</literal> 區塊,例如,有一個名稱為 <systemitem class="fqdomainname">www.domain.tld</systemitem> 的主機擁有一個 <systemitem class="fqdomainname">www.someotherdomain.tld</systemitem> 的虛擬網域,可加入以下項目到 <filename>httpd.conf</filename>:</para>
name-based virtual hosting, add a
<literal>VirtualHost</literal> block for each website. For
example, for the webserver named <systemitem class="fqdomainname">www.domain.tld</systemitem> with a
virtual domain of <systemitem class="fqdomainname">www.someotherdomain.tld</systemitem>,
add the following entries to
<filename>httpd.conf</filename>:</para>
<programlisting xml:lang="en">&lt;VirtualHost *&gt; <programlisting xml:lang="en">&lt;VirtualHost *&gt;
ServerName <replaceable>www.domain.tld</replaceable> ServerName <replaceable>www.domain.tld</replaceable>
DocumentRoot <replaceable>/www/domain.tld</replaceable> DocumentRoot <replaceable>/www/domain.tld</replaceable>
&lt;/VirtualHost&gt; &lt;/VirtualHost&gt;
&lt;VirtualHost *&gt; &lt;VirtualHost *&gt;
ServerName <replaceable>www.someotherdomain.tld</replaceable> ServerName <replaceable>www.someotherdomain.tld</replaceable>
DocumentRoot <replaceable>/www/someotherdomain.tld</replaceable> DocumentRoot <replaceable>/www/someotherdomain.tld</replaceable>
&lt;/VirtualHost&gt;</programlisting> &lt;/VirtualHost&gt;</programlisting>
<para xml:lang="en">For each virtual host, replace the values for <para>每一個虛擬主機均需更改其 <literal>ServerName</literal> 與 <literal>DocumentRoot</literal> 的值為實際要使用的值。</para>
<literal>ServerName</literal> and
<literal>DocumentRoot</literal> with the values to be
used.</para>
<para xml:lang="en">For more information about setting up virtual hosts, <para>更多有關設定虛擬主機的資訊,可參考 <application>Apache</application> 官方說明文件於:<uri xlink:href="http://httpd.apache.org/docs/vhosts/">http://httpd.apache.org/docs/vhosts/</uri>。</para>
consult the official <application>Apache</application>
documentation at: <uri xlink:href="http://httpd.apache.org/docs/vhosts/">http://httpd.apache.org/docs/vhosts/</uri>.</para>
</sect2> </sect2>
<sect2> <sect2>
<title>Apache 模組</title> <title>Apache 模組</title>
<indexterm xml:lang="en"><primary>Apache</primary> <indexterm xml:lang="en"><primary>Apache</primary>
<secondary>modules</secondary></indexterm> <secondary>modules</secondary></indexterm>
<para xml:lang="en"><application>Apache</application> uses modules to augment <para><application>Apache</application> 使用模組 (Module) 來擴充伺服器所提供的功能。請參考 <uri xlink:href="http://httpd.apache.org/docs/current/mod/">http://httpd.apache.org/docs/current/mod/</uri> 來取得可用模組的完整清單與設定詳細資訊。</para>
the functionality provided by the basic server. Refer to <uri xlink:href="http://httpd.apache.org/docs/current/mod/">http://httpd.apache.org/docs/current/mod/</uri>
for a complete listing of and the configuration details for
the available modules.</para>
<para xml:lang="en">In FreeBSD, some modules can be compiled with the <para>在 FreeBSD 中有些模組可以隨著 <package>www/apache24</package> Port 編譯,只要在 <filename>/usr/ports/www/apache24</filename> 輸入 <command>make config</command> 便可查看有那一些模組是預設開啟的,若模組未與 Port 一併編譯,FreeBSD Port 套件集也提供了一個簡單的方式可安裝各種模組,本節將介紹最常使用的三個模組。</para>
<package>www/apache24</package> port. Type <command>make
config</command> within
<filename>/usr/ports/www/apache24</filename> to see which
modules are available and which are enabled by default. If
the module is not compiled with the port, the FreeBSD Ports
Collection provides an easy way to install many modules. This
section describes three of the most commonly used
modules.</para>
<sect3> <sect3>
<title xml:lang="en"><filename>mod_ssl</filename></title> <title xml:lang="en"><filename>mod_ssl</filename></title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>web servers</primary> <primary>web servers</primary>
<secondary>secure</secondary> <secondary>secure</secondary>
</indexterm> </indexterm>
<indexterm xml:lang="en"><primary>SSL</primary></indexterm> <indexterm xml:lang="en"><primary>SSL</primary></indexterm>
<indexterm xml:lang="en"><primary>cryptography</primary></indexterm> <indexterm xml:lang="en"><primary>cryptography</primary></indexterm>
<para xml:lang="en">The <filename>mod_ssl</filename> module uses the <para><filename>mod_ssl</filename> 模組利用了 <application>OpenSSL</application> 透過 Secure Sockets Layer (<acronym>SSLv3</acronym>) 與 Transport Layer Security (<acronym>TLSv1</acronym>) 通訊協定來提供強大的加密,這個模組提供了向受信認的憑証簽署機構申請簽章憑証所需的任何東西,讓 FreeBSD 上能夠執行安全的網頁伺服器。</para>
<application>OpenSSL</application> library to provide strong
cryptography via the Secure Sockets Layer
(<acronym>SSLv3</acronym>) and Transport Layer Security
(<acronym>TLSv1</acronym>) protocols. This module provides
everything necessary to request a signed certificate from a
trusted certificate signing authority to run a secure web
server on FreeBSD.</para>
<para xml:lang="en">In FreeBSD, <filename>mod_ssl</filename> module is enabled <para>在 FreeBSD 中 <filename>mod_ssl</filename> 模組預設在套件與 Port 均是開啟的,可用的設定項目在 <uri xlink:href="http://httpd.apache.org/docs/current/mod/mod_ssl.html">http://httpd.apache.org/docs/current/mod/mod_ssl.html</uri> 會說明。</para>
by default in both the package and the port. The available
configuration directives are explained at <uri xlink:href="http://httpd.apache.org/docs/current/mod/mod_ssl.html">http://httpd.apache.org/docs/current/mod/mod_ssl.html</uri>.</para>
</sect3> </sect3>
<sect3> <sect3>
<title xml:lang="en"><filename>mod_perl</filename></title> <title xml:lang="en"><filename>mod_perl</filename></title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>mod_perl</primary> <primary>mod_perl</primary>
<secondary>Perl</secondary> <secondary>Perl</secondary>
</indexterm> </indexterm>
<para xml:lang="en">The <para><filename>mod_perl</filename> 模組讓您可以使用 <application>Perl</application> 撰寫 <application>Apache</application> 模組,除此之外,嵌入到伺服器的直譯器可避免啟動外部直譯器的額外開銷與 <application>Perl</application> 耗費的啟動時間。</para>
<filename>mod_perl</filename> module makes it possible to
write <application>Apache</application> modules in
<application>Perl</application>. In addition, the
persistent interpreter embedded in the server avoids the
overhead of starting an external interpreter and the penalty
of <application>Perl</application> start-up time.</para>
<para xml:lang="en">The <filename>mod_perl</filename> can be installed using <para><filename>mod_perl</filename> 可以使用 <package>www/mod_perl2</package> 套件或 Port 安裝,有關使用此模組的說明文件可在 <uri xlink:href="http://perl.apache.org/docs/2.0/index.html">http://perl.apache.org/docs/2.0/index.html</uri> 中找到。</para>
the <package>www/mod_perl2</package> package or port.
Documentation for using this module can be found at <uri xlink:href="http://perl.apache.org/docs/2.0/index.html">http://perl.apache.org/docs/2.0/index.html</uri>.</para>
</sect3> </sect3>
<sect3> <sect3>
<info> <info>
<title xml:lang="en"><filename>mod_php</filename></title> <title xml:lang="en"><filename>mod_php</filename></title>
<authorgroup> <authorgroup>
<author xml:lang="en"> <author xml:lang="en">
<personname> <personname>
<firstname>Tom</firstname> <firstname>Tom</firstname>
<surname>Rhodes</surname> <surname>Rhodes</surname>
</personname> </personname>
<contrib>Written by </contrib> <contrib>Written by </contrib>
</author> </author>
</authorgroup> </authorgroup>
</info> </info>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>mod_php</primary> <primary>mod_php</primary>
<secondary>PHP</secondary> <secondary>PHP</secondary>
</indexterm> </indexterm>
<para xml:lang="en"><firstterm>PHP: Hypertext Preprocessor</firstterm> <para><firstterm>PHP: Hypertext Preprocessor</firstterm> (<acronym>PHP</acronym>) 是一般用途的腳本 (Script) 語言,特別適用於網站開發,能夠嵌入在 <acronym>HTML</acronym> 當中,它的語法參考自 <application>C</application>, <trademark>Java</trademark> 及 <application>Perl</application>,目的在讓網頁開發人員能快速的寫出動態網頁。</para>
(<acronym>PHP</acronym>) is a general-purpose scripting
language that is especially suited for web development.
Capable of being embedded into <acronym>HTML</acronym>, its
syntax draws upon <application>C</application>, <trademark>Java</trademark>, and
<application>Perl</application> with the intention of
allowing web developers to write dynamically generated
webpages quickly.</para>
<para xml:lang="en">To gain support for <acronym>PHP</acronym>5 for the <para>要在 <application>Apache</application> 網頁伺服器上加入對 <acronym>PHP</acronym>5 的支援,可安裝 <package>www/mod_php56</package> 套件或 Port,這會安裝並設定支援動態 <acronym>PHP</acronym> 應用程式所需的模組。安裝過程會自動加入下行到 <filename>/usr/local/etc/apache2<replaceable>4</replaceable>/httpd.conf</filename>:</para>
<application>Apache</application> web server, install the
<package>www/mod_php56</package> package or port. This will
install and configure the modules required to support
dynamic <acronym>PHP</acronym> applications. The
installation will automatically add this line to
<filename>/usr/local/etc/apache2<replaceable>4</replaceable>/httpd.conf</filename>:</para>
<programlisting xml:lang="en">LoadModule php5_module libexec/apache24/libphp5.so</programlisting> <programlisting xml:lang="en">LoadModule php5_module libexec/apache24/libphp5.so</programlisting>
<!-- <!--
I do not think this is still needed I do not think this is still needed
AddModule mod_php5.c AddModule mod_php5.c
&lt;IfModule mod_php5.c&gt; &lt;IfModule mod_php5.c&gt;
DirectoryIndex index.php index.html DirectoryIndex index.php index.html
&lt;/IfModule&gt; &lt;/IfModule&gt;
&lt;IfModule mod_php5.c&gt; &lt;IfModule mod_php5.c&gt;
AddType application/x-httpd-php .php AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps AddType application/x-httpd-php-source .phps
&lt;/IfModule&gt;</programlisting> &lt;/IfModule&gt;</programlisting>
--> -->
<para xml:lang="en">Then, perform a graceful restart to load the <para>接著,執行 graceful 重新啟動來載入 <acronym>PHP</acronym> 模組:</para>
<acronym>PHP</acronym> module:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>apachectl graceful</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>apachectl graceful</userinput></screen>
<para xml:lang="en">The <acronym>PHP</acronym> support provided by <para>由 <package>www/mod_php56</package> 所提供的 <acronym>PHP</acronym> 支援是有限的,若需要額外的支援可以使用 <package>lang/php56-extensions</package> Port 來安裝,該 Port 提供了選單介面來選擇可用的 <acronym>PHP</acronym> 擴充套件。</para>
<package>www/mod_php56</package> is limited. Additional
support can be installed using the
<package>lang/php56-extensions</package> port which provides
a menu driven interface to the available
<acronym>PHP</acronym> extensions.</para>
<para xml:lang="en">Alternatively, individual extensions can be installed <para>或者,可以找到適當的 Port 來安裝各別的擴充套件,例如,要增加 <acronym>PHP</acronym> 對 <application>MySQL</application> 資料庫伺服器的支援可安裝 <package>databases/php56-mysql</package>。</para>
using the appropriate port. For instance, to add
<acronym>PHP</acronym> support for the
<application>MySQL</application> database server, install
<package>databases/php56-mysql</package>.</para>
<para xml:lang="en">After installing an extension, the <para>在安裝完擴充套件之後,必須重新載入 <application>Apache</application> 伺服器來使用新的設定值:</para>
<application>Apache</application> server must be reloaded to
pick up the new configuration changes:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>apachectl graceful</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>apachectl graceful</userinput></screen>
</sect3> </sect3>
</sect2> </sect2>
<sect2> <sect2>
<title>動態網站</title> <title>動態網站</title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>web servers</primary> <primary>web servers</primary>
<secondary>dynamic</secondary> <secondary>dynamic</secondary>
</indexterm> </indexterm>
<para xml:lang="en">In addition to <application>mod_perl</application> and <para>除了 <application>mod_perl</application> 與 <application>mod_php</application> 外,也有其他語言可用來建立動態網頁內容,這包含了 <application>Django</application> 與 <application>Ruby on Rails</application>。</para>
<application>mod_php</application>, other languages are
available for creating dynamic web content. These include
<application>Django</application> and
<application>Ruby on Rails</application>.</para>
<sect3> <sect3>
<title xml:lang="en">Django</title> <title xml:lang="en">Django</title>
<indexterm xml:lang="en"><primary>Python</primary></indexterm> <indexterm xml:lang="en"><primary>Python</primary></indexterm>
<indexterm xml:lang="en"><primary>Django</primary></indexterm> <indexterm xml:lang="en"><primary>Django</primary></indexterm>
<para xml:lang="en"><application>Django</application> is a BSD-licensed <para><application>Django</application> 是以 BSD 授權的框架 (Framework),指在讓開發人員能快速的寫出高效、優雅的網頁應用程式。它提供了物件關聯對應器 (Object-relational mapper),所以各種資料型態可當做 <application>Python</application> 的物件來開發,且提供了豐富的動態資料庫存取 <acronym>API</acronym> 給這些物件,讓開發人員不再需要寫 <acronym>SQL</acronym>。它也同時提供了可擴充的樣板系統,來讓應用程式的邏輯與 <acronym>HTML</acronym> 呈現能夠被拆開。</para>
framework designed to allow developers to write high
performance, elegant web applications quickly. It provides
an object-relational mapper so that data types are developed
as <application>Python</application> objects. A rich
dynamic database-access <acronym>API</acronym> is provided
for those objects without the developer ever having to write
<acronym>SQL</acronym>. It also provides an extensible
template system so that the logic of the application is
separated from the <acronym>HTML</acronym>
presentation.</para>
<para xml:lang="en">Django depends on <filename>mod_python</filename>, and <para>Django 需要 <filename>mod_python</filename>,以及一個 <acronym>SQL</acronym> 資料庫引擎才能運作。在 FreeBSD 中的 <package>www/py-django</package> Port 會自動安裝 <filename>mod_python</filename> 以及對 <application>PostgreSQL</application>, <application>MySQL</application> 或 <application>SQLite</application> 資料庫的支援,預設為 <application>SQLite</application>,要更改資料庫引擎可在 <filename>/usr/ports/www/py-django</filename> 輸入 <command>make config</command> 然後再安裝該 Port。</para>
an <acronym>SQL</acronym> database engine. In FreeBSD, the
<package>www/py-django</package> port automatically installs
<filename>mod_python</filename> and supports the
<application>PostgreSQL</application>,
<application>MySQL</application>, or
<application>SQLite</application> databases, with the
default being <application>SQLite</application>. To change
the database engine, type <command>make config</command>
within <filename>/usr/ports/www/py-django</filename>, then
install the port.</para>
<para xml:lang="en">Once <application>Django</application> is installed, the <para><application>Django</application> 安裝完成之後,應用程式會需要一個專案目錄並搭配 <application>Apache</application> 設定才能使用內嵌的 <application>Python</application> 直譯器,此直譯器會用來呼叫網站上指定 <acronym>URL</acronym> 的應用程式。</para>
application will need a project directory along with the
<application>Apache</application> configuration in order to
use the embedded <application>Python</application>
interpreter. This interpreter is used to call the
application for specific <acronym>URL</acronym>s on the
site.</para>
<para xml:lang="en">To configure <application>Apache</application> to pass <para>要設定 <application>Apache</application> 傳遞某個 <acronym>URL</acronym> 請求到網站應用程式,可加入下行到 <filename>httpd.conf</filename> 來指定專案目錄的完整路徑:</para>
requests for certain <acronym>URL</acronym>s to the web
application, add the following to
<filename>httpd.conf</filename>, specifying the full path to
the project directory:</para>
<programlisting xml:lang="en">&lt;Location "/"&gt; <programlisting xml:lang="en">&lt;Location "/"&gt;
SetHandler python-program SetHandler python-program
PythonPath "['<replaceable>/dir/to/the/django/packages/</replaceable>'] + sys.path" PythonPath "['<replaceable>/dir/to/the/django/packages/</replaceable>'] + sys.path"
PythonHandler django.core.handlers.modpython PythonHandler django.core.handlers.modpython
SetEnv DJANGO_SETTINGS_MODULE mysite.settings SetEnv DJANGO_SETTINGS_MODULE mysite.settings
PythonAutoReload On PythonAutoReload On
PythonDebug On PythonDebug On
&lt;/Location&gt;</programlisting> &lt;/Location&gt;</programlisting>
<para xml:lang="en">Refer to <uri xlink:href="https://docs.djangoproject.com">https://docs.djangoproject.com</uri> <para>請參考 <uri xlink:href="https://docs.djangoproject.com">https://docs.djangoproject.com</uri> 來取得如何使用 <application>Django</application> 的更多資訊。</para>
for more information on how to use
<application>Django</application>.</para>
</sect3> </sect3>
<sect3> <sect3>
<title xml:lang="en">Ruby on Rails</title> <title xml:lang="en">Ruby on Rails</title>
<indexterm xml:lang="en"><primary>Ruby on Rails</primary></indexterm> <indexterm xml:lang="en"><primary>Ruby on Rails</primary></indexterm>
<para xml:lang="en"><application>Ruby on Rails</application> is another open <para><application>Ruby on Rails</application> 是另外一套開放源碼的網站框架 (Framework),提供了完整的開發堆疊,這使得網頁開發人員可以更有生產力且能夠快速的寫出強大的應用程式,在 FreeBSD 它可以使用 <package>www/rubygem-rails</package> 套件或 Port 安裝。</para>
source web framework that provides a full development stack.
