FreeBSD configuration File
Continuing,
# If you have any sppp(4) interfaces above, you might also want to set
# the following parameters.  Refer to spppcontrol(8) for their meaning
sppp_interfaces=""                      # List of sppp interfaces.
#sppp_interfaces="isp0"                 # example: sppp over ISDN
#spppconfig_isp0="authproto=chap myauthname=foo myauthsecret='top secret' hisauthname=some-gw hisauthsecret='another secret'"
gif_interfaces="NO"                     # List of GIF tunnels (or "NO").
#gif_interfaces="gif0 gif1"             # Examples typically for a router.
                                        # Choose correct tunnel addrs.
#gifconfig_gif0="10.1.1.1 10.1.2.1"     # Examples typically for a router.
#gifconfig_gif1="10.1.1.2 10.1.2.2"     # Examples typically for a router.
These are parameters for the sppp implementation for isdn4bsd and for the Generic Tunnel Interface, neither of which we discuss here. See the man pages sppp(4) and gif(4) for more details.
# User ppp configuration.
ppp_enable="NO"                 # Start user-ppp (or NO).
ppp_mode="auto"                 # Choice of "auto", "ddial", "direct" or "dedicated".
                                # For details see man page for ppp(8). Default is auto.
ppp_nat="YES"                   # Use PPP's internal network address translation or NO.
ppp_profile="papchap"           # Which profile to use from /etc/ppp/ppp.conf
ppp_user="root"                 # Which user to run ppp as
These parameters relate to running user PPP, which we discussed in "Chapter 20" , on page 348.
### Network daemon (miscellaneous) ###
syslogd_enable="YES"            # Run syslog daemon (or NO).
syslogd_program="/usr/sbin/syslogd"     # path to syslogd, if you want a different one.
syslogd_flags="-s"              # Flags to syslogd (if enabled).
#syslogd_flags="-ss"            # Syslogd flags to not bind an inet socket
You should always run syslogd unless you have a very good reason not to. In previous releases of FreeBSD, syslogd_flags was empty, but security concerns have changed that, and by default syslogd is now started with the -s flag, which stops it from accepting messages from remote systems. If you specify the -ss flag instead, as suggested in the comment, syslogd does not open a network socket at all, so you will also not be able to log to remote systems.
Sometimes it's very useful to log to a remote system. For example, you might want all systems in example.org to log to gw. That way you get one set of log files for the entire network. To do this, you would add the following line at the beginning of /etc/syslog.conf on each machine:
*.* @gw
For this to work, syslogd on gw must be allowed to accept remote messages, so override the default -s flag by adding the following to /etc/rc.conf on gw:

syslogd_flags=""

Note that with no flags at all, syslogd accepts log messages from any host that can reach it; see the -a option in syslogd(8) if you want to restrict it to particular peers.
Next come some parameters relating to inetd, the Internet Daemon, sometimes called the super-server. It's responsible for starting services on behalf of remote clients.
inetd_enable="NO"               # Run the network daemon dispatcher (YES/NO).
inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one.
inetd_flags="-wW"               # Optional flags to inetd
We looked at inetd on page 448. Normally you will want to have it enabled, but you won't need to change the flags. Add this line to /etc/rc.conf on both gw and andante:
inetd_enable="YES"
named_enable="NO"               # Run named, the DNS server (or NO).
named_program="/usr/sbin/named" # path to named, if you want a different one.
#named_flags="-u bind -g bind"  # Flags for named
These parameters specify whether we should run the name server, and what flags we should use if we do. See page 366 for more details. Previous versions of named required a flag to specify the location of the configuration file, but the location FreeBSD uses has now become the standard, so we no longer need to specify any flags. The commented-out named_flags line shows how to run named as the unprivileged user and group bind instead of as root. All we put in /etc/rc.conf for gw is:
named_enable="YES" # Run named, the DNS server (or NO).
Continuing with /etc/defaults/rc.conf,
kerberos4_server_enable="NO"    # Run a kerberos IV master server (or NO).
kerberos4_server="/usr/sbin/kerberos"   # path to kerberos IV KDC
kadmind4_server_enable="NO"     # Run kadmind (or NO)
kadmind4_server="/usr/sbin/kadmind"     # path to kerberos IV admin daemon
kerberos5_server_enable="NO"    # Run a kerberos 5 master server (or NO).
kerberos5_server="/usr/libexec/kdc"     # path to kerberos 5 KDC
kadmind5_server_enable="NO"     # Run kadmind (or NO)
kadmind5_server="/usr/libexec/k5admind" # path to kerberos 5 admin daemon
kerberos_stash="NO"             # Is the kerberos master key stashed?
Set these if you want to run Kerberos. We don't discuss Kerberos in this book.
rwhod_enable="NO"               # Run the rwho daemon (or NO).
rwhod_flags=""                  # Flags for rwhod
Set this if you want to run the rwhod daemon, which broadcasts information about the system load.
rarpd_enable="NO"               # Run rarpd (or NO).
rarpd_flags=""                  # Flags to rarpd.
bootparamd_enable="NO"          # Run bootparamd (or NO).
bootparamd_flags=""             # Flags to bootparamd
xtend_enable="NO"               # Run the X-10 power controller daemon.
xtend_flags=""                  # Flags to xtend (if enabled).
These entries relate to the rarpd, bootparamd and the X-10 daemons, which we don't discuss in this book. See the respective man pages.
pppoed_enable="NO"              # Run the PPP over Ethernet daemon.
pppoed_provider="*"             # Provider and ppp(8) config file entry.
pppoed_flags="-P /var/run/pppoed.pid"   # Flags to pppoed (if enabled).
pppoed_interface="fxp0"         # The interface that pppoed runs on.
pppoed is the PPP Over Ethernet daemon. We discussed it briefly on page 348.
sshd_enable="NO"                # Enable sshd
sshd_program="/usr/sbin/sshd"   # path to sshd, if you want a different one.
sshd_flags=""                   # Additional flags for sshd.
sshd is the Secure Shell daemon, which we talked about on page 453. You don't need to change anything here to run the ssh client, but if you want to connect to this system with ssh, you'll need to run sshd. In gw's /etc/rc.conf we put:
sshd_enable="YES"
amd_enable="NO"                 # Run amd service with $amd_flags (or NO).
amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"
amd_map_program="NO"            # Can be set to "ypcat -k amd.master"
These entries relate to the automounter, which we don't discuss in this book. See amd(8) for details.
nfs_client_enable="NO"          # This host is an NFS client (or NO).
nfs_access_cache="2"            # Client cache timeout in seconds
nfs_server_enable="NO"          # This host is an NFS server (or NO).
nfs_server_flags="-u -t -n 4"   # Flags to nfsd (if enabled).
mountd_enable="NO"              # Run mountd (or NO).
mountd_flags="-r"               # Flags to mountd (if NFS server enabled).
weak_mountd_authentication="NO" # Allow non root mount requests to be served.
nfs_reserved_port_only="NO"     # Provide NFS only on secure port (or NO).
nfs_bufpackets="DEFAULT"        # bufspace (in packets) for client (or DEFAULT)
rpc_lockd_enable="NO"           # Run NFS rpc.lockd needed for client/server.
rpc_statd_enable="NO"           # Run NFS rpc.statd needed for client/server.
rpcbind_enable="NO"             # Run the portmapper service (YES/NO).
rpcbind_program="/usr/sbin/rpcbind"     # path to rpcbind, if you want a different one.
rpcbind_flags=""                # Flags to rpcbind (if enabled).
rpc_ypupdated_enable="NO"       # Run if NIS master and SecureRPC (or NO)
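The settings above only take effect as a combination: /etc/rc reads /etc/defaults/rc.conf first and then /etc/rc.conf, so a variable you don't set in /etc/rc.conf keeps the default. The script below, an added example that is not from the book or from FreeBSD itself, resolves variables the same way and then audits the network-daemon settings discussed on this page: the syslogd_flags="" setting we gave gw for remote logging (which accepts messages from any host unless -s or -a is present), inetd without TCP wrappers (-wW), named without the commented-out -u bind -g bind flags, and the two NFS server settings weak_mountd_authentication and nfs_reserved_port_only. The sample rc.conf files it writes are constructed here, and the 192.0.2.0/24 network in the hardened variant is an assumption. The helper names (rc_value, has_flag, audit_rc, count_findings) are this example's own.

```shell
#!/bin/sh
# Added example: resolve rc.conf variables the way /etc/rc does (defaults
# first, /etc/rc.conf overrides) and audit the network-daemon settings.
# The sample files and helper names below are constructed for this example.

# rc_value VAR DEFAULTS RCCONF: print the effective value of VAR.
rc_value() {
    # Source both files in a subshell so nothing leaks into the caller.
    ( [ -r "$2" ] && . "$2"
      [ -r "$3" ] && . "$3"
      eval "printf '%s' \"\${$1}\"" )
}

# has_flag FLAGS PATTERN: succeed if any whitespace-separated token of
# FLAGS matches the shell pattern PATTERN (e.g. '-s*' matches -s and -ss).
has_flag() {
    for tok in $1; do
        case $tok in $2) return 0 ;; esac
    done
    return 1
}

# audit_rc DEFAULTS RCCONF: print one finding per line.
audit_rc() {
    d=$1; r=$2
    if [ "$(rc_value syslogd_enable "$d" "$r")" = "YES" ]; then
        f=$(rc_value syslogd_flags "$d" "$r")
        # No -s (refuse remote messages) and no -a (allowed peers): open to all.
        if ! has_flag "$f" '-s*' && ! has_flag "$f" '-a*'; then
            echo "syslogd: accepts messages from any host; add -s, or -a <peer> to restrict"
        fi
    fi
    if [ "$(rc_value inetd_enable "$d" "$r")" = "YES" ]; then
        f=$(rc_value inetd_flags "$d" "$r")
        has_flag "$f" '-*w*' || echo "inetd: TCP wrappers off; use inetd_flags=\"-wW\""
    fi
    if [ "$(rc_value named_enable "$d" "$r")" = "YES" ]; then
        f=$(rc_value named_flags "$d" "$r")
        has_flag "$f" '-u' || echo "named: runs as root; set named_flags=\"-u bind -g bind\""
    fi
    if [ "$(rc_value nfs_server_enable "$d" "$r")" = "YES" ]; then
        [ "$(rc_value weak_mountd_authentication "$d" "$r")" = "NO" ] ||
            echo "mountd: non-root mount requests are served (weak_mountd_authentication)"
        [ "$(rc_value nfs_reserved_port_only "$d" "$r")" = "YES" ] ||
            echo "nfsd: not limited to the reserved port (nfs_reserved_port_only)"
    fi
}

# count_findings DEFAULTS RCCONF: print the number of findings.
count_findings() {
    audit_rc "$1" "$2" | awk 'END { print NR }'
}

# Constructed stand-ins for /etc/defaults/rc.conf and /etc/rc.conf.
workdir=$(mktemp -d)
cat > "$workdir/defaults.rc.conf" <<'EOF'
syslogd_enable="YES"
syslogd_flags="-s"
inetd_enable="NO"
inetd_flags="-wW"
named_enable="NO"
#named_flags="-u bind -g bind"
sshd_enable="NO"
nfs_server_enable="NO"
weak_mountd_authentication="NO"
nfs_reserved_port_only="NO"
EOF
# gw as configured on this page: remote logging open to every host.
cat > "$workdir/gw.rc.conf" <<'EOF'
syslogd_flags=""
inetd_enable="YES"
named_enable="YES"
sshd_enable="YES"
EOF
# The same host limited to one (assumed) subnet, with named unprivileged.
cat > "$workdir/gw-hardened.rc.conf" <<'EOF'
syslogd_flags="-a 192.0.2.0/24"
named_flags="-u bind -g bind"
inetd_enable="YES"
named_enable="YES"
sshd_enable="YES"
EOF

echo "== gw as on this page =="
audit_rc "$workdir/defaults.rc.conf" "$workdir/gw.rc.conf"
echo "== gw hardened =="
audit_rc "$workdir/defaults.rc.conf" "$workdir/gw-hardened.rc.conf"
```

Run it on a real system by pointing audit_rc at /etc/defaults/rc.conf and /etc/rc.conf. The rc_value helper sources the files exactly as /etc/rc does, which also means it trusts their contents; only run it on files you would let the boot process read anyway.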