Published: 06.08.2012 | Access: free | Students: 1327 / 46 | Rating: 5.00 / 5.00 | Duration: 53:41:00
Lecture 30:

FreeBSD configuration file

Continuing in /etc/defaults/rc.conf,

nisdomainname="NO"    # Set to NIS domain if using NIS (or NO).

If you're using Sun's NIS, set this. We don't discuss NIS in this book.

dhcp_program="/sbin/dhclient"  # Path to dhcp client program.
dhcp_flags=""                  # Additional flags to pass to dhcp client.

The settings for the DHCP client, dhclient. Normally you won't need to change them. We talked about DHCP on page 302.

firewall_enable="NO"                # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
firewall_type="UNKNOWN"             # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"                 # Set to YES to suppress rule display
firewall_logging="NO"               # Set to YES to enable events logging

Parameters for the ipfw firewall. See page 389, where we set the following flags in the /etc/rc.conf for gw:

firewall_enable="YES"   # Set to YES to enable firewall functionality
firewall_type="client"  # Firewall type (see /etc/rc.firewall)

You don't normally run firewalls on laptops, though there's no technical reason why not. The problem with firewalls on laptops is that the configuration files are dependent on where the system is located, which makes it a pain for systems that frequently change locations. As a result, we won't add any firewall parameters to the /etc/rc.conf for andante.

ip_portrange_first="NO"  # Set first dynamically allocated port
ip_portrange_last="NO"   # Set last dynamically allocated port

These values are used to set the numbers of ports that are dynamically allocated. Normally they won't need changing.

ipsec_enable="NO"             # Set to YES to run setkey on ipsec_file
ipsec_file="/etc/ipsec.conf"  # Name of config file for setkey

Parameters for IPSec. We don't discuss IPSec in this book.

natd_program="/sbin/natd"  # path to natd, if you want a different one.
natd_enable="NO"           # Enable natd (if firewall_enable == YES).
natd_interface=""          # Public interface or IPaddress to use.
natd_flags=""              # Additional flags for natd.

Parameters for natd. See page 395 for more details. In the example there, we'll add these lines to gw's /etc/rc.conf:

gateway_enable="YES"           # Set to YES if this host is a gateway.
firewall_script="/etc/rc.nat"  # script for NAT only
firewall_type="client"         # firewall type if running a firewall
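As an added example (not from the book) of how the startup scripts combine /etc/defaults/rc.conf with the overrides in /etc/rc.conf, and of checking the dependency noted in the natd_enable comment above, the sh script below sources constructed versions of both files, prints effective values and flags natd_enable="YES" without firewall_enable="YES". The file paths, the sample contents and the ed0 interface are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: load /etc/defaults/rc.conf and then
# /etc/rc.conf in the order the startup scripts do, print the effective
# value of a variable, and flag natd_enable=YES without firewall_enable=YES
# (the defaults file says natd is enabled only "if firewall_enable == YES").
# File paths below are assumptions; override them via the environment.
DEFAULTS_FILE="${DEFAULTS_FILE:-$(mktemp)}"
RC_FILE="${RC_FILE:-$(mktemp)}"

# Constructed excerpt of /etc/defaults/rc.conf, values as quoted in the text.
cat > "$DEFAULTS_FILE" <<'EOF'
firewall_enable="NO"
firewall_script="/etc/rc.firewall"
firewall_type="UNKNOWN"
natd_enable="NO"
natd_interface=""
gateway_enable="NO"
EOF

# Constructed /etc/rc.conf for a NAT gateway that turns natd on but forgets
# firewall_enable, which the defaults file says natd depends on.
cat > "$RC_FILE" <<'EOF'
gateway_enable="YES"
firewall_script="/etc/rc.nat"
firewall_type="client"
natd_enable="YES"
natd_interface="ed0"
EOF

# rc_effective VAR: print VAR's value after both files are sourced.
# A subshell keeps the sourced variables out of the caller's environment.
rc_effective() {
    ( . "$DEFAULTS_FILE"; . "$RC_FILE"; eval "printf '%s\n' \"\$$1\"" )
}

# check_natd: return 0 if the natd settings are consistent, 1 if natd is
# requested but the firewall (and with it natd) will not be enabled.
check_natd() {
    if [ "$(rc_effective natd_enable)" = "YES" ] &&
       [ "$(rc_effective firewall_enable)" != "YES" ]; then
        echo "natd_enable=YES but firewall_enable=$(rc_effective firewall_enable):" \
             "natd will not be started" >&2
        return 1
    fi
    return 0
}

check_natd || echo "fix: add firewall_enable=\"YES\" to $RC_FILE"
```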

Continuing with /etc/defaults/rc.conf,

ipfilter_enable="NO"             # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"     # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules"  # rules definition file for ipfilter, see
                                 # /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags=""                # additional flags for ipfilter
ipnat_enable="NO"                # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"      # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"   # rules definition file for ipnat
ipnat_flags=""                   # additional flags for ipnat
ipmon_enable="NO"                # Set to YES for ipfilter log
ipmon_program="/sbin/ipmon"      # where the ipfilter monitor program lives
ipmon_flags="-Ds"                # typically "-Ds" or "-D /var/log/ipflog"
ipfs_enable="NO"                 # Set to YES to enable saving and restoring
                                 # of state tables at shutdown and boot
ipfs_program="/sbin/ipfs"        # where the ipfs program lives
ipfs_flags=""                    # additional flags for ipfs

These entries define defaults for ipfilter, another firewall package, ipnat, another NAT package, ipmon, an IP monitor package, and ipfs, a utility for saving the state tables of ipfilter and ipnat. We don't discuss any of them in this book.

tcp_extensions="NO"      # Disallow RFC1323 extensions (or YES).
log_in_vain="0"          # >=1 to log connects to ports w/o listeners.
tcp_keepalive="YES"      # Enable stale TCP connection timeout (or NO).
# For the following option you need to have TCP_DROP_SYNFIN set in your
# kernel. Please refer to LINT and NOTES for details.
tcp_drop_synfin="NO"     # Set to YES to drop TCP packets with SYN+FIN
                         # NOTE: this violates the TCP specification
icmp_drop_redirect="NO"  # Set to YES to ignore ICMP REDIRECT packets
icmp_log_redirect="NO"   # Set to YES to log ICMP REDIRECT packets

These are some of the more obscure IP configuration variables. You can find more about them in tcp(4) and icmp(4).

network_interfaces="auto"            # List of network interfaces (or "auto").
cloned_interfaces=""                 # List of cloned network interfaces to create.
# cloned_interfaces="gif0 gif1 gif2 gif3"  # Pre-cloning GENERIC config.
ifconfig_lo0="inet"                  # default loopback device configuration.
# ifconfig_lo0_alias0="inet netmask 0xffffffff"  # Sample alias entry.
# ifconfig_ed0_ipx="ipx 0x00010010"  # Sample IPX address family entry

In previous releases of FreeBSD, you had to set network_interfaces to a list of the interfaces on the machine. Nowadays the value auto enables the startup scripts to find them by themselves, so you don't need to change this variable. You still need to set the interface addresses, of course. For gw, we add the following entry to /etc/rc.conf:

ifconfig_ed0="inet    netmask"

We don't need to do anything here for andante: its Ethernet interface is a PC Card card. We looked at that on page 304.

If you're using DHCP, you don't have an address to specify, of course. You still need to tell the startup scripts to use DHCP, however. Do it like this:

ifconfig_ed0="DHCP"