It is optimized to make web developers more productive and
capable of writing powerful applications quickly. On FreeBSD,
it can be installed using the
<package>www/rubygem-rails</package> package or port.</para>
<para xml:lang="en">Refer to <uri xlink:href="http://guides.rubyonrails.org">http://guides.rubyonrails.org</uri> <para>請參考 <uri xlink:href="http://guides.rubyonrails.org">http://guides.rubyonrails.org</uri> 來取得更多有關如何使用 <application>Ruby on Rails</application> 的資訊。</para>
for more information on how to use <application>Ruby on
Rails</application>.</para>
</sect3> </sect3>
</sect2> </sect2>
</sect1> </sect1>
<sect1 xml:id="network-ftp"> <sect1 xml:id="network-ftp">
<!-- <!--
<sect1info> <sect1info>
<authorgroup> <authorgroup>
<author> <author>
<firstname>Murray</firstname> <firstname>Murray</firstname>
<surname>Stokely</surname> <surname>Stokely</surname>
<contrib>Contributed by </contrib> <contrib>Contributed by </contrib>
</author> </author>
</authorgroup> </authorgroup>
</sect1info> </sect1info>
--> -->
<title>檔案傳輸協定 (<acronym>FTP</acronym>)</title> <title>檔案傳輸協定 (<acronym>FTP</acronym>)</title>
<indexterm xml:lang="en"><primary><acronym>FTP</acronym> <indexterm xml:lang="en"><primary><acronym>FTP</acronym>
servers</primary></indexterm> servers</primary></indexterm>
<para xml:lang="en">The File Transfer Protocol (<acronym>FTP</acronym>) provides <para>檔案傳輸協定 (File Transfer Protocol, <acronym>FTP</acronym>) 提供了使用一個簡單的方式能夠將檔案傳輸到與接收自 <acronym>FTP</acronym> 伺服器,FreeBSD 內建了 <acronym>FTP</acronym> 伺服器軟體 <application>ftpd</application> 在基礎系統 (Base system) 中。</para>
users with a simple way to transfer files to and from an
<acronym>FTP</acronym> server. FreeBSD includes
<acronym>FTP</acronym> server software,
<application>ftpd</application>, in the base system.</para>
<para xml:lang="en">FreeBSD provides several configuration files for controlling <para>FreeBSD 提供了多個設定檔來控制對 <acronym>FTP</acronym> 伺服器的存取,本節將摘要這些檔案的設定方式,請參考 <citerefentry><refentrytitle>ftpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> 來取得更多有關內建 <acronym>FTP</acronym> 伺服器的詳細資訊。</para>
access to the <acronym>FTP</acronym> server. This section
summarizes these files. Refer to <citerefentry><refentrytitle>ftpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more details
about the built-in <acronym>FTP</acronym> server.</para>
<sect2> <sect2>
<title>設定</title> <title>設定</title>
<para xml:lang="en">The most important configuration step is deciding which <para>最重要的一個設定步驟便是決定那些帳號能夠存取 <acronym>FTP</acronym> 伺服器,FreeBSD 系統有數個系統帳號,這些帳號不應該能夠擁有 <acronym>FTP</acronym> 存取權,不允許存取 <acronym>FTP</acronym> 的使用者清單可在 <filename>/etc/ftpusers</filename> 找到,預設該檔案內會有所有的系統帳號,其他不應允許存取 <acronym>FTP</acronym> 的使用者也可在此加入。</para>
accounts will be allowed access to the <acronym>FTP</acronym>
server. A FreeBSD system has a number of system accounts which
should not be allowed <acronym>FTP</acronym> access. The list
of users disallowed any <acronym>FTP</acronym> access can be
found in <filename>/etc/ftpusers</filename>. By default, it
includes system accounts. Additional users that should not be
allowed access to <acronym>FTP</acronym> can be added.</para>
<para xml:lang="en">In some cases it may be desirable to restrict the access <para>在某些情況可能會布望限制某些使用者的存取,而不是完全避免這些使用者使用 <acronym>FTP</acronym>,這可以透過建立 <filename>/etc/ftpchroot</filename> 來完成,詳如 <citerefentry><refentrytitle>ftpchroot</refentrytitle><manvolnum>5</manvolnum></citerefentry> 所述,這個檔案會列出受到 <acronym>FTP</acronym> 存取限制的使用者與群組。</para>
of some users without preventing them completely from using
<acronym>FTP</acronym>. This can be accomplished be creating
<filename>/etc/ftpchroot</filename> as described in
<citerefentry><refentrytitle>ftpchroot</refentrytitle><manvolnum>5</manvolnum></citerefentry>. This file lists users and groups subject
to <acronym>FTP</acronym> access restrictions.</para>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary><acronym>FTP</acronym></primary> <primary><acronym>FTP</acronym></primary>
<secondary>anonymous</secondary> <secondary>anonymous</secondary>
</indexterm> </indexterm>
<para xml:lang="en">To enable anonymous <acronym>FTP</acronym> access to the <para>要在伺服器上開啟匿名 <acronym>FTP</acronym> 存取權,可在 FreeBSD 系統上建立一個名稱為 <systemitem class="username">ftp</systemitem> 使用者,使用者將能夠使用 <systemitem class="username">ftp</systemitem> 或 <systemitem class="username">anonymous</systemitem> 使用者名稱來登入 <acronym>FTP</acronym> 伺服器,當提示輸入密碼時,輸入任何值都會被接受,但是慣例上應使用電子郵件位址來當做密碼。當匿名使用者登入時 <acronym>FTP</acronym> 伺服器會呼叫 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> 來限制使用者只能存取 <systemitem class="username">ftp</systemitem> 使用者的家目錄。</para>
server, create a user named <systemitem class="username">ftp</systemitem> on the FreeBSD system. Users
will then be able to log on to the
<acronym>FTP</acronym> server with a username of
<systemitem class="username">ftp</systemitem> or <systemitem class="username">anonymous</systemitem>. When prompted for
the password, any input will be accepted, but by convention,
an email address should be used as the password. The
<acronym>FTP</acronym> server will call <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry> when an
anonymous user logs in, to restrict access to only the home
directory of the <systemitem class="username">ftp</systemitem> user.</para>
<para xml:lang="en">There are two text files that can be created to specify <para>要設定顯示給 <acronym>FTP</acronym> 客戶端的歡迎訊息有兩個文字檔可以建立,<filename>/etc/ftpwelcome</filename> 的內容會在收到登入提示前顯示給使用者看,登入成功能後,則會顯示 <filename>/etc/ftpmotd</filename> 的內容。注意,這個檔案的路徑是相對於登入環境的,所以 <filename>~ftp/etc/ftpmotd</filename> 的內容只會對匿名使用者顯示。</para>
welcome messages to be displayed to <acronym>FTP</acronym>
clients. The contents of
<filename>/etc/ftpwelcome</filename> will be displayed to
users before they reach the login prompt. After a successful
login, the contents of
<filename>/etc/ftpmotd</filename> will be displayed. Note
that the path to this file is relative to the login
environment, so the contents of
<filename>~ftp/etc/ftpmotd</filename> would be displayed for
anonymous users.</para>
<para xml:lang="en">Once the <acronym>FTP</acronym> server has been <para>設定完 <acronym>FTP</acronym> 伺服器之後,在 <filename>/etc/rc.conf</filename> 設定適當的變數來在開機時啟動該服務:</para>
configured, set the appropriate variable in
<filename>/etc/rc.conf</filename> to start the service during
boot:</para>
<programlisting xml:lang="en">ftpd_enable="YES"</programlisting> <programlisting xml:lang="en">ftpd_enable="YES"</programlisting>
<para xml:lang="en">To start the service now:</para> <para>要立即啟動服務可:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>service ftpd start</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>service ftpd start</userinput></screen>
<para xml:lang="en">Test the connection to the <acronym>FTP</acronym> server <para>要測試到 <acronym>FTP</acronym> 伺服器的連線可輸入:</para>
by typing:</para>
<screen xml:lang="en"><prompt>%</prompt> <userinput>ftp localhost</userinput></screen> <screen xml:lang="en"><prompt>%</prompt> <userinput>ftp localhost</userinput></screen>
<indexterm xml:lang="en"><primary>syslog</primary></indexterm> <indexterm xml:lang="en"><primary>syslog</primary></indexterm>
<indexterm xml:lang="en"><primary>log files</primary> <indexterm xml:lang="en"><primary>log files</primary>
<secondary><acronym>FTP</acronym></secondary></indexterm> <secondary><acronym>FTP</acronym></secondary></indexterm>
<para xml:lang="en">The <application>ftpd</application> daemon uses <para><application>ftpd</application> daemon 會使用 <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> 來記錄訊息,預設,系統記錄 Daemon 會寫入有關 <acronym>FTP</acronym> 的訊息到 <filename>/var/log/xferlog</filename>,<acronym>FTP</acronym> 記錄的位置可以透過更改 <filename>/etc/syslog.conf</filename> 中下行來做修改:</para>
<citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> to log messages. By default, the system log
daemon will write messages related to <acronym>FTP</acronym>
in <filename>/var/log/xferlog</filename>. The location of
the <acronym>FTP</acronym> log can be modified by changing the
following line in
<filename>/etc/syslog.conf</filename>:</para>
<programlisting xml:lang="en">ftp.info /var/log/xferlog</programlisting> <programlisting xml:lang="en">ftp.info /var/log/xferlog</programlisting>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary><acronym>FTP</acronym></primary> <primary><acronym>FTP</acronym></primary>
<secondary>anonymous</secondary> <secondary>anonymous</secondary>
</indexterm> </indexterm>
<note> <note>
<para xml:lang="en">Be aware of the potential problems involved with running <para>要注意啟動匿名 <acronym>FTP</acronym> 伺服器可能的潛藏問題,尤其是要讓匿名使用者上傳檔案時要再次確認,因為這可能讓該 <acronym>FTP</acronym> 站變成用來交換未授權商業軟體的交流平台或者更糟的狀況。若真的需要匿名 <acronym>FTP</acronym> 上傳,那麼請檢查權限設定,讓這些檔案在尚未被管理者審查前不能夠被其他匿名使用者讀取。</para>
an anonymous <acronym>FTP</acronym> server. In particular,
think twice about allowing anonymous users to upload files.
It may turn out that the <acronym>FTP</acronym> site becomes
a forum for the trade of unlicensed commercial software or
worse. If anonymous <acronym>FTP</acronym> uploads are
required, then verify the permissions so that these files
cannot be read by other anonymous users until they have
been reviewed by an administrator.</para>
</note> </note>
</sect2> </sect2>
</sect1> </sect1>
<sect1 xml:id="network-samba"> <sect1 xml:id="network-samba">
<!-- <!--
<sect1info> <sect1info>
<authorgroup> <authorgroup>
Show All 13 Lines <indexterm xml:lang="en">
<primary>file server</primary> <primary>file server</primary>
<secondary>Windows clients</secondary> <secondary>Windows clients</secondary>
</indexterm> </indexterm>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>print server</primary> <primary>print server</primary>
<secondary>Windows clients</secondary> <secondary>Windows clients</secondary>
</indexterm> </indexterm>
<para xml:lang="en"><application>Samba</application> is a popular open source <para><application>Samba</application> 是熱門的開放源碼軟體套件,使用 <acronym>SMB/CIFS</acronym> 通訊協定提供檔案與列印服務,此通訊協定內建於 <trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark> 系統,在非 <trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark> 的系統可透過安裝 <application>Samba</application> 客戶端程式庫來支援此協定。此通訊協定讓客戶端可以存取共享的資料與印表機,這些共享的資源可掛載到一個本機的磁碟機,而共享的印表機則可以當做本機的印表機使用。</para>
software package that provides file and print services using the
<acronym>SMB/CIFS</acronym> protocol. This protocol is built
into <trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark> systems. It can be added to
non-<trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark> systems by installing the
<application>Samba</application> client libraries. The protocol
allows clients to access shared data and printers. These shares
can be mapped as a local disk drive and shared printers can be
used as if they were local printers.</para>
<para xml:lang="en">On FreeBSD, the <application>Samba</application> client <para>在 FreeBSD 上,可以使用 <package>net/samba-smbclient</package> Port 或套件來安裝 <application>Samba</application> 客戶端程式庫,這個客戶端提供了讓 FreeBSD 系統能存取 <acronym>SMB/CIFS</acronym> 在 <trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark> 網路中共享的資源。</para>
libraries can be installed using the
<package>net/samba-smbclient</package> port or package. The
client provides the ability for a FreeBSD system to access
<acronym>SMB/CIFS</acronym> shares in a <trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark>
network.</para>
<para xml:lang="en">A FreeBSD system can also be configured to act as a <para>FreeBSD 系統也可以透過安裝 <package>net/samba46</package> Port 或套件來設定成 <application>Samba</application> 伺服器,這讓管理者可以在 FreeBSD 系統上建立 <acronym>SMB</acronym>/<acronym>CIFS</acronym> 的共享資源,讓執行 <trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark> 或 <application>Samba</application> 客戶端程式庫的客戶端能夠存取。</para>
<application>Samba</application> server by installing the
<package>net/samba43</package> port or package. This allows the
administrator to create <acronym>SMB</acronym>/<acronym>CIFS</acronym>
shares on
the FreeBSD system which can be accessed by clients running
<trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark> or the <application>Samba</application>
client libraries.</para>
<sect2> <sect2>
<title>伺服器設定</title> <title>伺服器設定</title>
<para xml:lang="en"><application>Samba</application> is configured in <para><application>Samba</application> 的設定位於 <filename>/usr/local/etc/smb4.conf</filename>,必須先設定這個檔案才可使用 <application>Samba</application>。</para>
<filename>/usr/local/etc/smb4.conf</filename>. This file must
be created before <application>Samba</application>
can be used.</para>
<para xml:lang="en">A simple <filename>smb4.conf</filename> to share <para>要共享目錄與印表機給在工作群組中的 <trademark class="registered">Windows</trademark> 客戶端的簡易 <filename>smb4.conf</filename> 範例如下。對於涉及 LDAP 或 Active Directory 的複雜安裝,可使用 <citerefentry><refentrytitle>samba-tool</refentrytitle><manvolnum>8</manvolnum></citerefentry> 來建立初始的 <filename>smb4.conf</filename>。</para>
directories and printers with <trademark class="registered">Windows</trademark> clients in a
workgroup is shown here. For more complex setups
involving LDAP or Active Directory, it is easier to use
<citerefentry><refentrytitle>samba-tool</refentrytitle><manvolnum>8</manvolnum></citerefentry> to create the initial
<filename>smb4.conf</filename>.</para>
<programlisting xml:lang="en">[global] <programlisting xml:lang="en">[global]
workgroup = WORKGROUP workgroup = WORKGROUP
server string = Samba Server Version %v server string = Samba Server Version %v
netbios name = ExampleMachine netbios name = ExampleMachine
wins support = Yes wins support = Yes
security = user security = user
passdb backend = tdbsam passdb backend = tdbsam
# Example: share /usr/src accessible only to 'developer' user # Example: share /usr/src accessible only to 'developer' user
[src] [src]
path = /usr/src path = /usr/src
valid users = developer valid users = developer
writable = yes writable = yes
browsable = yes browsable = yes
read only = no read only = no
guest ok = no guest ok = no
public = no public = no
create mask = 0666 create mask = 0666
directory mask = 0755</programlisting> directory mask = 0755</programlisting>
<sect3> <sect3>
<title>全域設定</title> <title>全域設定</title>
<para xml:lang="en">Settings that describe the network are added in <para>在 <filename>/usr/local/etc/smb4.conf</filename> 中加入用來描述網路環境的設定有:</para>
<filename>/usr/local/etc/smb4.conf</filename>:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>workgroup</literal></term> <term xml:lang="en"><literal>workgroup</literal></term>
<listitem> <listitem>
<para xml:lang="en">The name of the workgroup to be served.</para> <para>要提供的工作群組名稱。</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>netbios name</literal></term> <term xml:lang="en"><literal>netbios name</literal></term>
<listitem> <listitem>
<para xml:lang="en">The NetBIOS name by which a <para><application>Samba</application> 伺服器已知的 NetBIOS 名稱,預設為主機的 <acronym>DNS</acronym> 名稱第一節。</para>
<application>Samba</application> server is known. By
default, it is the same as the first component of the
host's <acronym>DNS</acronym> name.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>server string</literal></term> <term xml:lang="en"><literal>server string</literal></term>
<listitem> <listitem>
<para xml:lang="en">The string that will be displayed in the output of <para>會顯示於 <command>net view</command> 輸出結果以及其他會尋找伺服器描述文字並顯示的網路工具的文字。</para>
<command>net view</command> and some other
networking tools that seek to display descriptive text
about the server.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>wins support</literal></term> <term xml:lang="en"><literal>wins support</literal></term>
<listitem> <listitem>
<para xml:lang="en">Whether <application>Samba</application> will <para>不論 <application>Samba</application> 是否要作為 <acronym>WINS</acronym> 伺服器,請不要在網路上開啟超過一台伺服器的 <acronym>WINS</acronym> 功能。</para>
act as a <acronym>WINS</acronym> server. Do not
enable support for <acronym>WINS</acronym> on more than
one server on the network.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</sect3> </sect3>
<sect3> <sect3>
<title>安全性設定</title> <title>安全性設定</title>
<para xml:lang="en">The most important settings in <para>在 <filename>/usr/local/etc/smb4.conf</filename> 中最重要的設定便是安全性模式以及後端密碼格式,以下項目管控的選項有:</para>
<filename>/usr/local/etc/smb4.conf</filename> are the
security model and the backend password format. These
directives control the options:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>security</literal></term> <term xml:lang="en"><literal>security</literal></term>
<listitem> <listitem>
<para xml:lang="en">The most common settings are <para>最常見的設定為 <literal>security = share</literal> 以及 <literal>security = user</literal>,若客戶端使用的使用者名稱與在 FreeBSD 主機上使用的使用者名稱相同,則應該使用使用者 (user) 層級的安全性,這是預設的安全性原則且它會要求客戶端在存取共享資源前先登入。</para>
<literal>security = share</literal> and
<literal>security = user</literal>. If the clients
use usernames that are the same as their usernames on
the FreeBSD machine, user level security should be
used. This is the default security policy and it
requires clients to first log on before they can
access shared resources.</para>
<para xml:lang="en">In share level security, clients do not need to <para>安全性為共享 (share) 層級時,客戶端存取共享資源不需要先使用有效的使用者名稱與密碼登入伺服器,在是在舊版 <application>Samba</application> 所採用的預設安全性模式。</para>
log onto the server with a valid username and password
before attempting to connect to a shared resource.
This was the default security model for older versions
of <application>Samba</application>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><literal>passdb backend</literal></term> <term xml:lang="en"><literal>passdb backend</literal></term>
<listitem> <listitem>
<indexterm xml:lang="en"><primary>NIS+</primary></indexterm> <indexterm xml:lang="en"><primary>NIS+</primary></indexterm>
<indexterm xml:lang="en"><primary>LDAP</primary></indexterm> <indexterm xml:lang="en"><primary>LDAP</primary></indexterm>
<indexterm xml:lang="en"><primary>SQL database</primary></indexterm> <indexterm xml:lang="en"><primary>SQL database</primary></indexterm>
<para xml:lang="en"><application>Samba</application> has several <para><application>Samba</application> 支援數種不同的後端認証模式,客戶端可以使用 LDAP, NIS+, SQL 資料庫或修改過的密碼檔來認証,建議的認証方式是 <literal>tdbsam</literal>,適用於簡易的網路環境且在此處說明,對於較大或更複雜的網路則較建議使用 <literal>ldapsam</literal>,而 <literal>smbpasswd</literal> 是舊版的預設值,現在已廢棄不使用。</para>
different backend authentication models. Clients may
be authenticated with LDAP, NIS+, an SQL database,
or a modified password file. The recommended
authentication method, <literal>tdbsam</literal>,
is ideal for simple networks and is covered here.
For larger or more complex networks,
<literal>ldapsam</literal> is recommended.
<literal>smbpasswd</literal>
was the former default and is now obsolete.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</sect3> </sect3>
<sect3> <sect3>
<title><application>Samba</application> 使用者</title> <title><application>Samba</application> 使用者</title>
<para xml:lang="en">FreeBSD user accounts must be mapped to the <para>FreeBSD 使用者帳號必須對應 <literal>SambaSAMAccount</literal> 資料庫, 才能讓 <trademark class="registered">Windows</trademark> 客戶端存取共享資源,要對應既有的 FreeBSD 使用者帳號可使用 <citerefentry><refentrytitle>pdbedit</refentrytitle><manvolnum>8</manvolnum></citerefentry>:</para>
<literal>SambaSAMAccount</literal> database for
<trademark class="registered">Windows</trademark> clients to access the share.
Map existing FreeBSD user accounts using
<citerefentry><refentrytitle>pdbedit</refentrytitle><manvolnum>8</manvolnum></citerefentry>:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>pdbedit -a <replaceable>username</replaceable></userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>pdbedit -a <replaceable>username</replaceable></userinput></screen>
<para xml:lang="en">This section has only mentioned the most commonly used <para>本節只會提到一些最常用的設定,請參考 <link xlink:href="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/">官方 Samba HOWTO</link> 來取得有關可用設定選項的額外資訊。</para>
settings. Refer to the <link xlink:href="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/">Official
Samba HOWTO</link> for additional information about the
available configuration options.</para>
</sect3> </sect3>
</sect2> </sect2>
<sect2> <sect2>
<title>啟動 <application>Samba</application></title> <title>啟動 <application>Samba</application></title>
<para xml:lang="en">To enable <application>Samba</application> at boot time, <para>要在開機時啟動 <application>Samba</application>,可加入下行到 <filename>/etc/rc.conf</filename>:</para>
add the following line to
<filename>/etc/rc.conf</filename>:</para>
<programlisting xml:lang="en">samba_enable="YES"</programlisting> <programlisting xml:lang="en">samba_enable="YES"</programlisting>
<para xml:lang="en">To enable Samba4, use:</para> <para>要啟動 Samba4 可使用:</para>
<programlisting xml:lang="en">samba_server_enable="YES"</programlisting> <programlisting xml:lang="en">samba_server_enable="YES"</programlisting>
<para xml:lang="en">To start <application>Samba</application> now:</para> <para>要立即啟動 <application>Samba</application></para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>service samba start</userinput> <screen xml:lang="en"><prompt>#</prompt> <userinput>service samba start</userinput>
Starting SAMBA: removing stale tdbs : Starting SAMBA: removing stale tdbs :
Starting nmbd. Starting nmbd.
Starting smbd.</screen> Starting smbd.</screen>
<para xml:lang="en"><application>Samba</application> consists of three <para><application>Samba</application> 由三個獨立的 Daemon 所組成,<application>nmbd</application> 與 <application>smbd</application> daemon 可透過 <varname>samba_enable</varname> 來啟動,若同時也需要 winbind 名稱解析服務則需額外設定:</para>
separate daemons. Both the <application>nmbd</application>
and <application>smbd</application> daemons are started by
<varname>samba_enable</varname>. If winbind name resolution
is also required, set:</para>
<programlisting xml:lang="en">winbindd_enable="YES"</programlisting> <programlisting xml:lang="en">winbindd_enable="YES"</programlisting>
<para xml:lang="en"><application>Samba</application> can be stopped at any <para><application>Samba</application> 可以隨時停止,要停止可輸入:</para>
time by typing:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>service samba stop</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>service samba stop</userinput></screen>
<para xml:lang="en"><application>Samba</application> is a complex software <para><application>Samba</application> 是一套擁有能整合 <trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark> 網路功能的複雜軟體套件,除了在此處說明的基礎設定,要取得更多的功能資訊,請參考 <uri xlink:href="http://www.samba.org">http://www.samba.org</uri>。</para>
suite with functionality that allows broad integration with
<trademark class="registered">Microsoft</trademark>!<trademark class="registered">Windows</trademark> networks. For more information about
functionality beyond the basic configuration described here,
refer to <uri xlink:href="http://www.samba.org">http://www.samba.org</uri>.</para>
</sect2> </sect2>
</sect1> </sect1>
<sect1 xml:id="network-ntp"> <sect1 xml:id="network-ntp">
<!-- <!--
<sect1info> <sect1info>
<authorgroup> <authorgroup>
<author> <author>
<firstname>Tom</firstname> <firstname>Tom</firstname>
<surname>Hukins</surname> <surname>Hukins</surname>
<contrib>Contributed by </contrib> <contrib>Contributed by </contrib>
</author> </author>
</authorgroup> </authorgroup>
</sect1info> </sect1info>
--> -->
<title>NTP 時間校對</title> <title>NTP 時間校對</title>
<indexterm xml:lang="en"><primary>NTP</primary> <indexterm xml:lang="en"><primary>NTP</primary>
<secondary>ntpd</secondary> <secondary>ntpd</secondary>
</indexterm> </indexterm>
<para xml:lang="en">Over time, a computer's clock is prone to drift. This is <para>隨著使用時間,電腦的時鐘會逐漸偏移,這對需要網路上電腦有相同準確度時間的許多網路服務來說是一個大問題。準確的時間同樣能確保檔案時間戳記的一致性。網路時間協定 (Network Time Protocol, <acronym>NTP</acronym>) 是一種在網路上可以確保時間準確的方式。</para>
problematic as many network services require the computers on a
network to share the same accurate time. Accurate time is also
needed to ensure that file timestamps stay consistent. The
Network Time Protocol (<acronym>NTP</acronym>) is one way to
provide clock accuracy in a network.</para>
<para xml:lang="en">FreeBSD includes <citerefentry><refentrytitle>ntpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> which can be configured to query <para>FreeBSD 內建 <citerefentry><refentrytitle>ntpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> 可以設定來查詢其他 <acronym>NTP</acronym> 伺服器來同步在該主機的時間或者提供時間服務給其他在網路上的電腦,查詢的伺服器可以為在網路上的本地主機或者由 <acronym>ISP</acronym> 提供。除此之外也有 <link xlink:href="http://support.ntp.org/bin/view/Servers/WebHome">開放存取的 <acronym>NTP</acronym> 伺服器線上清單</link>,當要使用開放的 <acronym>NTP</acronym> 伺服器,請選擇地理位置較近的並檢查該服務的使用方針。</para>
other <acronym>NTP</acronym> servers in order to synchronize the
clock on that machine or to provide time services to other
computers in the network. The servers which are queried can be
local to the network or provided by an <acronym>ISP</acronym>.
In addition, an <link xlink:href="http://support.ntp.org/bin/view/Servers/WebHome">online
list of publicly accessible <acronym>NTP</acronym>
servers</link> is available. When choosing a public
<acronym>NTP</acronym> server, select one that is geographically
close and review its usage policy.</para>
<para xml:lang="en">Choosing several <acronym>NTP</acronym> servers is <para>建議選擇多個 <acronym>NTP</acronym> 伺服器,以避免萬一某一台伺服器無法連線,或者該伺服器的時間變的不可靠,當 <application>ntpd</application> 收到回應,會自動先選擇可靠的伺服器。</para>
recommended in case one of the servers becomes unreachable or
its clock proves unreliable. As <application>ntpd</application>
receives responses, it favors reliable servers over the less
reliable ones.</para>
<para xml:lang="en">This section describes how to configure <para>本節將會介紹如何設定 FreeBSD 上的 <application>ntpd</application>,更進一步的說明文件可於 <filename>/usr/share/doc/ntp/</filename> 找到 HTML 格式的版本。</para>
<application>ntpd</application> on FreeBSD. Further documentation
can be found in <filename>/usr/share/doc/ntp/</filename> in HTML
format.</para>
<sect2> <sect2>
<title><acronym>NTP</acronym> 設定</title> <title><acronym>NTP</acronym> 設定</title>
<indexterm xml:lang="en"><primary>NTP</primary> <indexterm xml:lang="en"><primary>NTP</primary>
<secondary>ntp.conf</secondary> <secondary>ntp.conf</secondary>
</indexterm> </indexterm>
<para xml:lang="en">On FreeBSD, the built-in <application>ntpd</application> can <para>在 FreeBSD,內建的 <application>ntpd</application> 可用來同步系統的時間,要在開機時開啟 <application>ntpd</application>,可加入 <literal>ntpd_enable="YES"</literal> 到 <filename>/etc/rc.conf</filename>,也可在 <filename>/etc/rc.conf</filename> 設定其他的變數,請參考 <citerefentry><refentrytitle>rc.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> 與 <citerefentry><refentrytitle>ntpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> 來了解詳情。</para>
be used to synchronize a system's clock. To enable
<application>ntpd</application> at boot time, add
<literal>ntpd_enable="YES"</literal> to
<filename>/etc/rc.conf</filename>. Additional variables can
be specified in <filename>/etc/rc.conf</filename>. Refer to
<citerefentry><refentrytitle>rc.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> and <citerefentry><refentrytitle>ntpd</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
details.</para>
<para xml:lang="en">This application reads <filename>/etc/ntp.conf</filename> <para>該應用程式會讀取 <filename>/etc/ntp.conf</filename> 來得知要查詢那一個 <acronym>NTP</acronym> 伺服器,這裡有一個簡單的 <filename>/etc/ntp.conf</filename> 範例:</para>
to determine which <acronym>NTP</acronym> servers to query.
Here is a simple example of an
<filename>/etc/ntp.conf</filename>:</para>
<example> <example>
<title><filename>/etc/ntp.conf</filename> 範例</title> <title><filename>/etc/ntp.conf</filename> 範例</title>
<programlisting xml:lang="en">server ntplocal.example.com prefer <programlisting xml:lang="en">server ntplocal.example.com prefer
server timeserver.example.org server timeserver.example.org
server ntp2a.example.net server ntp2a.example.net
driftfile /var/db/ntp.drift</programlisting> driftfile /var/db/ntp.drift</programlisting>
</example> </example>
<para xml:lang="en">The format of this file is described in <citerefentry><refentrytitle>ntp.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. <para>這個檔案的格式在 <citerefentry><refentrytitle>ntp.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> 有說明,<literal>server</literal> 選項設定了要查詢那一些伺服器,每一行列一個伺服器。若伺服項目中含有 <literal>prefer</literal>,則會較偏好使用該伺服器。從偏好伺服器收到的回應若明顯與他伺服器的回應差異過大則會被放棄,否則都會以偏好的伺服器為主。<literal>prefer</literal> 參數只應用在已知高度準確的 <acronym>NTP</acronym> 伺服器上,例如那些有特別在監控時間的硬體。</para>
The <literal>server</literal> option specifies which servers
to query, with one server listed on each line. If a server
entry includes <literal>prefer</literal>, that server is
preferred over other servers. A response from a preferred
server will be discarded if it differs significantly from
other servers' responses; otherwise it will be used. The
<literal>prefer</literal> argument should only be used for
<acronym>NTP</acronym> servers that are known to be highly
accurate, such as those with special time monitoring
hardware.</para>
<para xml:lang="en">The <literal>driftfile</literal> entry specifies which <para><literal>driftfile</literal> 項目用來指定要使用那一個檔案儲存系統時間的頻率偏移量,<application>ntpd</application> 會使用這個檔來自動補償時間的自然偏移,讓時間即始在切斷所有外部時間來源一段時間時仍能夠保持合理的設定值。這個檔案也會儲存有關前次由 <acronym>NTP</acronym> 伺服器收到的回應,由於這個檔案包含供 <acronym>NTP</acronym> 使用的內部資訊,所以不應手動修改。</para>
file is used to store the system clock's frequency offset.
<application>ntpd</application> uses this to automatically
compensate for the clock's natural drift, allowing it to
maintain a reasonably correct setting even if it is cut off
from all external time sources for a period of time. This
file also stores information about previous responses
from <acronym>NTP</acronym> servers. Since this file contains
internal information for <acronym>NTP</acronym>, it should not
be modified.</para>
<para xml:lang="en">By default, an <acronym>NTP</acronym> server is accessible <para>預設,<acronym>NTP</acronym> 伺服器是開放給任何網路主機存取的,在 <filename>/etc/ntp.conf</filename> 中的 <literal>restrict</literal> 選項可以用來控制那些系統可以存取該伺服器。例如,要拒絕所有主機的存取,可加入下行到 <filename>/etc/ntp.conf</filename>:</para>
to any network host. The <literal>restrict</literal> option
in <filename>/etc/ntp.conf</filename> can be used to control
which systems can access the server. For example, to deny all
machines from accessing the <acronym>NTP</acronym> server, add
the following line to
<filename>/etc/ntp.conf</filename>:</para>
<programlisting xml:lang="en">restrict default ignore</programlisting> <programlisting xml:lang="en">restrict default ignore</programlisting>
<note> <note>
<para xml:lang="en">This will also prevent access from other <para>這將會避免其他 <acronym>NTP</acronym> 伺服器的存取,若有需要與一個外部 <acronym>NTP</acronym> 伺服器同步,則可以只允許該伺服器。請參考 <citerefentry><refentrytitle>ntp.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> 來取得更多資訊。</para>
<acronym>NTP</acronym> servers. If there is a need to
synchronize with an external <acronym>NTP</acronym> server,
allow only that specific server. Refer to <citerefentry><refentrytitle>ntp.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information.</para>
</note> </note>
<para xml:lang="en">To allow machines within the network to synchronize their <para>要允許在網路內的主機與伺服器同步時間,但要確保這些主機不允許設定伺服器或者被這些主機當作同輩的主機相互同步,可改使用:</para>
clocks with the server, but ensure they are not allowed to
configure the server or be used as peers to synchronize
against, instead use:</para>
<programlisting xml:lang="en">restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting> <programlisting xml:lang="en">restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting>
<para xml:lang="en">where <systemitem class="ipaddress">192.168.1.0</systemitem> is the local <para>其中 <systemitem class="ipaddress">192.168.1.0</systemitem> 是本地網路的位址,而 <systemitem class="netmask">255.255.255.0</systemitem> 是網路的子遮罩。</para>
network address and <systemitem class="netmask">255.255.255.0</systemitem> is the network's
subnet mask.</para>
<para xml:lang="en">Multiple <literal>restrict</literal> entries are <para>也支援多個 <literal>restrict</literal> 項目,要取得詳細的資料,請參考 <citerefentry><refentrytitle>ntp.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> 的 <literal>Access Control Support</literal> 子章節。</para>
supported. For more details, refer to the <literal>Access
Control Support</literal> subsection of
<citerefentry><refentrytitle>ntp.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
<para xml:lang="en">Once <literal>ntpd_enable="YES"</literal> has been added <para><literal>ntpd_enable="YES"</literal> 加入到 <filename>/etc/rc.conf</filename> 之後,<application>ntpd</application> 便可不需重新開機立即啟動,只要輸入:</para>
to <filename>/etc/rc.conf</filename>,
<application>ntpd</application> can be started now without
rebooting the system by typing:</para>
<screen xml:lang="en"><prompt>#</prompt> <userinput>service ntpd start</userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>service ntpd start</userinput></screen>
</sect2> </sect2>
<sect2> <sect2>
<title>在 <acronym>PPP</acronym> 連線使用 <acronym>NTP</acronym></title> <title>在 <acronym>PPP</acronym> 連線使用 <acronym>NTP</acronym></title>
<para xml:lang="en"><application>ntpd</application> does not need a permanent <para><application>ntpd</application> 並不需要永久的網際網路連線才能正常運作,若有一個 <acronym>PPP</acronym> 連線是設定成需要時撥號,那麼便需要避免 <acronym>NTP</acronym> 的流量觸發撥號或是保持連線不中斷,這可在 <filename>/etc/ppp/ppp.conf</filename> 使用 <literal>filter</literal> 項目設定,例如: </para>
connection to the Internet to function properly. However, if
a <acronym>PPP</acronym> connection is configured to dial out
on demand, <acronym>NTP</acronym> traffic should be prevented
from triggering a dial out or keeping the connection alive.
This can be configured with <literal>filter</literal>
directives in <filename>/etc/ppp/ppp.conf</filename>. For
example:</para>
<programlisting xml:lang="en"> set filter dial 0 deny udp src eq 123 <programlisting xml:lang="en"> set filter dial 0 deny udp src eq 123
# Prevent NTP traffic from initiating dial out # Prevent NTP traffic from initiating dial out
set filter dial 1 permit 0 0 set filter dial 1 permit 0 0
set filter alive 0 deny udp src eq 123 set filter alive 0 deny udp src eq 123
# Prevent incoming NTP traffic from keeping the connection open # Prevent incoming NTP traffic from keeping the connection open
set filter alive 1 deny udp dst eq 123 set filter alive 1 deny udp dst eq 123
# Prevent outgoing NTP traffic from keeping the connection open # Prevent outgoing NTP traffic from keeping the connection open
set filter alive 2 permit 0/0 0/0</programlisting> set filter alive 2 permit 0/0 0/0</programlisting>
<para xml:lang="en">For more details, refer to the <para>要取得更詳細的資訊,請參考於 <citerefentry><refentrytitle>ppp</refentrytitle><manvolnum>8</manvolnum></citerefentry> 的 <literal>PACKET FILTERING</literal> 小節以及在 <filename>/usr/share/examples/ppp/</filename> 中的範例。</para>
<literal>PACKET FILTERING</literal> section in <citerefentry><refentrytitle>ppp</refentrytitle><manvolnum>8</manvolnum></citerefentry> and
the examples in
<filename>/usr/share/examples/ppp/</filename>.</para>
<note> <note>
<para xml:lang="en">Some Internet access providers block low-numbered ports, <para>部份網際網路存取提供商會封鎖較小編號的埠,這會讓 NTP 無法運作,因為回應永遠無到傳送到該主機。</para>
preventing NTP from functioning since replies never reach
the machine.</para>
</note> </note>
</sect2> </sect2>
</sect1> </sect1>
<sect1 xml:id="network-iscsi"> <sect1 xml:id="network-iscsi">
<!-- <!--
<sect1info> <sect1info>
<authorgroup> <authorgroup>
▲ Show 20 LinesShow All 363 Lines▼ Show 20 Lines <indexterm xml:lang="en">
<primary>security</primary> <primary>security</primary>
<secondary>firewalls</secondary> <secondary>firewalls</secondary>
</indexterm> </indexterm>
<sect1 xml:id="firewalls-intro"> <sect1 xml:id="firewalls-intro">
<title>概述</title> <title>概述</title>
<para>防火牆能夠過濾透過系統進出的流量,防火牆可使用一組或多組 <quote>規則 (Rules)</quote> 來檢查網路連線中進出的網路封包(Network packets),並且能允許或阻擋其通過。 而防火牆規則可以檢查封包中一個或數個特徵,例如通訊協定類型、來源或目的主機位址,以及來源及目地的連接埠 (Port)。</para> <para>防火牆能夠過濾透過系統內送 (Incoming) 與外發 (Outgoing) 的流量,防火牆可使用一組或多組 <quote>規則 (Rules)</quote> 來檢查網路連線中進出的網路封包(Network packets),並且能允許或阻擋其通過。 而防火牆規則可以檢查封包中一個或數個特徵,例如通訊協定類型、來源或目的主機位址,以及來源及目地的連接埠 (Port)。</para>
<para>防火牆可以加強主機或網路的安全性,它可以用來完成下列事情:</para> <para>防火牆可以加強主機或網路的安全性,它可以用來完成下列事情:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para xml:lang="en">Protect and insulate the applications, services, and <para>保護並隔離內部網路的應用程式、服務與主機,避免來自網際網路不必要的存取。</para>
machines of an internal network from unwanted traffic from
the public Internet.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en">Limit or disable access from hosts of the internal <para>限制或者禁止內部網路的主機存取網際網路服務。</para>
network to services of the public Internet.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en">Support network address translation <para>支援網路位址轉譯 (Network address translation, <acronym>NAT</acronym>),可允許內部網路使用私有 <acronym>IP</acronym> 位址並共用一個連線使用一個 <acronym>IP</acronym> 位址連到網際網路或者自動分配一個共用池當中的公開位址。</para>
(<acronym>NAT</acronym>), which allows an internal network
to use private <acronym>IP</acronym> addresses and share a
single connection to the public Internet using either a
single <acronym>IP</acronym> address or a shared pool of
automatically assigned public addresses.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para xml:lang="en">FreeBSD has three firewalls built into the base system: <para>FreeBSD 有三種內建於基礎系統的防火牆:<application>PF</application>, <application>IPFW</application> 與 <application>IPFILTER</application> 即 <application>IPF</application>。FreeBSD 也提供了兩種流量限制程式 (Traffic shaper) 來控制頻寬的用量:<citerefentry><refentrytitle>altq</refentrytitle><manvolnum>4</manvolnum></citerefentry> 與 <citerefentry><refentrytitle>dummynet</refentrytitle><manvolnum>4</manvolnum></citerefentry>,<application>ALTQ</application> 一般配合 <application>PF</application> 使用,而 <application>dummynet</application> 會配合 <application>IPFW</application>。每一種防火牆都會使用規則來管制來自與送往 FreeBSD 的封包,儘管它們用不同的方式運作且有不同的規則語法。</para>
<application>PF</application>, <application>IPFW</application>,
and <application>IPFILTER</application>, also known as
<application>IPF</application>. FreeBSD also provides two traffic
shapers for controlling bandwidth usage: <citerefentry><refentrytitle>altq</refentrytitle><manvolnum>4</manvolnum></citerefentry> and
<citerefentry><refentrytitle>dummynet</refentrytitle><manvolnum>4</manvolnum></citerefentry>. <application>ALTQ</application> has
traditionally been closely tied with
<application>PF</application> and
<application>dummynet</application> with
<application>IPFW</application>. Each firewall uses rules to
control the access of packets to and from a FreeBSD system,
although they go about it in different ways and each has a
different rule syntax.</para>
<para xml:lang="en">FreeBSD provides multiple firewalls in order to meet the <para>FreeBSD 提供多個防火牆是為了滿足不同的需求與各種使用者的偏好,每位使用者應評估那一種防火牆最能滿足其需求。</para>
different requirements and preferences for a wide variety of
users. Each user should evaluate which firewall best meets
their needs.</para>
<para>讀完這章,您將了解︰</para> <para>讀完這章,您將了解︰</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para xml:lang="en">How to define packet filtering rules.</para> <para>如何定義封包過濾規則。</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en">The differences between the firewalls built into <para>FreeBSD 內建防火牆之間的差異。</para>
FreeBSD.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en">How to use and configure the <para>如何使用與設定 <application>PF</application> 防火牆。</para>
<application>PF</application> firewall.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en">How to use and configure the <para>如何使用與設定 <application>IPFW</application> 防火牆。</para>
<application>IPFW</application> firewall.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en">How to use and configure the <para>如何使用與設定 <application>IPFILTER</application> 防火牆。</para>
<application>IPFILTER</application> firewall.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>在開始閱讀這章之前,您需要︰</para> <para>在開始閱讀這章之前,您需要︰</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>了解 FreeBSD 基礎及網路概念。</para> <para>了解 FreeBSD 基礎及網路概念。</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<note> <note>
<para xml:lang="en">Since all firewalls are based on inspecting the values of <para>由於所有防火牆均是以監控所選封包的控制欄位值為基礎運作,所以防火牆規則集的建立者必須很明白 <acronym>TCP/IP</acronym> 是如何運作的,在封包的控制欄位中會有那些數值,這些數值會被如何用在一般的連線階段,要了解更多相關資訊,可參考 <link xlink:href="http://www.ipprimer.com/overview.cfm">Daryl's TCP/IP Primer</link>。</para>
selected packet control fields, the creator of the firewall
ruleset must have an understanding of how
<acronym>TCP/IP</acronym> works, what the different values in
the packet control fields are, and how these values are used
in a normal session conversation. For a good introduction,
refer to <link xlink:href="http://www.ipprimer.com/overview.cfm">Daryl's
TCP/IP Primer</link>.</para>
</note> </note>
</sect1> </sect1>
<sect1 xml:id="firewalls-concepts"> <sect1 xml:id="firewalls-concepts">
<title>防火牆概念</title> <title>防火牆概念</title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>firewall</primary> <primary>firewall</primary>
<secondary>rulesets</secondary> <secondary>rulesets</secondary>
</indexterm> </indexterm>
<para xml:lang="en">A ruleset contains a group of rules which pass or block <para>一個規則集 (Ruleset) 中會有一群根據封包內的資料來判斷通過或封鎖的規則,主機間雙向的封包交換構成一個連線階段的對話,防火牆規則集會同時處理接收自網際網路的封包以及由系統所產生的回應封包,每一個 <acronym>TCP/IP</acronym> 服務都會預先定義其通訊協定以及要傾聽的埠,要送往指定服務的封包會誕生在來源位址,使用一個不需特殊權限的埠並傳送給目標位址上特定服務的埠,所有上述過程中的參數均可用來當做建立規則的篩選條件,來允許或封鎖服務。</para>
packets based on the values contained in the packet. The
bi-directional exchange of packets between hosts comprises a
session conversation. The firewall ruleset processes both the
packets arriving from the public Internet, as well as the
packets produced by the system as a response to them. Each
<acronym>TCP/IP</acronym> service is predefined by its protocol
and listening port. Packets destined for a specific service
originate from the source address using an unprivileged port and
target the specific service port on the destination address.
All the above parameters can be used as selection criteria to
create rules which will pass or block services.</para>
<para xml:lang="en">To lookup unknown port numbers, refer to <para>要查詢一個不清楚的埠號,可參考 <filename>/etc/services</filename>,或者至 <uri xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri> 查詢埠號來找出特定埠號的用途。</para>
<filename>/etc/services</filename>. Alternatively, visit <uri xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
and do a port number lookup to find the purpose of a particular
port number.</para>
<para xml:lang="en">Check out this link for port numbers used by Trojans <uri xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para> <para>查看這個連結來了解有那些埠號會被木馬程式使用 <uri xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>。</para>
<para xml:lang="en">FTP has two modes: active mode and passive mode. The <para>FTP 有兩個模式:主動 (Active) 模式與被動 (Passive) 模式,兩者的差異在於取得資料通道的方式,被動模式會較安全,由於資料通道會取自 FTP 連線請求者。想要取得 FTP 與兩種模式更進一步的說明,詳見 <uri xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>。</para>
difference is in how the data channel is acquired. Passive
mode is more secure as the data channel is acquired by the
ordinal ftp session requester. For a good explanation of FTP
and the different modes, see <uri xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
<para xml:lang="en">A firewall ruleset can be either <para>防火牆規則集可以為排除式 (<quote>exclusive</quote>) 或者內含式 (<quote>inclusive</quote>),一個排除式的防火牆會允許所有的連線通過除了符合規則集的連線,內含式的防火牆則會反過來只允許符合規則集的連線並封鎖其他任何的連線。</para>
<quote>exclusive</quote> or <quote>inclusive</quote>. An
exclusive firewall allows all traffic through except for the
traffic matching the ruleset. An inclusive firewall does the
reverse as it only allows traffic matching the rules through and
blocks everything else.</para>
<para xml:lang="en">An inclusive firewall offers better control of the outgoing <para>內含式的防火牆對於外發的流量有較好的控制,使其成為提供網際網路服務的系統的最佳選擇,它同時可以控制可存取私有網路的網際網路連線,所有不符合該規則的連線會被封鎖並記錄。一般來說,內含式的防火牆會比排除式的防火牆安全,因為內含式的防火牆可以明顯的減少不必要連線所造成風險。</para>
traffic, making it a better choice for systems that offer
services to the public Internet. It also controls the type of
traffic originating from the public Internet that can gain
access to a private network. All traffic that does not match
the rules is blocked and logged. Inclusive firewalls are
generally safer than exclusive firewalls because they
significantly reduce the risk of allowing unwanted
traffic.</para>
<note> <note>
<para xml:lang="en">Unless noted otherwise, all configuration and example <para>除非另有說明,否則所有在此章節的範例規則集均為內含式防火牆規則集。</para>
rulesets in this chapter create inclusive firewall
rulesets.</para>
</note> </note>
<para xml:lang="en">Security can be tightened further using a <quote>stateful <para>使用具狀態防火牆 (<quote>Stateful firewall</quote>) 可以更進一步加強安全性,這種類型的防火牆可持續追蹤連線,只允許與現有連線相符的封包或符合允許條件的新連線通過。</para>
firewall</quote>. This type of firewall keeps track of open
connections and only allows traffic which either matches an
existing connection or opens a new, allowed connection.</para>
<para xml:lang="en">Stateful filtering treats traffic as a bi-directional <para>狀態過濾技術 (Stateful filtering) 將所有的流量當做是一個由雙向封包交換所組成的連線階段,當在符合的規則上指定狀態 (State) 時,防火牆會自動產生內部規則來處理該連線階段中每個預期會通過的封包,這種防火牆有足夠的比對能力可以辨別是否為同一個連線階段的封包,任何不符合連線階段樣板的封包都會被自動拒絕。</para>
exchange of packets comprising a session. When state is
specified on a matching rule the firewall dynamically generates
internal rules for each anticipated packet being exchanged
during the session. It has sufficient matching capabilities to
determine if a packet is valid for a session. Any packets that
do not properly fit the session template are automatically
rejected.</para>
<para xml:lang="en">When the session completes, it is removed from the dynamic <para>當連線階段結束時,該規則將會動態狀態表 (Dynamic state table) 中移除。</para>
state table.</para>
<para xml:lang="en">Stateful filtering allows one to focus on blocking/passing <para>Stateful filtering 讓管理者可以專注於封鎖/傳遞新的連線階段,若新的連線階段通過,那麼該連線階段後續的封包將會自動允許通過,且任何假冒的封包會自動被拒絕。若新的連線階最被封鎖,將不允許其任何後續的封包。Stateful filtering 提供了進階的比對能力,能夠抵禦不同種類由攻擊者發動的 flood 攻擊。</para>
new sessions. If the new session is passed, all its subsequent
packets are allowed automatically and any impostor packets are
automatically rejected. If a new session is blocked, none of
its subsequent packets are allowed. Stateful filtering provides
advanced matching abilities capable of defending against the
flood of different attack methods employed by attackers.</para>
<para xml:lang="en"><acronym>NAT</acronym> stands for <emphasis>Network <para><acronym>NAT</acronym> 代表 <emphasis>Network Address Translation</emphasis> 即網路位址轉譯,<acronym>NAT</acronym> 功能讓在防火牆之後的私有 LAN 可以共用一個 ISP 分配的 IP 位址 (甚至是動態分配的),NAT 每一台在該 LAN 中的電腦均可連線網際網路,而不需要支付 ISP 多個網路帳號或 IP 位址的額外費用。</para>
Address Translation</emphasis>. <acronym>NAT</acronym>
function enables the private LAN behind the firewall to share a
single ISP-assigned IP address, even if that address is
dynamically assigned. NAT allows each computer in the LAN to
have Internet access, without having to pay the ISP for multiple
Internet accounts or IP addresses.</para>
<para xml:lang="en"><acronym>NAT</acronym> will automatically translate the <para><acronym>NAT</acronym> 在當封包要外送到防火牆之外的網際網路時,會自動轉譯每一台電腦在私有 LAN 的 IP 位址成為一個公有 IP 位址,它也同樣會對回傳的封包做反向轉譯。</para>
private LAN IP address for each system on the LAN to the
single public IP address as packets exit the firewall bound for
the public Internet. It also performs the reverse translation
for returning packets.</para>
<para xml:lang="en">According to RFC 1918, the following IP address ranges are <para>根據 RFC1918,會保留以下範圍的 IP 位址做為私有網路使用,永遠不會被傳送到網際網路,因此可供 NAT 使用:</para>
reserved for private networks which will never be routed
directly to the public Internet, and therefore are available
for use with NAT:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para xml:lang="en"><literal>10.0.0.0/8</literal>.</para> <para xml:lang="en"><literal>10.0.0.0/8</literal>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en"><literal>172.16.0.0/12</literal>.</para> <para xml:lang="en"><literal>172.16.0.0/12</literal>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en"><literal>192.168.0.0/16</literal>.</para> <para xml:lang="en"><literal>192.168.0.0/16</literal>.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<warning> <warning>
<para xml:lang="en">When working with the firewall rules, be <emphasis>very <para>在使用防火牆規則時要<emphasis>非常小心</emphasis>,有一些設定<emphasis>會將管理者鎖在伺服器之外</emphasis>,保險起見的方式是在本機的 Console 做初次的防火牆設定,不要直接由遠端透過 <application>ssh</application> 來設定防火牆。</para>
careful</emphasis>. Some configurations <emphasis>can
lock the administrator out</emphasis> of the server. To be
on the safe side, consider performing the initial firewall
configuration from the local console rather than doing it
remotely over <application>ssh</application>.</para>
</warning> </warning>
</sect1> </sect1>
<sect1 xml:id="firewalls-pf"> <sect1 xml:id="firewalls-pf">
<info> <info>
<title xml:lang="en">PF</title> <title xml:lang="en">PF</title>
<authorgroup> <authorgroup>
<author xml:lang="en"> <author xml:lang="en">
<personname> <personname>
<firstname>John</firstname> <firstname>John</firstname>
<surname>Ferrell</surname> <surname>Ferrell</surname>
</personname> </personname>
<contrib>Revised and updated by </contrib> <contrib>Revised and updated by </contrib>
</author> </author>
</authorgroup> </authorgroup>
</info> </info>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>firewall</primary> <primary>firewall</primary>
<secondary>PF</secondary> <secondary>PF</secondary>
</indexterm> </indexterm>
<para xml:lang="en">Since FreeBSD!5.3, a ported version of OpenBSD's <para>自 FreeBSD!5.3 開始,基礎系統便有內建 OpenBSD's <application>PF</application> 防火牆的移植版本,<application>PF</application> 是一套完整、多功能的防火牆,並可選擇開啟 <application>ALTQ</application> (Alternate Queuing) 的支援來提供 Quality of Service (<acronym>QoS</acronym>) 機制。</para>
<application>PF</application> firewall has been included as an
integrated part of the base system.
<application>PF</application> is a complete, full-featured
firewall that has optional support for
<application>ALTQ</application> (Alternate Queuing), which
provides Quality of Service (<acronym>QoS</acronym>).</para>
<para xml:lang="en">The OpenBSD Project maintains the definitive reference for <para>OpenBSD 計劃有維護一份官方參考文件於 <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link> ,Peter Hansteen 有維一份詳盡的 <application>PF</application> 教學於 <link xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>。</para>
<application>PF</application> in the <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>.
Peter Hansteen maintains a thorough
<application>PF</application> tutorial at <link xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
<warning> <warning>
<para xml:lang="en">When reading the <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>, <para>在閱讀 <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link> 時,要注意 FreeBSD 採用與 OpenBSD!4.5 相同版本的 <application>PF</application>。</para>
keep in mind that FreeBSD uses the same version of
<application>PF</application> as OpenBSD!4.5.</para>
</warning> </warning>
<para xml:lang="en">The <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-pf">FreeBSD packet filter mailing list</link> is a good place to ask questions about <para>要詢問有關設定與執行 <application>PF</application> 防火牆的問題可至 <link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-pf">FreeBSD packet filter 郵遞論壇</link>,在詢問問題之前請先查看該郵遞論壇的封存資料,因您的問題可能已有解答。</para>
configuring and running the <application>PF</application>
firewall. Check the mailing list archives before asking a
question as it may have already been answered.</para>
<para xml:lang="en">More information about porting <application>PF</application> <para>更多有關移植 <application>PF</application> 到 FreeBSD 的資訊可至 <uri xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri> 取得。</para>
to FreeBSD can be found at <uri xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
<para xml:lang="en">This section of the Handbook focuses on <para>由於 FreeBSD 也支援 <application>PF</application> 因此操作手冊特別在此章節對此介紹,本節會示範如何開啟 <application>PF</application> 與 <application>ALTQ</application>,然後提供幾個在 FreeBSD 系統上建立規則集的例子。</para>
<application>PF</application> as it pertains to FreeBSD. It
demonstrates how to enable <application>PF</application> and
<application>ALTQ</application>. It then provides several
examples for creating rulesets on a FreeBSD system.</para>
<sect2> <sect2>
<title>開啟 <application>PF</application></title> <title>開啟 <application>PF</application></title>
<para xml:lang="en">In order to use <application>PF</application>, its kernel <para xml:lang="en">In order to use <application>PF</application>, its kernel
module must be first loaded. This section describes the module must be first loaded. This section describes the
entries that can be added to <filename>/etc/rc.conf</filename> entries that can be added to <filename>/etc/rc.conf</filename>
in order to enable <application>PF</application>.</para> in order to enable <application>PF</application>.</para>
▲ Show 20 LinesShow All 1,232 Lines▼ Show 20 Lines <sect1 xml:id="firewalls-ipfw">
<title xml:lang="en"><application>IPFW</application></title> <title xml:lang="en"><application>IPFW</application></title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>firewall</primary> <primary>firewall</primary>
<secondary>IPFW</secondary> <secondary>IPFW</secondary>
</indexterm> </indexterm>
<para xml:lang="en"><application>IPFW</application> is a stateful firewall <para><application>IPFW</application> 是一套專為 FreeBSD 所寫的具狀態防火牆 (Stateful firewall),它同時支援 <acronym>IPv4</acronym> 與 <acronym>IPv6</acronym>,它由數個元件組成:核心防火牆過濾規則處理器與其整合的封包計帳設施、記錄設施、<acronym>NAT</acronym>、<citerefentry><refentrytitle>dummynet</refentrytitle><manvolnum>4</manvolnum></citerefentry> 流量限制程式、轉送設施、橋接設施以及 ipstealth 設施。</para>
written for FreeBSD which supports both <acronym>IPv4</acronym> and
<acronym>IPv6</acronym>. It is comprised of several components:
the kernel firewall filter rule processor and its integrated
packet accounting facility, the logging facility,
<acronym>NAT</acronym>, the <citerefentry><refentrytitle>dummynet</refentrytitle><manvolnum>4</manvolnum></citerefentry> traffic shaper, a
forward facility, a bridge facility, and an ipstealth
facility.</para>
<para xml:lang="en">FreeBSD provides a sample ruleset in <para>FreeBSD 提供一個範本規則集於 <filename>/etc/rc.firewall</filename>,其定義了幾個常見情境會使用的防火牆類型來協助初學的使用者撰寫合適的規則集。<application>IPFW</application> 提供了強大的語法讓進階的使用者可以用來自訂符合環境安全性要求的規則集。</para>
<filename>/etc/rc.firewall</filename> which defines several
firewall types for common scenarios to assist novice users in
generating an appropriate ruleset.
<application>IPFW</application> provides a powerful syntax which
advanced users can use to craft customized rulesets that meet
the security requirements of a given environment.</para>
<para xml:lang="en">This section describes how to enable <para>本節將介紹如何開啟 <application>IPFW</application>、規則語法的概要以及示範幾種常見情境所使用的規則集:</para>
<application>IPFW</application>, provides an overview of its
rule syntax, and demonstrates several rulesets for common
configuration scenarios.</para>
<sect2 xml:id="firewalls-ipfw-enable"> <sect2 xml:id="firewalls-ipfw-enable">
<title>開啟 <application>IPFW</application></title> <title>開啟 <application>IPFW</application></title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary><application>IPFW</application></primary> <primary><application>IPFW</application></primary>
<secondary>enabling</secondary> <secondary>enabling</secondary>
▲ Show 20 LinesShow All 978 Lines▼ Show 20 Lines <sect1 xml:id="firewalls-ipf">
<title xml:lang="en">IPFILTER (IPF)</title> <title xml:lang="en">IPFILTER (IPF)</title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary>firewall</primary> <primary>firewall</primary>
<secondary><application>IPFILTER</application></secondary> <secondary><application>IPFILTER</application></secondary>
</indexterm> </indexterm>
<para xml:lang="en"><application>IPFILTER</application>, also known as <para><application>IPFILTER</application> 即為 <application>IPF</application>,是一套跨平台、開放源碼的防火牆,已被移植到各種作業系統,包含 FreeBSD, NetBSD, OpenBSD 與 <trademark>Solaris</trademark>。</para>
<application>IPF</application>, is a cross-platform, open source
firewall which has been ported to several operating systems,
including FreeBSD, NetBSD, OpenBSD, and <trademark>Solaris</trademark>.</para>
<para xml:lang="en"><application>IPFILTER</application> is a kernel-side <para><application>IPFILTER</application> 是核心端 (Kernel-side) 的防火牆且 <acronym>NAT</acronym> 機制可由 Userland 的程式控制與監控,防火牆規則可以使用 <application>ipf</application> 設定或刪除,<acronym>NAT</acronym> 規則可以使用 <application>ipnat</application> 設定或刪除,可使用 <application>ipfstat</application> 來列出 <application>IPFILTER</application> 在核心部份的執行期統計資訊,可使用 <application>ipmon</application> 來記錄 <application>IPFILTER</application> 動作到系統記錄檔。</para>
firewall and <acronym>NAT</acronym> mechanism that can be
controlled and monitored by userland programs. Firewall rules
can be set or deleted using <application>ipf</application>,
<acronym>NAT</acronym> rules can be set or deleted using
<application>ipnat</application>, run-time statistics for the
kernel parts of <application>IPFILTER</application> can be
printed using <application>ipfstat</application>, and
<application>ipmon</application> can be used to log
<application>IPFILTER</application> actions to the system log
files.</para>
<para xml:lang="en"><application>IPF</application> was originally written using <para><application>IPF</application> 原來是以 <quote>最後一個符合的條件優先</quote> 的規則處理邏輯所撰寫並只能使用無狀態 (Stateless) 的規則,之後 <application>IPF</application> 才被加強支援快速 (<literal>quick</literal>) 與保留狀態 (<literal>keep state</literal>) 的選項。</para>
a rule processing logic of <quote>the last matching rule
wins</quote> and only used stateless rules. Since then,
<application>IPF</application> has been enhanced to include the
<literal>quick</literal> and <literal>keep state</literal>
options.</para>
<para xml:lang="en">The <application>IPF</application> FAQ is at <uri xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>. <para><application>IPF</application> FAQ 位於 <uri xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>,可搜尋的 IPFilter 郵遞論壇封存資料可至 <uri xlink:href="http://marc.info/?l=ipfilter">http://marc.info/?l=ipfilter</uri> 取得。</para>
A searchable archive of the IPFilter mailing list is available
at <uri xlink:href="http://marc.info/?l=ipfilter">http://marc.info/?l=ipfilter</uri>.</para>
<para xml:lang="en">This section of the Handbook focuses on <para>由於 FreeBSD 也支援 <application>IPF</application> 因此操作手冊特別在此章節對此介紹,本節提供幾個有使用快速 (<literal>quick</literal>) 與保留狀態 (<literal>keep state</literal>) 選項的規則範例。</para>
<application>IPF</application> as it pertains to FreeBSD. It
provides examples of rules that contain the
<literal>quick</literal> and <literal>keep state</literal>
options.</para>
<sect2> <sect2>
<title>開啟 <application>IPF</application></title> <title>開啟 <application>IPF</application></title>
<indexterm xml:lang="en"> <indexterm xml:lang="en">
<primary><application>IPFILTER</application></primary> <primary><application>IPFILTER</application></primary>
<secondary>enabling</secondary> <secondary>enabling</secondary>
▲ Show 20 LinesShow All 316 Lines▼ Show 20 Lines <listitem>
The port number must also be preceded by the The port number must also be preceded by the
<literal>proto</literal> keyword.</para> <literal>proto</literal> keyword.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en">TCP_FLAG|ICMP_TYPE</term> <term xml:lang="en">TCP_FLAG|ICMP_TYPE</term>
<listitem> <listitem>
<para xml:lang="en">If <literal>tcp</literal> is specifed as the <para xml:lang="en">If <literal>tcp</literal> is specified as the
PROTO_TYPE, flags can be specified as letters, where PROTO_TYPE, flags can be specified as letters, where
each letter represents one of the possible each letter represents one of the possible
<acronym>TCP</acronym> flags used to determine the state <acronym>TCP</acronym> flags used to determine the state
of a connection. Possible values are: of a connection. Possible values are:
<literal>S</literal> (SYN), <literal>S</literal> (SYN),
<literal>A</literal> (ACK), <literal>A</literal> (ACK),
<literal>P</literal> (PSH), <literal>P</literal> (PSH),
<literal>F</literal> (FIN), <literal>F</literal> (FIN),
<literal>U</literal> (URG), <literal>U</literal> (URG),
<literal>R</literal> (RST), <literal>R</literal> (RST),
<literal>C</literal> (CWN), and <literal>C</literal> (CWN), and
<literal>E</literal> (ECN).</para> <literal>E</literal> (ECN).</para>
<para xml:lang="en">If <literal>icmp</literal> is specifed as the <para xml:lang="en">If <literal>icmp</literal> is specified as the
PROTO_TYPE, the <acronym>ICMP</acronym> type to match PROTO_TYPE, the <acronym>ICMP</acronym> type to match
can be specified. Refer to <citerefentry><refentrytitle>ipf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the can be specified. Refer to <citerefentry><refentrytitle>ipf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for the
allowable types.</para> allowable types.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en">STATE</term> <term xml:lang="en">STATE</term>
▲ Show 20 LinesShow All 1,519 Lines▼ Show 20 Linesifconfig_wlan0="WPA SYNCDHCP"</programlisting>
<programlisting xml:lang="en">if_wi_load="YES"</programlisting> <programlisting xml:lang="en">if_wi_load="YES"</programlisting>
<note> <note>
<para xml:lang="en">The examples in this section use an <citerefentry><refentrytitle>ath</refentrytitle><manvolnum>4</manvolnum></citerefentry> <para xml:lang="en">The examples in this section use an <citerefentry><refentrytitle>ath</refentrytitle><manvolnum>4</manvolnum></citerefentry>
device and the device name in the examples must be device and the device name in the examples must be
changed according to the configuration. A list of changed according to the configuration. A list of
available wireless drivers and supported adapters can be available wireless drivers and supported adapters can be
found in the FreeBSD Hardware Notes, available on found in the FreeBSD Hardware Notes, available on
the <link xlink:href="http://www.FreeBSD.org/releases/index.html">Release the <link xlink:href="https://www.FreeBSD.org/releases/index.html">Release
Information</link> page of the FreeBSD website. If a Information</link> page of the FreeBSD website. If a
native FreeBSD driver for the wireless device does not native FreeBSD driver for the wireless device does not
exist, it may be possible to use the <trademark class="registered">Windows</trademark> driver exist, it may be possible to use the <trademark class="registered">Windows</trademark> driver
with the help of the <link linkend="config-network-ndis">NDIS</link> driver with the help of the <link linkend="config-network-ndis">NDIS</link> driver
wrapper.</para> wrapper.</para>
</note> </note>
<para xml:lang="en">In addition, the modules that implement cryptographic <para xml:lang="en">In addition, the modules that implement cryptographic
▲ Show 20 LinesShow All 2,867 Lines▼ Show 20 Lineslagg0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; metric 0 mtu 1500
<screen xml:lang="en"><prompt>#</prompt> <userinput>dhclient <literal>lagg<replaceable>0</replaceable></literal></userinput></screen> <screen xml:lang="en"><prompt>#</prompt> <userinput>dhclient <literal>lagg<replaceable>0</replaceable></literal></userinput></screen>
<para xml:lang="en">To retain this configuration across reboots, add the <para xml:lang="en">To retain this configuration across reboots, add the
following entries to following entries to
<filename>/etc/rc.conf</filename>:</para> <filename>/etc/rc.conf</filename>:</para>
<programlisting xml:lang="en">ifconfig_bge0="up" <programlisting xml:lang="en">ifconfig_bge0="up"
ifconfig_<replaceable>iwn0</replaceable>="<replaceable>ether 00:21:70:da:ae:37</replaceable>"
wlans_<replaceable>iwn0</replaceable>="wlan0" wlans_<replaceable>iwn0</replaceable>="wlan0"
ifconfig_wlan0="WPA" ifconfig_wlan0="WPA"
create_args_wlan0="<replaceable>wlanaddr 00:21:70:da:ae:37</replaceable>"
cloned_interfaces="<literal>lagg<replaceable>0</replaceable></literal>" cloned_interfaces="<literal>lagg<replaceable>0</replaceable></literal>"
ifconfig_<literal>lagg<replaceable>0</replaceable></literal>="laggproto failover laggport bge0 laggport wlan0 DHCP"</programlisting> ifconfig_<literal>lagg<replaceable>0</replaceable></literal>="up laggproto failover laggport bge0 laggport wlan0 DHCP"</programlisting>
</example> </example>
</sect2> </sect2>
</sect1> </sect1>
<sect1 xml:id="network-diskless"> <sect1 xml:id="network-diskless">
<info> <info>
<title><acronym>PXE</acronym> 無磁碟作業</title> <title><acronym>PXE</acronym> 無磁碟作業</title>
▲ Show 20 LinesShow All 269 Lines▼ Show 20 Lines <secondary>diskless operation</secondary>
<para xml:lang="en">The <acronym>DHCP</acronym> server does not need to be the <para xml:lang="en">The <acronym>DHCP</acronym> server does not need to be the
same machine as the <acronym>TFTP</acronym> and same machine as the <acronym>TFTP</acronym> and
<acronym>NFS</acronym> server, but it needs to be accessible <acronym>NFS</acronym> server, but it needs to be accessible
in the network.</para> in the network.</para>
<para xml:lang="en"><acronym>DHCP</acronym> is not part of the FreeBSD base <para xml:lang="en"><acronym>DHCP</acronym> is not part of the FreeBSD base
system but can be installed using the system but can be installed using the
<package>net/isc-dhcp42-server</package> port or <package>net/isc-dhcp43-server</package> port or
package.</para> package.</para>
<para xml:lang="en">Once installed, edit the configuration file, <para xml:lang="en">Once installed, edit the configuration file,
<filename>/usr/local/etc/dhcpd.conf</filename>. Configure <filename>/usr/local/etc/dhcpd.conf</filename>. Configure
the <literal>next-server</literal>, the <literal>next-server</literal>,
<literal>filename</literal>, and <literal>filename</literal>, and
<literal>root-path</literal> settings as seen in this <literal>root-path</literal> settings as seen in this
example:</para> example:</para>
▲ Show 20 LinesShow All 2,036 Lines▼ Show 20 Lines <secondary>Mirror Sites</secondary>
</indexterm> </indexterm>
<para>FreeBSD <application>Subversion</application> 的檔案庫為:</para> <para>FreeBSD <application>Subversion</application> 的檔案庫為:</para>
<programlisting xml:lang="en">svn.FreeBSD.org</programlisting> <programlisting xml:lang="en">svn.FreeBSD.org</programlisting>
<para>這是可公開存取的鏡像站,使用了 GeoDNS 會自動選擇適合的後端伺服器。若要由瀏覽器檢視 <application>Subversion</application> 檔案庫可以使用 <link xlink:href="https://svnweb.FreeBSD.org/">https://svnweb.FreeBSD.org/</link>。</para> <para>這是可公開存取的鏡像站,使用了 GeoDNS 會自動選擇適合的後端伺服器。若要由瀏覽器檢視 <application>Subversion</application> 檔案庫可以使用 <link xlink:href="https://svnweb.FreeBSD.org/">https://svnweb.FreeBSD.org/</link>。</para>
<note> <para xml:lang="en">HTTPS is the preferred protocol, but the
<para>FreeBSD <application>Subversion</application> 鏡像站先前使用的自我簽署 SSL 憑証記錄於本章節中。自 2015 年 7 月開始,所有鏡像站開始使用官方的 SSL 憑証,若有安裝 <package role="port">security/ca_root_nss</package> Port 則 <application>Subversion</application> 便有辦法辨識。舊的自我簽署憑証與伺服器名稱仍可以使用,但已不建議使用且不再支援。</para> <filename role="package">security/ca_root_nss</filename>
</note> package will need to be installed in order to automatically
validate certificates.</para>
<para>對於未安裝 <package role="port">security/ca_root_nss</package> Port 的系統,所需的 SHA1 與 SHA256 的指紋 (Fingerprint) 為:</para>
<informaltable>
<tgroup cols="2">
<colspec colwidth="1*"/>
<colspec colwidth="1*"/>
<thead>
<row>
<entry>編碼 (Hash)</entry>
<entry>指紋 (Fingerprint)</entry>
</row>
</thead>
<tbody>
<row>
<entry xml:lang="en">SHA1</entry>
<entry xml:lang="en"><literal>E9:37:73:80:B5:32:1B:93:92:94:98:17:59:F0:FA:A2:5F:1E:DE:B9</literal></entry>
</row>
<row>
<entry xml:lang="en">SHA256</entry>
<entry xml:lang="en"><literal>D5:27:1C:B6:55:E6:A8:7D:48:D5:0C:F0:DA:9D:51:60:D7:42:6A:F2:05:F1:8A:47:BE:78:A1:3A:72:06:92:60</literal></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>建議使用 <acronym>HTTPS</acronym> 通訊協定,這可提供避免其他電腦假裝為 FreeBSD 鏡像站 (即為一般所知的 <quote>中間人攻擊 (Man in the middle)</quote> 攻擊) 與其他嘗試傳送惡意內容給終端使用者的保護。</para>
<para>若因防火牆或其他問題無法使用 <literal>https</literal>,那麼下一個選擇為使用 <literal>svn</literal>,這個通訊協定會有較快的傳輸速度。當兩者皆無法使用時才使用 <literal>http</literal>。</para>
<para>對於那些仍使用已不建議使用伺服器名稱的電腦的 SHA1 及 SHA256 指紋可為下列其中之一:</para>
<informaltable>
<tgroup cols="2">
<colspec colwidth="1*"/>
<colspec colwidth="1*"/>
<thead>
<row>
<entry>編碼 (Hash)</entry>
<entry>指紋 (Fingerprint)</entry>
</row>
</thead>
<tbody>
<row>
<entry>舊-SHA1</entry>
<entry xml:lang="en"><literal>1C:BD:85:95:11:9F:EB:75:A5:4B:C8:A3:FE:08:E4:02:73:06:1E:61</literal></entry>
</row>
<row>
<entry>舊-SHA1</entry>
<entry xml:lang="en"><literal>F6:44:AA:B9:03:89:0E:3E:8C:4D:4D:14:F0:27:E6:C7:C1:8B:17:C5</literal></entry>
</row>
<row>
<entry>舊-SHA256</entry>
<entry xml:lang="en"><literal>47:35:A9:09:A3:AB:FA:20:33:36:43:C5:1A:D6:E6:FB:EB:C0:C0:83:37:D4:46:9C:A0:AB:89:7F:C2:9C:4C:A3</literal></entry>
</row>
<row>
<entry>舊-SHA256</entry>
<entry xml:lang="en"><literal>48:3C:84:DB:7C:27:1B:FA:D5:0B:A0:D7:E0:4C:79:AA:A3:8E:A3:FA:84:E6:32:34:7D:EB:30:E6:11:01:CF:BE</literal></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>從這些舊的憑証指紋中找到對應已不建已使用伺服器名稱所使用的項目。</para>
</sect2> </sect2>
<sect2> <sect2>
<title>取得更多資訊</title> <title>取得更多資訊</title>
<para>要取得其他有關使用 <application>Subversion</application> 的資訊請參考 <quote>Subversion Book</quote>,其書名為 <link xlink:href="http://svnbook.red-bean.com/">Version Control with Subversion</link> 或是 <link xlink:href="http://subversion.apache.org/docs/">Subversion Documentation</link>。</para> <para>要取得其他有關使用 <application>Subversion</application> 的資訊請參考 <quote>Subversion Book</quote>,其書名為 <link xlink:href="http://svnbook.red-bean.com/">Version Control with Subversion</link> 或是 <link xlink:href="http://subversion.apache.org/docs/">Subversion Documentation</link>。</para>
</sect2> </sect2>
</sect1> </sect1>
▲ Show 20 LinesShow All 295 Lines▼ Show 20 Lines <para xml:lang="en"><link xlink:href="http://www.jp.FreeBSD.org/">Jpman
User's Reference Manual</link> (Japanese translation). User's Reference Manual</link> (Japanese translation).
<link xlink:href="http://www.pc.mycom.co.jp/">Mainichi <link xlink:href="http://www.pc.mycom.co.jp/">Mainichi
Communications Inc.</link>, 1998. ISBN4-8399-0088-4 Communications Inc.</link>, 1998. ISBN4-8399-0088-4
P3800E.</para> P3800E.</para>
</listitem> </listitem>
<listitem> <listitem>
<para xml:lang="en"><link xlink:href="http://www.ed.ac.uk/">Edinburgh <para xml:lang="en"><link xlink:href="http://www.ed.ac.uk/">Edinburgh
University</link> has written an University</link> has written an <link xlink:href="http://www.ed.ac.uk/information-services/help-consultancy/is-skills/catalogue/program-op-sys-catalogue/unix1">Online
<link xlink:href="http://unixhelp.ed.ac.uk/">Online
Guide</link> for newcomers to the UNIX environment.</para> Guide</link> for newcomers to the UNIX environment.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</sect1> </sect1>
<sect1 xml:id="bibliography-adminguides"> <sect1 xml:id="bibliography-adminguides">
<title>管理指南</title> <title>管理指南</title>
▲ Show 20 LinesShow All 568 Lines▼ Show 20 Lines <tbody>
</row> </row>
<row> <row>
<entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-afs">freebsd-afs</link></entry> <entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-afs">freebsd-afs</link></entry>
<entry xml:lang="en">Porting AFS to FreeBSD</entry> <entry xml:lang="en">Porting AFS to FreeBSD</entry>
</row> </row>
<row> <row>
<entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/aic7xxx">freebsd-aic7xxx</link></entry>
<entry xml:lang="en">Developing drivers for the <trademark class="registered">Adaptec</trademark>
AIC 7xxx</entry>
</row>
<row>
<entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-amd64">freebsd-amd64</link></entry> <entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-amd64">freebsd-amd64</link></entry>
<entry xml:lang="en">Porting FreeBSD to AMD64 systems (moderated)</entry> <entry xml:lang="en">Porting FreeBSD to AMD64 systems (moderated)</entry>
</row> </row>
<row> <row>
<entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-apache">freebsd-apache</link></entry> <entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-apache">freebsd-apache</link></entry>
<entry xml:lang="en">Discussion about <entry xml:lang="en">Discussion about
<application>Apache</application> related <application>Apache</application> related
▲ Show 20 LinesShow All 642 Lines▼ Show 20 Lines branch of the src Subversion repository</entry>
<row> <row>
<entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/svn-src-stable-10">svn-src-stable-10</link></entry> <entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/svn-src-stable-10">svn-src-stable-10</link></entry>
<entry xml:lang="en"><filename>/usr/src</filename></entry> <entry xml:lang="en"><filename>/usr/src</filename></entry>
<entry xml:lang="en">All changes to the <filename>stable/10</filename> <entry xml:lang="en">All changes to the <filename>stable/10</filename>
branch of the src Subversion repository</entry> branch of the src Subversion repository</entry>
</row> </row>
<row> <row>
<entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/svn-src-stable-11">svn-src-stable-11</link></entry>
<entry xml:lang="en"><filename>/usr/src</filename></entry>
<entry xml:lang="en">All changes to the <filename>stable/11</filename>
branch of the src Subversion repository</entry>
</row>
<row>
<entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/svn-src-stable-other">svn-src-stable-other</link></entry> <entry xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/svn-src-stable-other">svn-src-stable-other</link></entry>
<entry xml:lang="en"><filename>/usr/src</filename></entry> <entry xml:lang="en"><filename>/usr/src</filename></entry>
<entry xml:lang="en">All changes to the <entry xml:lang="en">All changes to the
older <filename>stable</filename> branches of the src older <filename>stable</filename> branches of the src
Subversion repository</entry> Subversion repository</entry>
</row> </row>
<row> <row>
▲ Show 20 LinesShow All 1,086 Lines▼ Show 20 Lines Conformance</emphasis></para>
<para xml:lang="en">This is a forum for technical discussions related to <para xml:lang="en">This is a forum for technical discussions related to
FreeBSD Conformance to the C99 and the POSIX FreeBSD Conformance to the C99 and the POSIX
standards.</para> standards.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-teaching">freebsd-teaching</link></term>
<listitem>
<para xml:lang="en"><emphasis>Teaching with FreeBSD</emphasis></para>
<para xml:lang="en">Non technical mailing list discussing teaching
with FreeBSD.</para>
</listitem>
</varlistentry>
<varlistentry>
<term xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-testing">freebsd-testing</link></term> <term xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-testing">freebsd-testing</link></term>
<listitem> <listitem>
<para xml:lang="en"><emphasis>Testing on FreeBSD</emphasis></para> <para xml:lang="en"><emphasis>Testing on FreeBSD</emphasis></para>
<para xml:lang="en">Technical mailing list discussing testing on FreeBSD, <para xml:lang="en">Technical mailing list discussing testing on FreeBSD,
including ATF/Kyua, test build infrastructure, port including ATF/Kyua, test build infrastructure, port
tests to FreeBSD from other operating systems (NetBSD, tests to FreeBSD from other operating systems (NetBSD,
▲ Show 20 LinesShow All 123 Lines▼ Show 20 Lines Status</emphasis></para>
list.</para> list.</para>
<para xml:lang="en">Look inside the archives for examples of suitable <para xml:lang="en">Look inside the archives for examples of suitable
messages.</para> messages.</para>
<para xml:lang="en">An editorial digest of the messages to this list <para xml:lang="en">An editorial digest of the messages to this list
might be posted to the FreeBSD website every few months as might be posted to the FreeBSD website every few months as
part of the Status Reports part of the Status Reports
<footnote><para xml:lang="en"><uri xlink:href="http://www.freebsd.org/news/status/">http://www.freebsd.org/news/status/</uri></para></footnote>. <footnote><para xml:lang="en"><uri xlink:href="https://www.freebsd.org/news/status/">https://www.freebsd.org/news/status/</uri></para></footnote>.
Past reports are archived.</para> Past reports are archived.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-wireless">freebsd-wireless</link></term> <term xml:lang="en"><link xlink:href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-wireless">freebsd-wireless</link></term>
<listitem> <listitem>
▲ Show 20 LinesShow All 240 Lines▼ Show 20 Lines
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<anchor xml:id="central-www"/> <anchor xml:id="central-www"/>
<para>中央伺服器</para> <para>中央伺服器</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para xml:lang="en"> <para><link xlink:href="https://www.FreeBSD.org/">https://www.FreeBSD.org/</link></para>
<link xlink:href="http://www.FreeBSD.org/">http://www.FreeBSD.org/</link>
</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
<listitem> <listitem>
<anchor xml:id="mirrors-am-www"/> <anchor xml:id="mirrors-am-www"/>
<para>亞美尼亞 (Armenia)</para> <para>亞美尼亞 (Armenia)</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
▲ Show 20 LinesShow All 345 Lines▼ Show 20 Lines <sect1 xml:id="pgpkeys-officers">
<!-- <!--
The FreeBSD Documentation Project The FreeBSD Documentation Project
$FreeBSD$ $FreeBSD$
--> -->
<sect2 xml:id="pgpkey-security-officer"> <sect2 xml:id="pgpkey-security-officer">
<title xml:lang="en">Security Officer Team <email>security-officer@FreeBSD.org</email></title> <title>Security Officer Team <email>security-officer@FreeBSD.org</email></title>
<!-- $FreeBSD$ --> <!-- $FreeBSD$ -->
<!-- <!--
sh addkey.sh security-officer ED67ECD65DCF6AE7 ; sh addkey.sh security-officer ED67ECD65DCF6AE7 ;
--> -->
<programlisting role="pgpfingerprint" xml:lang="en"><![CDATA[ <programlisting role="pgpfingerprint"><![CDATA[
pub rsa4096/ED67ECD65DCF6AE7 2013-09-24 [expires: 2018-01-01] pub rsa4096/ED67ECD65DCF6AE7 2013-09-24 [expires: 2018-01-01]
Key fingerprint = 1CF7 FF6F ADF5 CA9F BE1B 8CB2 ED67 ECD6 5DCF 6AE7 Key fingerprint = 1CF7 FF6F ADF5 CA9F BE1B 8CB2 ED67 ECD6 5DCF 6AE7
uid FreeBSD Security Officer <security-officer@FreeBSD.org> uid FreeBSD Security Officer <security-officer@FreeBSD.org>
sub rsa4096/B64357A343D9CBAE 2013-09-24 [expires: 2018-01-01] sub rsa4096/B64357A343D9CBAE 2013-09-24 [expires: 2018-01-01]
]]></programlisting> ]]></programlisting>
<programlisting role="pgpkey" xml:lang="en"><![CDATA[ <programlisting role="pgpkey"><![CDATA[
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFJBjOYBEADuKnefrbTVFTZf9mITVx1lFAqwDHPRHZeWBr2Vq1B/Y1eKKsen mQINBFJBjOYBEADuKnefrbTVFTZf9mITVx1lFAqwDHPRHZeWBr2Vq1B/Y1eKKsen
BKbK/O/CXaLuGFRn/6Ptvi9eLuWnho88qzaPU1Aa7BFRRiZlN+WrTmaDwdONJnJQ BKbK/O/CXaLuGFRn/6Ptvi9eLuWnho88qzaPU1Aa7BFRRiZlN+WrTmaDwdONJnJQ
p1LTPjqHmLVAkD7mFZe/H8Glxot62zEqY7LrEs+ZuxQ8oI51YKjhGaACvkrFMinO p1LTPjqHmLVAkD7mFZe/H8Glxot62zEqY7LrEs+ZuxQ8oI51YKjhGaACvkrFMinO
09+TDey1fupVH1+yskVKQZo1zp//Hl/IrPbZKfGCxIGePQowZF7YLvl8DKPo4jI5 09+TDey1fupVH1+yskVKQZo1zp//Hl/IrPbZKfGCxIGePQowZF7YLvl8DKPo4jI5
KO4tZ1kOPcPL2CqwhuCDy0fpUhrQZBswp6tsGx5mRJxDxfgePRBYDK4tMK+BSVsR KO4tZ1kOPcPL2CqwhuCDy0fpUhrQZBswp6tsGx5mRJxDxfgePRBYDK4tMK+BSVsR
putIKOZ4zoBf12hYFiJ8Yd7e9cqxTiPa7AhxPbAjppiH7qJ3NJKCXOOp9DcSvrfb putIKOZ4zoBf12hYFiJ8Yd7e9cqxTiPa7AhxPbAjppiH7qJ3NJKCXOOp9DcSvrfb
▲ Show 20 LinesShow All 221 Lines▼ Show 20 Lines
3VOWuafMlpON+Ii4YEem56Al/Ei8sDA+BN7cpw7o5Xf+HAG70CdcRDn7Vg== 3VOWuafMlpON+Ii4YEem56Al/Ei8sDA+BN7cpw7o5Xf+HAG70CdcRDn7Vg==
=mLLk =mLLk
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----
]]></programlisting> ]]></programlisting>
</sect2> </sect2>
<sect2 xml:id="pgpkey-secteam-secretary"> <sect2 xml:id="pgpkey-secteam-secretary">
<title xml:lang="en">Security Team Secretary <email>secteam-secretary@FreeBSD.org</email></title> <title>Security Team Secretary <email>secteam-secretary@FreeBSD.org</email></title>
<!-- $FreeBSD$ --> <!-- $FreeBSD$ -->
<!-- <!--
sh addkey.sh secteam-secretary 3CB2EAFCC3D6C666; sh addkey.sh secteam-secretary 3CB2EAFCC3D6C666;
--> -->
<programlisting role="pgpfingerprint" xml:lang="en"><![CDATA[ <programlisting role="pgpfingerprint"><![CDATA[
pub 4096R/3CB2EAFCC3D6C666 2013-09-24 [expires: 2018-01-01] pub 4096R/3CB2EAFCC3D6C666 2013-09-24 [expires: 2018-01-01]
Key fingerprint = FA97 AA04 4DF9 0969 D5EF 4ADA 3CB2 EAFC C3D6 C666 Key fingerprint = FA97 AA04 4DF9 0969 D5EF 4ADA 3CB2 EAFC C3D6 C666
uid FreeBSD Security Team Secretary <secteam-secretary@FreeBSD.org> uid FreeBSD Security Team Secretary <secteam-secretary@FreeBSD.org>
sub 4096R/509B26612335EB65 2013-09-24 [expires: 2018-01-01] sub 4096R/509B26612335EB65 2013-09-24 [expires: 2018-01-01]
]]></programlisting> ]]></programlisting>
<programlisting role="pgpkey" xml:lang="en"><![CDATA[ <programlisting role="pgpkey"><![CDATA[
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFJBjIIBEADadvvpXSkdnBOGV2xcsFwBBcSwAdryWuLk6v2VxjwsPcY6Lwqz mQINBFJBjIIBEADadvvpXSkdnBOGV2xcsFwBBcSwAdryWuLk6v2VxjwsPcY6Lwqz
NAZr2Ox1BaSgX7106Psa6v9si8nxoOtMc5BCM/ps/fmedFU48YtqOTGF+utxvACg NAZr2Ox1BaSgX7106Psa6v9si8nxoOtMc5BCM/ps/fmedFU48YtqOTGF+utxvACg
Ou6SKintEMUa1eoPcww1jzDZ3mxx49bQaNAJLjVxeiAZoYHe9loTe1fxsprCONnx Ou6SKintEMUa1eoPcww1jzDZ3mxx49bQaNAJLjVxeiAZoYHe9loTe1fxsprCONnx
Era1hrI+YA2KjMWDORcwa0sSXRCI3V+b4PUnbMUOQa3fFVUriM4QjjUBU6hW0Ub0 Era1hrI+YA2KjMWDORcwa0sSXRCI3V+b4PUnbMUOQa3fFVUriM4QjjUBU6hW0Ub0
GDPcZq45nd7PoPPtb3/EauaYfk/zdx8Xt0OmuKTi9/vMkvB09AEUyShbyzoebaKH GDPcZq45nd7PoPPtb3/EauaYfk/zdx8Xt0OmuKTi9/vMkvB09AEUyShbyzoebaKH
dKtXlzyAPCZoH9dihFM67rhUg4umckFLc8vc5P2tNblwYrnhgL8ymUaOIjZB/fOi dKtXlzyAPCZoH9dihFM67rhUg4umckFLc8vc5P2tNblwYrnhgL8ymUaOIjZB/fOi
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Lines
lIjBtlclVhaUrE2uLx/yTz2Apbm+GAmD8M0dQ7IYsOFlZNBW9zjgLLCtWDW+p1A= lIjBtlclVhaUrE2uLx/yTz2Apbm+GAmD8M0dQ7IYsOFlZNBW9zjgLLCtWDW+p1A=
=5gJ7 =5gJ7
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----
]]></programlisting> ]]></programlisting>
</sect2> </sect2>
<sect2 xml:id="pgpkey-core-secretary"> <sect2 xml:id="pgpkey-core-secretary">
<title xml:lang="en">Core Team Secretary <email>core-secretary@FreeBSD.org</email></title> <title>Core Team Secretary <email>core-secretary@FreeBSD.org</email></title>
<!-- $FreeBSD$ --> <!-- $FreeBSD$ -->
<!-- <!--
sh addkey.sh core-secretary 36A7C05FE1ECF9BB ; sh addkey.sh core-secretary 36A7C05FE1ECF9BB ;
--> -->
<programlisting role="pgpfingerprint" xml:lang="en"><![CDATA[ <programlisting role="pgpfingerprint"><![CDATA[
pub rsa4096/36A7C05FE1ECF9BB 2014-07-09 [SC] [expires: 2017-07-08] pub rsa4096/36A7C05FE1ECF9BB 2014-07-09 [SC] [expires: 2018-07-08]
Key fingerprint = C07B F5E3 10AE 64BF 6120 B0F6 36A7 C05F E1EC F9BB Key fingerprint = C07B F5E3 10AE 64BF 6120 B0F6 36A7 C05F E1EC F9BB
uid FreeBSD Core Team Secretary <core-secretary@freebsd.org> uid FreeBSD Core Team Secretary <core-secretary@freebsd.org>
uid Core Secretary <core-secretary@freebsd.org> uid Core Secretary <core-secretary@freebsd.org>
sub rsa4096/7B5150C8D7CE5D02 2014-07-09 [E] [expires: 2017-07-08] sub rsa4096/7B5150C8D7CE5D02 2014-07-09 [E] [expires: 2018-07-08]
]]></programlisting> ]]></programlisting>
<programlisting role="pgpkey" xml:lang="en"><![CDATA[ <programlisting role="pgpkey"><![CDATA[
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFO9HvEBEADRfuWeoNUwib7ZjNmhg0Kt1kjiGEEosf3O2yMDfYuAXt4De6qK mQINBFO9HvEBEADRfuWeoNUwib7ZjNmhg0Kt1kjiGEEosf3O2yMDfYuAXt4De6qK
S4KECe5+vZH2T8g+zmNLl/7JxdqHiWj9cnoZ6T3bqKh7w7pW7QzC/Q2k4mZsQkGl S4KECe5+vZH2T8g+zmNLl/7JxdqHiWj9cnoZ6T3bqKh7w7pW7QzC/Q2k4mZsQkGl
xzhStHvaHSPKw5808TME0d3ewAfs0dQkDuA0eari0HipCbOVzqHUMTIROr/syPXs xzhStHvaHSPKw5808TME0d3ewAfs0dQkDuA0eari0HipCbOVzqHUMTIROr/syPXs
jHxb2bj0KVzzq7wgy+vF4Cv25VzaAPBVgPv3HAoO/gLOr4SnXqBCw2vgprWx335t jHxb2bj0KVzzq7wgy+vF4Cv25VzaAPBVgPv3HAoO/gLOr4SnXqBCw2vgprWx335t
QX1JslWlsUDmwwq40q4+eMnSFPZ0ing1DgfhMb+Dnrl6Rbxhb0pwPhbwubppUKfe QX1JslWlsUDmwwq40q4+eMnSFPZ0ing1DgfhMb+Dnrl6Rbxhb0pwPhbwubppUKfe
W6owOrTuUbATVoAhsfNySmUWQKc2p9w/8uFV/jJj9HOSgIMKrNONvqekPrjWOQn9 W6owOrTuUbATVoAhsfNySmUWQKc2p9w/8uFV/jJj9HOSgIMKrNONvqekPrjWOQn9
/lcQtGhldWmtPbMogOfaQisBEn1XjMZ3VEOagQxIe/6LDjU7GGoYvSdwf8Z0wXUY /lcQtGhldWmtPbMogOfaQisBEn1XjMZ3VEOagQxIe/6LDjU7GGoYvSdwf8Z0wXUY
/qDntPwudjJA4wQid1Tzf53gpUjr0tYq7aclpiBGs3F5EOs4HMXq5/xlwRGtBDHY /qDntPwudjJA4wQid1Tzf53gpUjr0tYq7aclpiBGs3F5EOs4HMXq5/xlwRGtBDHY
i9RNAlbRSfSD2s1nGsfsImPowlpjtLa+3PqYs/cRLGDu51DsgV/p/CqtAyebG+9O i9RNAlbRSfSD2s1nGsfsImPowlpjtLa+3PqYs/cRLGDu51DsgV/p/CqtAyebG+9O
WsF0Ydt4Q62jEuU8HY7SOj+AuKJVdUkyAZGk5vkPvsKzjdZUqRslurme7d3LqKai WsF0Ydt4Q62jEuU8HY7SOj+AuKJVdUkyAZGk5vkPvsKzjdZUqRslurme7d3LqKai
FjBGj8UyId/IomDCjth3baGc/Y4e+JKyx1XDXgFY2HoQ2KzEoANrizjy5QARAQAB FjBGj8UyId/IomDCjth3baGc/Y4e+JKyx1XDXgFY2HoQ2KzEoANrizjy5QARAQAB
tCtDb3JlIFNlY3JldGFyeSA8Y29yZS1zZWNyZXRhcnlAZnJlZWJzZC5vcmc+iQIc tDhGcmVlQlNEIENvcmUgVGVhbSBTZWNyZXRhcnkgPGNvcmUtc2VjcmV0YXJ5QGZy
BBABCgAGBQJTvR9BAAoJEANvbJ7n856/QGAQANf7Qn3AvTB1Co9oCtKobbtLxOx/ ZWVic2Qub3JnPokCVAQTAQoAPgIbAwULCQgHAwUVCgkICwUWAwIBAAIeAQIXgBYh
FFw6/jnfurJxQ2Y18N9zTNJ1KCzI8pYbanicWQFqUfC1wu6FrnSlNGQvW464NqcE BMB79eMQrmS/YSCw9janwF/h7Pm7BQJZYPzzBQkHhRGCAAoJEDanwF/h7Pm7cMcP
RElbFE41pvqX+Tb6/dOX07mMBZYK8wgLDcHEjl4i7NHurx1AKA2ro/5utRvfIqmh /jMsEmlRAdWd8rTUxYD2112aOpI8xqphqEiUh/U1xC0mqdMfEt0INe4QvXs4mk6O
PxcHwhNiP1He4MD1NgkyrxmRWtO4VM99mhXdm+pl/8XwuFJrdg4v36pEws6tYJgP WcbNdTokVHKyHyNqHibpQ+TwOAuh0mW3vUmVrxvT2ueoPnJthfoXUiWGkB3gMlnO
wDc86/XrmeJT6GOCRFREdwXn6osSvvVYnx4Pyto/xTG5Fm4sa7S4bxgvvSzp2/L+ l76bcMBlSGAxvWa6f6pjflrfEb3k4Q+3hnV0xO2nL5sfukya2cFXnGJ2/AG3LgDW
eO4JpOGXuhiIGhfEwISta1yf14GKTa4a0Qd+gquml4yd1DBybNoa0zcz/sJOBULe doXIFjTA+15tJkFz4hM+7CSKxlzco/SSVAHoICfTF8AiYz7YOGLi3sAhwyKVFe6r
/CLKzSs5IuGkfdH0os1WEjdqQ7JPct3Yizb7Iw/j1YfvDmnM+tt3EMU1DJ1ttY9+ cDSZGTP39PAgOhG4y9xv2Jjq7fQq1E5Ylcs1XBmKsgcbCgi4ZHoaBd8n/3uq26RI
XB6pZvtjSHNApaDPfSeizstpoLle3kvECBJyEIr5u/hL72dYEZtFiYFlHcvWIq6K Aqno4Bo1nFY2oUHMRE7zFlG/R7WBLPISEwJ3d15QV1twsjfPOAMCjEvS5csF7T0T
qWJlIJrOa7vG7r586qstiG270tCeaVOfZT5grKNcDf4vYEoxL+2NKcHVA0rogRWP ARrBSGZYxXpwXKr7gnRXqEOyzEgivgs/cFLd47uOwB3Ul4/eOKH6yDFFcPKaa9u3
MwSWZbWEAaIilK/6AVzc8xmefZJEHHxH7PprcPsH3MPpOwmWjfheHBKfIfEu1UqW S8cVX2bllSU/hktwLWCDnpE3KimZSOGIYhLvYWvQxMR4Uc3Da37Xq1HL9DoU+VdQ
AD+cRQmE+jEz1vc6DzVUfA4c27j9/GXT9/NQsBTamC6rT3YUZKWlFulCC3ncRwf9 MuCYqRCKjWMuVwL+1so7zbyS/ns95VHUMXquaAdk2z3uHh7fCxUc3yd1T5aaWwFP
ZTGSsiT5qCuV1ECniQI9BBMBCgAnAhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheA mWxun8OkeU2hJ/z4kfTY0gNLvEGGRVXkYJqt1P7eM4rCYt2SPydTlhvU/ko4VzZh
BQJXfUvQBQkFpANfAAoJEDanwF/h7Pm7ZycP/RSnQbk6u80gUkkkuRlUMQo1Oepf eD8tZA1PG7eTnFCiwuYWmz5b3hn6W2g3CF8NepTOMcxGiQEcBBABAgAGBQJTvTXF
KUrARGwwuw7B4rovu35kgqskFo9pbsgKuRUWObj7jsBM/sTCX0tyAD6qQii7ZhDL AAoJEE1Y/c0spJd2Y4YIAMTJLPPhDrAqzH+AuIDKFg1sQluK/UyKvGGMhgY/0yo2
7cc5eHssx4BObgrBAnK/R/NqCZZhkvpODkFqnWwdvYrwUFHgqmhja7ivZKr2Bwdr nHEjX5DeS6PTUroQsgy4CF6GhA6BTgCywlDG7urvz6HPY7uz5XRLKX6m8Q6XbNQK
SEq6dHD+xGjWMtU3/tkS0fhkWSRBvcq3J20gEytjEW9Togn2s0+z1uX4apffiKfq ACY5h+V74FDvlkQSIg0G6HpI5cFUuF82n3QVnnkpRJbgR7KhP4DidEYdGAJMR9nl
zJR5kDS5cp4Hcfl8YFoKSCl7021oa/U1Dy/oDjl/eWm56S2WjSVlAGct/MsBsZVm YeLeUaVotB1n2+It80oD8PGstbDD6OhM8gSFzd5TWaAOtyZ/Gj8v3kSZPJRrkG0T
TlRaXufONiFuRy3rJKFJo7krEevlbpexHIRFXH7qssT/HzW2et7DrgFgYaVgzcOb Ra4vBARpjwcnd4GAD1jXfS5u7PNjiMaXhII150zN4iugfDYGiB3dX4TloW0Z3yBl
5H2Vr6e9u/fnTb4TPaxdkjuuTQwZamc6CPpFTBMKV9ndlkps0d4teVtYMEZa7451 SNdevyszrJc+m20/YdzwGJ7ZhcjY19+rBWqkvR3Gje6JAhwEEAECAAYFAlO9NhEA
/qJYedYqmeCcNNCK/oIjMbSrlIhhTUzMslKjvq/j4C49dad3Z6wtzZV6W7O7DyO2 CgkQwBMwnW1+RFxwzg/9FuDRbqXgo8VS/IpxQTqh1HChcTFEYd0b2pbxV/rG1bl5
fmG6FFDnsul+tUjHzipmdQsyuxdqE1haVa6TwKeWBmWo8x0RddDYB5Rczc5alsaX dRf8BmgKdcN/fJZa23GDM3V7yI1GHRph+41IVO4dwe63/HDoZnXKoBJu4OYZZDq5
1HVhT9cAjBJShGwWjbdoRB3Tvvof4I6xyyoYaen40wMIscjlQH8XvEdoQ85ixdyj NvTIdhBzBDmKhpFplmjlymdKzSplSmetLN1TPJWaUqwP7W63T9nzIzxYZHKGmVZf
CZty1mcGfsvpMP/H9ZCzGWmlSe2kyC4xm3xdP6gVhR7dscvuHoeDkuZ22Yocmzo7 R19cqdRTEkbKHgZBzZ1CifW+uyK4NMPaGvcRW56zuV7hZT5yx6BlMY+A+OFNIfpk
2NCHkLHKmBflGpNiiQIcBBABCgAGBQJTvUdSAAoJEO1n7NZdz2rnVCcP/3zh4y7M 0V0Ozhjko+K6eNfH5fpq88o9IkKcL1iU8yQjRFyiRUslb4rf7hCdupTybYyllZVp
rLnV536rB0tDOM+lsP3UYDmclWZmTENZ+r0ESM4YJzDjKO6ltXhh+MdYqDddY3vq o6jmz08LHUjbTwQdDvsDsQAVg0Ws9ma1JXlfcGFTatg2hG7R+mw2okLfg6Lsl1l2
LnsKTNYuMjKiu6jd0ETy4ThzHxVhcyrgl1yWxyaSsdi5gMOnwNVClHfOD5gaOF0j mU+g7sUdEAIDJAnK/wpQbxVXMruboq386SrssFzxG68tClQdK/VnX19C8WBN6Azk
dRJnLTLMueAEM3fyNzSUjBOHJpk+RcIV3r/u8LvPFV2qwLWa937vYwfLRJ9jaQur 9ymnf9+6X8dAghztdESUznt763yRuyhGk6Voprc6SXcqKxd2SxYHgW7pd1UCtj+M
5MnEVOWBz7CB0g1F06JAcLv16FyWiLCOBxXZJd974lKXHd2yEMkSlF3Of1qX5FI6 ghAazp0KlhqOFFlyOSMdQA+9j86oPaYFLCPRjA/RGgxW8Ucw/VyAHeCNoHfsD4Ml
FK3HQU+c6eJcrWc54++zvgWHZTM3SwY9g5rl57Wz9Vpi13Ev6ArIIIEQ9P1ViwK4 6IoRdNbMZ7V8oLVPEJw5RmytypedTLLbeUpX0JcLvNrd4Hbd08h9bMmcP0GxWBix
zyW78rFoM09juqHkN4uUCWuk0f57XCFkrDA/n6YCSfAxSYXc1I+MKpAm/6yBYiBN 6ZFUnHyvdK9AgvnOMpUNEC5Xcz8dsK1I6A7rwwTELRMUSX/ws8gxbyhUJjj6KqWJ
pyS3Jz5HGO2S0QGsPsBcUHGEmO6k/Z6boJLwaCAGx2dSQ84R4DQeFAd3NjBPab2x AhwEEAEKAAYFAlO9LQIACgkQA29snufznr8ZNA/+MBCWq4N5zvwfJLPrOw2nb6Zj
TNlitcOi+xnidCJZoDWQqx5dSLwLeORsw25ikOWroUS1hqfta2HDnnou4zuyppov WazUhnnkeKkhHmZR9cnt9MQ9RwxPnpCVwve03eJilik620VRFxdctWgQnvLS+QW7
0Q+50JGFJIril8svoUmLfuSk3XUrlxPHgL57Wp5K8NOIU4u/DStX4UaRuHQ+Uu9G EQ5sMysKb9zqkNa4aMJQCmQ/IXQRMhJ9eXImqEYrBSqVgL/pppmXk5xubGDqPQRd
V+c6rr3F46+MooqXISAw5cm/kDMwuOfQ4GOo8J/ADUfLQa6a/JnWFg3hb/rgt/lH b9+lq1/vQDr8u8nblXGRN5CzaIr0vvG13uVC4+rjKMqP3gubpKt+X9adagc66ZTH
JxjZliOZy8G08HyBddNfKCTBauqEyPYWTHzgiQIcBBABCgAGBQJTvUdkAAoJEJLI Pr7O8/DaXO2BT9jkYUf5lYNK2BS5D1XT1d7hZK5G/2dklbtNgSBVhHiaIxARGxTX
Q0VtpqZu/g0QAMXEq8sNraENb3zO8wisdE0UZXOGuQduXDSrwpe26L9mCR/usjeW 84h1GkPGe2XbZGfTiEtWdFrsuuMY4DkVlXE5UXuAMGSlQvAybBbPRpPYJ7D5ny4D
eGqbG9b6mP+fAwXxm/BovdkF3bWguo1GCzztEHy+aTB4voxI6lEnyDKB8GG3mlkV OOqXCmmnOOOcPblEMyi8XQgSiz8TFfyRwUazIIcmoXr8J6bLgTpPpXbAjaoxWngJ
jNAbDjVi/jCZfe6TbJ6xDhX7633ees1An8tvizMHRr+z8zQ3xF4MNjlxLzawPE7/ 1QJr92LU22dSXaK7qXhWuuSco0KJ+5dScFg+uz+zdMa59YMSfvbhlHh8BgLwxdyE
As5uHaT6Q3NhGTGyG1oGsVlO8pYp97p2E/d44m6IlY5XEzO2A2fIq+0N4dcy8omT a+RAiEigFvdjXy2Ljacr+q3v27egPhcWkgPhPD+2fiOBpeZd+3M8/vXImIqYrrMH
X8P4eUZFlUezRbbZtNP8Av77hESXO79gpmQir9fC5/qMBgJN+3iB9O+VcB0SeLm0 g7sXnLTpRJ4dd/1il7lG+vL+mc28Bo5FvMLp2r4QDfX1saqoBVtLSrZqQDhxc5jT
TvUWtSFULqEdDkKArLOgZf0HNnsu7/rb1tR9zqSYN8gsF3MvF0RNHUdbyEh189LZ sOVhj3xnSjs3PoOWakbdwkRFR4/7oszSbB832nZE6mLpvpEE2suLUoBh9EtxAIhx
TmapwSxcaoUYPcoOBfwo0MqMuEuyCkMWSD53BvsaSbcs2OWKYAp+oluM0TrnLup3 rBMuGGeDP58XSMmpJrCJAhwEEAEKAAYFAlO9R1IACgkQ7Wfs1l3PaudfGw/9HxYe
7O2G/EbxmMRHZVVyuX60pIQDXO4DjLo9tqbM6OUNCG+1tKEX7Bs9GIzUL2mxZ072 S7WfGMQup0z0zvYksPxQGVoAjAtK0PKGdO8trQY7p43SvZ4nX60byYoH49ko6823
qE8x1A+eidSzy5Tx2nE7DOurziiuv8G3JPFDtLkUVtPx9gqyyG3wmfThkMCl1jnu x5lxI7+SNS9MgEgu3t8C03UGGxamNDOf625VazgZWg9Cywzg3T0BhTPHyeLhvIAN
tYDjetpeC8LcI5S9mFE8BXBka7qEEY19GI/1LJcfMI8lMn16OITYv4/cwqWPMbjS jqf2XjOh/Yew+yNe+7D9vNhdy0pNDGCAPeezC0sZjerq6dh7AgKHJobwNK2KEUtx
Mg6JpWBCFdsxRmIWiggKodt6LfnuEciChejk8ewTf6/47z7aVhdBkYaOiQIcBBIB ciFdvBzoQ6p083dVbA0icb/rTZRM7Yt5egQz61NpeQTnU/mi0AJUffsBbRWqqHUb
CAAGBQJUGDc+AAoJEOqwPFi/3EePCM0QAKFrkt0wW+am/O8ZzIejSCY+htWilGAI GSViUxgusoqf9ggFG8tVLkb73mIqzeAwmGdp4U0Paz12Y5NfIrJ9NR9+v9dMv89U
a6REk5gv00k2dKPCWf5rNPAXeQRAX4qItmd35hz7czElm2EVbrylDD+F9uN8wbkC lIJt2rCK5dlCnwnvsy1jImfXbrYfySjn06U+2q+kE27LByjT8XwE4W9JPDmxLwKZ
MLdIe88caWfoj12lJACAd0NiBSwJPgrajvER92fr173I31cKT6hwXP6bgjU3J4HI TQQe/K6cpqh9LebEIV3YHQPNfz34ChhljsIpTw5i39WqGx+wvQL4Mvj5exyEE5Sh
Cc1h7h5j7g+/YSeHUacPSiY4MuXAQao6e2BtFI77LOwFvIFFdCEMdZDwoH+7lIF9 ODoeuobgXr36B6uQrg+zb3zi855Nd7ciqVg38Gf3ab2sbL08qSmobkLrDlfnwGC9
I+Krm7ojMF5fauaSK4e3kL029QugIFYlgb7HeDGLlonBSn40YXPenafAin0lNGWM 95ZMCQzhffatkco6bJhIJ1ElDDswZJHbg5pYo+aAq8xofwxBonH2hJoCAXXLXz3b
WVv3SKN7tweNkKEhMVoVReropjYpRg+khKaMumwJ9bdGkYP8jq7DwCKXy/J2rfCU 7KRUj2e0JXDLCSbE2DWV8y5UUzhWH2P4Ls6eCdtBuFi1sUb3TP3N+gyWff3PwpPb
zsyVX5Ga7keT8Ztny4RO6YqFtTryraiSPrxDZQ0Gt6kc1m3u+4vh93qJk+foUDRS IM/gDseSXDTGaZPq3wp24YPa1+Zpbj6jP1q21PKJAhwEEAEKAAYFAlO9R2QACgkQ
LWfWjmX9aRf+7+4zdsYBOrpt3tab6FqXrW7IcI+p8PCyBW4c/WHkU3YWreEba21B kshDRW2mpm4s1A/9FrNdO2TWaLGYt+6etJyCH/Ua1vpc9UNM/lIZv/wdV1jVr50M
XGiMDoxfhQ9OyvSHt6G8kgO9+k8sRY/78oGYxR4Aait8/Y54DmHkyZKSewu96So0 EKVQgAVsQBQEhwE7j81WVb26fggfKuLF0P+KMT8Kv8EwudIVTkSYcqfzI5zcG/p5
+TDmcbkeatatDhrasbjfQLWx8363tnQvmhWpw/bpWGmDQDLVTHn9OcXlckGU1fiU NNFsnwRiu7QKPkx1IgCirwkoXwtvFtqEEXD1lIilEQ8aXGcojdMS4clCt5JlHTv8
M7721g4s2UdijTMpyYWfsLTaxOujHyxkwkBBtGV3DCas5Ep2KPMfSOgf3YVtPQH9 Y+TnSy5MrYJfHMSyThVl6xJOfC3/Wb6Gt23I2R7f7DLxHRSx74oqCZPOlD2mFzzC
IaotJSw/A6FdiQI9BBMBCgAnBQJTvR7xAhsDBQkB4TOABQsJCAcDBRUKCQgLBRYD re6EcXMsnkdsTbVVEeAV3n6ixm5IO4ePDmj/NTmjQGr0MNjdNZc8P2WCopDY+Afk
AgEAAh4BAheAAAoJEDanwF/h7Pm7QvMQAKE3pM3e7LrDH6+xsdafxb/RxnVwUI6F Mbqh32COmMl29elelyTTwckO7ZX67szNbmWye2EOxbf1hUtEPhnBklBrD7TAG4YM
aoN3dIZRjIIh7Dyd6WypD43+f4c4AeIX+b78RuCuu+oZMMkHk4/Y4PIRv6jw1wuG PFX7zHh9iFgmdcPxm1QcJDnoWVwzLMubTRZEs3EFImNG8fXaB6DnErclZnxXoJ75
a67iHopFXy9KPYjEQOtLptZUAorqC62CzoVJxwbpIPw1AkKBag7FFKtiymQKbxSA eG8gB24ORqO5QpCha9MzNhq+KpCF9XXNc023mvEM1P6MyLCcC0N4JNk8x8a/M4/D
kEkCOTa64RF+FFDJzUqbRQPJMMhKR35lJ/W3TfNQQViF/nydDdNmSY+gYAPU8kqh 2xgHPlFRriWJU+saIRb+ycCFwwH0kMqMwCwoe8nAi8H1CtEL2zPokiASq/6OWx2S
x4K7K9al9DUwVa/PdL0l549BLOHzmFcEtw4FQOGMYt4Gkma5+6OIMJOuoM/ADAUz yURVTYAAuVwndC5eVbSP1nbqrSw0a3zkVWqFzgM7Je1mEpHlG7wvJzezBhGLah+7
7qdcWYYdsFl42HzC73u7MGLcfGkElcZKkH8sn2zuKsTTtTKD5rhLfIiu132vK7vq 1GjJyrcvSzBwygac6KRFuPY+65F1CJSjMnuZPomY0XzKeXH/X67OeJWd4SWJAhwE
oONdJLd7U1X2Bwif/ub1we7x4eGonZjhKajENpD3o/1Y072gLy8rlZ1r6/J+GQ9T EgEIAAYFAlQYNz4ACgkQ6rA8WL/cR48SlQ/+LansEu3Ku6MWbCvrDGu7wbYcFbJI
EwUBNV8NNOfDPv0pxTP6OCFPHEFA4toG0rRBm7OIxmQXFWmfxMT3NnwBqPCufWlO V5FntgLmIfVkiIY8+Lue6KdYS/oVpbp1bx/OvCYnLSJSmy0ozwJR1HXQ9nrpSfoD
m20JhaU/pefPCqHJVc8Ap+k6/bct3iNuAg1buggFVDWg89uBqF9vfdELiCDF3nRY 3J+P0y5hJYENDDOR3fBInb4c8t5pOxyFvnjkJicgkFpQBbJ+5/Kh4Hb67cM1B3ig
m4bQ6S1cWxvnu5aq9MZdt4Dc1WnTSNfY9/zjKJWmG3miv1D1eo3fSyVJNYVfVzQ2 e/lx4jvzUPonSH0xTPVs2BXbDemu5sP2jzJxpS9eoesAOoNmJQDXNuWbX0CZskgl
3KMOPwR/jdr47Gle8/5OM38zPhZ+vC+XD//Lq0/c8iMO39B4pwQ0Bb8FAhk/6Ug0 uB5RpcPyLCTKTaFEdJxV71ovN3YnhNc8hC30OP9WdbdMu9O0w8SWzVIz6lD3FgXc
cYbap+lPWkY+tDhGcmVlQlNEIENvcmUgVGVhbSBTZWNyZXRhcnkgPGNvcmUtc2Vj gHPkFZusy6TejeamwiKOz69+Ml2/vtBR7JPRSvR8nnFrvNbEKzkAykIUN0sZFbWP
cmV0YXJ5QGZyZWVic2Qub3JnPokCPQQTAQoAJwIbAwULCQgHAwUVCgkICwUWAwIB MViKkkEGENWTKUiOmvd6gghT9HFULp/l1NpbwZ5qymWXIlPwEp7nhH27+5/tA+Ai
AAIeAQIXgAUCV31L5QUJBaQDXwAKCRA2p8Bf4ez5u+H7EACNn3vNhH8AHcdd5SvL S5d0h1pniptt+0vG/IEmToDaBIz+wtip6ij7NHEqL6Uxn9nDwxRn8437ITVxxAkC
+BEv7wLnev+3SgC8infvEHWv6TqOZZ+m4WCeBgUe9pYgoQOvVaSvI3spKY6Of9ry TUYOoCFSzl/vMI9TrEEsV5eHP13psU8EZZnd3LuZloeAAsMapJ3bjSEiiSfDOodp
0By1do/ysqoWnG0yByDuMn42De7WD0dFPKfQCdwnVp2bNKrAF5qluKO/CLlqlcds ZkrmVZObMhVRRA9XVWfryy1xpWy5oV22cYe/8ky8CPUX1mUMNHBo/HQBNNdBsEjo
u0r+O1sG39rokKnAmflTR5CdG/J5LlIiIc1fkokpwW73XOReuDzhJmQais0s6ytI mW8NDy7a1MohgSzC17P96eSNfV0AsWW1XkU1qu0hYaIdZjGQZVGWH9C0BvQ2wFTj
gkBlXcN5TpQ1+of7wGQbTWcx+DlpybZSoPsGw7LH1ydJznIowNd9orer/foOYafs /m5mRalbMbQa06eJAj0EEwEKACcFAlO9LMcCGwMFCQHhM4AFCwkIBwMFFQoJCAsF
CjPa14H/kCf02H8mCMuy3awyj5zCQ/E7oZTLbBG4M8F/AUZ6yN6PZLbQoqdn+3KO FgMCAQACHgECF4AACgkQNqfAX+Hs+btkeA/+KO0G/4Rc91xUYgS7XLK/r+QktX2I
ll2AC2JfYR9JKEKkS9ViRNCd5Me4xSqX11yKwAZVFKgXHDX9SB/QINimbp5Qe/EH JFTdl6eNHTk7bfl6Nue/taEA7EujHDV0+10gBTk6xVvlyA/BgZ2OvmaUWM6J7TAi
CxbkwmwPWluXxsDyisx5Hee5g9bmVxZgPWCYUxW0iPW6yu3XptbnGHOvDnrG49kx Xduahh8xgbNmhQP0Tn4Xb6TpIZ4MbGBvPfiDlI0ukkTahvOSK6OniO2S4vLM5xIW
FCMbEZrz9gBda25qaQ8xdkhu2taq3eOYVLndO9cv1n9LLGDxM8+kxkGWiXyDMXBg XZR9YxFh4iYRLmzr3HnVktc0h6TmcDSKckFeXdjt/xIQDiUVoMvFZnoHkCxoNM6n
uEr+0ldDROw8nP1Z1en6vxXrd4emGSOWrBFNveB6ZhO2uJ2z2fhtsvrBfwPKECRm S6/TCn4PPzsDUJcrI67AOTEZ2TGQJupBDt/Nc2IPPkcHvh7bKcy/9XLuDO5OWgcN
m4gitI1j84c956tV6Y7HsIUNssES0mwXWbDWXz3f5drrvIRqsgr8mcH2yDj6ZG1W JmvJ0oYF06n4F/qcFtswQS/HONqeQ9yYeDnuykNShL8rGSRljuWY0faeCi7uPV9m
o/em1DWUU7I1ucjcuVCJPVnAu4kBHAQQAQIABgUCU701xQAKCRBNWP3NLKSXdmOG JfXLg9yIuvjc/f3FJRBmjJuCPDd46UjR/hgo+5NVmvSljIdmcZlTuQDC/IeIPgO2
CADEySzz4Q6wKsx/gLiAyhYNbEJbiv1MirxhjIYGP9MqNpxxI1+Q3kuj01K6ELIM k6jWrCqRuFy16XGd/LDsNv4ehtpMJ6wnpdVYgntGeKcXlveW8URKrOqZJMpu1s+L
uAhehoQOgU4AssJQxu7q78+hz2O7s+V0Syl+pvEOl2zUCgAmOYfle+BQ75ZEEiIN MheTJG2tLsBYVoOcwQDQbXl3zkv1lN3yxFnh172bvbeOL8rz/OKqmXzcwYc/abg1
Buh6SOXBVLhfNp90FZ55KUSW4EeyoT+A4nRGHRgCTEfZ5WHi3lGlaLQdZ9viLfNK YpDwGOLomSuAUw5GGWa92DSiCMBEP643CUgymShienbBygUotKBsRWaQhPmDB/2a
A/DxrLWww+joTPIEhc3eU1mgDrcmfxo/L95EmTyUa5BtE0WuLwQEaY8HJ3eBgA9Y qoU0B4F2zCli4Ce8cUWCUv2qb4J03dQ3O83OSeyE+1wnTC9PkI/Hg+PA8MjLvrgA
130ubuzzY4jGl4SCNedMzeIroHw2Bogd3V+E5aFtGd8gZUjXXr8rM6yXPpttP2Hc Kv9OPIsobv0fET+0K0NvcmUgU2VjcmV0YXJ5IDxjb3JlLXNlY3JldGFyeUBmcmVl
8Bie2YXI2NffqwVqpL0dxo3uiQIcBBABAgAGBQJTvTYRAAoJEMATMJ1tfkRccM4P YnNkLm9yZz6JAhwEEAEKAAYFAlO9H0EACgkQA29snufznr9AYBAA1/tCfcC9MHUK
/Rbg0W6l4KPFUvyKcUE6odRwoXExRGHdG9qW8Vf6xtW5eXUX/AZoCnXDf3yWWttx j2gK0qhtu0vE7H8UXDr+Od+6snFDZjXw33NM0nUoLMjylhtqeJxZAWpR8LXC7oWu
gzN1e8iNRh0aYfuNSFTuHcHut/xw6GZ1yqASbuDmGWQ6uTb0yHYQcwQ5ioaRaZZo dKU0ZC9bjrg2pwRESVsUTjWm+pf5Nvr905fTuYwFlgrzCAsNwcSOXiLs0e6vHUAo
5cpnSs0qZUpnrSzdUzyVmlKsD+1ut0/Z8yM8WGRyhplWX0dfXKnUUxJGyh4GQc2d Dauj/m61G98iqaE/FwfCE2I/Ud7gwPU2CTKvGZFa07hUz32aFd2b6mX/xfC4Umt2
Qon1vrsiuDTD2hr3EVues7le4WU+csegZTGPgPjhTSH6ZNFdDs4Y5KPiunjXx+X6 Di/fqkTCzq1gmA/ANzzr9euZ4lPoY4JEVER3BefqixK+9VifHg/K2j/FMbkWbixr
avPKPSJCnC9YlPMkI0RcokVLJW+K3+4QnbqU8m2MpZWVaaOo5s9PCx1I208EHQ77 tLhvGC+9LOnb8v547gmk4Ze6GIgaF8TAhK1rXJ/XgYpNrhrRB36Cq6aXjJ3UMHJs
A7EAFYNFrPZmtSV5X3BhU2rYNoRu0fpsNqJC34Oi7JdZdplPoO7FHRACAyQJyv8K 2hrTNzP+wk4FQt78IsrNKzki4aR90fSizVYSN2pDsk9y3diLNvsjD+PVh+8Oacz6
UG8VVzK7m6Kt/Okq7LBc8RuvLQpUHSv1Z19fQvFgTegM5Pcpp3/ful/HQIIc7XRE 23cQxTUMnW21j35cHqlm+2NIc0CloM99J6LOy2mguV7eS8QIEnIQivm7+EvvZ1gR
lM57e+t8kbsoRpOlaKa3Okl3KisXdksWB4Fu6XdVArY/jIIQGs6dCpYajhRZcjkj m0WJgWUdy9YiroqpYmUgms5ru8buvnzqqy2IbbvS0J5pU59lPmCso1wN/i9gSjEv
HUAPvY/OqD2mBSwj0YwP0RoMVvFHMP1cgB3gjaB37A+DJeiKEXTWzGe1fKC1TxCc 7Y0pwdUDSuiBFY8zBJZltYQBoiKUr/oBXNzzGZ59kkQcfEfs+mtw+wfcw+k7CZaN
OUZsrcqXnUyy23lKV9CXC7za3eB23dPIfWzJnD9BsVgYsemRVJx8r3SvQIL5zjKV +F4cEp8h8S7VSpYAP5xFCYT6MTPW9zoPNVR8DhzbuP38ZdP381CwFNqYLqtPdhRk
DRAuV3M/HbCtSOgO68MExC0TFEl/8LPIMW8oVCY4+iqliQIcBBABCgAGBQJTvS0C paUW6UILedxHB/1lMZKyJPmoK5XUQKeJAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsF
AAoJEANvbJ7n856/GTQP/jAQlquDec78HySz6zsNp2+mY1ms1IZ55HipIR5mUfXJ FgMCAQACHgECF4AWIQTAe/XjEK5kv2EgsPY2p8Bf4ez5uwUCWWD88wUJB4URggAK
7fTEPUcMT56QlcL3tN3iYpYpOttFURcXXLVoEJ7y0vkFuxEObDMrCm/c6pDWuGjC CRA2p8Bf4ez5uwziEACfqvM+99JXOoqnx2NzZ+BMfTgNBjYPwwobtCiqVOlkdHum
UApkPyF0ETISfXlyJqhGKwUqlYC/6aaZl5Ocbmxg6j0EXW/fpatf70A6/LvJ25Vx xWO7/BW+Wjfufjxv7ZX4gfdf3lD9zOBv+Ev7zyh68N+O8v+aoOpGaXXlQ1ORhYBY
kTeQs2iK9L7xtd7lQuPq4yjKj94Lm6Srfl/WnWoHOumUxz6+zvPw2lztgU/Y5GFH xtCdhB8TVioGh4ztsPQ+8yV4pIGiBfMMqpPS7mGoZGNcNwRDyu+XM3a4qAyyOLR7
+ZWDStgUuQ9V09Xe4WSuRv9nZJW7TYEgVYR4miMQERsU1/OIdRpDxntl22Rn04hL KctM00WVSfL1UAettQQl/PLPs2+niQWET/7mm8rlAxtnCJSps+c/s9aWSms9mniO
VnRa7LrjGOA5FZVxOVF7gDBkpULwMmwWz0aT2Cew+Z8uAzjqlwpppzjjnD25RDMo hns6g0yv06G1xHS9gziVCl8JeglYH+KYlrHl6q0KkoJ1O0S7NFQO2j3usX238bb5
vF0IEos/ExX8kcFGsyCHJqF6/Cemy4E6T6V2wI2qMVp4CdUCa/di1NtnUl2iu6l4 6h2S6q5l32u7fglp0ufH6vRQIqRbchq7ExfD2QdpW5ra1fdqdhJ/5bFBBNP2Joz3
VrrknKNCifuXUnBYPrs/s3TGufWDEn724ZR4fAYC8MXchGvkQIhIoBb3Y18ti42n O3k/WIwcvAt5OxX2R2ltvqar2rUhEn1/PngjAvW288nwNOuhuyLja9PI+XqRFAkI
K/qt79u3oD4XFpID4Tw/tn4jgaXmXftzPP71yJiKmK6zB4O7F5y06USeHXf9Ype5 VnEDnZogfs3tP1g25S7Kltnj1PLE+utyKHksCeLR0g6PhExESwKCp9iII8eoHcxX
Rvry/pnNvAaORbzC6dq+EA319bGqqAVbS0q2akA4cXOY07DlYY98Z0o7Nz6DlmpG vZum4J8pkSYvrQhvbf7Ecy1GlZ6RNSOMw1SE+Aq0QPi40g6wRS4WpnckmxyGcxbN
3cJERUeP+6LM0mwfN9p2ROpi6b6RBNrLi1KAYfRLcQCIcawTLhhngz+fF0jJqSaw c/2MUH49owyCo5Zkf69gu2sDpXLJ1V4teeGxPB6VAR9fiNrOXtRA7ACbxqlsz1Qr
iQIcBBABCgAGBQJTvUdSAAoJEO1n7NZdz2rnXxsP/R8WHku1nxjELqdM9M72JLD8 KcxLHDUwCpHOirn1E5aMSJOyMxNfCVYRsiHO5nDyGHehsEXWi0uf0Wvkvk3u4YkC
UBlaAIwLStDyhnTvLa0GO6eN0r2eJ1+tG8mKB+PZKOvNt8eZcSO/kjUvTIBILt7f HAQQAQoABgUCU71HUgAKCRDtZ+zWXc9q51QnD/984eMuzKy51ed+qwdLQzjPpbD9
AtN1BhsWpjQzn+tuVWs4GVoPQssM4N09AYUzx8ni4byADY6n9l4zof2HsPsjXvuw 1GA5nJVmZkxDWfq9BEjOGCcw4yjupbV4YfjHWKg3XWN76i57CkzWLjIyoruo3dBE
/bzYXctKTQxggD3nswtLGY3q6unYewIChyaG8DStihFLcXIhXbwc6EOqdPN3VWwN 8uE4cx8VYXMq4JdclscmkrHYuYDDp8DVQpR3zg+YGjhdI3USZy0yzLngBDN38jc0
InG/602UTO2LeXoEM+tTaXkE51P5otACVH37AW0Vqqh1GxklYlMYLrKKn/YIBRvL lIwThyaZPkXCFd6/7vC7zxVdqsC1mvd+72MHy0SfY2kLq+TJxFTlgc+wgdINRdOi
VS5G+95iKs3gMJhnaeFND2s9dmOTXyKyfTUffr/XTL/PVJSCbdqwiuXZQp8J77Mt QHC79ehcloiwjgcV2SXfe+JSlx3dshDJEpRdzn9al+RSOhStx0FPnOniXK1nOePv
YyJn1262H8ko59OlPtqvpBNuywco0/F8BOFvSTw5sS8CmU0EHvyunKaofS3mxCFd s74Fh2UzN0sGPYOa5ee1s/VaYtdxL+gKyCCBEPT9VYsCuM8lu/KxaDNPY7qh5DeL
2B0DzX89+AoYZY7CKU8OYt/VqhsfsL0C+DL4+XschBOUoTg6HrqG4F69+gerkK4P lAlrpNH+e1whZKwwP5+mAknwMUmF3NSPjCqQJv+sgWIgTacktyc+RxjtktEBrD7A
s2984vOeTXe3IqlYN/Bn92m9rGy9PKkpqG5C6w5X58BgvfeWTAkM4X32rZHKOmyY XFBxhJjupP2em6CS8GggBsdnUkPOEeA0HhQHdzYwT2m9sUzZYrXDovsZ4nQiWaA1
SCdRJQw7MGSR24OaWKPmgKvMaH8MQaJx9oSaAgF1y1892+ykVI9ntCVwywkmxNg1 kKseXUi8C3jkbMNuYpDlq6FEtYan7Wthw556LuM7sqaaL9EPudCRhSSK4pfLL6FJ
lfMuVFM4Vh9j+C7OngnbQbhYtbFG90z9zfoMln39z8KT2yDP4A7Hklw0xmmT6t8K i37kpN11K5cTx4C+e1qeSvDTiFOLvw0rV+FGkbh0PlLvRlfnOq69xeOvjKKKlyEg
duGD2tfmaW4+oz9attTyiQIcBBABCgAGBQJTvUdkAAoJEJLIQ0VtpqZuLNQP/Raz MOXJv5AzMLjn0OBjqPCfwA1Hy0GumvyZ1hYN4W/64Lf5RycY2ZYjmcvBtPB8gXXT
XTtk1mixmLfunrScgh/1Gtb6XPVDTP5SGb/8HVdY1a+dDBClUIAFbEAUBIcBO4/N XygkwWrqhMj2Fkx84IkCHAQQAQoABgUCU71HZAAKCRCSyENFbaambv4NEADFxKvL
VlW9un4IHyrixdD/ijE/Cr/BMLnSFU5EmHKn8yOc3Bv6eTTRbJ8EYru0Cj5MdSIA Da2hDW98zvMIrHRNFGVzhrkHblw0q8KXtui/Zgkf7rI3lnhqmxvW+pj/nwMF8Zvw
oq8JKF8LbxbahBFw9ZSIpREPGlxnKI3TEuHJQreSZR07/GPk50suTK2CXxzEsk4V aL3ZBd21oLqNRgs87RB8vmkweL6MSOpRJ8gygfBht5pZFYzQGw41Yv4wmX3uk2ye
ZesSTnwt/1m+hrdtyNke3+wy8R0Use+KKgmTzpQ9phc8wq3uhHFzLJ5HbE21VRHg sQ4V++t93nrNQJ/Lb4szB0a/s/M0N8ReDDY5cS82sDxO/wLObh2k+kNzYRkxshta
Fd5+osZuSDuHjw5o/zU5o0Bq9DDY3TWXPD9lgqKQ2PgH5DG6od9gjpjJdvXpXpck BrFZTvKWKfe6dhP3eOJuiJWOVxMztgNnyKvtDeHXMvKJk1/D+HlGRZVHs0W22bTT
08HJDu2V+u7MzW5lsnthDsW39YVLRD4ZwZJQaw+0wBuGDDxV+8x4fYhYJnXD8ZtU /AL++4RElzu/YKZkIq/Xwuf6jAYCTft4gfTvlXAdEni5tE71FrUhVC6hHQ5CgKyz
HCQ56FlcMyzLm00WRLNxBSJjRvH12geg5xK3JWZ8V6Ce+XhvIAduDkajuUKQoWvT oGX9BzZ7Lu/629bUfc6kmDfILBdzLxdETR1HW8hIdfPS2U5mqcEsXGqFGD3KDgX8
MzYaviqQhfV1zXNNt5rxDNT+jMiwnAtDeCTZPMfGvzOPw9sYBz5RUa4liVPrGiEW KNDKjLhLsgpDFkg+dwb7Gkm3LNjlimAKfqJbjNE65y7qd+zthvxG8ZjER2VVcrl+
/snAhcMB9JDKjMAsKHvJwIvB9QrRC9sz6JIgEqv+jlsdkslEVU2AALlcJ3QuXlW0 tKSEA1zuA4y6PbamzOjlDQhvtbShF+wbPRiM1C9psWdO9qhPMdQPnonUs8uU8dpx
j9Z26q0sNGt85FVqhc4DOyXtZhKR5Ru8Lyc3swYRi2ofu9Roycq3L0swcMoGnOik Owzrq84orr/BtyTxQ7S5FFbT8fYKssht8Jn04ZDApdY57rWA43raXgvC3COUvZhR
Rbj2PuuRdQiUozJ7mT6JmNF8ynlx/1+uzniVneEliQIcBBIBCAAGBQJUGDc+AAoJ PAVwZGu6hBGNfRiP9SyXHzCPJTJ9ejiE2L+P3MKljzG40jIOiaVgQhXbMUZiFooI
EOqwPFi/3EePEpUP/i2p7BLtyrujFmwr6wxru8G2HBWySFeRZ7YC5iH1ZIiGPPi7 CqHbei357hHIgoXo5PHsE3+v+O8+2lYXQZGGjokCHAQSAQgABgUCVBg3PgAKCRDq
nuinWEv6FaW6dW8fzrwmJy0iUpstKM8CUdR10PZ66Un6A9yfj9MuYSWBDQwzkd3w sDxYv9xHjwjNEACha5LdMFvmpvzvGcyHo0gmPobVopRgCGukRJOYL9NJNnSjwln+
SJ2+HPLeaTschb545CYnIJBaUAWyfufyoeB2+u3DNQd4oHv5ceI781D6J0h9MUz1 azTwF3kEQF+KiLZnd+Yc+3MxJZthFW68pQw/hfbjfMG5AjC3SHvPHGln6I9dpSQA
bNgV2w3prubD9o8ycaUvXqHrADqDZiUA1zblm19AmbJIJbgeUaXD8iwkyk2hRHSc gHdDYgUsCT4K2o7xEfdn69e9yN9XCk+ocFz+m4I1NyeByAnNYe4eY+4Pv2Enh1Gn
Ve9aLzd2J4TXPIQt9Dj/VnW3TLvTtMPEls1SM+pQ9xYF3IBz5BWbrMuk3o3mpsIi D0omODLlwEGqOntgbRSO+yzsBbyBRXQhDHWQ8KB/u5SBfSPiq5u6IzBeX2rmkiuH
js+vfjJdv77QUeyT0Ur0fJ5xa7zWxCs5AMpCFDdLGRW1jzFYipJBBhDVkylIjpr3 t5C9NvULoCBWJYG+x3gxi5aJwUp+NGFz3p2nwIp9JTRljFlb90ije7cHjZChITFa
eoIIU/RxVC6f5dTaW8GeaspllyJT8BKe54R9u/uf7QPgIkuXdIdaZ4qbbftLxvyB FUXq6KY2KUYPpISmjLpsCfW3RpGD/I6uw8Ail8vydq3wlM7MlV+Rmu5Hk/GbZ8uE
Jk6A2gSM/sLYqeoo+zRxKi+lMZ/Zw8MUZ/ON+yE1ccQJAk1GDqAhUs5f7zCPU6xB TumKhbU68q2okj68Q2UNBrepHNZt7vuL4fd6iZPn6FA0Ui1n1o5l/WkX/u/uM3bG
LFeXhz9d6bFPBGWZ3dy7mZaHgALDGqSd240hIoknwzqHaWZK5lWTmzIVUUQPV1Vn ATq6bd7Wm+hal61uyHCPqfDwsgVuHP1h5FN2Fq3hG2ttQVxojA6MX4UPTsr0h7eh
68stcaVsuaFdtnGHv/JMvAj1F9ZlDDRwaPx0ATTXQbBI6JlvDQ8u2tTKIYEswtez vJIDvfpPLEWP+/KBmMUeAGorfP2OeA5h5MmSknsLvekqNPkw5nG5HmrWrQ4a2rG4
/enkjX1dALFltV5FNartIWGiHWYxkGVRlh/QtAb0NsBU4/5uZkWpWzG0GtOniQI9 30C1sfN+t7Z0L5oVqcP26Vhpg0Ay1Ux5/TnF5XJBlNX4lDO+9tYOLNlHYo0zKcmF
BBMBCgAnBQJTvSzHAhsDBQkB4TOABQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAAAoJ n7C02sTrox8sZMJAQbRldwwmrORKdijzH0joH92FbT0B/SGqLSUsPwOhXYkCPQQT
EDanwF/h7Pm7ZHgP/ijtBv+EXPdcVGIEu1yyv6/kJLV9iCRU3ZenjR05O235ejbn AQoAJwUCU70e8QIbAwUJAeEzgAULCQgHAwUVCgkICwUWAwIBAAIeAQIXgAAKCRA2
v7WhAOxLoxw1dPtdIAU5OsVb5cgPwYGdjr5mlFjOie0wIl3bmoYfMYGzZoUD9E5+ p8Bf4ez5u0LzEAChN6TN3uy6wx+vsbHWn8W/0cZ1cFCOhWqDd3SGUYyCIew8nels
F2+k6SGeDGxgbz34g5SNLpJE2obzkiujp4jtkuLyzOcSFl2UfWMRYeImES5s69x5 qQ+N/n+HOAHiF/m+/EbgrrvqGTDJB5OP2ODyEb+o8NcLhmuu4h6KRV8vSj2IxEDr
1ZLXNIek5nA0inJBXl3Y7f8SEA4lFaDLxWZ6B5AsaDTOp0uv0wp+Dz87A1CXKyOu S6bWVAKK6gutgs6FSccG6SD8NQJCgWoOxRSrYspkCm8UgJBJAjk2uuERfhRQyc1K
wDkxGdkxkCbqQQ7fzXNiDz5HB74e2ynMv/Vy7gzuTloHDSZrydKGBdOp+Bf6nBbb m0UDyTDISkd+ZSf1t03zUEFYhf58nQ3TZkmPoGAD1PJKoceCuyvWpfQ1MFWvz3S9
MEEvxzjankPcmHg57spDUoS/KxkkZY7lmNH2ngou7j1fZiX1y4PciLr43P39xSUQ JeePQSzh85hXBLcOBUDhjGLeBpJmufujiDCTrqDPwAwFM+6nXFmGHbBZeNh8wu97
Zoybgjw3eOlI0f4YKPuTVZr0pYyHZnGZU7kAwvyHiD4DtpOo1qwqkbhctelxnfyw uzBi3HxpBJXGSpB/LJ9s7irE07Uyg+a4S3yIrtd9ryu76qDjXSS3e1NV9gcIn/7m
7Db+HobaTCesJ6XVWIJ7RninF5b3lvFESqzqmSTKbtbPizIXkyRtrS7AWFaDnMEA 9cHu8eHhqJ2Y4SmoxDaQ96P9WNO9oC8vK5Wda+vyfhkPUxMFATVfDTTnwz79KcUz
0G15d85L9ZTd8sRZ4de9m723ji/K8/ziqpl83MGHP2m4NWKQ8Bji6JkrgFMORhlm +jghTxxBQOLaBtK0QZuziMZkFxVpn8TE9zZ8Aajwrn1pTpttCYWlP6XnzwqhyVXP
vdg0ogjARD+uNwlIMpkoYnp2wcoFKLSgbEVmkIT5gwf9mqqFNAeBdswpYuAnvHFF AKfpOv23Ld4jbgINW7oIBVQ1oPPbgahfb33RC4ggxd50WJuG0OktXFsb57uWqvTG
glL9qm+CdN3UNzvNzknshPtcJ0wvT5CPx4PjwPDIy764ACr/TjyLKG79HxE/uQIN XbeA3NVp00jX2Pf84yiVpht5or9Q9XqN30slSTWFX1c0NtyjDj8Ef43a+OxpXvP+
BFO9HvEBEACynbl7EgcRIGWP7O6h1O6mrYXNZ2JpJBgYosqizdDHyru2nQSrNfgi TjN/Mz4Wfrwvlw//y6tP3PIjDt/QeKcENAW/BQIZP+lINHGG2qfpT1pGPrkCDQRT
wAM1feB2NLJC0coQzRO1sDK2JP770+eK3ZhbWSP5BWN2toSFVEGlVpGWLBGoefae vR7xARAAsp25exIHESBlj+zuodTupq2FzWdiaSQYGKLKos3Qx8q7tp0EqzX4IsAD
ZnZA22IDzpOIjIi7iC92JBsTXESsBoV8iG1rylQ15pcE03IQEuuDu9r7H8RJ3vTf NX3gdjSyQtHKEM0TtbAytiT++9Pnit2YW1kj+QVjdraEhVRBpVaRliwRqHn2nmZ2
X1c+a+B8MUHn56kn3QkdG2blV0/3gjFqqavZeOxZpAmyn9n9Vc3yCCPkagtNQwle QNtiA86TiIyIu4gvdiQbE1xErAaFfIhta8pUNeaXBNNyEBLrg7va+x/ESd70319X
NyZOSOLjjVpBjncE6dATdLOj85phfOU6eO/0bMXAgTr7mY41EIqYqdPQYrY93ySG PmvgfDFB5+epJ90JHRtm5VdP94Ixaqmr2XjsWaQJsp/Z/VXN8ggj5GoLTUMJXjcm
gBvBkyNaH5AlDNZZwJ4ddtDMFoP8nUhBoRrf5ApYyHcEmSXahLfW3a2qrPm/w5VL Tkji441aQY53BOnQE3Szo/OaYXzlOnjv9GzFwIE6+5mONRCKmKnT0GK2Pd8khoAb
EGLt53/6GZvEetpP+TtBLAxX6XaC2SXAOrzfSZENdYt/Ew6F/dTCZ622m0eW65iV wZMjWh+QJQzWWcCeHXbQzBaD/J1IQaEa3+QKWMh3BJkl2oS31t2tqqz5v8OVSxBi
wSi1sNZD2hNFPs/12a2tem7DAWqD2bi8BltKRbO+8T7BARwIl5hXGq5+YnO+DgTI 7ed/+hmbxHraT/k7QSwMV+l2gtklwDq830mRDXWLfxMOhf3UwmettptHluuYlcEo
f4SYkSt8aiPYwDAF3YSkzpiUmZoBSRt6Sb9sZ3zIxpfnrtLFmSeujzinyCVNzFdn tbDWQ9oTRT7P9dmtrXpuwwFqg9m4vAZbSkWzvvE+wQEcCJeYVxqufmJzvg4EyH+E
+HKxZvI9Mc3Tv/LqPruVuWHt1Aj+eygH5bRZw4PTsMNX1FxM/K8hRY91A6Fyp3GC mJErfGoj2MAwBd2EpM6YlJmaAUkbekm/bGd8yMaX567SxZknro84p8glTcxXZ/hy
kb5RzqdEGuSONBseaZirC0d+EYZ4smy1jydpzwT1O8VjY4wi5BdgwQARAQABiQIl sWbyPTHN07/y6j67lblh7dQI/nsoB+W0WcOD07DDV9RcTPyvIUWPdQOhcqdxgpG+
BBgBCgAPAhsMBQJXfUwZBQkFpAOoAAoJEDanwF/h7Pm7BkAP/0WGa2wtgiRontjT Uc6nRBrkjjQbHmmYqwtHfhGGeLJstY8nac8E9TvFY2OMIuQXYMEAEQEAAYkCPAQY
ekeg8wntDfo+8KNI7niFk7Opv2aT1wCXo0uVbHAhK0dJIUtADGep2gtNcStJsn+J AQoAJgIbDBYhBMB79eMQrmS/YSCw9janwF/h7Pm7BQJZYP0lBQkHhRG0AAoJEDan
FRR4uQpYJzB9vMzTI6p4h4FOuiFHQIiJ5Y0fb9iOWkuE3kZviTUs6VTVU2SgqymY wF/h7Pm76ngP/0s33IzGYS/8kylJquBiIdURLj4r7DMNbHWmlc2i7KLYmkHIMtlr
WktL7RcfwMw185T6aK0j/oeksoRyZP1wjmMOtD2SqSsIBMveOcZ+AjUzMW0bCa/7 jstme0Hhh4F9SlVue+pyTf9+TeO5DfqY0xHk0Cevu/JQY40/BWTbrG7fNAF5cOpL
6dr+Um7YCSnwGyOQmFUViSU2mLfUD9PSUdtKo4UllEcBDgGyn9zL6Fc1P2Bh07cE RfijilDRqS9I6+FATt7qsONi3ZTwKkxYoPPRJR5v0XF7P1gapaOPJ3tXY/6kbChr
0lWGwCSbk8FYIbxl1AqwX2AzCzA2x/lnybthEUrVUWavrkKyKQ/9I5E8Vevuq4Rp RgHvk4QAfskp/BNYCfaCZjYtdhuMvsBxMONQUoZkiJ6g4R16WdajTr2z7zmtjF1K
tlGOxILKHtaSBq8+tTGZNBQMJT9eAMGtuVGZLsYt4aGfeUDRrzVtB5cBFZXv+zCz XGQMM/t9NYbgraeW+N6aw1GOAyZhPw6Y/sSsEXVcE+rwTFyHkw45j1BYDYb4Vm5m
TT999xSUMaz9OwaEnjXIbcNsJ1EUCWqhNpNqRyMJfgvruDx63VDxmfDb0+F/KX4p zHLwS0MZohJLhmAXrIJW5irHyW/I7seVcU1l7KtSP64JoMnmIRfhQZnCQBafLWGt
bN8tZe/addztjtljUriKtFTKaVZfwxP9ejg28glyz3kpPdgKlU/q3AIcIxtPf3C9 NWRcP+kbAIwNpod2Lw0+JKAOl9sa7XZohwWZvvIVoIj+qdyBuz2+IsL4341p7ikq
Yi4A3p4fV/YCPnc0K+mPfO1XJtCz5768YsQPDgx9t9M2LLNr1bwDo0ZRP3CVJDbt 4t3Mr6C60MBzqi5Cx4mQikyxAsMPZ7hEtX1Y88+sqYGRcFPtlZfYFaUKTKmw+vZe
9AeJZ6wV/buO+KLjULTvJCWLGuTwDIe7VAaLxjpmGFhmEKEHNOfUOwEaBDwJRlp0 WJgx3WxGJeRpWMeaz3rnWL/JRK0spqGEboWAPQzz2TLy2pOM/RaEnMWykLa8Mvbx
7Z/bTdSjOhRZ4gMvywjeXhqLVTZq w3U+Uo+bLIVd6lf4PtsTbU3NmDebPM8r0yBf7kMY4HtHjDlqvcrcMTF82R2zLZDr
=CJCx fF+R3IdOYqfk6hdiQBLK7Xgu/g0sH5IFtx+sUAr+1zksT+ODXkZB1wul
=+zKf
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----
]]></programlisting> ]]></programlisting>
</sect2> </sect2>
<sect2 xml:id="pgpkey-portmgr-secretary"> <sect2 xml:id="pgpkey-portmgr-secretary">
<title xml:lang="en">Ports Management Team Secretary <email>portmgr-secretary@FreeBSD.org</email></title> <title>Ports Management Team Secretary <email>portmgr-secretary@FreeBSD.org</email></title>
<!-- $FreeBSD$ --> <!-- $FreeBSD$ -->
<!-- <!--
sh addkey.sh portmgr-secretary D8294EC3BBC4D7D5 ; sh addkey.sh portmgr-secretary D8294EC3BBC4D7D5 ;
--> -->
<programlisting role="pgpfingerprint" xml:lang="en"><![CDATA[ <programlisting role="pgpfingerprint"><![CDATA[
pub rsa2048/D8294EC3BBC4D7D5 2012-07-24 [SC] pub rsa2048/D8294EC3BBC4D7D5 2012-07-24 [SC]
Key fingerprint = FB37 45C8 6F15 E8ED AC81 32FC D829 4EC3 BBC4 D7D5 Key fingerprint = FB37 45C8 6F15 E8ED AC81 32FC D829 4EC3 BBC4 D7D5
uid FreeBSD Ports Management Team Secretary <portmgr-secretary@FreeBSD.org> uid FreeBSD Ports Management Team Secretary <portmgr-secretary@FreeBSD.org>
sub rsa2048/5CC117965F65CFE7 2012-07-24 [E] sub rsa2048/5CC117965F65CFE7 2012-07-24 [E]
]]></programlisting> ]]></programlisting>
<programlisting role="pgpkey" xml:lang="en"><![CDATA[ <programlisting role="pgpkey"><![CDATA[
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFAOzqYBCACYd+KGv0/DduIRpSEKWZG2yfDILStzWfdaQMD+8zdWihB0x7dd mQENBFAOzqYBCACYd+KGv0/DduIRpSEKWZG2yfDILStzWfdaQMD+8zdWihB0x7dd
JDBUpV0o0Ixzt9mvu5CHybx+9lOHeFRhZshFXc+bIJOPyi+JrSs100o7Lo6jg6+c JDBUpV0o0Ixzt9mvu5CHybx+9lOHeFRhZshFXc+bIJOPyi+JrSs100o7Lo6jg6+c
Si2vME0ixG4x9YjCi8DisXIGJ1kZiDXhmVWwCvL+vLInpeXrtJnK8yFkmszCOr4Y Si2vME0ixG4x9YjCi8DisXIGJ1kZiDXhmVWwCvL+vLInpeXrtJnK8yFkmszCOr4Y
Q3GXuvdU0BF2tL/Wo/eCbSf+3U9syopVS2L2wKcP76bbYU0ioO35Y503rJEK6R5G Q3GXuvdU0BF2tL/Wo/eCbSf+3U9syopVS2L2wKcP76bbYU0ioO35Y503rJEK6R5G
TchwYvYjSXuhv4ec7N1/j3thrMC9GNpoqjVninTynOk2kn+YZuMpO3c6b/pfoNcq TchwYvYjSXuhv4ec7N1/j3thrMC9GNpoqjVninTynOk2kn+YZuMpO3c6b/pfoNcq
MxoizGlTu8VT4OO/SF1y52OkKjpAsENbFaNTABEBAAG0R0ZyZWVCU0QgUG9ydHMg MxoizGlTu8VT4OO/SF1y52OkKjpAsENbFaNTABEBAAG0R0ZyZWVCU0QgUG9ydHMg
▲ Show 20 LinesShow All 2,080 LinesShow Last 20 Lines