http://www.freebsdwiki.net/api.php?action=feedcontributions&user=Dave&feedformat=atom
FreeBSDwiki - User contributions [en] 2024-03-29T05:32:01Z User contributions MediaWiki 1.18.0
http://www.freebsdwiki.net/index.php/User_talk:Dave User talk:Dave 2010-05-12T15:35:22Z<p>Dave: /* you're welcome....two years later */</p>
<hr />
<div>==temporary==<br />
ColdFire: look for the discussion about your article in its discussion page, it's been moved there. [[Talk:Installing_Apache_with_PHP]] --[[User:Jimbo|Jimbo]] 11:32, 29 March 2006 (EST)<br />
<br />
==RE:welcome==<br />
What do you think of the idea of putting the whole handbook in here and improving it through the wiki process? We may be able to get the doc project on board with that, especially since there are some tools (crude as of yet I think) that can convert mediawiki markup to docbook. Do you have the space and bandwidth for that? If it really takes off it could be merged back into the official FreeBSD webspace. - [[User:Taxman|Taxman]] 15:28, 17 Sep 2004 (GMT)<br />
<br />
<br />
==problem with that==<br />
There are two problems with that: a) this question is better asked of Jimbo (since this is his baby, not mine), although I am pretty sure his answer's going to be along the lines of "no, I'd rather write something easier to deal with than to copy verbatim"; and b) the handbook makes my eyes gloss over, and part of the reason I think a wiki is better than the handbook is because it brings fresher ways of presenting the information -- especially nice is the compactness of it (specifics when you want 'em). I mean, the handbook is already available in chunks of HTML-ized chapters....don't need to repeat work that's been done already. Although I'm sure Jimbo would be happy to see his work linked from/become part of official FreeBSD documentation (I know I'd be happy if someone saw an article I wrote and went "oh shit! that's how you do it! thanks!")<br />
<br />
--[[User:Dave|Dave]]<br />
<br />
==Dave said it right==<br />
I'm not in favor of getting this project buried underneath the ''Handbook'', for all the reasons Dave listed. I get pretty frustrated every time I try digging information out of the ''Handbook''; so while I don't mind incorporating some of the stuff from it piecemeal, I am very very very much not in favor of dumping it here ''en masse''. --[[User:Jimbo|Jimbo]] 00:40, 18 Sep 2004 (GMT)<br />
<br />
== thanks... two years later ==<br />
<br />
The suggestion you made in [[Talk:Tcpdump]] was right on... I just found that (for the first time, wtflol) today, and hexedit did exactly what I wanted of it. Awesome!<br />
<br />
--[[User:Jimbo|Jimbo]] 14:07, 18 December 2008 (EST)<br />
<br />
== you're welcome....two years later ==<br />
<br />
np<br />
--[[User:Dave|Dave]] 15:35, 12 May 2010 (UTC)</div>Dave
http://www.freebsdwiki.net/index.php/Talk:AccessPoint Talk:AccessPoint 2008-05-31T23:26:25Z<p>Dave: /* recommendation */</p>
<hr />
<div>i'll add the ppp section later...<br />
<br />
== recommendation ==<br />
<br />
Remove the Linux section at the beginning. It looks petty and doesn't add anything to the article. Sell BSD, don't try to pull a Hillary on Linux. Also, maybe a security section? I don't do a lot of BSD these days so can't add anything myself. <br />
<br />
--[[User:Dave|Dave]] 19:24, 31 May 2008 (EDT)</div>Dave
http://www.freebsdwiki.net/index.php/Qmail,_Mail_toaster Qmail, Mail toaster 2008-01-02T22:39:55Z<p>Dave: /* Making or Requesting a Certificate for Qmail's TLS */</p>
<hr />
<div>== What is a mail toaster, and what are we doing here? ==<br />
<br />
A "mail toaster" is a silly name for a very useful and commonly needed "appliance" - a single server that can handle everything you need to do with email: receive it, send it, weed out spam, allow webmail access, allow authenticated SMTP traffic so that laptop users and other "road warriors" can send email from any network they happen to be attached to, handle multiple mail domains, allow delegation of web-based administration of individual domains to individuals responsible for those domains (and their domain only), and even allow delegation of web-based individual mailbox maintenance to owners of the individual mailboxes. <br />
<br />
When you're done following through this article, you'll have a machine which will do exactly that - and even a few things more, like allow users to set "auto-reply" messages, forward their mail temporarily to other addresses, you name it.<br />
<br />
(If you have a Microsoft Active Directory setup for your users, you may want to look at using [[qmail-ldap]] instead. But that's an entirely different animal.)<br />
<br />
We'll be using the following ports:<br />
<br />
* apache2<br />
* qmail-tls<br />
* ucspi-tcp<br />
* vpopmail<br />
* vqadmin<br />
* qmailadmin<br />
* sqwebmail<br />
* dovecot<br />
* qsheff<br />
* safecat<br />
* clamav<br />
* p5-Mail-SpamAssassin<br />
<br />
== Prerequisites ==<br />
<br />
First of all, you're going to need a FreeBSD server - all of the applications we're going to use are free software and available for pretty much any *nix, but we're going to be covering installing them using the ports tree... so your mileage will vary ''considerably'' if you try to follow this article along on Linux or Solaris or what have you.<br />
<br />
Second of all, you're going to need DNS information set up to point the mail services (MX records) for any domains that you want to handle mail for at this machine. You may or may not want the same server to act as nameserver (DNS server) and mailserver, but either way, setting up DNS is beyond the scope of this article... we're just going to set up the services themselves here, not set up the internet to point the mail at us to begin with.<br />
<br />
Finally, before we get started, be sure to synchronize your ports tree to make sure you get the newest versions of all the ports you'll be installing. Mailserver components are ''critical'', you don't want to wind up with something outdated that could potentially have had a vulnerability disclosed in it!<br />
<br />
ph34r# '''cvsup /usr/share/examples/cvsup/ports-supfile'''<br />
<br />
And now that we have the latest versions of all of our ports, let's get started!<br />
<br />
== Installing Apache2 ==<br />
<br />
This is probably the easiest part of the whole process. Note: if you've already got your own copy of Apache up and running and you know how to care for it and feed it, that's perfectly fine, and you can skip on ahead to the next section - we aren't really going to do a whole lot of magical things with the webserver, we just need it available so that we can deliver our webmail and web-based control interfaces. It's also fine if you're using Apache 1.x instead of Apache 2.x; just make your own little adjustments and follow right along.<br />
<br />
ph34r# '''cd /usr/ports/www/apache2'''<br />
ph34r# '''make install clean'''<br />
<br />
When the port's done building, '''rehash''' to update your system's PATH cache, and start Apache:<br />
<br />
ph34r# '''rehash'''<br />
ph34r# '''apachectl start'''<br />
<br />
Check to make sure it's running:<br />
<br />
ph34r# '''ps ax | grep httpd'''<br />
91237 ?? Ss 0:00.37 /usr/local/sbin/httpd -k start<br />
91246 ?? S 0:00.00 /usr/local/sbin/httpd -k start<br />
91247 ?? S 0:00.00 /usr/local/sbin/httpd -k start<br />
91248 ?? S 0:00.00 /usr/local/sbin/httpd -k start<br />
91249 ?? S 0:00.00 /usr/local/sbin/httpd -k start<br />
91250 ?? S 0:00.00 /usr/local/sbin/httpd -k start<br />
<br />
And we're good! Now, on to the parts that actually handle the mail...<br />
<br />
== Installing Qmail with SMTP Authentication ==<br />
<br />
Now, it's time to get the basics installed - first things first, get Qmail installed with the SMTP_AUTH and the TLS patches in place. This will allow us not only to send and receive mail, but also to authenticate SMTP sessions with a username and password so that authorized "road warriors" can use this server to send their email no matter what network they are physically attached to, and to use TLS encryption if supported on the remote end (which might be one of those road warriors, or might be another domain's mailserver) to keep potential unfriendlies from easily sniffing potentially sensitive information out of our email.<br />
<br />
Note that we're NOT issuing '''make install clean''' as a single command here, because there are other steps we want to take after building the port before we clean out the work directory!<br />
<br />
ph34r# '''cd /usr/ports/mail/qmail-tls'''<br />
ph34r# '''make config'''<br />
<br />
You'll get an ncurses text-mode GUI config screen now, and you want to make sure to check the SMTP_AUTH_PATCH and RCDLINK options before you go on. You may also want DISCBOUNCES, MAILDIRQUOTA, and LOCALTIME, at your discretion. Once that's done, we'll grab all our files and apply the FreeBSD port's patches before applying our own:<br />
<br />
ph34r# '''make fetch'''<br />
ph34r# '''make patch'''<br />
<br />
Now we want to apply a couple of custom patches of our own: one to allow issuing custom SMTP 554 errors, and one to tell Qmail NOT to advertise CRAM-MD5 logins for authenticated SMTP to mail clients. Vpopmail's vchkpw password check program doesn't support CRAM-MD5, so without this patch clients fail the first AUTH attempt and fall back on PLAIN every time they try to send an email.<br />
<br />
ph34r# '''cd work/qmail-1.03'''<br />
ph34r# '''fetch http://www.freebsdwiki.net/images/3/33/Qqxrc.patch.txt'''<br />
ph34r# '''patch < Qqxrc.patch.txt'''<br />
<br />
Pay careful attention to the output of the patch program: if it tells you any hunks failed, you'll need to investigate and resolve the problem or who knows what you'll wind up with. Next, we want to make sure Qmail doesn't tell mail clients that we accept CRAM-MD5 logins, since Qmail would take them but vchkpw would fail to understand them. You can use [[media:Qmail-noCRAM-MD5.patch.txt|this patch]] if you like, but I'd recommend just using this quick-and-dirty "poor man's patch" instead:<br />
<br />
ph34r# '''sed -i .bak s/CRAM-MD5\ // qmail-smtpd.c'''<br />
<br />
Now we can change back into our port directory and issue a make install.<br />
<br />
ph34r# '''cd ../..'''<br />
ph34r# '''make install'''<br />
<br />
== Making or Requesting a Certificate for Qmail's TLS ==<br />
<br />
Now we'll need to install a certificate for use with TLS authentication/encryption. To make a certificate request, you can type in '''make certificate-req''' - but that's all I can tell you about that process; I typically use a self-signed certificate instead (one which is not stored at Thawte or Verisign or one of the other major providers, but only on the local server). You don't have to pay for a self-signed certificate, where you would for one from Thawte or Verisign ''et al'', but you should be aware that 1. users will be warned that they are being asked to accept a certificate not signed by a recognized authority the first time they connect to a server with a self-signed certificate, and 2. Microsoft Outlook may refuse to connect to a server with a self-signed certificate using TLS '''AT ALL''', so you may need to forgo encryption entirely for Outlook users if you're signing your own certificate.<br />
<br />
To use a certificate from a known-and-trusted certifying authority (Thawte, Verisign, etc.), you'll need to create a [[CSR]] and send it to them when you ask them for a certificate. Be prepared to pay ~200USD for a cert. They'll send the certificate back and you'll need to install it on your server. This is made easier by [[webmin]], but you can also do it from the command line using [[OpenSSL]]. Certificate management is outside the scope of this article and not something to be taken lightly, as it can be more subtle and difficult than it initially appears.<br />
<br />
Whew! With that said, actually generating the self-signed certificate is easy:<br />
<br />
ph34r# '''make certificate'''<br />
<br />
After entering in a bit of info at some prompts - country, state, city, that sort of thing - a certificate will be created and saved in '''/var/qmail/control/servercert.pem'''. All done. One thing worth noting - whatever you enter at the prompt that says '''Common Name (eg, YOUR name) []:''' is what's going to show up in security prompts in browsers and email clients, and frequently will trigger EXTRA "oh no something's not right!" prompting if it doesn't match the URL of your server. So in general, if you were creating this certificate for a mailserver mail.getsdeliveredhere.net, you would want to enter mail.getsdeliveredhere.net at that prompt.<br />
<br />
== Initial Qmail Configuration ==<br />
<br />
Now it's time to make sure Qmail knows how to deliver the mail it receives. The way we do this is by selecting one of a large selection of possible startup scripts from /var/qmail/boot, and copying that script to /var/qmail/rc, which is symlinked to /usr/local/etc/rc.d/qmail.sh for starting and stopping Qmail when needed. We're going to be using the maildir storage format, so this is the command we'll issue:<br />
<br />
ph34r# '''cp /var/qmail/boot/maildir /var/qmail/rc'''<br />
<br />
Now add a line to /etc/rc.conf so that the base system's sendmail stays out of the way and the startup script we just copied is what handles mail when we boot the machine up (rc.conf variable names are lowercase, so type it exactly like this):<br />
<br />
ph34r# '''echo sendmail_enable="NONE" >> /etc/rc.conf'''<br />
<br />
Now we'll need to generate Qmail's basic control files. Easy:<br />
<br />
ph34r# '''/var/qmail/configure/config-fast'''<br />
Your fully qualified host name is .<br />
Putting into control/me...<br />
Putting into control/defaultdomain...<br />
Putting into control/plusdomain...<br />
Putting into control/locals...<br />
Putting into control/rcpthosts...<br />
Now qmail will refuse to accept SMTP messages except to .<br />
Make sure to change rcpthosts if you add hosts to locals or virtualdomains!<br />
ph34r#<br />
<br />
Now you need to put the real name of the machine in '''/var/qmail/control/me''' - nothing fancy here, no comments, no arguments to set, just edit the file and put the name of the server in there; e.g. mail.getsdeliveredhere.net. Don't worry about locals, rcpthosts, or any of that good stuff - vpopmail will handle that for us, and we're going to cover that next. But first, we need to fire up qmail and make sure it's running:<br />
<br />
ph34r# '''/usr/local/etc/rc.d/qmail.sh start'''<br />
ph34r# '''ps ax | grep qmail'''<br />
87877 p0 R 0:00.26 qmail-send<br />
87878 p0 S 0:00.10 splogger qmail<br />
87879 p0 S 0:00.00 qmail-lspawn ./Maildir/<br />
87880 p0 S 0:00.03 qmail-rspawn<br />
87881 p0 S 0:00.03 qmail-clean<br />
<br />
Good deal! Now let's move on to vpopmail.<br />
<br />
== Installing vpopmail ==<br />
<br />
Now, we want to make sure that we can keep our mail accounts separate from our system accounts - maybe ''you'' want every Tom, Dick, and Harry with an email account to potentially be able to use that username and password to get a shell prompt, but I certainly don't! In fact, even for those folks - like myself - who have both a mailbox and a shell account, I want to make certain that the credentials used AREN'T the same, to minimize security risks. I also want to make it easy to administer the email for multiple domains from a single machine - and that's where vpopmail comes in.<br />
<br />
ph34r# '''cd /usr/ports/mail/vpopmail'''<br />
ph34r# '''make install clean'''<br />
<br />
Now we need to make a quick permissions change, so that our authenticated SMTP will work right with Vpopmail's password authentication program. Set the owner first and the setuid bit second, since changing ownership can clear a setuid bit that's already set. Keep in mind that vchkpw is a setuid-root binary from here on, so keep the vpopmail port as current as the rest of your mail components:<br />
<br />
ph34r# '''chown root /usr/local/vpopmail/bin/vchkpw'''<br />
ph34r# '''chmod 4755 /usr/local/vpopmail/bin/vchkpw'''<br />
<br />
Mmmmm, simple. That's all we have to do with vpopmail. As a bonus, installing vpopmail also got us the '''ucspi-tcp''' port, which we'll need to use to keep a daemon listening on port 25 (and port 2525, for reasons we'll discuss later) for incoming SMTP traffic. Okay, but now that we've got a separate database for mailbox accounts from system accounts, how do we manage it? That would be two more ports - qmailadmin, and vqadmin. Vqadmin lets us add, delete, and otherwise manage entire domains we want to handle the mail for, while qmailadmin gives us a nice friendly little interface to handle individual mailboxes within individual domains. First, vqadmin:<br />
<br />
== Installing VQadmin ==<br />
<br />
ph34r# '''cd /usr/ports/mail/vqadmin'''<br />
ph34r# '''make install clean'''<br />
<br />
Now, the vqadmin port just put its files in /usr/local/www/cgi-bin-dist/vqadmin and /usr/local/www/data-dist/images. This is probably NOT where you actually want those files to go - so you'll want to move that whole directory to wherever you actually want it served from. For the purposes of this article, we'll assume that it's a mailserver and a mailserver only, and so you're just serving everything from /usr/local/www/data and /usr/local/www/cgi-bin. So we'll move the files where we need them:<br />
<br />
ph34r# '''mv /usr/local/www/cgi-bin-dist/vqadmin /usr/local/www/cgi-bin'''<br />
ph34r# '''mv /usr/local/www/data-dist/images /usr/local/www/data'''<br />
<br />
Now we'll need to add a snippet to our httpd.conf file to handle authentication for us when we use vqadmin:<br />
<br />
# VQadmin : web interface for administering Qmail<br />
<br />
<Directory "/usr/local/www/cgi-bin/vqadmin"><br />
deny from all<br />
Options ExecCGI<br />
AllowOverride AuthConfig<br />
Order deny,allow<br />
</Directory><br />
<br />
All that does is make sure that access is allowed to our vqadmin directory, but ONLY allowed for authorized users. Next, we'll need to create a .htaccess file and a password file to tell the system what does or does not constitute an authorized user. First, create the .htaccess file in the directory you put vqadmin in (in this example /usr/local/www/cgi-bin/vqadmin):<br />
<br />
# This is /usr/local/www/cgi-bin/vqadmin/.htaccess<br />
<br />
AuthType Basic<br />
AuthUserFile /usr/local/www/vqadmin.passwd<br />
AuthName vQadmin<br />
require valid-user<br />
satisfy any<br />
<br />
Now, it's time to create the password file referenced in the .htaccess file you just wrote. In this example, we're going to use the username "admin" because it's already configured in vqadmin's '''vqadmin.acl''' file to be an administrator account when present - REMEMBER, if instead you choose to use a different username, and you want that username to be able to administer vqadmin as well as look at it, you'll need to edit vqadmin.acl as well to reflect that!<br />
<br />
ph34r# '''htpasswd -c /usr/local/www/vqadmin.passwd admin'''<br />
New password:<br />
Re-type new password:<br />
Adding password for user admin<br />
<br />
The '''htpasswd''' command, with the -c flag, will create the new file and add the user "admin" with the password you type twice at the prompts. The screen will not echo your keystrokes or any asterisks; it will just sit there until you hit enter at each password prompt.<br />
<br />
Okay! Now you should be ready to add your first (possibly your only) domain, using vqadmin. First, restart Apache so that the changes you made to httpd.conf will take effect:<br />
<br />
ph34r# '''apachectl restart'''<br />
<br />
Now fire up your web browser and check out your particular version of "www.yourdomainname.tld/cgi-bin/vqadmin/vqadmin.cgi". You should get a plain-but-functional HTML page showing you links to add/delete/otherwise maintain your domains. Add a domain here, and let's move on to qmailadmin.<br />
<br />
== Installing Qmailadmin ==<br />
<br />
VQadmin handles the overall installation / deleting / privilege editing of entire domains from the system administrator's level, and it can even be used for modifying individual mailboxes, in a primitive kind of way. But for actually maintaining existing domains - and just as importantly, for ''delegating'' the handling of individual domains and individual mailboxes in those domains to the people who actually use them - what we want is Qmailadmin. First, we'll build it from the ports tree:<br />
<br />
ph34r# '''cd /usr/ports/mail/qmailadmin'''<br />
ph34r# '''make install clean'''<br />
<br />
Qmailadmin dumps its files in /usr/local/www/cgi-bin.default and /usr/local/www/data.default, which is certainly not where we actually want them. Again, we'll want to put them in the correct cgi-bin directory for whatever your webserver configuration is - in our example, it looks like this:<br />
<br />
ph34r# '''mv /usr/local/www/cgi-bin.default/qmailadmin /usr/local/www/cgi-bin'''<br />
ph34r# '''mv /usr/local/www/data.default/qmailadmin /usr/local/www/data'''<br />
<br />
Now the nice thing is, since Qmailadmin uses the actual mailbox usernames and passwords themselves to authenticate, you don't have to futz about any with .htaccess files and password files like VQadmin needed - once you've copied those files, you're good to go! <br />
<br />
Go ahead and test it out by browsing to www.yourdomainname.tld/cgi-bin/qmailadmin/qmailadmin. You should get a nice little login screen asking for a username and password and domain. Remember the domain you added when you tested VQadmin earlier? Log in here as username '''postmaster''', password whatever you set when you created the domain, and domain name as whatever domain name you created earlier. Voila! You're set up, and you can add/delete/manage/mangle mailboxes and mailing lists and what have you in this domain to your heart's content.<br />
<br />
You can also set the postmaster password to this domain to be DIFFERENT from the password to access VQadmin, and delegate this domain's administration to someone else without worrying about them getting into something on another domain you're hosting mail for. You can even let owners of individual mailboxes login as themselves, and they'll be able to change the settings for their own mailbox, but not for others on the domain or anything domain-wide. Handy!<br />
<br />
== Installing Sqwebmail ==<br />
<br />
If you have to spend much time working on other people's computers, you'll probably want to be able to use a web interface to check your email as well as administer your server. For that, we use '''sqwebmail''' - which is the webmail chunk of the '''Courier''' mailserver package, by itself. Sqwebmail assumes a maildir storage format, and it's ''blindingly'' fast compared to most other webmail packages because it does ''not'' use IMAP to communicate with the actual server - it just accesses the maildirs directly.<br />
<br />
When we install, we'll be using the -DWITH_VCHKPW argument, to set the environment variable "WITH_VCHKPW" to true, so that the port knows we want it to build using Vpopmail authentication routines. NOTE: newer versions of this port use an NCURSES text-mode config GUI, which will let you simply check the AUTH_VCHKPW option to do this. You may also install spell-check support via the NCURSES gui.<br />
<br />
ph34r# '''cd /usr/ports/mail/sqwebmail'''<br />
ph34r# '''make -DWITH_VCHKPW'''<br />
ph34r# '''make install'''<br />
ph34r# '''make install-configure'''<br />
ph34r# '''make clean'''<br />
<br />
Next, as usual for web-based ports, we have to copy a couple of directories from "where they got put" to "where they should be."<br />
<br />
ph34r# '''mv /usr/local/www/data-dist/sqwebmail /usr/local/www/data'''<br />
ph34r# '''mv /usr/local/www/cgi-bin-dist/sqwebmail /usr/local/www/cgi-bin'''<br />
<br />
Now we'll need to add this line to /etc/crontab, the system crontab, whose sixth field names the user the job runs as (here '''bin'''). Edit it as root with [[vi]] (check the quick docs on vi if you don't know how to use it). Note that a per-user crontab edited with '''crontab -e''' has no user field, so if you put the job in root's own crontab instead, leave the '''bin''' field out:<br />
<br />
0 * * * * bin /usr/local/share/sqwebmail/cleancache.pl<br />
<br />
Now append this line to /etc/rc.conf:<br />
<br />
sqwebmaild_enable="YES"<br />
<br />
Now start the daemons:<br />
<br />
ph34r# '''/usr/local/etc/rc.d/courier-authdaemond.sh start'''<br />
ph34r# '''/usr/local/etc/rc.d/sqwebmail-sqwebmaild.sh start'''<br />
<br />
And you should be ready to test it out! Fire up http://www.yourdomainname.tld/cgi-bin/sqwebmail/sqwebmail, and login as postmaster@yourdomainname.tld (the postmaster account @ the domain you created with vqadmin earlier) and use the same password you set for postmaster on that domain. Voila! You've got webmail.<br />
<br />
== Installing Dovecot ==<br />
<br />
Okay, so now we've got Qmail running, we've got a virtual domain and its postmaster account set up and working using Vqadmin and Qmailadmin... but as of right now, the only way to ''check'' that account is via webmail. This is probably ''not'' what we want - what we really want is POP3 and/or IMAP access. There are lots of POP3 and IMAP servers available, but I've had (by far!) the best performance results (and the fewest disclosed vulnerabilities) from the Dovecot package, so that's what we're going to use here.<br />
<br />
ph34r# '''cd /usr/ports/mail/dovecot'''<br />
ph34r# '''make -DWITH_VPOPMAIL install'''<br />
<br />
Note that we're specifying the WITH_VPOPMAIL option to make sure that Dovecot understands it should be authenticating using the Vpopmail user credentials, not system user credentials. As of the current port version of Dovecot, you actually get an [[ncurses]] GUI pop-up when you build the port; so you should make sure to manually check the VPOPMAIL box if you do. DON'T select POSTGRESQL or MYSQL or any of that other stuff - that's for advanced mail installations which use those databases instead of maildirs for delivery, and it's not what we're doing here!<br />
<br />
At the end of the port compilation and installation process, it will ask you a couple of questions, to which you'll just answer "yes":<br />
<br />
===> Installing for dovecot-0.99.12.1<br />
You need a group "dovecot".<br />
Would you like me to create it [y]? '''y'''<br />
Done.<br />
You need a user "dovecot".<br />
Would you like me to create it [y]? '''y'''<br />
Done.<br />
<br />
Now you'll need to fix up the dovecot.conf file to properly set Dovecot up to handle your maildirs, and to authenticate users against Vpopmail credentials.<br />
<br />
ph34r# '''cd /usr/local/etc'''<br />
ph34r# '''cp dovecot.conf.sample dovecot.conf'''<br />
ph34r# '''edit dovecot.conf'''<br />
<br />
First, look for the section which configures Dovecot's handling of mail storage. You'll find a bunch of commented-out examples, followed by this NON-commented line:<br />
<br />
default_mail_env = mbox:/var/mail/%u<br />
<br />
Comment that line out completely - Dovecot will handle maildirs in vpopmail's locations just fine with no config information in dovecot.conf at all, but WON'T handle them properly with that default_mail_env line specified the way it is. So:<br />
<br />
#default_mail_env = mbox:/var/mail/%u<br />
<br />
Next, find the two lines that look like this (but they won't be together, they will be separated by some comments):<br />
<br />
auth_userdb = passwd<br />
auth_passdb = passwd<br />
<br />
And set them both to read "vpopmail" instead.<br />
<br />
auth_userdb = vpopmail<br />
auth_passdb = vpopmail<br />
<br />
Finally, we'll need to change the valid_uid settings, to make sure that IMAP and POP3 logins are allowed for the vpopmail system account - and (for security reasons) ONLY the vpopmail system account! Look for the appropriate section, and - assuming that your vpopmail installation created the vpopmail system account with uid 89, which it should have (if you're paranoid, run '''grep vpopmail /etc/passwd''' in another terminal window to check) - change it to read as follows:<br />
<br />
# Valid UID range for users, defaults to 500 and above. This is mostly<br />
# to make sure that users can't log in as daemons or other system users.<br />
# Note that denying root logins is hardcoded to dovecot binary and can't<br />
# be done even if first_valid_uid is set to 0.<br />
first_valid_uid = 89<br />
last_valid_uid = 89<br />
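<br />
Added example, not from the article or the Dovecot project: the three dovecot.conf edits above applied with sed and then verified before Dovecot is started, run here against a constructed stand-in for dovecot.conf.sample. The uid 89 is the article's assumption; on a real server substitute the output of '''id -u vpopmail'''.<br />

```sh
#!/bin/sh
# Added example, not from the original article or the Dovecot project: apply
# the three dovecot.conf edits described above with sed, then verify them, so
# that a missed line cannot leave IMAP/POP3 logins open to other system uids.

# vpopmail_dovecot_conf CONF UID
# Rewrites CONF in place: comments out the active mbox default_mail_env line,
# points both auth databases at vpopmail, and pins first/last_valid_uid to UID
# (uncommenting the sample's "#first_valid_uid = 500" style lines if needed).
vpopmail_dovecot_conf() {
    conf=$1
    uid=$2
    tmp="$conf.tmp.$$"
    sed -e 's|^default_mail_env[[:space:]]*=.*|#&|' \
        -e 's|^auth_userdb[[:space:]]*=.*|auth_userdb = vpopmail|' \
        -e 's|^auth_passdb[[:space:]]*=.*|auth_passdb = vpopmail|' \
        -e "s|^#\{0,1\}first_valid_uid[[:space:]]*=.*|first_valid_uid = $uid|" \
        -e "s|^#\{0,1\}last_valid_uid[[:space:]]*=.*|last_valid_uid = $uid|" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# dovecot_conf_ok CONF UID
# Returns 0 only if no active default_mail_env line remains, both auth
# databases are vpopmail, and the valid uid range is exactly UID..UID.
dovecot_conf_ok() {
    conf=$1
    uid=$2
    ! grep -q '^default_mail_env[[:space:]]*=' "$conf" || return 1
    grep -q '^auth_userdb[[:space:]]*=[[:space:]]*vpopmail$' "$conf" || return 1
    grep -q '^auth_passdb[[:space:]]*=[[:space:]]*vpopmail$' "$conf" || return 1
    grep -q "^first_valid_uid[[:space:]]*=[[:space:]]*$uid\$" "$conf" || return 1
    grep -q "^last_valid_uid[[:space:]]*=[[:space:]]*$uid\$" "$conf" || return 1
}

# write_sample_dovecot_conf FILE
# Constructed stand-in for the port's dovecot.conf.sample: only the lines the
# article touches, in the same commented/uncommented state as the sample.
write_sample_dovecot_conf() {
    printf '%s\n' \
        '# Mail location examples:' \
        '#default_mail_env = maildir:/home/%u/Maildir' \
        'default_mail_env = mbox:/var/mail/%u' \
        '' \
        '# Valid UID range for users, defaults to 500 and above.' \
        '#first_valid_uid = 500' \
        '#last_valid_uid = 0' \
        '' \
        'auth_userdb = passwd' \
        '# Password database is configured separately.' \
        'auth_passdb = passwd' > "$1"
}

# Stand-alone demo. On the real server use "$(id -u vpopmail)" instead of the
# literal 89 the article assumes, and point it at /usr/local/etc/dovecot.conf.
demo_conf=$(mktemp)
write_sample_dovecot_conf "$demo_conf"
vpopmail_dovecot_conf "$demo_conf" 89
if dovecot_conf_ok "$demo_conf" 89; then
    echo "dovecot.conf edits verified:"
    cat "$demo_conf"
else
    echo "dovecot.conf edits incomplete, do not start dovecot yet" >&2
fi
rm -f "$demo_conf"
```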
<br />
Now we need to set dovecot_enable in /etc/rc.conf:<br />
<br />
ph34r# '''echo dovecot_enable="YES" >> /etc/rc.conf'''<br />
<br />
Now that dovecot's configured, let's fire it up, and make sure it starts:<br />
<br />
ph34r# '''/usr/local/etc/rc.d/dovecot.sh start'''<br />
Starting dovecot.<br />
ph34r# '''ps ax | grep dove'''<br />
87484 ?? Ss 0:00.00 /usr/local/sbin/dovecot<br />
87485 ?? S 0:00.00 dovecot-auth<br />
<br />
Yup - we started it, and the process is running. Now we'll move on to setting up the server to actually listen for incoming SMTP traffic.<br />
<br />
== Listening for Incoming SMTP ==<br />
<br />
Next, you'll want to get your server actually listening for incoming mail. You'll do that by creating a startup script to run ucspi-tcp listening on port 25 (and port 2525, for reasons we'll get into in a moment) and directing incoming connections to Qmail.<br />
<br />
Before we can actually start tcpserver, we need to have a ruleset available to tell it what types of connections to allow from which hosts. This is MANDATORY for setting up SMTP servers, because if you don't disallow mail relay from untrusted networks, spammers will find you VERY VERY QUICKLY and use all your bandwidth irritating lots of people, some of whom will know exactly how to get hold of your ISP and tell them you're a problem child. You Do Not Want This. So, create the following as /etc/tcp.smtp:<br />
<br />
192.168.0.:allow,RELAYCLIENT=""<br />
<br />
Note that this assumes that your server is running on a network 192.168.0.x, which may or may not actually be the case.<br />
<br />
Now you'll need to use the '''tcprules''' program to compile this into a '''cdb''' format ruleset. '''Rehash''' to make sure your system's PATH cache knows about tcprules, and let's do it:<br />
<br />
ph34r# '''rehash'''<br />
ph34r# '''cat /etc/tcp.smtp | tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp'''<br />
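As an added illustration (not part of the original article or of the ucspi-tcp distribution), the following Python script models how tcpserver resolves a client address against a compiled tcprules file, and flags the mistake the paragraph above warns about: a RELAYCLIENT grant that reaches untrusted networks. The rule texts, the addresses and the audit() helper are all constructed for the example, and only IP-address rules are modelled, since the tcpserver invocation later in this article disables DNS lookups with -H and -R.<br />
<br />
```python
"""Model of the /etc/tcp.smtp rule lookup tcpserver performs, used here to audit a
ruleset for an accidental open relay before compiling it with tcprules."""
import ipaddress
import re

# Constructed sample ruleset (not the article's file): the LAN may relay, a small range
# of other hosts may relay, everyone else may connect but only deliver to local domains.
SAFE_RULES = """\
# LAN workstations may relay
192.168.0.:allow,RELAYCLIENT=""
# a few hosts outside the LAN that are allowed to relay
203.0.113.40-49:allow,RELAYCLIENT=""
:allow
"""

# The same file with the classic mistake: RELAYCLIENT on the catch-all line.
OPEN_RELAY_RULES = """\
192.168.0.:allow,RELAYCLIENT=""
:allow,RELAYCLIENT=""
"""

_ENV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def _expand(address):
    """tcprules expands a trailing range such as 203.0.113.40-49 into one entry per address."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", address)
    if not m:
        return [address]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{n}" for n in range(lo, hi + 1)]


def parse_rules(text):
    """Return {address_pattern: (action, env)} for the rules tcprules would compile."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instruction = line.partition(":")
        action, _, envpart = instruction.partition(",")
        if action not in ("allow", "deny"):
            raise ValueError(f"bad instruction in rule: {line!r}")
        env = dict(_ENV_RE.findall(envpart))
        for addr in _expand(address):
            rules[addr] = (action, env)
    return rules


def lookup(rules, client_ip):
    """Find the rule tcpserver applies to an IPv4 client: the exact address first, then
    each shorter dotted prefix (1.2.3., 1.2., 1.), then the empty default address.
    A client that matches nothing is allowed with no environment, which is tcpserver's
    documented default (assumption: =host rules are not modelled here)."""
    ipaddress.ip_address(client_ip)  # reject garbage before searching
    octets = client_ip.split(".")
    candidates = [client_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for cand in candidates:
        if cand in rules:
            return rules[cand]
    return ("allow", {})


def audit(rules):
    """Flag rules that grant relaying too broadly."""
    findings = []
    for address, (action, env) in rules.items():
        if action != "allow" or "RELAYCLIENT" not in env:
            continue
        if address == "":
            findings.append("default rule grants RELAYCLIENT: this is an open relay")
        elif address.count(".") == 1:  # a "10." style prefix is a whole /8
            findings.append(f"prefix {address!r} grants RELAYCLIENT to a whole /8")
    return findings


if __name__ == "__main__":
    for name, text in (("safe", SAFE_RULES), ("open-relay", OPEN_RELAY_RULES)):
        rules = parse_rules(text)
        print(name, "198.51.100.9 ->", lookup(rules, "198.51.100.9"), audit(rules))
```
<br />
The lookup order (exact address, shorter dotted prefixes, then the empty default) is the one tcprules compiles into the cdb, so the one-line ruleset above still lets outside hosts deliver to your local domains; they just never get RELAYCLIENT. Running an audit like this before '''tcprules''' catches a catch-all line such as :allow,RELAYCLIENT="" before it goes live.<br />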
<br />
And finally, we'll need to generate a startup script to run tcpserver with. Some of the lines of the shell script shown below are [[escaped to multi-line format]] for readability, and while that ''should'' work fine entered as shown, I tend to recommend removing the backslashes and line breaks when you actually enter the script into your own machine, and entering those lines as single continuous lines. One less thing to worry about breaking, right?<br />
<br />
So put the following script at /usr/local/etc/rc.d/tcpserver.sh:<br />
<br />
#!/bin/sh<br />
<br />
case "$1" in<br />
start)<br />
/usr/local/bin/tcpserver -H -l0 -R -c 512 -x /etc/tcp.smtp.cdb -u 82 -g 81 \<br />
0 smtp /usr/local/bin/rblsmtpd -b -r bl.spamcop.net -r dnsbl.njabl.org \<br />
/var/qmail/bin/qmail-smtpd mail.isreceivedhere.net /usr/local/vpopmail/bin/vchkpw \<br />
/usr/bin/true 2>&1 | /var/qmail/bin/splogger rblsmtpd &<br />
<br />
/usr/local/bin/tcpserver -H -l0 -R -c 512 -x /etc/tcp.smtp.cdb -u 82 -g 81 \<br />
0 2525 /usr/local/bin/rblsmtpd -b -r bl.spamcop.net -r dnsbl.njabl.org \<br />
/var/qmail/bin/qmail-smtpd mail.isreceivedhere.net /usr/local/vpopmail/bin/vchkpw \<br />
/usr/bin/true 2>&1 | /var/qmail/bin/splogger rblsmtpd &<br />
<br />
## -H tells tcpserver not to do remote DNS lookup before accepting connections<br />
## -l0 tells tcpserver not to look up local host name in DNS; instead use "0" as its name<br />
## -R tells tcpserver not to ask the remote server for its DNS information<br />
## -c 512 tells tcpserver not to attempt to process more than 512 simultaneous connections<br />
## -x specifies a rules database to control connections with<br />
## -u 82 runs tcpserver under the qmaild uid<br />
## -g 81 runs tcpserver under the qmaild gid<br />
## 0 as the host argument makes tcpserver listen on every local IP address<br />
## smtp (...)qmail-smtpd specifies to pass SMTP connections to qmail-smtpd<br />
## ... or ...<br />
## 2525 (...)qmail-smtpd specifies to pass connections on port 2525 to qmail-smtpd<br />
## rblsmtpd checks for blacklisted IP addresses before accepting SMTP<br />
## -b specifies an SMTP 553 error code to return to blacklisted servers<br />
## -r is specified before each successive RBL source<br />
## descriptor 2 is sent to splogger to create standard log entries attributed to rblsmtpd<br />
## end the line with & or the process hangs the console that starts it!<br />
##<br />
echo "tcpserver-SMTP started"<br />
;;<br />
stop)<br />
## no action needs to be taken to kill tcpserver processes<br />
##<br />
exit 0<br />
;;<br />
*)<br />
echo "Usage: leave this script alone, it's for boot only."<br />
exit 64<br />
;;<br />
esac<br />
<br />
So why are we running another instance of tcpserver on port 2525, as well as the standard one on port 25? Because there are a lot of ISPs these days that are blocking all traffic to destination port 25 anywhere outside their own network. So you will probably want to be able to set up your mail clients, on portable machines, to access your authenticated SMTP on a non-standard port to get around that limitation. I use 2525 because it's easy to remember, but of course you can pick whatever you like. <br />
<br />
Whew! Now let's make sure our tcpserver.sh script is executable, then fire it up and make sure tcpserver is running.<br />
<br />
ph34r# '''chmod 755 /usr/local/etc/rc.d/tcpserver.sh'''<br />
ph34r# '''/usr/local/etc/rc.d/tcpserver.sh start'''<br />
tcpserver-SMTP started.<br />
ph34r# '''ps ax | grep tcpserver'''<br />
87717 p0 S 0:00.00 /usr/local/bin/tcpserver -H -l0 -R -c 512 -x /etc/tcp<br />
87719 p0 S 0:00.00 /usr/local/bin/tcpserver -H -l0 -R -c 512 -x /etc/tcp<br />
<br />
Great - at this point we've got what appears to be a fully functional mailserver. All that's left is installing our spam and virus filtering capabilities, and then testing everything to make sure it works.<br />
<br />
== Adding Spam and Virus Filtering ==<br />
<font color="red" size="+1">'''WARNING: contents of this section are under extremely heavy development and what you see here is likely to be outdated.''' <br />
<br />
Do not attempt to implement this filtering mechanism unless you REALLY understand what you're doing and feel confident you can fix any problems you may encounter. You may also wish to inspect the discussion page for this article for (considerably) more as-it-develops information.</font><br />
<br />
We're going to want spamassassin for spam filtering and clamav for virus filtering. Install them.<br />
<br />
ph34r# '''cd /usr/ports/security/clamav && make install clean'''<br />
<br />
once that's done...<br />
<br />
ph34r# '''cd /usr/ports/mail/p5-Mail-SpamAssassin && make install clean'''<br />
<br />
and now, to allow them each to actually start up...<br />
<br />
ph34r# '''echo clamav_clamd_enable=YES >> /etc/rc.conf'''<br />
ph34r# '''echo clamav_freshclam_enable=YES >> /etc/rc.conf'''<br />
ph34r# '''echo spamd_enable=YES >> /etc/rc.conf'''<br />
<br />
Fire them up - '''/usr/local/etc/rc.d/clamav-clamd.sh start && /usr/local/etc/rc.d/clamav-freshclam.sh start && /usr/local/etc/rc.d/spamd.sh start''' - and make sure they're running. '''ps waux | grep clam''' should show you a freshclam process and a clamd process, and '''ps waux | grep spam''' should show you a spamd process.<br />
<br />
Now it's time to install Qsheff. Qsheff is a wrapper for Qmail's queuing program, qmail-queue. It's stone axe simple - no environment variable messiness to get stepped on, it simply moves qmail-queue to qmail.orig, puts a symlink to itself where qmail-queue used to be, and then gives the message to the "real" qmail-queue after it's done. So let's install it.<br />
<br />
ph34r# '''cd /usr/ports/mail/qsheff && make install clean'''<br />
<br />
After the port is installed, it will give you a message telling you it isn't ''really'' installed yet: first you need to run a shell script to actually replace the original qmail-queue. This is true, but before that we'll need to kill off all tcpserver and qmail processes.<br />
<br />
ph34r# '''killall tcpserver'''<br />
ph34r# '''/usr/local/etc/rc.d/qmail.sh stop'''<br />
ph34r# '''/usr/local/etc/qsheff/install-wrapper.sh'''<br />
* Moving qmail-queue to /var/qmail/bin/qmail-queue.orig... <br />
* Creating qmail-queue link to /var/qmail/bin/qmail-qsheff... <br />
<br />
! Don't forget to start qmail-send and qmail-smtpd.<br />
<br />
Before we actually restart our qmail processes, let's go ahead and get qsheff configured the way we want it.<br />
<br />
In its default configuration, qsheff gives you virus filtering via clamav, but no spam filtering - qsheff doesn't support that natively; you have to add your own script to handle that. Which is exactly what we're going to do. First, we'll need the port '''safecat''' to let us easily deliver mail to a maildir of our choice, so we install that.<br />
<br />
ph34r# '''cd /usr/ports/sysutils/safecat && make install clean''' <br />
<br />
then create this script as '''/usr/local/bin/maildump.pl''':<br />
<br />
#!/usr/bin/perl<br />
use strict;<br />
use warnings;<br />
<br />
############################################################################################<br />
# maildump.pl - this script needs the safecat package, and is primarily intended for use<br />
# as a spamassassin / clamav wrapper for use with the qsheff QMAIL-QUEUE wrapper.<br />
#<br />
# In this configuration it will save a copy of spam or virus messages if the appropriate<br />
# config variables are set, or save a copy of EVERYTHING if $quarantine_all is set, and it<br />
# will SMTP 554 reject any messages $antispam_agent or $antivirus_agent gives non-zero<br />
# exit codes for, BEFORE the originating SMTP connection is dropped - meaning true<br />
# positives won't generate bounces that harm innocent bystanders (at least not from YOUR<br />
# server, though the originating spam gateway may not be as nice) and any false positives<br />
# WILL get immediate notification that their mail was not delivered.<br />
#<br />
# (c) 2006-02-16 JRS Systems. All rights reserved under BSD license. You may use this<br />
# script freely for any purpose commercial or noncommercial<br />
# as long as this notice remains intact.<br />
############################################################################################<br />
<br />
# IMPORTANT: $ServerName must match the contents of /var/qmail/control/me!<br />
# (Hardcoded instead of dynamically read for efficiency concerns.)<br />
#<br />
my $ServerName = 'mail01.advantex.net';<br />
<br />
my $quarantine_spam  = 1;<br />
my $quarantine_virus = 1;<br />
<br />
# This setting saves copies of EVERYTHING in the quarantine directory - spam, viruses, and<br />
# perfectly good mail alike. Some sysadmins like to store copies of everything that crosses<br />
# their server for a few days this way in order to bail users out of "omg I deleted it, can<br />
# you get it back for me?" type incidents.<br />
<br />
my $quarantine_all = 0;<br />
<br />
my $antivirus_agent = "/usr/local/bin/clamdscan --quiet";<br />
my $antispam_agent  = "/usr/local/bin/spamc -E";<br />
my $delivery_agent  = "/usr/local/bin/maildir";<br />
<br />
my $quarantine_dir = "/usr/local/vpopmail/domains/YOUR_DOMAIN/YOUR_MAILBOX_NAME/Maildir/.INBOX.quarantine";<br />
<br />
#################################################################################################<br />
# END CONFIGURATION VARIABLE SECTION ############################################################<br />
#################################################################################################<br />
<br />
# qsheff creates a temporary directory with the originating email split into several files<br />
# stored in the order of their occurrence in the full message. All these files concatenated<br />
# = the original email. This script is run from inside that directory, so it refers to the<br />
# files by relative path.<br />
#<br />
my $email_files = '_headers_ textfile*';<br />
<br />
# Make the message directory readable, so that clamd (which runs as its own user) can scan it.<br />
print `chmod -R 755 ..`;<br />
<br />
# Spamc is the client half of the client/server implementation of SpamAssassin, and the -E<br />
# argument instructs it to mangle up the message if it flags positive while also giving you<br />
# a non-zero exit code on its way out if it flags positive.<br />
#<br />
# /usr/local/bin/maildir is an executable installed with the safecat package which simply<br />
# delivers an email to a maildir. You want to point it to the directory containing the<br />
# cur, new, and tmp directories, NOT straight to maildir/new.<br />
#<br />
# If you choose, you can have maildump.pl deliver quarantined mails to an<br />
# actual retrievable-with-a-mail-client maildir. Note that while that's convenient,<br />
# it does mean you're potentially exposing every single email you quarantine - or every<br />
# single mail, PERIOD, if you set $quarantine_all - to the internet behind the dubious<br />
# protection of a single accountname and password. Think carefully - if you aren't<br />
# SURE you want to do that, pick a location that ISN'T accessible directly to vpopmail<br />
# or whatever else you may have handling user accounts.<br />
#<br />
<br />
# We don't want to do spamassassin scanning on authenticated outbound messages. The second<br />
# regex additionally requires two "@" signs in the field after the HELO, which is how the<br />
# authenticated login (user@domain) followed by the client IP shows up in the Received:<br />
# header that qmail-smtpd writes.<br />
my $ourReceivedRegex  = '^\s*Received:\s*from\s*.*\s*(HELO .*)\s*(.*)\s*by\s*' . $ServerName;<br />
my $authReceivedRegex = '^\s*Received:\s*from\s*.*\s*(HELO .*)\s*(.*\@.*@.*)\s*by\s*' . $ServerName;<br />
<br />
my @headers = `cat _headers_`;<br />
<br />
# Only the first Received: line our own server wrote counts; anything below it arrived with<br />
# the message and could have been written by the sender.<br />
my $auth = 0;<br />
my $stop = 0;<br />
foreach my $line (@headers) {<br />
    if ($line =~ /$ourReceivedRegex/i && $stop == 0) {<br />
        $auth = ($line =~ /$authReceivedRegex/i) ? 1 : 0;<br />
        $stop = 1;<br />
    }<br />
}<br />
<br />
# The special variable $? captures the exit status of the last command run in backticks - in<br />
# this case, the status $antispam_agent finished with. Perl keeps the real exit code in the<br />
# high byte of $?, so we shift it back down 8 bits to get the value the agent exited with.<br />
<br />
my @in;<br />
my $spam_found;<br />
if (!$auth) {<br />
    @in = `cat $email_files | $antispam_agent`;<br />
    $spam_found = ($? >> 8);<br />
} else {<br />
    @in = `cat $email_files`;<br />
    $spam_found = 0;<br />
}<br />
<br />
# Now time for anti-virus scanning. clamdscan gets no file argument, so it scans the<br />
# working directory holding the message files.<br />
<br />
print `$antivirus_agent`;<br />
my $virus_found = ($? >> 8);<br />
<br />
if ( $quarantine_all != 0<br />
     || ($quarantine_spam != 0 && $spam_found != 0)<br />
     || ($quarantine_virus != 0 && $virus_found != 0) ) {<br />
    if (open(my $fh, '|-', "$delivery_agent $quarantine_dir")) {<br />
        foreach my $line (@in) {<br />
            print $fh $line;<br />
        }<br />
        close($fh);<br />
    } else {<br />
        # A broken quarantine must not change the verdict on the mail itself.<br />
        warn "maildump.pl: cannot run $delivery_agent: $!\n";<br />
    }<br />
}<br />
<br />
# Pass along an exit code telling qsheff whether mail is clean. You may need or want to write<br />
# your own logic routine to deliver your own specific exit code instead of simply passing along<br />
# a plain boolean true or false to signify clean or dirty mail.<br />
#<br />
# qsheff will cause qmail to SMTP 554 reject the mail if you pass it anything other than a zero<br />
# here.<br />
<br />
my $exit_code = ($spam_found != 0 || $virus_found != 0) ? 1 : 0;<br />
<br />
exit $exit_code;<br />
<br />
Once you've done that, you'll need to set the following variables in /usr/local/etc/qsheff/qsheff.conf:<br />
<br />
enable_filter_prog=1<br />
filter_prog=/usr/local/bin/maildump.pl <br />
blackhole_enable=1<br />
<br />
These variables tell Qsheff that you're using an external filtering agent, that it's located at /usr/local/bin/maildump.pl (the script we just created), and that you don't want Qsheff to emit useless bounce messages to innocent third parties when it encounters spam or viruses. Now three more variables in qsheff.conf:<br />
<br />
enable_virus_prog=0 <br />
enable_body_filter=0<br />
enable_subject_filter=0<br />
<br />
These tell it not to use its native clamav filtering (we'll be handling that in maildump.pl), and not to use its own native spam filtering mechanism, since we'll be handling that using spamassassin (also in maildump.pl). NOTE: if you ''don't'' disable body_filter and subject_filter, you will not get quarantine copies of any messages that trigger them!<br />
<br />
Now for a little configuration within maildump.pl itself - did you notice the configuration variable for $quarantine_dir? Set that to be wherever you want to save copies of "bad" mail. Read the comments around it - you can choose a "working" maildir which is accessible to mail clients, or you may choose a hidden one that you have to get at from the shell, or rsync, or ftp, or what have you. That's your decision. <br />
<br />
If you specified a $quarantine_dir that does not exist yet, you'll need to create it now. If you chose to quarantine mail to a vpopmail-accessible area, first browse to your vQadmin and Qmailadmin pages to create the domain and the user account that the quarantined stuff will go in, if they don't already exist. Then you can use /var/qmail/bin/maildirmake to create an IMAP (or Sqwebmail) accessible folder underneath that, if you don't want that account to be nothing but the quarantine:<br />
<br />
ph34r# '''/var/qmail/bin/maildirmake /usr/local/vpopmail/domains/mydomain/myname/Maildir/.INBOX.quarantine'''<br />
<br />
This would cause an IMAP/Sqwebmail-accessible folder named "quarantine" to be created in the account of myname@mydomain.<br />
<br />
Now there's the question of ''what'', exactly, we want to quarantine. You can individually choose whether to save copies of spam, viruses, or even ALL mail (virus, spam, and perfectly good mail alike) in $quarantine_dir by appropriately setting the $quarantine_spam, $quarantine_virus, and $quarantine_all variables. (By default, $quarantine_spam and $quarantine_virus are set - causing both spam and viruses to be quarantined - but $quarantine_all is not.) Note that if you do enable $quarantine_all, good mail does still get delivered where it's supposed to go - maildump just delivers an extra ''copy'' of it to the quarantine directory.<br />
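The two decisions maildump.pl makes - is this an authenticated submission that should skip the spam scan, and what do the scan results mean for quarantining and rejection - are easier to test outside the qsheff wrapper. The following Python port is an added example, not code from the article or from qsheff; the server name and the Received: headers are constructed (they follow the "from host (HELO name) (info@ip)" line that qmail-smtpd writes, with the authenticated login carrying the second "@"). One deliberate difference from the Perl script: qmail-smtpd folds its Received: line before "by", so this version unfolds continuation lines before matching, whereas the article's loop tests each physical line on its own; check which form your qmail produces.<br />
<br />
```python
"""Python model of maildump.pl's two decisions: skip the spam scan for authenticated
submissions, and turn scan results into a quarantine decision and an exit code."""
import re

SERVER_NAME = "mail.example.test"  # assumed value; must equal /var/qmail/control/me

# Constructed sample headers (not captured from any real server).
AUTH_HEADERS = (
    "Received: from unknown (HELO laptop) (alice@example.test@198.51.100.7)\n"
    "  by mail.example.test with SMTP; 16 Feb 2006 12:00:00 -0000\n"
    "From: alice@example.test\n"
    "Subject: outbound from a laptop\n"
)
UNAUTH_HEADERS = (
    "Received: from unknown (HELO mx9) (203.0.113.9)\n"
    "  by mail.example.test with SMTP; 16 Feb 2006 12:01:00 -0000\n"
    "From: someone@example.org\n"
    "Subject: inbound from the internet\n"
)
# The sender supplied its own "authenticated" looking Received: line. Our server's line is
# prepended above it, so only the topmost match may be trusted.
FORGED_HEADERS = UNAUTH_HEADERS + (
    "Received: from unknown (HELO laptop) (alice@example.test@203.0.113.9)\n"
    "  by mail.example.test with SMTP; 16 Feb 2006 11:59:00 -0000\n"
)


def unfold(raw_headers):
    """Join RFC 5322 continuation lines so each header is one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw_headers).splitlines()


def our_received(raw_headers, server_name):
    """Return the info field of the first Received: line written by our own server,
    or None if there is none. Only the first match counts: later lines arrived with
    the message and are under the sender's control."""
    pat = re.compile(
        r"^Received:\s*from\s+\S+\s*\(HELO [^)]*\)\s*\(([^)]*)\)\s*by\s+"
        + re.escape(server_name) + r"\b",
        re.IGNORECASE,
    )
    for line in unfold(raw_headers):
        m = pat.match(line)
        if m:
            return m.group(1)
    return None


def is_authenticated(raw_headers, server_name):
    """True when our server recorded an SMTP AUTH login (login@domain@ip) for this message."""
    info = our_received(raw_headers, server_name)
    return info is not None and info.count("@") >= 2


def decide(spam_found, virus_found, quarantine_spam=True, quarantine_virus=True,
           quarantine_all=False):
    """Return (quarantine_copy, exit_code) the way maildump.pl computes them: a copy goes
    to the quarantine maildir when the matching switch is on, and a nonzero exit code
    makes qsheff 554-reject the message while the SMTP session is still open."""
    quarantine_copy = (quarantine_all
                       or (quarantine_spam and spam_found)
                       or (quarantine_virus and virus_found))
    exit_code = 1 if (spam_found or virus_found) else 0
    return bool(quarantine_copy), exit_code


if __name__ == "__main__":
    for label, hdrs in (("auth", AUTH_HEADERS), ("unauth", UNAUTH_HEADERS),
                        ("forged", FORGED_HEADERS)):
        print(label, "authenticated:", is_authenticated(hdrs, SERVER_NAME))
    print("spam, default switches ->", decide(spam_found=True, virus_found=False))
    print("clean, quarantine_all  ->", decide(False, False, quarantine_all=True))
```
<br />
The forged case is the one worth keeping in a test suite: because the decision is taken from the topmost Received: line your own server added, a sender who pastes an "authenticated" Received: line into their message still gets scanned.<br />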
<br />
Now we'll need to make sure that our quarantine directory doesn't consume the whole hard drive. One way to do this is to set up a [[crontab]] or /[[etc/periodic]] script to clean out older stuff once per day. If you want to use /[[etc/periodic]] to handle purges automatically for you, create a new file called /[[etc/periodic]]/daily/900.purge_quarantine:<br />
<br />
#!/bin/sh<br />
# Purge quarantined messages older than 30 days. find gets the full path, so a missing<br />
# directory produces an error instead of deleting from whatever the current directory is.<br />
QDIR=/usr/local/vpopmail/domains/mydomain/myname/Maildir/.INBOX.quarantine<br />
for sub in new cur tmp; do<br />
    find "$QDIR/$sub" -type f -ctime +30 -delete<br />
done<br />
<br />
This will cause the server to go rooting through the quarantine folders once per day and get rid of everything in there that's more than 30 days old. NOTE: base how many days it looks back on how much traffic you're expecting to catch in here - if you set $quarantine_all, remember that this directory may grow VERY RAPIDLY, and you may want to purge things at 15 or even 7 days instead of 30!<br />
<br />
== Testing SMTP, IMAP, and POP3 via Telnet ==<br />
<br />
As our first step in testing the server's basic functions, we'll want to test the tcpserver / Qmail combo by simulating some incoming traffic - which will also then give us an email to check for the presence of in our IMAP and POP3 tests later.<br />
<br />
First, since we killed off the tcpserver and qmail processes to install qsheff, we'll need to start them back up:<br />
<br />
ph34r# '''/usr/local/etc/rc.d/qmail.sh start'''<br />
ph34r# '''/usr/local/etc/rc.d/tcpserver.sh start'''<br />
<br />
Now we can use [[telnet]] to interact directly with the server and make sure it's doing what it's supposed to do:<br />
<br />
ph34r# '''telnet localhost 25'''<br />
Trying 127.0.0.1...<br />
Connected to localhost.localdomain.<br />
Escape character is '^]'.<br />
220 ESMTP<br />
'''HELO justtesting'''<br />
250<br />
'''MAIL FROM: me@telnettingin.com'''<br />
250 ok<br />
'''RCPT TO: postmaster@mail.getsdeliveredhere.net'''<br />
250 ok<br />
'''DATA'''<br />
354 go ahead<br />
'''To: postmaster@mail.getsdeliveredhere.net'''<br />
'''From: telnetclient@mail.getsdeliveredhere.net'''<br />
'''Subject: this is a test message'''<br />
'''Just testing SMTP functionality by telnetting in to port 25. I'll end this message now'''<br />
'''by entering in a line with nothing but a period in it and hitting return.'''<br />
'''.'''<br />
250 ok 1103093638 qp 87827<br />
'''QUIT'''<br />
221<br />
Connection closed by foreign host.<br />
<br />
Okay - our server just accepted a telnet connection, responded like a mailserver, and accepted a nice little test email to the postmaster account at the domain we set up earlier. Now let's make sure that we can see that email using the IMAP protocol:<br />
<br />
ph34r# '''telnet localhost 143'''<br />
Trying 127.0.0.1...<br />
Connected to localhost.localdomain.<br />
Escape character is '^]'.<br />
* OK dovecot ready.<br />
'''A LOGIN postmaster@mail.getsdeliveredhere.net thisismypassword'''<br />
A OK logged in.<br />
'''A SELECT inbox'''<br />
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)<br />
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.<br />
* 1 EXISTS<br />
* 1 RECENT<br />
* OK [UIDVALIDITY 1103088195] UIDs valid<br />
* OK [UIDNEXT 1] Predicted next UID<br />
A OK [READ-WRITE] Select completed.<br />
'''A LOGOUT'''<br />
* BYE Logging out<br />
A OK Logout completed.<br />
Connection closed by foreign host.<br />
<br />
Great! By using telnet, we've just verified on a very direct level that our IMAP server answers incoming connections, successfully authenticates users, ''and'' successfully opens their inboxes - see the '''* 1 EXISTS''' and '''* 1 RECENT''' lines? That's the email we telnetted in earlier. So, if we have any problems trying to set up IMAP accounts on actual clients later, now we know that they're client problems or network problems - not server configuration problems. Verifying these things ahead of time will make your life MUCH easier.<br />
<br />
Now let's test POP3 (assuming you want to allow clients to use POP3 as well):<br />
<br />
ph34r# '''telnet localhost 110'''<br />
Trying 127.0.0.1...<br />
Connected to localhost.localdomain.<br />
Escape character is '^]'.<br />
+OK dovecot ready.<br />
'''USER postmaster@mail.getsdeliveredhere.net'''<br />
+OK<br />
'''PASS thisismypassword'''<br />
+OK Logged in.<br />
'''LIST'''<br />
+OK 1 messages:<br />
1 354<br />
.<br />
'''QUIT'''<br />
+OK Logging out.<br />
Connection closed by foreign host.<br />
<br />
Tested, confirmed, and good to go!<br />
<br />
== Configuring Email Clients ==<br />
<br />
Well, we're all done now - we've got a fully functioning mailserver that can handle sending and receiving mail, authenticated SMTP (with and without TLS encryption), webmail, virtual domains, delegation of administration by domain and by individual mailbox, IMAP storage, POP3 for people who can't use IMAP, spam filtering by RBL, and more. Once you've set up your domains and your user accounts (and don't forget that for every domain you set up, you will also need DNS ''pointing'' the mail services for that domain to this server, which isn't covered in this article), the only thing left is configuring your clients. Here are a few basic bullets to help you with common SNAFUs with that:<br />
<br />
* remember to set the "username" as mailbox@domainname.tld, ''not'' just "mailbox"<br />
* remember that in order to ''send'' email, the client either has to be on the network named in /etc/tcp.smtp (actually in the compiled version, /etc/tcp.smtp.cdb) or has to login using Authenticated SMTP<br />
* remember that if you expect the client machine to be able to connect reliably from foreign networks, you should configure it to connect to your SMTP server on a nonstandard port<br />
* remember that if you're using a self-signed certificate, you will get security warnings from some clients if you use TLS encryption, and some other clients (notably Microsoft Outlook) will refuse to connect at all using TLS encryption if your certificate is self-signed<br />
<br />
And that's pretty much it - enjoy!<br />
<br />
== See also ==<br />
<br />
http://www.mail-toaster.com/<br />
<br />
http://freebsd.qmailrocks.org/<br />
<br />
http://qmail.org<br />
<br />
http://lifewithqmail.org<br />
<br />
[[Category:Common Tasks]]<br />
[[Category:Qmail]]</div>Davehttp://www.freebsdwiki.net/index.php/ProcProc2007-10-28T01:16:05Z<p>Dave: Reverted edits by 75.16.213.37 (Talk); changed back to last version by 84.171.99.198</p>
<hr />
<div>In Linux, you can use /proc to see various bits of kernel and system info. In FreeBSD, the equivalent is [[sysctl]]. Linux also has sysctl, but its usefulness is nowhere near that of FreeBSD's sysctl. FreeBSD versions prior to 5.0 had a working /proc implementation. However, several serious security issues were discovered and it was decided to move away from /proc. The replacement is [[sysctl]].<br />
<br />
FreeBSD 5.x still has a mountable /proc system, and it is still used for certain debugging programs, including truss. FreeBSD 6.x has moved away from /proc completely, and you need to jump through several hoops in order to get it mounted. No tools included with FreeBSD actually use it for anything, though. FreeBSD 7.x will probably be the first release without any trace of /proc.<br />
<br />
[[Category : Linux Equivalents]]</div>Davehttp://www.freebsdwiki.net/index.php/Talk:SSH,_limiting_to_SCP_or_Rsync_onlyTalk:SSH, limiting to SCP or Rsync only2007-10-22T17:41:23Z<p>Dave: just guessing, really</p>
<hr />
<div>==just btw==<br />
# gcc scpsftprsynconly.c -o /usr/local/bin/scpsftprsynconly<br />
scpsftprsynconly.c: In function ‘main’:<br />
scpsftprsynconly.c:48: error: expected ‘)’ at end of input<br />
scpsftprsynconly.c:48: error: expected declaration or statement at end of input<br />
# <br />
<br />
<br />
tried running this on a centos box and this is what I'm getting. dubl-U Tee Eff Mmm8.<br />
<br />
--[[User:Dave|Dave]] 12:25, 22 October 2007 (EDT)<br />
<br />
== just guessing, really ==<br />
<br />
since I don't know shit, but I added a } before the #ifdef DEBUG section and now I'm getting:<br />
<br />
[root@web ~]# gcc scpsftprsynconly.c -o /usr/local/bin/scpsftprsynconly<br />
scpsftprsynconly.c:45: error: expected identifier or ‘(’ before ‘if’<br />
scpsftprsynconly.c:49: error: expected identifier or ‘(’ before ‘if’<br />
[root@web ~]# <br />
<br />
which is in the first lines of <br />
if (argc < 3) {<br />
printf (restrictmsg);<br />
return 1;<br />
}<br />
if ((strncmp (argv [2], "scp ", 4) != 0)<br />
<br />
wha?<br />
<br />
--[[User:Dave|Dave]] 13:41, 22 October 2007 (EDT)</div>Davehttp://www.freebsdwiki.net/index.php/Talk:SSH,_limiting_to_SCP_or_Rsync_onlyTalk:SSH, limiting to SCP or Rsync only2007-10-22T16:25:19Z<p>Dave: </p>
<hr />
<div>==just btw==<br />
# gcc scpsftprsynconly.c -o /usr/local/bin/scpsftprsynconly<br />
scpsftprsynconly.c: In function ‘main’:<br />
scpsftprsynconly.c:48: error: expected ‘)’ at end of input<br />
scpsftprsynconly.c:48: error: expected declaration or statement at end of input<br />
# <br />
<br />
<br />
tried running this on a centos box and this is what I'm getting. dubl-U Tee Eff Mmm8.<br />
<br />
--[[User:Dave|Dave]] 12:25, 22 October 2007 (EDT)</div>Davehttp://www.freebsdwiki.net/index.php/Talk:Network_Configuration_(Advanced)Talk:Network Configuration (Advanced)2007-09-16T17:43:14Z<p>Dave: vpn'ing and routes</p>
<hr />
<div>The use of static routing is one of the cleverest networking configuration tricks I have learned despite it being difficult to find information on how to do it on the internet. Therefore I thought I would right it up with a rather detailed example with which to explain how to utilise it. I invite anyone to help on re-working it if they feel the topic could be explained better!<br />
<br />
== IP 80.73.220.216 ==<br />
<br />
Not sure why but my userid [[User:DrModiford]] has been replaced by my internet IP. So it's me in case you're wondering!<br />
<br />
== some thoughts on this ==<br />
<br />
ip/name: it's because you're not logged in.<br />
<br />
dismissing subnetting with "and so on" is a disservice cos it's more complex than that, but I don't really see an easy way to explain it and not glaze people's eyes over. other than that small quibble (which I really don't know what to suggest to change, i'm just pointing it out), I would say excellent article, might want to mention VPNs in there somewhere (as static routes are used a lot in site-to-site VPN'ing (especially IPSec, although Jimbo prefers SSL/openSSL tunnels, they're the de facto standard...)<br />
<br />
--[[User:Dave|Dave]] 18:14, 15 September 2007 (EDT)<br />
<br />
== yup, you just need to log in ==<br />
<br />
anonymous edits are allowed, so you still get to contribute if you forget to log in but your name won't go on it. which kinda sucks for me 'cause I see 14+ edits from an IP address and think I'm gonna have to dig into the anti-spam again. =) Great article though, and I ESPECIALLY like the way you thought to work in the "defaultrouter" option explanation in rc.conf - that was one thing I remember knowing damn well what it was and what I wanted to set it to but having trouble figuring out HOW when I was first starting out. =) --[[User:Jimbo|Jimbo]] 18:23, 15 September 2007 (EDT)<br />
<br />
== another suggestion ==<br />
<br />
consider adding a section on using [[route]] to check your current routes and change them (e.g., route add, route del etc etc). I would do it but uh, <s>I'm lazy. </s>you've done such great work already that I don't want to step on your toes.<br />
<br />
--[[User:Dave|Dave]] 20:11, 15 September 2007 (EDT)<br />
<br />
== Thanks for the feedback ==<br />
<br />
Thanks guys, much appreciated feedback! I had logged in but I guess the cookie or what-ever had lapsed and I became a number (much like in real life I guess!).<br />
<br />
The 'route' command is a good suggestion. Give me a chance to try the command on my FreeBSD box in the office (a Wikipedia server itself) and I'll write up some notes on it.<br />
<br />
The VPN option is a valid point. We use CheckPoint Secure Firewall for that purpose (and it's to Hong Kong not Cayman Islands as per my example, but the rest of it is valid). I only have personal experience of this system and personally using SmoothWall. That's not to say I wouldn't be willing to write it up with some pointers but I have minimal foundation of tunneling using SSH/SSL. To me SSH is wrapped in PuTTY and is how I console to my boxes!<br />
<br />
Jimbo, you say that anonymous edits are permitted. Is this intended to allow anyone to contribute? I think most people who are serious at contributing wouldn't take issue at having to sign-up and sign-in to do so - perhaps that's me personally. What do other contributors think?<br />
<br />
== the thing about requiring logins... ==<br />
<br />
... is that it doesn't actually slow down the spammers: in fact what it does is encourage them to register several hundred accounts as rapidly as possible, at which point you are acquiring several hundred trash accounts per day as well as a couple hundred spam edits a day. (My countermeasures have blocked about 3000 spam edits so far this month.) And while reverting spam edits (that get through the defenses) is relatively easy, deleting trash accounts is a screaming PAIN. You actually have to do it from the mysql console itself; mediawiki has zero provision built in for deleting user accounts (and "banning" user accounts just means in a matter of months you have a couple hundred real user accounts buried in THOUSANDS of banned "accounts" and plenty more random-generated trash names coming in every day).<br />
<br />
Also, you'd be surprised how often an anonymous will ''revert'' a spam, if you let them. Or just make a tiny little one or two word fix. Not only are those edits worthwhile in and of themselves, I think they encourage that same person to feel like they've done something valuable, and ''then'' come back and register and contribute more regularly. I know that's how Wikipedia itself got me. --[[User:Jimbo|Jimbo]] 12:34, 16 September 2007 (EDT)<br />
<br />
== and incidentally, check out the OpenVPN article =) ==<br />
<br />
You might find it pretty interesting. With OpenVPN and a very little work, you can duplicate or even improve upon the setup you're describing in your article with a single server in each office and a single internet link in each office. Which may or may not be something your company needs or wants, but it's a pretty sweet capability to have for next to nothing anyway - internet links are DRASTICALLY less expensive than WAN links! =) --[[User:Jimbo|Jimbo]] 12:37, 16 September 2007 (EDT)<br />
<br />
== vpn'ing and routes ==<br />
<br />
generally you'll find one of two setups: a firewall/vpn system that does it all OR a firewall and a separate VPN system (usually in a DMZ outside the FW) that allows folks in. in the first scenario, you don't need routing -- the FW is your gateway of last resort anyway, and all your traffic goes there no matter what, so who cares? -- but in the 2nd scenario, you only want your VPN traffic going to the vpn server and if it winds up at your FW, it's just gonna sit there doing nothing useful except annoying users and you. hence, routes on your FW for VPNs.<br />
<br />
--[[User:Dave|Dave]] 13:43, 16 September 2007 (EDT)</div>Davehttp://www.freebsdwiki.net/index.php/Talk:Network_Configuration_(Advanced)Talk:Network Configuration (Advanced)2007-09-16T00:11:53Z<p>Dave: another suggestion</p>
<hr />
<div>The use of static routing is one of the cleverest networking configuration tricks I have learned despite it being difficult to find information on how to do it on the internet. Therefore I thought I would write it up with a rather detailed example with which to explain how to utilise it. I invite anyone to help on re-working it if they feel the topic could be explained better!<br />
<br />
== IP 80.73.220.216 ==<br />
<br />
Not sure why but my userid [[User:DrModiford]] has been replaced by my internet IP. So it's me in case you're wondering!<br />
<br />
== some thoughts on this ==<br />
<br />
ip/name: it's because you're not logged in.<br />
<br />
dismissing subnetting with "and so on" is a disservice cos it's more complex than that, but I don't really see an easy way to explain it and not glaze people's eyes over. other than that small quibble (which I really don't know what to suggest to change, I'm just pointing it out), I would say excellent article, might want to mention VPNs in there somewhere (as static routes are used a lot in site-to-site VPN'ing (especially IPSec, although Jimbo prefers SSL/openSSL tunnels, they're the de facto standard...))<br />
<br />
--[[User:Dave|Dave]] 18:14, 15 September 2007 (EDT)<br />
<br />
== yup, you just need to log in ==<br />
<br />
anonymous edits are allowed, so you still get to contribute if you forget to log in but your name won't go on it. which kinda sucks for me 'cause I see 14+ edits from an IP address and think I'm gonna have to dig into the anti-spam again. =) Great article though, and I ESPECIALLY like the way you thought to work in the "defaultrouter" option explanation in rc.conf - that was one thing I remember knowing damn well what it was and what I wanted to set it to but having trouble figuring out HOW when I was first starting out. =) --[[User:Jimbo|Jimbo]] 18:23, 15 September 2007 (EDT)<br />
<br />
== another suggestion ==<br />
<br />
consider adding a section on using [[route]] to check your current routes and change them (e.g., route add, route del etc etc). I would do it but uh, <s>I'm lazy. </s>you've done such great work already that I don't want to step on your toes.<br />
<br />
--[[User:Dave|Dave]] 20:11, 15 September 2007 (EDT)</div>Davehttp://www.freebsdwiki.net/index.php/Talk:Network_Configuration_(Advanced)Talk:Network Configuration (Advanced)2007-09-15T22:19:25Z<p>Dave: just btw</p>
<hr />
<div>The use of static routing is one of the cleverest networking configuration tricks I have learned despite it being difficult to find information on how to do it on the internet. Therefore I thought I would write it up with a rather detailed example with which to explain how to utilise it. I invite anyone to help on re-working it if they feel the topic could be explained better!<br />
<br />
== IP 80.73.220.216 ==<br />
<br />
Not sure why but my userid [[User:DrModiford]] has been replaced by my internet IP. So it's me in case you're wondering!<br />
<br />
== some thoughts on this ==<br />
<br />
ip/name: it's because you're not logged in.<br />
<br />
dismissing subnetting with "and so on" is a disservice cos it's more complex than that, but I don't really see an easy way to explain it and not glaze people's eyes over. other than that small quibble (which I really don't know what to suggest to change, I'm just pointing it out), I would say excellent article, might want to mention VPNs in there somewhere (as static routes are used a lot in site-to-site VPN'ing (especially IPSec, although Jimbo prefers SSL/openSSL tunnels, they're the de facto standard...))<br />
<br />
--[[User:Dave|Dave]] 18:14, 15 September 2007 (EDT)</div>Davehttp://www.freebsdwiki.net/index.php/Talk:Network_Configuration_(Advanced)Talk:Network Configuration (Advanced)2007-09-15T22:14:40Z<p>Dave: ip/name</p>
<hr />
<div>The use of static routing is one of the cleverest networking configuration tricks I have learned despite it being difficult to find information on how to do it on the internet. Therefore I thought I would write it up with a rather detailed example with which to explain how to utilise it. I invite anyone to help on re-working it if they feel the topic could be explained better!<br />
<br />
== IP 80.73.220.216 ==<br />
<br />
Not sure why but my userid [[User:DrModiford]] has been replaced by my internet IP. So it's me in case you're wondering!<br />
<br />
== ip/name ==<br />
<br />
it's because you're not logged in.<br />
<br />
--[[User:Dave|Dave]] 18:14, 15 September 2007 (EDT)</div>Davehttp://www.freebsdwiki.net/index.php/Talk:MboxTalk:Mbox2007-09-02T03:43:22Z<p>Dave: Reverted edits by 204.39.95.9 (Talk); changed back to last version by Jimbo</p>
<hr />
<div>Sorry about deleting your "concatenate" thing, Dave. On checking the man page for cat, I see I was wrong about what "cat" is short for in a unixlike system (damn my 8-bit Apple ][ origins!) But I still don't like linking the word concatenate in this article to a redirect to cat. I don't see how it was in any way helpful to the topic of mboxes; more of a red herring. --[[User:Jimbo|Jimbo]] 13:41, 15 Sep 2004 (GMT)<br />
<br />
----<br />
----<br />
<br />
== np ==<br />
<br />
really i just wanted to create a page for [[cat]] and that seemed like a good place to do it. <br />
<br />
-d.</div>Davehttp://www.freebsdwiki.net/index.php/OpenVPNOpenVPN2007-09-02T01:59:24Z<p>Dave: Reverted edits by 204.39.95.9 (Talk); changed back to last version by Jimbo</p>
<hr />
<div>[http://openvpn.sourceforge.net OpenVPN] is a very useful open source, cross-platform Virtual Private Networking tool. It uses SSL encryption (dynamic keys or a 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as much more secure compared to typical industry standard IPSEC + DES or IPSEC + 3DES solutions. Better yet, it's so simple it can be run entirely from the command line.<br />
<br />
==Installing==<br />
To build it on a FreeBSD machine, just:<br />
<br />
cd /usr/ports/security/openvpn<br />
make install clean<br />
<br />
it's that easy. Actually doing anything with it will require a little more work. There are many MANY ways to do this, but this one's useful, simple, and clean.<br />
<br />
First, generate yourself a private key file and '''chmod''' it so that only its owner can read it:<br />
<br />
ph34r# '''openvpn --genkey --secret /usr/local/etc/openvpn.key'''<br />
ph34r# '''chmod 400 /usr/local/etc/openvpn.key'''<br />
<br />
==Starting OpenVPN==<br />
Now you'll need a command to start it with. It can be done purely from the command line - and in fact, in one sense, that's exactly what we're going to do - but to make our lives a little easier, we'll ''actually'' use command line stuff from a shell script in '''/usr/local/etc/rc.d'''. So place this - or something similar - in your '''/usr/local/etc/rc.d''':<br />
<br />
#!/bin/sh<br />
<br />
case "$1" in<br />
start)<br />
# VPN subnets are contained in 10.10.x.x / 255.255.0.0<br />
# port range forwarded through the router is 4900-4982 <br />
<br />
# first make sure the TAP module is loaded<br />
kldload if_tap <br />
<br />
# now ensure IP forwarding is enabled<br />
/sbin/sysctl -w net.inet.ip.forwarding=1<br />
<br />
# Now, make sure there are enough tun* / tap* devices in /dev<br />
cd /dev<br />
/bin/sh MAKEDEV tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9<br />
<br />
# Finally, open up for business.<br />
# A tunnel numbered [x] is configured as follows:<br />
# device tap[x], port (4900 + [x]), network 10.10.(10 + [x]).0 / 255.255.255.252<br />
# Client machine is always .2, server is always .1<br />
<br />
# note - ping-restart on server end with disconnected clients<br />
# seems to be the problem resulting in exhausted mbufs. Trying<br />
# ping-restart on client end only and hoping for the best.<br />
<br />
# 0. Server side - dynamic VPN<br />
/usr/local/sbin/openvpn \<br />
--dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \<br />
--tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \<br />
--secret /usr/local/etc/openvpn.key --ping 1 &<br />
<br />
# # 1a. Client side - persistent VPN<br />
# /usr/local/sbin/openvpn \<br />
# --dev tap1 \<br />
# --remote ''ip_or_hostname.to.connect.to'' \<br />
# --secret /usr/local/etc/openvpn.key \<br />
# --key-method 2 \<br />
# --port 4901 \<br />
# --ifconfig 10.10.11.2 255.255.255.252 \<br />
# --route 192.168.1.0 255.255.255.0 10.10.11.1 \<br />
# --tun-mtu 1500 --tun-mtu-extra 32 \<br />
# --fragment 1300 --mssfix \<br />
# --persist-tun --persist-key --resolv-retry 86400 \<br />
# --ping 10 --ping-restart 15 \<br />
# --verb 4 --mute 10 &<br />
<br />
# 1b. Server side - persistent VPN<br />
/usr/local/sbin/openvpn \<br />
--dev tap1 \<br />
--secret /usr/local/etc/openvpn.key \<br />
--key-method 2 \<br />
--port 4901 \<br />
--ifconfig 10.10.11.1 255.255.255.252 \<br />
--route 192.168.1.0 255.255.255.0 10.10.11.2 \<br />
--tun-mtu 1500 --tun-mtu-extra 32 \<br />
--fragment 1300 --mssfix \<br />
--persist-tun --persist-key --resolv-retry 86400 \<br />
--ping 10 --ping-restart 15 \<br />
--verb 4 --mute 10 &<br />
<br />
<br />
# end section<br />
;;<br />
<br />
stop)<br />
killall openvpn<br />
;;<br />
*)<br />
echo "Usage: `basename $0` {start|stop}" >&2<br />
;;<br />
esac<br />
<br />
exit 0<br />
<br />
Don't forget to '''chmod 755 /usr/local/etc/rc.d/openvpn.sh''' to make sure you can execute it.<br />
<br />
What you've got there is a setup (which can be started up or stopped like any other rc.d script - '''/usr/local/etc/rc.d/openvpn.sh start''' or '''stop''') which provides for two tunnels - one coming from a Windows machine, probably a laptop or something (labeled "dynamic VPN"; more on that in a minute) and one (labeled "persistent VPN") from another BSD or other *nix machine. <br />
<br />
All we'll do on the other *nix box is copy over the '''openvpn.key''' we created on this machine (over a secure channel such as scp, since it is the shared secret for the tunnel), copy over this same script, and then:<br />
<br />
* comment out the '''# 1b. Server side - persistent VPN''' section<br />
* ''un''comment the '''# 1a. Client side - persistent VPN''' section<br />
* and fire it up. <br />
<br />
Once the scripts have been started on both machines (obviously you'll need a routeable IP address for at least the machine on the "server" side), presto, you've got a tunnel!<br />
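The rc.d script above encodes a numbering scheme (tunnel [x] uses tap[x], port 4900 + [x] and network 10.10.(10 + [x]).0/255.255.255.252) and relies on the key having been chmod 400'd. The following is an added example, not part of this article or of OpenVPN: it turns that scheme into a small shell function and refuses to produce a server command line unless the static key really is readable by its owner only. The function names (tunnel_params, key_mode_ok, server_cmd) are this example's own.<br />

```sh
#!/bin/sh
# Added example (not from the FreeBSDwiki OpenVPN article). It turns the numbering
# scheme in the rc.d script above (tunnel N: device tapN, UDP port 4900+N,
# network 10.10.(10+N).0/255.255.255.252, server .1, client .2) into a function,
# and refuses to build a server command line unless the static key has the
# owner-only permissions that "chmod 400" gives it. Function names are this
# example's own assumptions.

# tunnel_params N -> prints "tapN PORT SERVER_IP CLIENT_IP NETMASK"
tunnel_params() {
    n=$1
    case "$n" in
        ''|*[!0-9]*) echo "tunnel_params: '$n' is not a tunnel number" >&2; return 1 ;;
    esac
    port=$((4900 + n))
    third=$((10 + n))
    printf '%s %s %s %s %s\n' "tap$n" "$port" "10.10.$third.1" "10.10.$third.2" 255.255.255.252
}

# key_mode_ok FILE -> succeeds only if FILE is a regular file with no group or
# other permission bits set (the state "chmod 400" leaves it in). ls(1) output
# is parsed because its mode column looks the same on BSD and GNU systems.
key_mode_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# server_cmd N KEYFILE -> prints the openvpn command line for the server end of
# tunnel N (the flags of the "1b" block above), or fails without printing
# anything when the key is readable by group or other.
server_cmd() {
    n=$1; key=$2
    key_mode_ok "$key" || {
        echo "server_cmd: refusing tunnel $n, $key is not owner-only readable" >&2
        return 1
    }
    params=$(tunnel_params "$n") || return 1
    set -- $params
    dev=$1; port=$2; server_ip=$3; mask=$5
    extra='--tun-mtu 1500 --tun-mtu-extra 32 --fragment 1300 --mssfix --persist-tun --persist-key --ping 10 --ping-restart 15'
    printf '/usr/local/sbin/openvpn --dev %s --port %s --ifconfig %s %s --secret %s %s\n' \
        "$dev" "$port" "$server_ip" "$mask" "$key" "$extra"
}
```

Calling server_cmd 1 /usr/local/etc/openvpn.key from the start) branch of the script, and aborting when it fails, makes a world-readable key a hard error instead of something you notice months later.<br />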
<br />
Obviously this article is unfinished, but work beckons. More later.<br />
<br />
http://freshmeat.net/projects/webmin-openvpnadmin/ is a Webmin module for managing OpenVPN (including certificate-based tunnels), if you're not all CLI-hardcore like Jimbo.<br />
<br />
[[Category:Ports and Packages]][[Category:Common Tasks]]</div>Davehttp://www.freebsdwiki.net/index.php/User:SimonUser:Simon2007-09-02T01:58:47Z<p>Dave: Reverted edits by 124.38.175.27 (Talk); changed back to last version by Jimbo</p>
<hr />
<div>Simon, aka "relax", is a new FreeBSD user, and a Windoze refugee currently living in Montreal, Quebec, Canada.<br />
<br />
=== Skills ===<br />
<br />
He's an expert on C, very competent in C++, competent with VBS script under Softimage|XSI, the XSI, OBJ and 3DS formats, Maya scripts and format; he has dabbled in OpenGL and has done extensive work in the field of graphic file format conversions and making script engines.<br />
<br />
I'm also good at writing small technical manuals for various types of users. I've written 2 introduction classes to applications and numerous walkthroughs or intros for newbies. I can translate technical manuals to French.<br />
<br />
I've done some SQL databases, mostly in Access.<br />
<br />
I have a continuing interest in extreme programming, MFC, reverse-engineering, and game design.<br />
<br />
=== ...and lack thereof ===<br />
<br />
However, my Unix/BSD skills are in need of some help!<br />
<br />
For example, how to duplicate the functionality of various IE plugins (especially Java) in Mozilla is still beyond me. And I'm trying to do it securely too, because moon-sized Java security holes are part of what made me quit Windows...<br />
<br />
=== Projects ===<br />
<br />
-Help do a windoze refugee survival kit for mozilla plugins and getting those WMV files to work more than half the time. Ideally that would be like typing "make install" and clicking "yes" at a license prompt that appears immediately (NOT after a few minutes) - then it would work immediately after the compile.<br />
<br />
-Get a job. Any kind of programming or technical translation job if pay is OK or if the project is more interesting than accounting (yawn). I like free projects too, in fact I've been debugging the tome port for a while.<br />
<br />
=== Current need for help ===<br />
<br />
I have FreeBSD 5.2 (which doesn't like Java binaries older BSDs were happy with) and linuxbase 7 (which doesn't like Java on Mozilla).<br />
<br />
I've been trying to install java in any shape or form in any browser, but had no success. It has been 3 weeks now, with no other goals in mind.</div>Davehttp://www.freebsdwiki.net/index.php/X_Windows_TerminalX Windows Terminal2007-08-31T03:51:20Z<p>Dave: that manual link is great, but it doesn't make the others less worthwhile.</p>
<hr />
<div>==Advantages==<br />
X Windows can be used in a server-client relationship. By setting up your X Windows server you make all the programs on that computer available to all the client PCs. <br />
<br />
There are many advantages of running client computers in this manner:<br />
* They don't even need a hard drive. <br />
* It's silent as there are no moving parts<br />
* The solution saves power, as the clients are thin machines with little hardware in them.<br />
* Everything can be backed up centrally.<br />
* Boot times for client PC's are the fastest around.<br />
* Clients don't need much CPU speed, memory, etc., so they can be very cheap. You could get away with using a Pentium 100MHz with 32MB RAM, no hard drive, no CD-ROM, no floppy and a fanless power supply. You just need an Ethernet card with a PXE boot ROM (XDM mode).<br />
* Central management of applications, users, config<br />
<br />
==From the Beginning==<br />
I've based this document on FreeBSD 6.1.<br />
<br />
Install FreeBSD 6.1 as per usual.<br />
I've set up my mount points like this:<br />
{| class="wikitable"<br />
! Partition !! Mount point !! Size<br />
|-<br />
| ad0s1b || swap || equal to how much memory I have in my machine<br />
|-<br />
| ad0s1a || / || 512MB<br />
|-<br />
| ad0s1d || /var || 1GB<br />
|-<br />
| ad0s1e || /tmp || 512MB<br />
|-<br />
| ad0s1f || /usr || 2GB min.<br />
|-<br />
| ad0s1g || /diskless_ro || 512MB<br />
|-<br />
| ad0s1h || /diskless_rw || 1GB min.<br />
|}<br />
<br />
I selected 'A' for auto and then deleted /usr and created /usr as 2g.<br />
<br />
Select User-X install. Yes to Ports if you have the room.<br />
<br />
Select SSH Server and NFS Server in the installation process, for the rest of the options go with the default.<br />
<br />
<br />
NOTE: If you forget to add any of the labels above, you will have to reboot, as you cannot add labels to your boot drive while you are booted off it. Boot off the installation CD and use the Configure -> Label option in the sysinstall screen to add these labels to your boot drive. You may need to retype the mount points for /, /var, /tmp and /usr by hitting 'm' on each label. Once you have created these labels in the 'Disklabel Editor', hit 'w' to write them to the disk, answer 'yes' to the next question and hit 'ok' on the warning message. Now quit and reboot. Add them to fstab (/dev/ad0s1g /diskless_ro) and (/dev/ad0s1h /diskless_rw) and mount them.<br />
<br />
I find the best way to get this working is to break it down into small steps and get each step working independently, i.e. set up NFS and see if you can mount it from another FreeBSD machine; don't just assume it will work and boot your PXE-boot machine.<br />
<br />
<br />
Throughout my documentation<br />
<br />
192.168.1.1 = the Server<br />
<br />
192.168.1.2 = the client (may be a full freebsd system or pxeboot)<br />
<br />
<br />
At this point I normally install fluxbox with the following line:<br />
<br />
shell# pkg_add -r fluxbox-devel<br />
<br />
<br />
change your ~/.xinitrc file to the following:<br />
<br />
startfluxbox<br />
<br />
Link it as .xsession as well:<br />
$ ln -s ~/.xinitrc ~/.xsession<br />
<br />
<br />
Use the following command to update your fluxbox menus:<br />
<br />
shell$ fluxbox-generate_menu<br />
<br />
==Running a single application==<br />
<br />
To get started I have my server set up running FreeBSD, with X Windows and a few applications. Nothing too special. Then I have my client PC; to start off I used the Frenzy 1.0 boot CD to perform these initial tests. You can get this from the [http://frenzy.org.ua/eng/ Frenzy website]. I entered fluxbox, but you could equally use any X session.<br />
You must allow incoming connections to the client's X server; this is done with two commands:<br />
<br />
client$ startx -listen_tcp<br />
client$ xhost +<br />
<br />
This allows every computer on the network to open windows on your client PC's display. It's dangerous (any host that can reach the X server gets full access to the display, including what is typed into it), but good for testing that everything is set up correctly.<br />
<br />
client$ ssh <server user@server ip><br />
eg: ssh mick@192.168.1.1<br />
<br />
ssh$ export DISPLAY='192.168.1.2:0'<br />
<br />
Or if you're running bash:<br />
ssh$ DISPLAY=<client ip>:<client display>; export DISPLAY<br />
eg: DISPLAY=192.168.1.2:0; export DISPLAY<br />
<br />
<br />
ssh$ xcalc &<br />
<br />
This should display on your client<br />
<br />
==Running a whole X Windows Session (XDM)==<br />
This sets up a server so that you can share your X session with any clients which want to connect. (Similar to Terminal Services under Windows.)<br />
<br />
<br />
===server===<br />
edit:<br />
/usr/X11R6/lib/X11/xdm/xdm-config<br />
<br />
Comment out (by prefixing it with a '!') the line that turns XDMCP requests off:<br><br />
DisplayManager.requestPort: 0<br />
<br />
edit:<br><br />
/usr/X11R6/lib/X11/xdm/Xaccess<br />
<br />
Enter a single asterisk anywhere in the file, so that the contents are one asterisk with everything else commented out. There should already be an asterisk on line 49 which you can uncomment. Note that a bare asterisk lets any host that can reach the server request a login screen; on anything other than an isolated LAN, list the permitted client hosts instead.<br />
<br />
Whilst in the /usr/X11R6/lib/X11/xdm directory do these commands:<br />
shell# vi Xstartup<br />
<br />
Add into this file:<br />
<pre><br />
#!/bin/sh<br />
#<br />
# Xstartup<br />
#<br />
# This program is run as root after the user is verified<br />
#<br />
if [ -f /etc/nologin ]; then<br />
xmessage -file /etc/nologin -timeout 30 -center<br />
exit 1<br />
fi<br />
sessreg -a -l "$DISPLAY" -x /usr/X11R6/lib/X11/xdm/Xservers "$LOGNAME"<br />
/usr/X11R6/lib/X11/xdm/GiveConsole<br />
exit 0<br />
</pre><br />
<br />
<br />
shell# chmod +x Xstartup<br />
<br />
<br />
Make sure your firewall passes all traffic for your LAN. (The exact ports that need to be allowed still need to be worked out.)<br />
<br />
<br />
<b>run xdm on server as root</b><br />
<br />
shell# xdm<br />
<br />
<br />
You can add an xdm entry to /etc/ttys so that it starts automatically at boot.<br />
<br />
===client===<br />
Make sure you're not in X.<br />
<br />
type this command:<br />
<br />
shell# X -broadcast<br />
<br />
This assumes that you are running only one server.<br />
Otherwise use:<br />
<br />
shell# X -query 192.168.1.1<br />
<br />
==DHCP - Install and setup==<br />
Server setup.<br />
<br />
Install it from the package:<br />
# pkg_add -r isc-dhcp3-server<br />
<br />
We do this so we can define the root path for the diskless system.<br />
<br />
copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf<br />
<br />
edit /usr/local/etc/dhcpd.conf and make sure it has these lines in it.<br />
<pre><br />
# dhcpd.conf<br />
#<br />
# Sample configuration file for ISC dhcpd<br />
#<br />
<br />
# option definitions common to all supported networks...<br />
#option domain-name "example.org";<br />
#option domain-name-servers ns1.example.org, ns2.example.org;<br />
<br />
default-lease-time 3600;<br />
max-lease-time 86400;<br />
<br />
# If this DHCP server is the official DHCP server for the local<br />
# network, the authoritative directive should be uncommented.<br />
authoritative;<br />
<br />
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.<br />
ddns-update-style none;<br />
<br />
option root-path "192.168.1.1:/diskless_ro";<br />
<br />
# lines added for pxeboot client<br />
use-host-decl-names on;<br />
next-server 192.168.1.1;<br />
filename "pxeboot";<br />
<br />
# Use this to send dhcp log messages to a different log file (you also<br />
# have to hack syslog.conf to complete the redirection).<br />
log-facility local7;<br />
<br />
# No service will be given on this subnet, but declaring it helps the<br />
# DHCP server to understand the network topology.<br />
<br />
<br />
# This is a very basic subnet declaration.<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.20;<br />
}<br />
</pre><br />
<br />
Create the leases file<br />
<pre><br />
# touch /var/db/dhcpd.leases<br />
</pre><br />
<br />
<br />
Restart the daemon<br />
<pre><br />
# killall dhcpd<br />
# dhcpd<br />
</pre><br />
<br />
<br />
Add to /etc/rc.conf<br />
<pre><br />
dhcpd_enable="YES"<br />
</pre><br />
<br />
===Using a separate DHCP server===<br />
If you already have a DHCP server and you want to use that instead then you have to do these steps.<br />
<br />
<br />
====On your DHCP Server====<br />
1. edit /usr/local/etc/dhcpd.conf and add the following<br />
<pre><br />
authoritative;<br />
ddns-update-style none;<br />
<br />
option root-path "<X Server IP>:/diskless_ro";<br />
<br />
# lines added for pxeboot client<br />
use-host-decl-names on;<br />
next-server <X Server IP>;<br />
filename "pxeboot";<br />
</pre><br />
<br />
restart dhcpd<br />
# /usr/local/etc/rc.d/isc-dhcpd.sh restart<br />
<br />
====Client====<br />
Your client should boot now. Just remember that you may get a different IP now that you are talking to a different DHCP server, so you have to change your exports file and copy across a directory in /diskless_rw for the new IP. All of this is done on the X server.<br />
<br />
==TFTP Setup==<br />
TFTP helps us transport the kernel to the PXE-Boot machines.<br />
<br />
<pre><br />
# mkdir /tftpboot<br />
# cp /boot/pxeboot /tftpboot<br />
</pre><br />
<br />
Uncomment the following line in /etc/inetd.conf<br />
<br />
<pre><br />
tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot<br />
</pre><br />
<br />
Restart the inetd service<br />
<pre><br />
# killall -HUP inetd<br />
</pre><br />
<br />
If inetd has not started automatically do the following:<br />
<br />
Add the following to /etc/rc.conf<br />
<pre><br />
inetd_enable="YES"<br />
</pre><br />
<br />
Now start inetd manually.<br />
<pre><br />
# inetd<br />
</pre><br />
<br />
===Test===<br />
To test that tftp has loaded type the following:<br />
<pre><br />
# sockstat -4l | grep 69 <br />
</pre><br />
<br />
and you should see this:<br />
<pre><br />
root inetd 13719 5 udp4 *:69 *:*<br />
</pre><br />
<br />
==NFS Setup==<br />
Network File System. Here we share all the directories from the server so that the diskless clients see these drives as if those directories were the diskless client's.<br />
<br />
===Server Setup===<br />
If you forgot to select 'Yes' to the NFS server in the FreeBSD installation then you have to set up the server manually like so:<br />
<br />
Enable NFS /etc/rc.conf<br />
<pre><br />
rpcbind_enable="YES"<br />
nfs_server_enable="YES"<br />
</pre><br />
<br />
===Test===<br />
A quick test to see if your NFS server is working:<br />
<br />
Edit the /etc/exports and add the following<br />
<pre><br />
/usr -alldirs<br />
</pre><br />
<br />
This allows anyone who can reach the server to mount your /usr, so use it only for this test and replace it with the restricted exports below once the test works.<br />
<br />
Now run these commands to restart and view your mounts<br />
<pre><br />
# kill -HUP `cat /var/run/mountd.pid`<br />
# showmount -e<br />
</pre><br />
<br />
Now try and mount it from a client running BSD<br />
<pre><br />
# mount -t nfs 192.168.1.1:/usr /mnt<br />
</pre><br />
<br />
<br />
===Server exports setup===<br />
<br />
Make directories for each IP for your clients<br />
<pre><br />
# cd /diskless_rw<br />
# mkdir 192.168.1.2<br />
# cd 192.168.1.2<br />
# mkdir etc var<br />
</pre><br />
<br />
Configure /etc/exports<br />
<pre><br />
# file systems accessible only for reading:<br />
# Original way of linking up the /usr<br />
#/usr -ro -maproot=0 -network 192.168.1.0 -mask 255.255.255.0<br />
<br />
/usr -network 192.168.1.0 -mask 255.255.255.0<br />
/diskless_ro -ro -maproot=0 -network 192.168.1.0 -mask 255.255.255.0<br />
/diskless_rw/192.168.1.2/etc /diskless_rw/192.168.1.2/var -maproot=root 192.168.1.2<br />
<br />
</pre><br />
<br />
Restarting NFS<br />
<pre><br />
# kill -HUP `cat /var/run/mountd.pid`<br />
</pre><br />
<br />
<br />
If NFS is not started yet do the following:<br />
<pre><br />
data# rpcbind<br />
data# nfsd -u -t -n 20 -h 192.168.1.1<br />
data# mountd -r<br />
</pre><br />
<br />
Testing to see if the exports are correct<br />
<pre><br />
data# showmount -e<br />
Exports list on localhost:<br />
/usr 192.168.1.0<br />
/diskless_rw/192.168.1.2/var 192.168.1.2<br />
/diskless_rw/192.168.1.2/etc 192.168.1.2<br />
/diskless_ro 192.168.1.0<br />
</pre><br />
<br />
==Setup diskless_rw==<br />
Create directories<br />
<br />
<pre><br />
# cd /diskless_rw/192.168.1.2/etc<br />
# mkdir pam.d X11<br />
<br />
# cd /diskless_rw/192.168.1.2/var<br />
# mkdir home log run tmp<br />
# chmod 1777 tmp<br />
</pre><br />
<br />
Create a swap file in the var directory for the client<br />
<pre><br />
# dd if=/dev/zero of=/diskless_rw/192.168.1.2/var/swap bs=1k count=32000<br />
</pre><br />
<br />
In the /diskless_rw/<ip>/var/log directory I created the following log files so that syslogd would have files to write to:<br />
<pre><br />
# cd /diskless_rw/192.168.1.2/var/log<br />
# touch messages security auth.log maillog lpd-errs xferlog cron debug.log slip.log ppp.log<br />
</pre><br />
<br />
<br />
Copy the following files from the system's /etc directory to /diskless_rw/<client ip>/etc:<br />
# cp -Rv <files> /diskless_rw/<ip>/etc<br />
<br />
<pre><br />
auth.conf<br />
disktab<br />
gettytab<br />
group<br />
hosts<br />
login.access<br />
login.conf<br />
login.conf.db<br />
motd<br />
master.passwd<br />
netconfig<br />
protocols<br />
pam.d<br />
pwd.db<br />
services<br />
spwd.db<br />
syslog.conf<br />
termcap -> /usr/share/misc/termcap<br />
ttys<br />
</pre><br />
<br />
Here is a shortcut which you can just copy and paste in an xterm window.<br />
# cd /etc<br />
# cp -Rv auth.conf disktab gettytab group hosts login.access login.conf login.conf.db master.passwd motd netconfig protocols pam.d pwd.db services spwd.db syslog.conf termcap ttys /diskless_rw/<ip>/etc<br />
It's very important that you copy all the files in pam.d across otherwise you will not have a password prompt on your login.<br />
<br />
Create a fstab in /diskless_rw/<ip>/etc<br />
# touch /diskless_rw/<ip>/etc/fstab<br />
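The steps in this section (directories, log files, swap file, copied /etc files, empty fstab, and the matching /etc/exports line) have to be repeated for every client IP. The following is an added example, not part of this article: it carries out all of them from one function. BASE (normally /diskless_rw), SRC_ETC (normally /etc) and the swap size are parameters, so the script can be exercised in a scratch directory; the function name and the file lists are taken from the steps above, and the 600 mode on the swap file is this example's own addition.<br />

```sh
#!/bin/sh
# Added example, not part of the FreeBSDwiki "X Windows Terminal" article: one
# function that performs the "Setup diskless_rw" steps for a single client IP
# and prints the /etc/exports line the article uses for that client.

# The /etc files the article copies into each client's etc directory.
CLIENT_ETC_FILES="auth.conf disktab gettytab group hosts login.access login.conf login.conf.db \
master.passwd motd netconfig protocols pam.d pwd.db services spwd.db syslog.conf termcap ttys"

# The empty log files the article creates so syslogd has somewhere to write.
CLIENT_LOG_FILES="messages security auth.log maillog lpd-errs xferlog cron debug.log slip.log ppp.log"

# provision_client BASE SRC_ETC IP SWAP_KB
# Creates BASE/IP/{etc,var} with the subdirectories, log files, swap file and
# fstab the article describes, copies the listed files from SRC_ETC (skipping
# any that do not exist there), and prints the exports line for that client.
provision_client() {
    base=$1; src_etc=$2; ip=$3; swap_kb=$4
    # The IP becomes part of a path and an exports line, so accept only digits and dots.
    case "$ip" in
        *[!0-9.]*|'') echo "provision_client: '$ip' is not a dotted-quad IP" >&2; return 1 ;;
    esac
    root="$base/$ip"
    mkdir -p "$root/etc/pam.d" "$root/etc/X11" \
             "$root/var/home" "$root/var/log" "$root/var/run" "$root/var/tmp" || return 1
    chmod 1777 "$root/var/tmp"
    for f in $CLIENT_LOG_FILES; do
        : > "$root/var/log/$f"
    done
    # Swap file, sized in 1k blocks like the article's dd command.
    dd if=/dev/zero of="$root/var/swap" bs=1k count="$swap_kb" 2>/dev/null || return 1
    chmod 600 "$root/var/swap"    # swap contents must not be readable by other users
    for f in $CLIENT_ETC_FILES; do
        if [ -e "$src_etc/$f" ]; then
            cp -R "$src_etc/$f" "$root/etc/"
        fi
    done
    : > "$root/etc/fstab"
    # The line to add to the server's /etc/exports for this client.
    printf '%s/etc %s/var -maproot=root %s\n' "$root" "$root" "$ip"
}
```

On the real server this is run as root with provision_client /diskless_rw /etc 192.168.1.2 32000 and the printed line appended to /etc/exports before mountd is sent a HUP.<br />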
<br />
==Setup diskless_ro==<br />
This is the common root mount for all pxe-boot clients.<br />
<br />
Copy the important directories and the kernel (in /boot) across to diskless_ro:<br />
<pre><br />
# cp -rv /bin /lib /libexec /sbin /boot /diskless_ro<br />
</pre><br />
<br />
For some client machines you may have to disable the ACPI (Power management) in the /diskless_ro/boot/device.hints<br />
<pre><br />
hint.acpi.0.disabled="1" <br />
</pre><br />
<br />
So we can use the systems /var/tmp and /usr/home directory make soft links to them <br />
# cd /diskless_ro<br />
# ln -s /var/tmp /usr/home<br />
<br />
In the /diskless_ro directory make the following directories:<br />
* usr, the mount point for the server's /usr<br />
* dev, so that clients can boot without freezing<br />
* var, so we can mount /diskless_rw/<client ip>/var onto it<br />
* etc, to store some common files<br />
# mkdir usr dev var etc<br />
<br />
<br />
We require a few files from the systems /etc directory to be copied into the /diskless_ro/etc for common use between the thin clients.<br />
# cd /etc;<br />
# cp services netconfig login.conf /diskless_ro/etc<br />
<br />
<br />
===rc file===<br />
The /diskless_ro/etc/rc file is the first file run after the kernel has loaded. Here we mount the filesystems from the server.<br />
<br />
Create the /diskless_ro/etc/rc<br />
<pre><br />
#!/bin/sh<br />
<br />
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin; export PATH<br />
TMPDIR=~/tmp;export TMPDIR<br />
TMP=~/tmp;export TMP<br />
<br />
mount -t nfs 192.168.1.1:/usr /usr<br />
<br />
boot_ip=`/sbin/ifconfig | /usr/bin/grep "inet " | /usr/bin/grep -v 127.0.0.1 |<br />
/usr/bin/awk '{print $2}'`<br />
mount_nfs -L 192.168.1.1:/diskless_rw/${boot_ip}/etc /etc<br />
mount_nfs -L 192.168.1.1:/diskless_rw/${boot_ip}/var /var<br />
<br />
swapon /var/swap<br />
<br />
#rm -rf /var/tmp/*<br />
#rm -rf /var/tmp/.*<br />
<br />
# Option if you choose XDM terminals<br />
#X -query 192.168.1.1<br />
<br />
. /etc/rc2<br />
exit 0<br />
<br />
</pre><br />
<br />
<b>Remember to change 192.168.1.1 to your X server's IP</b><br />
<br />
The -L on mount_nfs keeps file locks local to the client (they are not sent to the server's lock daemon), which is there so we don't get flock errors.<br />
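The rc file above derives the client's IP from "ifconfig | grep | awk" and splices it straight into an NFS path, so an unexpected ifconfig line (an IPv6 address, no address at all) produces a wrong mount rather than an error. The following is an added example, not part of this article: it does the same job as a function that takes the ifconfig text as input (so it can be run on a constructed sample), skips loopback and IPv6 lines, and refuses to build a mount path from anything that is not a dotted quad. The function names and the sample output are this example's own.<br />

```sh
#!/bin/sh
# Added example, not part of the FreeBSDwiki "X Windows Terminal" article.
# Safer replacement for the boot_ip=`ifconfig | grep | awk` line in the rc file.

# boot_ip_from_ifconfig "<ifconfig output>" -> first non-loopback IPv4 address,
# or failure (with nothing printed) if there is none. "inet " followed by a space
# excludes "inet6" lines; the loopback address is skipped explicitly.
boot_ip_from_ifconfig() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*inet / && $2 != "127.0.0.1" { print $2; found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# is_dotted_quad ADDR -> success only if ADDR is four decimal octets in 0..255
is_dotted_quad() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# client_mounts SERVER "<ifconfig output>" -> prints the two mount_nfs commands
# the rc file runs, or fails (printing nothing) when no usable address was found,
# so the client never mounts "SERVER:/diskless_rw//etc" by accident.
client_mounts() {
    server=$1
    ip=$(boot_ip_from_ifconfig "$2") || {
        echo "client_mounts: no non-loopback IPv4 address found" >&2; return 1
    }
    is_dotted_quad "$ip" || {
        echo "client_mounts: unusable address '$ip'" >&2; return 1
    }
    printf 'mount_nfs -L %s:/diskless_rw/%s/etc /etc\n' "$server" "$ip"
    printf 'mount_nfs -L %s:/diskless_rw/%s/var /var\n' "$server" "$ip"
}

# Constructed sample of FreeBSD ifconfig output (not captured from a real machine;
# the MAC address is a locally administered placeholder).
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::1%fxp0 prefixlen 64 scopeid 0x1
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        ether 02:00:00:00:00:01
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'
```

In the real rc file the call would be client_mounts 192.168.1.1 "$(/sbin/ifconfig)" with its output executed, and a failure should drop to a shell rather than continue to /etc/rc2 with unmounted /etc and /var.<br />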
<br />
===rc2 file===<br />
This sets up some links for libraries and the logging daemon.<br />
<br />
<pre><br />
#!/bin/sh<br />
<br />
mount -a<br />
/sbin/ldconfig -elf /usr/lib/compat /usr/X11R6/lib /usr/local/lib<br />
<br />
syslogd<br />
</pre><br />
<br />
<br />
Now, in /diskless_ro/etc, change permissions so rc and rc2 can run.<br />
# chmod +x rc*<br />
<br />
Copy /diskless_ro/etc/rc and rc2 to /diskless_rw/<client ip>/etc<br />
# cp /diskless_ro/etc/rc* /diskless_rw/192.168.1.2/etc<br />
<br />
==GRUB Floppy boot (optional)==<br />
<br />
(We would like to compile this ourselves later.)<br />
To get started we downloaded the image from www.hp.uab.edu/~ed/grub-net<br />
<br />
shell# dd if=/data/grub-net.img of=/dev/fd0<br />
<br />
Then we mounted it as msdos.<br />
Remove/rename menu.lst from the grub directory, as it was doing something funny with it. We think that it was looking for a TFTP server through our DHCP, and we don't have DHCP set up correctly here, so we wanted to do it manually.<br />
<br />
Reboot off the floppy now..<br />
<br />
grub> ifconfig --address=192.168.1.2 --mask=255.255.255.0 --gateway=192.168.1.1<br />
--server=192.168.1.2<br />
<br />
OR you can use dhcp<br><br />
<br />
grub> dhcp<br> <br />
grub> tftpserver 192.168.1.2<br><br />
<br />
<br />
Setup tftp on your server, we created a directory /tftpboot. <br />
<br />
<br />
===Starting diskless system through GRUB===<br />
This is an alternative boot loader. You can use this for testing, if you don't have a pxeboot chip, otherwise skip this section.<br />
<br />
These commands are half working...<br><br />
<br />
grub> root (nd)<br><br />
grub> kernel /kernel root=ad0s1a<br><br />
grub> pxeboot<br><br />
<br />
==Completely Diskless System (PXEBOOT ROM) (optional)==<br />
<br />
Running completely diskless by booting from a Network ROM Chip.<br />
<br />
We now have an Intel GD82559 EtherExpress PRO/100 card.<br />
<br />
When we boot up on the client machine with that card it displays:<br /><br />
<br /><br />
Intel UNDI, PXE-2.0 (build 067)<br /><br />
Copyright (C) 1997-1998 Intel Corporation<br /><br />
<br /><br />
We cannot get this version working; we have read that you have to update it to build 82.<br /><br />
<br /><br />
<br /><br />
Copy /boot/pxeboot to the /tftpboot directory we made before.<br /><br />
<br /><br />
- Downloaded proboot.exe from support.intel.com and unpacked into a windows box.<br /><br />
- Copied ibautil.exe onto a windows 98 boot disk.<br /><br />
- Rebooted the test box after disabling network boot on the nic (otherwise it'll kick in before the floppy).<br /><br />
- Ran ibautil -iv to see what embedded image versions were available:<br /><br />
<br /><br />
Intel(R) Boot Agent XG v1.0.09<br /><br />
Intel(R) Boot Agent GE v1.2.36<br /><br />
Intel(R) Boot Agent FE v4.1.19<br /><br />
<br /><br />
- Ran ibautil -up to perform the image upgrade.<br /><br />
<br /><br />
It's interesting to note that no version showed up for our Intel NIC when initially running ibautil. After the upgrade, however, the version correctly showed as 4.1.19.<br /><br /><br />
<br />
I made sure that I had similar features to this in my dhcpd.conf file:<br /><br />
option broadcast-address 192.168.254.255;<br /><br />
option domain-name-servers 192.168.254.3;<br /><br />
option domain-name "simerson.net";<br /><br />
option routers 192.168.254.1;<br /><br />
option subnet-mask 255.255.255.0;<br /><br />
server-name "pxe-gw";<br /><br />
server-identifier 192.168.254.3;<br /><br />
next-server 192.168.254.3;<br /><br />
default-lease-time -1;<br /><br />
<br /><br />
subnet 192.168.254.0 netmask 255.255.255.0 {<br /><br />
range 192.168.254.32 192.168.254.99;<br /><br />
option root-path "/usr/local/export/pxe";<br /><br />
filename "pxeboot";<br /><br />
}<br /><br />
host cm.simerson.net {<br /><br />
hardware ethernet 00:e0:18:98:f0:cc;<br /><br />
fixed-address 192.168.254.126;<br /><br />
}<br /><br />
host c1.simerson.net {<br /><br />
hardware ethernet 00:60:97:0e:bb:a7;<br /><br />
fixed-address 192.168.254.131;<br /><br />
}<br /><br />
<br /><br />
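Before rebooting a client it is worth checking that the pieces above agree with each other: the dhcpd.conf, the tftp root and the NFS exports. Here is an added example, written for this page and not code from the wiki article, in sh: it reads next-server, filename and root-path from a dhcpd.conf, then checks that the boot file is in the tftp root and that the root directory is exported. The function names and the sample layout it builds under a temporary directory are assumptions.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the wiki article: verify that dhcpd.conf, the
# tftp root and /etc/exports agree on what a PXE client will fetch.
# All function names and the sample files built below are assumptions
# made for this demonstration, not taken from a real host.

# Print the value of one dhcpd.conf statement, e.g.
#   next-server 192.168.254.3;    -> 192.168.254.3
#   filename "pxeboot";           -> pxeboot
#   option root-path "/export";   -> /export
# Only the first occurrence counts; quotes and the trailing ';' are stripped.
dhcpd_value() {
    awk -v key="$2" '
        !found && $1 == "option" && $2 == key { v = $3; found = 1 }
        !found && $1 == key                   { v = $2; found = 1 }
        END { gsub(/[";]/, "", v); print v }' "$1"
}

# pxe_check CONF TFTPROOT EXPORTS
# Prints one line per problem and returns 1 if any was found, else 0.
pxe_check() {
    conf=$1 tftproot=$2 exports=$3 rc=0
    ns=$(dhcpd_value "$conf" next-server)
    fn=$(dhcpd_value "$conf" filename)
    rp=$(dhcpd_value "$conf" root-path)

    # next-server is optional: without it dhcpd hands out its own address.
    [ -n "$ns" ] || echo "note: no next-server, clients will tftp from the dhcp server itself"
    if [ -z "$fn" ]; then
        echo "filename is not set, clients have nothing to fetch"; rc=1
    elif [ ! -f "$tftproot/$fn" ]; then
        echo "boot file $fn is missing from $tftproot"; rc=1
    fi
    if [ -z "$rp" ]; then
        echo "option root-path is not set, pxeboot cannot find its NFS root"; rc=1
    else
        [ -d "$rp" ] || { echo "root-path $rp is not a directory on this server"; rc=1; }
        # FreeBSD exports(5) lines start with the exported directory.
        grep -Eq "^$rp"'([[:space:]]|$)' "$exports" 2>/dev/null \
            || { echo "root-path $rp is not listed in $exports"; rc=1; }
    fi
    return $rc
}

# Build a throwaway server layout (constructed sample data) under $1.
make_sample() {
    base=$1
    mkdir -p "$base/tftpboot" "$base/export/pxe"
    : > "$base/tftpboot/pxeboot"            # stands in for /boot/pxeboot
    printf '%s -ro -maproot=0 192.168.254.0/24\n' "$base/export/pxe" > "$base/exports"
    cat > "$base/dhcpd.conf" <<EOF
option routers 192.168.254.1;
next-server 192.168.254.3;
subnet 192.168.254.0 netmask 255.255.255.0 {
    range 192.168.254.32 192.168.254.99;
    option root-path "$base/export/pxe";
    filename "pxeboot";
}
EOF
}

# Demonstration: a consistent layout passes, then removing pxeboot fails.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
pxe_check "$demo_dir/dhcpd.conf" "$demo_dir/tftpboot" "$demo_dir/exports" \
    && echo "PXE prerequisites look consistent"
rm -f "$demo_dir/tftpboot/pxeboot"
pxe_check "$demo_dir/dhcpd.conf" "$demo_dir/tftpboot" "$demo_dir/exports" \
    || echo "(expected failure after removing the boot file)"
rm -rf "$demo_dir"
```
<br />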
<br />
==X config notes==<br />
On the X server, the /etc/X11/xorg.conf file is only used for the X server, not the clients.<br />
<br />
To use this same configuration for your X Terminal Clients copy this file to /diskless_rw/<Client IP>/etc/X11 and it will use it.<br />
<br />
==Starting X on the client==<br />
There are two ways of doing this, and which one to use depends mainly on your hardware.<br />
<br />
1. Run all programs on the server, using the server's CPU and memory; this we will call the 'XDM Method'.<br />
2. Run all programs from the NFS mounts, using the client's CPU and memory but the server's hard disk; this we will call the 'NFS Method'.<br />
<br />
Both methods will boot from PXE-Boot and can be diskless.<br />
<br />
===XDM Method===<br />
Recommended for machines below 1GHz / 256MB.<br />
<br />
This is quite simple to set up. Change your rc file in the /diskless_ro/etc directory to have this line at the end:<br />
<pre><br />
X -query <server ip><br />
</pre><br />
<br />
On the server, make sure xdm is set up to start at system startup:<br />
# vi /etc/ttys<br />
<br />
Search for this line:<br />
ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure<br />
<br />
and change it to:<br />
ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm on secure<br />
<br />
<br />
You can also type this command at the command line on the client to test beforehand.<br />
<br />
===NFS Method===<br />
Recommended for machines over 1GHz / 256MB, or if you want to use any of the client's devices such as a local HD, USB, CD/DVD burners, etc.<br />
<br />
This is much trickier.<br />
<br />
Log in<br />
Now type 'startx' at the command line.<br />
<br />
==Custom Kernels==<br />
If you want to create custom kernels for your clients then do this:<br />
<br />
Create your custom kernel<br />
# cd /sys/i386/conf<br />
# cp GENERIC DISKLESS<br />
# vi DISKLESS<br />
<br />
Make changes and build and install<br />
<br />
# cd /usr/src<br />
# make buildkernel KERNCONF=DISKLESS<br />
# make installkernel KERNCONF=DISKLESS DESTDIR=/diskless_ro<br />
<br />
==Convert an Existing system with standard mount points==<br />
If you cannot afford to create /diskless_ro and /diskless_rw then you can use /var/diskless_ro and /usr/diskless_rw instead. <br />
<br />
Use the same notes and replace /diskless_ro with /var/diskless_ro and /diskless_rw with /usr/diskless_rw. Make sure you create these directories first.<br />
<br />
==todo==<br />
Here are some of the jobs left to do to make this secure or generally better:<br />
<br />
- There must be a simpler way to set this up if you're going to use XDM in the end, i.e. do we need to do half of this tutorial if we are going to run XDM?<br />
<br />
- When the same user logs onto two separate machines they cannot start Firefox or Thunderbird, as it complains about being open somewhere else. This assumes you have Firefox and Thunderbird already open on both machines that you logged onto.<br />
<br />
===Known Issues===<br />
<br />
- Doesn't work with the HP-COMPAQ-T5525 thin client: it doesn't want to boot, saying it's missing libfreetype.so.9, which we do have; it just cannot find it for some reason. It's trying to use the VIA chipset for graphics, which is different from all the other clients I've loaded successfully so far.<br />
<br />
- USB mice are not working; use PS/2 instead. If we got this working it might help get the HP T5525 working.<br />
<br />
===Keyboard repeating on notebooks===<br />
- Typing on some keyboards (like my notebook) causes double characters to display if you type too fast. This is the notebook: if you go into the KDE Accessibility options and set the keyboard rate to 50ms, this fixes the problem.<br />
<br />
===USB mouse===<br />
<br />
Edited the /etc/devd.conf file, searched for ums and commented out the action line.<br />
<br />
Rebooted.<br />
<br />
Someone off IRC suggested that I build a GENERIC xorg.conf file which has vesa, usb mouse and ps/2 mouse configurations through it.<br />
<br />
I reverted everything back to normal ps/2 mouse config, copying my usb config files to the following:<br />
/etc/devd.conf_usb<br />
/etc/rc.conf_usb<br />
/etc/X11/xorg.conf_usb<br />
<br />
I think we need a separate configuration for the HP; it uses a weird display driver.<br />
<br />
==links==<br />
<br />
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-diskless.html<br />
<br />
http://www.onlamp.com/pub/a/bsd/2004/09/09/diskless_server.html<br />
<br />
http://www.onlamp.com/pub/a/bsd/2004/09/30/diskless_clients.html<br />
<br />
http://people.freebsd.org/~alfred/pxe/en_US.ISO8859-1/articles/pxe/article.html<br />
<br />
http://www.the-labs.com/FreeBSD/Diskless/<br />
<br />
http://www.nber.org/sys-admin/FreeBSD-diskless.html<br />
<br />
<br />
<br />
http://wikitest.freebsd.org/MarkusBoelter<br />
<br />
http://www.daemonsecurity.com/pub/pxeboot/<br />
<br />
http://www.kano.org.uk/projects/pxe/<br />
<br />
File Examples:<br />
<br />
http://www.watson.org/~robert/freebsd/pxe/<br />
<br />
PXE Information<br />
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=108551<br />
<br />
[[Category:FreeBSD_for_Workstations]]</div>Davehttp://www.freebsdwiki.net/index.php/Talk:OpenVPNTalk:OpenVPN2007-07-20T03:18:46Z<p>Dave: ahhhhh</p>
<hr />
<div>the tunnel marked #0 is the windows one, no? just checking to make sure...<br />
<br />
--[[User:Dave|Dave]] 13:49, 8 June 2007 (EDT)<br />
<br />
== I'm curious here and I dunno ==<br />
<br />
does the network on the inside of the VPN need to be routeable outside the vpn?<br />
<br />
Let's say I'm RoadWarrior#1, public IP is 256.1.1.1 and private IP in the hotel I'm at is 192.168.0.123, and I connect to the VPN as set up on the article page -- I will be getting a 10.10.11./26 address or whatever it is (not checking just now....). Does my traffic from inside the VPN to machines in the VPN's network (a work resource like a share or printer or whatever) get natted out as the VPN itself or the addresses of the taps?<br />
<br />
--[[User:Dave|Dave]] 15:27, 19 July 2007 (EDT)<br />
<br />
== how it works ==<br />
<br />
> public IP is 256.1.1.1 <br />
> private IP in the hotel I'm at is 192.168.0.123<br />
><br />
> I connect to the VPN as set up on the article page<br />
<br />
There is no NAT. You'll have a (static by your openvpn.conf file) private IP address, which your office's network needs to know how to route to. Your office neither knows nor cares what the "Local Area Connection" IP address is, ie the hotel's 192.168.0.123 - the office isn't speaking to that; the office is speaking to the OpenVPN adapter with the 10.10.10.2 address. By contrast, your road warrior workstation gets a route set up (again, statically by way of openvpn.conf) that tells it to route all traffic for the office's subnet(s) through 10.10.10.1 - which is the tap IP address for the OpenVPN server in the office.<br />
<br />
Ideally you want the default gateway for the office to know to route any packets for 10.10.10.x through the office IP address for the OpenVPN server, so that the road warrior can access the entire subnet(s) at the office without having to worry about whether each individual machine there has been set up to route through the OpenVPN server.<br />
<br />
Capiche?<br />
<br />
There are other ways to do it, but that's the way I do it. (PS you only really need a /30 for the OpenVPN subnet - the only two machines on it are the OpenVPN server and the road warrior. The OpenVPN server will probably have quite a few tap interfaces, each with their own tiny subnet, which you connect your road warriors to. Again, that's the way I do it at any rate. It's possible to do it differently, but I currently don't.)<br />
<br />
--[[User:Jimbo|Jimbo]] 19:21, 19 July 2007 (EDT)<br />
<br />
== ahhhhh ==<br />
<br />
i gets it better now. well, my office is a switched environment, but my VPN will be in the DMZ, which because of the placement of the FW will mean my route will go on my FW. Easy-peasy.<br />
<br />
danke schoen Jimboner<br />
<br />
--[[User:Dave|Dave]] 23:18, 19 July 2007 (EDT)</div>Davehttp://www.freebsdwiki.net/index.php/DfDf2007-06-19T03:25:25Z<p>Dave: /* Incorrect df */</p>
<hr />
<div>[[df]] is acronymic for '''disk free'''.<br />
<br />
When this command is used with no parameters, it will display the amount of disk space free on each mounted device, counted in 512-byte blocks, as well as a percentage.<br />
<br />
You may specify either a device path or plain directory path to retrieve the associated mount-point information. Also, the parameter '''-h''' may be used to have the output displayed in 'human-readable' format.<br />
<br />
[light@splat ~]$ '''/bin/df'''<br />
Filesystem 1K-blocks Used Avail Capacity Mounted on<br />
/dev/ad0s1a 128990 104110 14562 88% /<br />
/dev/ad0s1f 257998 146 237214 0% /tmp<br />
/dev/ad0s1g 18809884 15014076 2291018 87% /usr<br />
/dev/ad0s1e 257998 236788 572 100% /var<br />
procfs 4 4 0 100% /proc<br />
<br />
[light@splat ~]$ '''df /tmp'''<br />
Filesystem 1K-blocks Used Avail Capacity Mounted on<br />
/dev/ad0s1f 257998 146 237214 0% /tmp<br />
<br />
[light@splat ~]$ '''df /dev/ad0s1f'''<br />
Filesystem 1K-blocks Used Avail Capacity Mounted on<br />
/dev/ad0s1f 257998 146 237214 0% /tmp<br />
<br />
[light@splat ~]$ '''df -h /'''<br />
Filesystem Size Used Avail Capacity Mounted on<br />
/dev/ad0s1a 132M 107M 15M 88% /<br />
<br />
== Incorrect df ==<br />
<br />
Sometimes, df reports values that are blatantly wrong.<br />
<br />
Scenario: MySQL is giving you error 28s, and you find /var is completely full. You delete the 200 MB Apache logs, which should put you well within limits... but for some reason df still reports that /var is completely full.<br />
<br />
The problem is that Apache is still holding the log file open, even though you deleted it. Arguably this is not an error on [[df]]'s part; the space is still being taken up. In any case, to fix it:<br />
<br />
If you restart Apache (perhaps using [[Apachectl]]), Apache releases the log file, df shows the right value, and MySQL goes back to working.<br />
<br />
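To see the mechanism for yourself, here is an added example (not from the wiki page) that holds a file open, deletes it, and shows that its bytes are still allocated and readable through the open descriptor, which is exactly why df does not go down. It reaches the descriptor through Linux's /proc, an assumption of this example; on FreeBSD, fstat -f /var lists the processes with files open on that filesystem, which is how you find the daemon to restart instead of guessing.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the wiki page: reproduce the "deleted but still
# open" situation that makes df look wrong. It relies on Linux /proc to
# look at another process's descriptors (an assumption of this example);
# the mechanism (the inode lives until the last descriptor closes) is the
# same on FreeBSD.

# Create a file of $2 bytes at $1 (constructed sample data).
make_file() {
    head -c "$2" /dev/zero > "$1"
}

# Start a process that keeps $1 open on fd 0; its pid is left in HELD_PID.
# stdout/stderr are detached so the holder cannot block a caller's pipe.
hold_open() {
    sleep 60 < "$1" > /dev/null 2>&1 &
    HELD_PID=$!
}

# Number of bytes still reachable through fd 0 of process $1.
# After rm(1) the directory entry is gone, but the data is not freed.
bytes_via_fd() {
    wc -c < "/proc/$1/fd/0" | tr -d ' '
}

# Print "pid fd target" for descriptors of pid $1 whose file was deleted.
deleted_open_fds() {
    for fd in /proc/"$1"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            *" (deleted)") echo "$1 ${fd##*/} $target" ;;
        esac
    done
}

# Demonstration
if [ -d /proc/self/fd ]; then
    f=$(mktemp)
    make_file "$f" 65536
    hold_open "$f"
    rm -f "$f"                          # like deleting the Apache log
    echo "bytes still allocated via open fd: $(bytes_via_fd "$HELD_PID")"
    deleted_open_fds "$HELD_PID"        # what to look for before restarting a daemon
    kill "$HELD_PID"                    # like restarting Apache: the space is released
fi
```
<br />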
[[Category:System Commands]]</div>Davehttp://www.freebsdwiki.net/index.php/OpenVPNOpenVPN2007-06-08T18:28:08Z<p>Dave: </p>
<hr />
<div>[http://openvpn.sourceforge.net OpenVPN] is a very useful open source, cross platform Virtual Private Networking tool. It uses SSL encryption (dynamic or 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as much more secure compared to typical industry standard IPSEC + DES or IPSEC + 3DES solutions. Better yet, it's so simple it can be run entirely from the command line.<br />
<br />
==Installing==<br />
To build it on a FreeBSD machine, just:<br />
<br />
cd /usr/ports/security/openvpn<br />
make install clean<br />
<br />
it's that easy. Actually doing anything with it will require a little more work. There are many MANY ways to do this, but this one's useful, simple, and clean.<br />
<br />
First, generate yourself a private key file and '''chmod''' it so that only its owner can read it:<br />
<br />
ph34r# '''openvpn --genkey --secret /usr/local/etc/openvpn.key'''<br />
ph34r# '''chmod 400 /usr/local/etc/openvpn.key'''<br />
<br />
==Starting OpenVPN==<br />
Now you'll need a command to start it with. It can be done purely from the command line - and in fact, in one sense, that's exactly what we're going to do - but to make our lives a little easier, we'll ''actually'' use command line stuff from a shell script in '''/usr/local/etc/rc.d'''. So place this - or something similar - in your '''/usr/local/etc/rc.d''':<br />
<br />
#!/bin/sh<br />
<br />
case "$1" in<br />
start)<br />
# VPN subnets are contained in 10.10.x.x / 255.255.0.0<br />
# port range forwarded through the router is 4900-4982 <br />
<br />
# first make sure the TAP module is loaded<br />
kldload if_tap <br />
<br />
# now ensure IP forwarding is enabled<br />
/sbin/sysctl -w net.inet.ip.forwarding=1<br />
<br />
# Now, make sure there are enough tun* / tap* devices in /dev<br />
cd /dev<br />
/bin/sh MAKEDEV tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9<br />
<br />
# Finally, open up for business.<br />
# A tunnel numbered [x] is configured as follows:<br />
# device tun[x], port (4900 + [x]), network 10.10.(10 + [x])<br />
# Client machine is always .2, server is always .1<br />
<br />
# note - ping-restart on server end with disconnected clients<br />
# seems to be the problem resulting in exhausted mbufs. Trying<br />
# ping-restart on client end only and hoping for the best.<br />
<br />
# 0. Server side - dynamic VPN<br />
/usr/local/sbin/openvpn \<br />
--dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \<br />
--tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \<br />
--secret /usr/local/etc/openvpn.key --ping 1 &<br />
<br />
# # 1a. Client side - persistent VPN<br />
# /usr/local/sbin/openvpn \<br />
# --dev tap1 \<br />
# --remote ''ip_or_hostname.to.connect.to'' \<br />
# --secret /usr/local/etc/openvpn.key \<br />
# --key-method 2 \<br />
# --port 4901 \<br />
# --ifconfig 10.10.11.2 255.255.255.252 \<br />
# --route 192.168.1.0 255.255.255.0 10.10.11.1 \<br />
# --tun-mtu 1500 --tun-mtu-extra 32 \<br />
# --fragment 1300 --mssfix \<br />
# --persist-tun --persist-key --resolv-retry 86400 \<br />
# --ping 10 --ping-restart 15 \<br />
# --verb 4 --mute 10 &<br />
<br />
# 1b. Server side - persistent VPN<br />
/usr/local/sbin/openvpn \<br />
--dev tap1 \<br />
--secret /usr/local/etc/openvpn.key \<br />
--key-method 2 \<br />
--port 4901 \<br />
--ifconfig 10.10.11.1 255.255.255.252 \<br />
--route 192.168.1.0 255.255.255.0 10.10.11.2 \<br />
--tun-mtu 1500 --tun-mtu-extra 32 \<br />
--fragment 1300 --mssfix \<br />
--persist-tun --persist-key --resolv-retry 86400 \<br />
--ping 10 --ping-restart 15 \<br />
--verb 4 --mute 10 &<br />
<br />
<br />
# end section<br />
;;<br />
<br />
stop)<br />
killall openvpn<br />
;;<br />
*)<br />
echo "Usage: `basename $0` {start|stop}" >&2<br />
;;<br />
esac<br />
<br />
exit 0<br />
<br />
Don't forget to '''chmod 755 /usr/local/etc/rc.d/openvpn.sh''' to make sure you can execute it.<br />
<br />
What you've got there is a setup (which can be started up or stopped like any other rc.d script - '''/usr/local/etc/rc.d/openvpn.sh start''' or '''stop''') which provides for two tunnels - one coming from a Windows machine, probably a laptop or something (labeled "dynamic VPN"; more on that in a minute) and one (labeled "persistent VPN") from another BSD or other *nix machine. <br />
<br />
All we'll do on the other *nix box is copy over the '''openvpn.key''' we created on this machine, copy over this same script, and then:<br />
<br />
* comment out the '''# 1b. Server side - persistent VPN''' section<br />
* ''un''comment the '''# 1a. Client side - persistent VPN''' section<br />
* and fire it up.<br />
<br />
Once the scripts have been started on both machines (obviously you'll need a routeable IP address for at least the machine on the "server" side), presto, you've got a tunnel!<br />
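The per-tunnel numbering in the script (tap[x], port 4900+x, network 10.10.(10+x), server .1, client .2) is easy to get wrong by hand, so here is an added example, not from the article, that derives one tunnel's options from x and refuses to start on a key file readable by anyone but its owner. KEY_FILE, the function names and the sample remote host name are assumptions.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the wiki article: derive one tunnel's openvpn
# options from the numbering scheme the rc.d script above uses
# (tunnel x -> tap[x], port 4900+x, network 10.10.(10+x).0/30, server .1,
# client .2) and check the shared key's permissions before starting.
# Function names, KEY_FILE and the sample remote host are assumptions.

KEY_FILE=${KEY_FILE:-/usr/local/etc/openvpn.key}

tunnel_port() { echo $((4900 + $1)); }
tunnel_net()  { echo "10.10.$((10 + $1))"; }

# tunnel_args X SIDE [REMOTE] [LAN]
# SIDE is "server" or "client". REMOTE (the server's public address) is
# used only on the client side. If LAN (a /24 reachable behind the peer)
# is given, a --route through the peer's tap address is added, which is
# how the road warrior learns the way to the office subnet.
tunnel_args() {
    x=$1 side=$2 remote=$3 lan=$4
    net=$(tunnel_net "$x")
    case $side in
        server) local_ip=$net.1 peer_ip=$net.2 remote_opt="" ;;
        client) local_ip=$net.2 peer_ip=$net.1 remote_opt="--remote $remote " ;;
        *) echo "side must be server or client" >&2; return 2 ;;
    esac
    route_opt=""
    [ -n "$lan" ] && route_opt=" --route $lan 255.255.255.0 $peer_ip"
    printf '%s\n' "--dev tap$x --port $(tunnel_port "$x") ${remote_opt}--secret $KEY_FILE --key-method 2 --ifconfig $local_ip 255.255.255.252 --tun-mtu 1500 --tun-mtu-extra 32$route_opt"
}

# 0 if the shared key is a regular file readable only by its owner
# (mode 0400, as the chmod above sets), 1 otherwise. Parsing ls(1) output
# avoids the differing stat(1) flags of FreeBSD and GNU userland.
key_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-r--------" ]
}

# Demonstration: both ends of tunnel 1, then the key-permission check.
echo "server: /usr/local/sbin/openvpn $(tunnel_args 1 server)"
echo "client: /usr/local/sbin/openvpn $(tunnel_args 1 client vpn.example.net 192.168.1.0)"
if key_perms_ok "$KEY_FILE"; then
    echo "$KEY_FILE: permissions ok"
else
    echo "$KEY_FILE: missing or readable by others, refusing to start" >&2
fi
```
<br />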
<br />
Obviously this article is unfinished, but work beckons. More later.<br />
<br />
http://freshmeat.net/projects/webmin-openvpnadmin/ is a webmin module for controlling the openvpn (and CA-related tunnels), if you're not all CLI-hardcore like Jimbo.<br />
<br />
[[Category:Ports and Packages]][[Category:Common Tasks]]</div>Davehttp://www.freebsdwiki.net/index.php/Mounting_ISOs_under_FreeBSD_5.xMounting ISOs under FreeBSD 5.x2007-04-28T19:16:26Z<p>Dave: Reverted edits by 211.143.37.188 (Talk); changed back to last version by Robbak</p>
<hr />
<div>Under FreeBSD 4.x and prior, a utility called [[vnconfig]] was used for both creating and mounting RAMdisks and mounting ISOs as virtual drives. However, vnconfig is no longer used in FreeBSD 5.x. To mount an image under a FreeBSD 5.x system, you'll need to use [[mdconfig]], like this:<br />
<br />
ph34r# '''mdconfig -a -t vnode -f /path/to/image.iso -u 1''' <br />
ph34r# '''mount -t cd9660 /dev/md1 /mnt/cdrom'''<br />
<br />
Note that -u 1 matches up with /dev/md1. If you needed to mount more than one device this way, you would use -u x with /dev/mdx as appropriate.<br />
<br />
To dismount the ISO and destroy the virtual device (thus allowing you to do things like write to the ISO file), you would issue the following:<br />
<br />
ph34r# '''umount /dev/md1'''<br />
ph34r# '''mdconfig -d -u 1'''<br />
<br />
[[Category : Common Tasks]]</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-29T20:59:56Z<p>Dave: /* Software */</p>
<hr />
<div>== DHCP ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP allows you to place machines on a network and configure many of their settings (network-wise) via a server that your host machine queries. Usually this is limited to what IP and DNS client information a host uses on the network, and this greatly increases an administrator's ability to configure a large number of hosts to use a network with minimal effort (as opposed to configuring each host individually.)<br />
<br />
The service daemon on most *nix platforms is called dhcpd; the client application (if your *nix box is set up to use DHCP) is usually dhclient.<br />
<br />
== Software == <br />
<br />
The most common unix implementation of the DHCP service is the [[ISC]]'s [[DHCP]]; Microsoft has their own implementation, as does Sun Microsystems.<br />
<br />
Configuring DHCP, like [[BIND]], is not horribly difficult but it can be a pain; consider using [[Webmin]] to help configure the software. <br />
<br />
There are a few other configuration UIs for ISC's DHCP; see:<br />
<br />
1. http://webdhcp.sourceforge.net/<br />
<br />
2. http://freshmeat.net/projects/maintain/<br />
<br />
3. http://sourceforge.net/projects/dixie/<br />
<br />
4. http://webmin.com<br />
<br />
5. http://sauron.jyu.fi/<br />
<br />
== Configuration ==<br />
<br />
The /etc/dhcpd.conf (or /usr/local/etc/dhcpd.conf) file sets the configuration that will be handed to your clients. Things you need to know:<br />
- the interface that will be receiving the DHCP requests must also be on the same network whose addresses it will be handing out. If you're handing out 192.168.1.0/24 addresses on your hme0 interface, hme0 must have an address in that /24 network.<br />
- any general statements / config options can be made globally or limited to a specific network; the network-specific options usually override the general ones.<br />
<br />
You will need to define the following sections:<br />
<br />
- general config<br />
- options<br />
- subnets (containing their pools)<br />
- shared-networks<br />
<br />
from the FAQ:<br />
<pre><br />
# Sample /etc/dhcpd.conf<br />
# (add your comments here) <br />
default-lease-time 600;<br />
max-lease-time 7200;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.254;<br />
option domain-name-servers 192.168.1.1, 192.168.1.2;<br />
option domain-name "mydomain.org";<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.100;<br />
range 192.168.1.150 192.168.1.200;<br />
}<br />
</pre><br />
<br />
This will result in the DHCP server giving a client an IP address from the range 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will lease an IP address for 600 seconds if the client doesn't ask for a specific time frame; otherwise the maximum (allowed) lease will be 7200 seconds. The server will also "advise" the client that it should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers.<br />
<br />
If you need to specify a WINS server for your Windows clients you will need to include the netbios-name-servers option e.g.<br />
<pre><br />
option netbios-name-servers 192.168.1.1;<br />
</pre><br />
You can also assign specific IP addresses based on a client's Ethernet address, e.g.<br />
<pre><br />
host haagen {<br />
hardware ethernet 08:00:2b:4c:59:23;<br />
fixed-address 192.168.1.222;<br />
}<br />
</pre><br />
<br />
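As an added example, written for this page rather than taken from the ISC sample or the wiki, here is a sh/awk script that reads a dhcpd.conf in the style above, adds up the dynamic pool, flags a fixed-address that overlaps a dynamic range (the usual advice is to keep static hosts outside the pools so the same address cannot also be leased dynamically), and reports a missing authoritative statement. The function names and the constructed sample configuration are assumptions of this example.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the wiki article: sanity-check a dhcpd.conf in the
# style shown above. Handles the IPv4 `range lo hi;`, `fixed-address a;` and
# `authoritative;` statements only; function names and the sample
# configuration written by write_sample_conf are assumptions of this example.

# Shared awk helper: dotted quad -> integer, so addresses can be compared.
IP2INT='function ip2int(ip,  o) { split(ip, o, "."); return o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4] }'

# Total number of addresses covered by every range statement in $1.
dhcp_pool_size() {
    awk "$IP2INT"'
        $1 == "range" { sub(/;/, "", $3); total += ip2int($3) - ip2int($2) + 1 }
        END { print total + 0 }' "$1"
}

# Print each fixed-address in $1 that falls inside a dynamic range.
dhcp_fixed_in_range() {
    awk "$IP2INT"'
        $1 == "range"         { sub(/;/, "", $3); n++; lo[n] = ip2int($2); hi[n] = ip2int($3) }
        $1 == "fixed-address" { sub(/;/, "", $2); m++; fixed[m] = $2 }
        END {
            for (i = 1; i <= m; i++) {
                f = ip2int(fixed[i])
                for (j = 1; j <= n; j++)
                    if (f >= lo[j] && f <= hi[j]) print fixed[i]
            }
        }' "$1"
}

# 0 if $1 declares `authoritative;` (needed for the server to NAK clients
# that ask for leases it does not know about), 1 otherwise.
dhcp_is_authoritative() {
    grep -Eq '^[[:space:]]*authoritative[[:space:]]*;' "$1"
}

# Human-readable report for $1; returns 1 if any problem was found.
dhcp_report() {
    rc=0
    echo "dynamic pool: $(dhcp_pool_size "$1") addresses"
    for a in $(dhcp_fixed_in_range "$1"); do
        echo "problem: fixed-address $a lies inside a dynamic range"; rc=1
    done
    dhcp_is_authoritative "$1" || { echo "problem: no 'authoritative;' statement"; rc=1; }
    return $rc
}

# Constructed sample: the FAQ config above plus two static hosts, one of
# which (c1, with a made-up MAC) sits inside the second range.
write_sample_conf() {
    cat > "$1" <<'EOF'
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.100;
    range 192.168.1.150 192.168.1.200;
}
host haagen {
    hardware ethernet 08:00:2b:4c:59:23;
    fixed-address 192.168.1.222;
}
host c1 {
    hardware ethernet 00:00:00:00:00:01;
    fixed-address 192.168.1.175;
}
EOF
}

# Demonstration
conf=$(mktemp)
write_sample_conf "$conf"
dhcp_report "$conf" || echo "(fix the problems above before restarting dhcpd)"
rm -f "$conf"
```
<br />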
<br />
====Installation====<br />
install through package:<br />
# pkg_add -r isc-dhcp3-server<br />
<br />
or ports:<br />
# cd /usr/ports/net/isc-dhcp3-server && make install clean<br />
<br />
====Setup====<br />
<br />
copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf<br />
<br />
edit /usr/local/etc/dhcpd.conf as appropriate:<br />
# dhcpd.conf<br />
#<br />
# Sample configuration file for ISC dhcpd<br />
#<br />
<br />
# option definitions common to all supported networks...<br />
#option domain-name "example.org";<br />
#option domain-name-servers ns1.example.org, ns2.example.org;<br />
# lease times are measured in seconds: <br />
default-lease-time 3600;<br />
max-lease-time 86400;<br />
<br />
# If this DHCP server is the official DHCP server for the local<br />
# network, the authoritative directive should be uncommented.<br />
authoritative;<br />
<br />
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.<br />
ddns-update-style none;<br />
<br />
# Use this to send dhcp log messages to a different log file (you also<br />
# have to hack syslog.conf to complete the redirection).<br />
log-facility local7;<br />
<br />
# No service will be given on this subnet, but declaring it helps the<br />
# DHCP server to understand the network topology.<br />
<br />
# This is a very basic subnet declaration.<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.20;<br />
}<br />
<br />
====Create the leases file====<br />
# touch /var/db/dhcpd.leases<br />
<br />
<br />
====Restart the daemon====<br />
# killall dhcpd<br />
# dhcpd<br />
<br />
<br />
====Setup to run on reboot====<br />
Add to /etc/rc.conf<br />
dhcpd_enable="YES"<br />
<br />
== Problems starting dhcpd ==<br />
==== Errors when trying to start ====<br />
NOTE: This problem was found on this architecture, but may apply to others.<br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
<br />
==== Find out if dhcpd is running ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
<br />
==== Stop dhcpd (if running) ====<br />
dhcp-1# kill -9 94818<br />
<br />
==== Verify that dhcpd has been stopped ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
<br />
==== Fix the problem ====<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
<br />
==== Start dhcpd normally ====<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-29T20:58:11Z<p>Dave: /* Software */</p>
<hr />
<div>== DHCP ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP allows you to place machines on a network and configure many of their settings (network-wise) via a server that your host machine queries. Usually this is limited to what IP and DNS client information a host uses on the network, and this greatly increases an administrator's ability to configure a large number of hosts to use a network with minimal effort (as opposed to configuring each host individually.)<br />
<br />
The service daemon on most *nix platforms is called dhcpd, the client application (if your *nix box is set up to use DHCP,) is usually dhclient.<br />
<br />
== Software == <br />
<br />
The most common unix implementation of the DHCP service is the [[ISC]]'s [[DHCP]]; Microsoft has their own implementation, as does Sun Microsystems.<br />
<br />
Configuring DHCP, like [[BIND]], is not horribly difficult but it can be a pain; consider using [[Webmin]] to help configure the software. <br />
<br />
There are a few other configuration UIs for ISC's DHCP, see <br />
<br />
1. http://webdhcp.sourceforge.net/<br />
<br />
2. http://freshmeat.net/projects/maintain/<br />
<br />
3. http://sourceforge.net/projects/dixie/<br />
<br />
4. http://webmin.com<br />
<br />
== Configuration ==<br />
<br />
The /etc/dhcpd.conf (or /usr/local/etc/dhcpd.conf) file sets the configuration that will be handed to your clients. Things you need to know:<br />
- the interface that will be receiving the DHCP requests must also be on the same network that it will be handing out. If you're handing out 192.168.1.0/24 addresses on your hme0 interface, your hme0 interface must have an address in that /24 network.<br />
- any general statements / config options can be made globally and limited to a specific network; the network-specific options will trump the general options usually.<br />
<br />
You will need to define the following sections:<br />
<br />
general config<br />
<br />
options<br />
<br />
subnets<br />
<br />
- pools<br />
<br />
shared-networks<br />
<br />
<br />
from the FAQ:<br />
<pre><br />
# Sample /etc/dhcpd.conf<br />
# (add your comments here) <br />
default-lease-time 600;<br />
max-lease-time 7200;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.254;<br />
option domain-name-servers 192.168.1.1, 192.168.1.2;<br />
option domain-name "mydomain.org";<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.100;<br />
range 192.168.1.150 192.168.1.200;<br />
}<br />
</pre><br />
<br />
This will result in DHCP server giving a client an IP address from the range 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will lease an IP address for 600 seconds if the client doesn't ask for specific time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The server will also "advise" the client that it should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers.<br />
<br />
If you need to specify a WINS server for your Windows clients you will need to include the netbios-name-servers option e.g.<br />
<pre><br />
option netbios-name-servers 192.168.1.1;<br />
</pre><br />
You can also assign specific IP addresses based on clients ethernet address e.g.<br />
<pre><br />
host haagen {<br />
hardware ethernet 08:00:2b:4c:59:23;<br />
fixed-address 192.168.1.222;<br />
}<br />
</pre><br />
<br />
<br />
====Installation====<br />
install through package:<br />
# pkg_add -r isc-dhcp3-server<br />
<br />
or ports:<br />
# cd /usr/ports/nets/isc-dhcp3-server && make install clean<br />
<br />
====Setup====<br />
<br />
Copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf<br />
<br />
Edit /usr/local/etc/dhcpd.conf as appropriate, e.g.:<br />
<pre><br />
# dhcpd.conf<br />
#<br />
# Sample configuration file for ISC dhcpd<br />
#<br />
<br />
# option definitions common to all supported networks...<br />
#option domain-name "example.org";<br />
#option domain-name-servers ns1.example.org, ns2.example.org;<br />
# lease times are measured in seconds: <br />
default-lease-time 3600;<br />
max-lease-time 86400;<br />
<br />
# If this DHCP server is the official DHCP server for the local<br />
# network, the authoritative directive should be uncommented.<br />
authoritative;<br />
<br />
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.<br />
ddns-update-style none;<br />
<br />
# Use this to send dhcp log messages to a different log file (you also<br />
# have to hack syslog.conf to complete the redirection).<br />
log-facility local7;<br />
<br />
# A very basic subnet declaration: addresses .10 to .20 are handed out<br />
# dynamically on the 192.168.1.0/24 network.<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.20;<br />
}<br />
</pre><br />
<br />
Keep authoritative; only if this really is the DHCP server for the segment: an authoritative server answers a client that requests an address it knows nothing about with a DHCPNAK, forcing the client to re-lease, while a non-authoritative server stays silent. ddns-update-style none; is the safe choice unless you have set up dynamic DNS updates.<br />
<br />
====Create the leases file====<br />
dhcpd refuses to start if its leases file does not exist, so create an empty one:<br />
# touch /var/db/dhcpd.leases<br />
<br />
Note that the port's rc script uses /var/db/dhcpd/dhcpd.leases (see the chown warnings below) and creates it itself; use whichever path matches the way you start the daemon.<br />
<br />
====Restart the daemon====<br />
# killall dhcpd<br />
# dhcpd<br />
<br />
Starting dhcpd by hand like this runs it as root. The port's rc script (/usr/local/etc/rc.d/isc-dhcpd.sh) runs it as the unprivileged dhcpd user (that is what the chown dhcpd:dhcpd warnings below are about), so prefer:<br />
# /usr/local/etc/rc.d/isc-dhcpd.sh restart<br />
<br />
====Setup to run on reboot====<br />
Add to /etc/rc.conf:<br />
dhcpd_enable="YES"<br />
<br />
== Problems starting dhcpd ==<br />
==== Errors when trying to start ====<br />
NOTE: This problem was seen on the system below, but may apply to others. The chown failures mean the dhcpd user and group do not exist, so the rc script cannot hand /var/run/dhcpd, /var/db/dhcpd and the leases file to the unprivileged dhcpd account it normally runs the daemon as.<br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
<br />
==== Find out if dhcpd is running ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
<br />
==== Stop dhcpd (if running) ====<br />
If the daemon was started by the rc script, /usr/local/etc/rc.d/isc-dhcpd.sh stop is the cleaner way; otherwise kill it by PID:<br />
dhcp-1# kill -9 94818<br />
<br />
==== Verify that dhcpd has been stopped ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
<br />
==== Fix the problem ====<br />
The rc script's install command creates the missing dhcpd user and group; once they exist the chowns succeed and the rc script can run the daemon as dhcpd instead of root.<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
<br />
==== Start dhcpd normally ====<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
Afterwards check with ps that the running dhcpd is owned by dhcpd rather than root, as it was in the listing above.<br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-29T20:58:00Z<p>Dave: /* Software */</p>
<hr />
<div>== DHCP ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP lets you place machines on a network and have them pick up much of their network configuration from a server they query at boot. Usually this covers the host's IP address, subnet mask, default gateway and DNS settings, which lets an administrator configure a large number of hosts with minimal effort instead of configuring each one individually. Note that plain DHCP has no authentication: a client accepts whichever server answers it, so the segment the server sits on should be one you control.<br />
<br />
The service daemon on most *nix platforms is called dhcpd; the client application (if your *nix box is set up to use DHCP) is usually dhclient.<br />
<br />
== Software == <br />
<br />
The most common Unix implementation of the DHCP service is [[ISC]]'s [[DHCP]]; Microsoft has its own implementation, as does Sun Microsystems.<br />
<br />
Configuring DHCP, like [[BIND]], is not horribly difficult but it can be a pain; consider using [[Webmin]] to help configure the software. <br />
<br />
There are a few other configuration UIs for ISC's DHCP, see <br />
1. http://webdhcp.sourceforge.net/<br />
<br />
2. http://freshmeat.net/projects/maintain/<br />
<br />
3. http://sourceforge.net/projects/dixie/<br />
<br />
4. http://webmin.com<br />
<br />
== Configuration ==<br />
<br />
The /etc/dhcpd.conf (or /usr/local/etc/dhcpd.conf) file sets the configuration that will be handed to your clients. Things you need to know:<br />
- the interface that receives DHCP requests must have an address in a subnet that dhcpd.conf declares; dhcpd ignores requests on an interface whose network has no subnet declaration (and exits if that leaves it nothing to listen on). If you're handing out 192.168.1.0/24 addresses on your hme0 interface, hme0 must have an address in that /24.<br />
- options and parameters can be set globally or inside a subnet, host or other declaration; the most specific scope wins, so a subnet-level setting overrides the global one.<br />
<br />
You will need to define the following sections:<br />
<br />
- general parameters (lease times, authoritative, ddns-update-style)<br />
<br />
- options (what gets handed to clients: routers, DNS servers, domain name and so on)<br />
<br />
- subnets, each with one or more ranges or pools of dynamic addresses<br />
<br />
- shared-networks, only when more than one IP subnet lives on the same physical segment<br />
<br />
From the ISC FAQ:<br />
<pre><br />
# Sample /etc/dhcpd.conf<br />
# (add your comments here) <br />
default-lease-time 600;<br />
max-lease-time 7200;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.254;<br />
option domain-name-servers 192.168.1.1, 192.168.1.2;<br />
option domain-name "mydomain.org";<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.100;<br />
range 192.168.1.150 192.168.1.200;<br />
}<br />
</pre><br />
<br />
This results in the DHCP server giving a client an address from 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. A client that does not ask for a particular lease length gets 600 seconds; one that asks for longer gets at most 7200 seconds. The server also "advises" the client to use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as its router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers.<br />
<br />
If you need to specify a WINS server for your Windows clients you will need to include the netbios-name-servers option e.g.<br />
<pre><br />
option netbios-name-servers 192.168.1.1;<br />
</pre><br />
You can also assign a specific IP address based on a client's Ethernet (MAC) address, e.g.<br />
<pre><br />
host haagen {<br />
hardware ethernet 08:00:2b:4c:59:23;<br />
fixed-address 192.168.1.222;<br />
}<br />
</pre><br />
Keep in mind that a fixed-address only pins an address to a MAC, and a MAC is trivially spoofed: this is a convenience, not an access control. The fixed address must also not fall inside any dynamic range, or dhcpd may hand the same address to another client.<br />
<br />
====Installation====<br />
Install from a package:<br />
# pkg_add -r isc-dhcp3-server<br />
<br />
or from ports:<br />
# cd /usr/ports/net/isc-dhcp3-server && make install clean<br />
<br />
====Setup====<br />
<br />
Copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf<br />
<br />
Edit /usr/local/etc/dhcpd.conf as appropriate, e.g.:<br />
<pre><br />
# dhcpd.conf<br />
#<br />
# Sample configuration file for ISC dhcpd<br />
#<br />
<br />
# option definitions common to all supported networks...<br />
#option domain-name "example.org";<br />
#option domain-name-servers ns1.example.org, ns2.example.org;<br />
# lease times are measured in seconds: <br />
default-lease-time 3600;<br />
max-lease-time 86400;<br />
<br />
# If this DHCP server is the official DHCP server for the local<br />
# network, the authoritative directive should be uncommented.<br />
authoritative;<br />
<br />
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.<br />
ddns-update-style none;<br />
<br />
# Use this to send dhcp log messages to a different log file (you also<br />
# have to hack syslog.conf to complete the redirection).<br />
log-facility local7;<br />
<br />
# A very basic subnet declaration: addresses .10 to .20 are handed out<br />
# dynamically on the 192.168.1.0/24 network.<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.20;<br />
}<br />
</pre><br />
<br />
Keep authoritative; only if this really is the DHCP server for the segment: an authoritative server answers a client that requests an address it knows nothing about with a DHCPNAK, forcing the client to re-lease, while a non-authoritative server stays silent. ddns-update-style none; is the safe choice unless you have set up dynamic DNS updates.<br />
<br />
====Create the leases file====<br />
dhcpd refuses to start if its leases file does not exist, so create an empty one:<br />
# touch /var/db/dhcpd.leases<br />
<br />
Note that the port's rc script uses /var/db/dhcpd/dhcpd.leases (see the chown warnings below) and creates it itself; use whichever path matches the way you start the daemon.<br />
<br />
====Restart the daemon====<br />
# killall dhcpd<br />
# dhcpd<br />
<br />
Starting dhcpd by hand like this runs it as root. The port's rc script (/usr/local/etc/rc.d/isc-dhcpd.sh) runs it as the unprivileged dhcpd user (that is what the chown dhcpd:dhcpd warnings below are about), so prefer:<br />
# /usr/local/etc/rc.d/isc-dhcpd.sh restart<br />
<br />
====Setup to run on reboot====<br />
Add to /etc/rc.conf:<br />
dhcpd_enable="YES"<br />
<br />
== Problems starting dhcpd ==<br />
==== Errors when trying to start ====<br />
NOTE: This problem was seen on the system below, but may apply to others. The chown failures mean the dhcpd user and group do not exist, so the rc script cannot hand /var/run/dhcpd, /var/db/dhcpd and the leases file to the unprivileged dhcpd account it normally runs the daemon as.<br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
<br />
==== Find out if dhcpd is running ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
<br />
==== Stop dhcpd (if running) ====<br />
If the daemon was started by the rc script, /usr/local/etc/rc.d/isc-dhcpd.sh stop is the cleaner way; otherwise kill it by PID:<br />
dhcp-1# kill -9 94818<br />
<br />
==== Verify that dhcpd has been stopped ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
<br />
==== Fix the problem ====<br />
The rc script's install command creates the missing dhcpd user and group; once they exist the chowns succeed and the rc script can run the daemon as dhcpd instead of root.<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
<br />
==== Start dhcpd normally ====<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
Afterwards check with ps that the running dhcpd is owned by dhcpd rather than root, as it was in the listing above.<br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-29T20:54:05Z<p>Dave: /* Configuration */</p>
<hr />
<div>== DHCP ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP allows you to place machines on a network and configure many of their settings (network-wise) via a server that your host machine queries. Usually this is limited to what IP and DNS client information a host uses on the network, and this greatly increases an administrator's ability to configure a large number of hosts to use a network with minimal effort (as opposed to configuring each host individually.)<br />
<br />
The service daemon on most *nix platforms is called dhcpd, the client application (if your *nix box is set up to use DHCP,) is usually dhclient.<br />
<br />
== Software == <br />
<br />
The most common unix implementation of the DHCP service is the [[ISC]]'s [[DHCP]]; Microsoft has their own implementation, as does Sun Microsystems.<br />
<br />
== Configuration ==<br />
<br />
The /etc/dhcpd.conf (or /usr/local/etc/dhcpd.conf) file sets the configuration that will be handed to your clients. Things you need to know:<br />
- the interface that will be receiving the DHCP requests must also be on the same network that it will be handing out. If you're handing out 192.168.1.0/24 addresses on your hme0 interface, your hme0 interface must have an address in that /24 network.<br />
- any general statements / config options can be made globally and limited to a specific network; the network-specific options will trump the general options usually.<br />
<br />
You will need to define the following sections:<br />
<br />
general config<br />
<br />
options<br />
<br />
subnets<br />
<br />
- pools<br />
<br />
shared-networks<br />
<br />
<br />
from the FAQ:<br />
<pre><br />
# Sample /etc/dhcpd.conf<br />
# (add your comments here) <br />
default-lease-time 600;<br />
max-lease-time 7200;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.254;<br />
option domain-name-servers 192.168.1.1, 192.168.1.2;<br />
option domain-name "mydomain.org";<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.100;<br />
range 192.168.1.150 192.168.1.200;<br />
}<br />
</pre><br />
<br />
This will result in DHCP server giving a client an IP address from the range 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will lease an IP address for 600 seconds if the client doesn't ask for specific time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The server will also "advise" the client that it should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers.<br />
<br />
If you need to specify a WINS server for your Windows clients you will need to include the netbios-name-servers option e.g.<br />
<pre><br />
option netbios-name-servers 192.168.1.1;<br />
</pre><br />
You can also assign a specific IP address based on a client's Ethernet (MAC) address, e.g.<br />
<pre><br />
host haagen {<br />
hardware ethernet 08:00:2b:4c:59:23;<br />
fixed-address 192.168.1.222;<br />
}<br />
</pre><br />
<br />
<br />
====Installation====<br />
install through package:<br />
# pkg_add -r isc-dhcp3-server<br />
<br />
or ports:<br />
# cd /usr/ports/net/isc-dhcp3-server && make install clean<br />
<br />
====Setup====<br />
<br />
copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf<br />
<br />
edit /usr/local/etc/dhcpd.conf as appropriate:<br />
# dhcpd.conf<br />
#<br />
# Sample configuration file for ISC dhcpd<br />
#<br />
<br />
# option definitions common to all supported networks...<br />
#option domain-name "example.org";<br />
#option domain-name-servers ns1.example.org, ns2.example.org;<br />
# lease times are measured in seconds: <br />
default-lease-time 3600;<br />
max-lease-time 86400;<br />
<br />
# If this DHCP server is the official DHCP server for the local<br />
# network, the authoritative directive should be uncommented.<br />
authoritative;<br />
<br />
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.<br />
ddns-update-style none;<br />
<br />
# Use this to send dhcp log messages to a different log file (you also<br />
# have to hack syslog.conf to complete the redirection).<br />
log-facility local7;<br />
<br />
# No service will be given on this subnet, but declaring it helps the<br />
# DHCP server to understand the network topology.<br />
<br />
# This is a very basic subnet declaration.<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.20;<br />
}<br />
<br />
====Create the leases file====<br />
# touch /var/db/dhcpd.leases<br />
<br />
<br />
====Restart the daemon====<br />
# killall dhcpd<br />
# dhcpd<br />
<br />
<br />
====Setup to run on reboot====<br />
Add to /etc/rc.conf<br />
dhcpd_enable="YES"<br />
<br />
== Problems starting dhcpd ==<br />
==== Errors when trying to start ====<br />
NOTE: This problem was found on this architecture, but may apply to others.<br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
<br />
==== Find out if dhcpd is running ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
<br />
==== Stop dhcpd (if running) ====<br />
dhcp-1# kill -9 94818<br />
<br />
==== Verify that dhcpd has been stopped ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
<br />
==== Fix the problem ====<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
<br />
==== Start dhcpd normally ====<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-29T20:46:36Z<p>Dave: /* Configuration */</p>
<hr />
<div>== DHCP ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP allows you to place machines on a network and configure many of their settings (network-wise) via a server that your host machine queries. Usually this is limited to what IP and DNS client information a host uses on the network, and this greatly increases an administrator's ability to configure a large number of hosts to use a network with minimal effort (as opposed to configuring each host individually.)<br />
<br />
The service daemon on most *nix platforms is called dhcpd, the client application (if your *nix box is set up to use DHCP,) is usually dhclient.<br />
<br />
== Software == <br />
<br />
The most common unix implementation of the DHCP service is the [[ISC]]'s [[DHCP]]; Microsoft has their own implementation, as does Sun Microsystems.<br />
<br />
== Configuration ==<br />
<br />
The /etc/dhcpd.conf (or /usr/local/etc/dhcpd.conf) file sets the configuration that will be handed to your clients. Things you need to know:<br />
- the interface that will be receiving the DHCP requests must also be on the same network that it will be handing out. If you're handing out 192.168.1.0/24 addresses on your hme0 interface, your hme0 interface must have an address in that /24 network.<br />
- any general statements / config options can be made globally and limited to a specific network; the network-specific options will trump the general options usually.<br />
<br />
You will need to define the following sections:<br />
<br />
general config<br />
options<br />
subnets<br />
shared-networks<br />
<br />
from the FAQ:<br />
<pre><br />
# Sample /etc/dhcpd.conf<br />
# (add your comments here) <br />
default-lease-time 600;<br />
max-lease-time 7200;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.254;<br />
option domain-name-servers 192.168.1.1, 192.168.1.2;<br />
option domain-name "mydomain.org";<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.100;<br />
range 192.168.1.150 192.168.1.200;<br />
}<br />
</pre><br />
<br />
This will result in DHCP server giving a client an IP address from the range 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will lease an IP address for 600 seconds if the client doesn't ask for specific time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The server will also "advise" the client that it should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers.<br />
<br />
If you need to specify a WINS server for your Windows clients you will need to include the netbios-name-servers option e.g.<br />
<pre><br />
option netbios-name-servers 192.168.1.1;<br />
</pre><br />
You can also assign a specific IP address based on a client's Ethernet (MAC) address, e.g.<br />
<pre><br />
host haagen {<br />
hardware ethernet 08:00:2b:4c:59:23;<br />
fixed-address 192.168.1.222;<br />
}<br />
<br />
</pre><br />
<br />
<br />
====Installation====<br />
install through package:<br />
# pkg_add -r isc-dhcp3-server<br />
<br />
or ports:<br />
# cd /usr/ports/net/isc-dhcp3-server && make install clean<br />
<br />
====Setup====<br />
<br />
copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf<br />
<br />
edit /usr/local/etc/dhcpd.conf as appropriate:<br />
# dhcpd.conf<br />
#<br />
# Sample configuration file for ISC dhcpd<br />
#<br />
<br />
# option definitions common to all supported networks...<br />
#option domain-name "example.org";<br />
#option domain-name-servers ns1.example.org, ns2.example.org;<br />
# lease times are measured in seconds: <br />
default-lease-time 3600;<br />
max-lease-time 86400;<br />
<br />
# If this DHCP server is the official DHCP server for the local<br />
# network, the authoritative directive should be uncommented.<br />
authoritative;<br />
<br />
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.<br />
ddns-update-style none;<br />
<br />
# Use this to send dhcp log messages to a different log file (you also<br />
# have to hack syslog.conf to complete the redirection).<br />
log-facility local7;<br />
<br />
# No service will be given on this subnet, but declaring it helps the<br />
# DHCP server to understand the network topology.<br />
<br />
# This is a very basic subnet declaration.<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.20;<br />
}<br />
<br />
====Create the leases file====<br />
# touch /var/db/dhcpd.leases<br />
<br />
<br />
====Restart the daemon====<br />
# killall dhcpd<br />
# dhcpd<br />
<br />
<br />
====Setup to run on reboot====<br />
Add to /etc/rc.conf<br />
dhcpd_enable="YES"<br />
<br />
== Problems starting dhcpd ==<br />
==== Errors when trying to start ====<br />
NOTE: This problem was found on this architecture, but may apply to others.<br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
<br />
==== Find out if dhcpd is running ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
<br />
==== Stop dhcpd (if running) ====<br />
dhcp-1# kill -9 94818<br />
<br />
==== Verify that dhcpd has been stopped ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
<br />
==== Fix the problem ====<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
<br />
==== Start dhcpd normally ====<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-29T20:40:31Z<p>Dave: /* Configuration */</p>
<hr />
<div>== DHCP ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP allows you to place machines on a network and configure many of their settings (network-wise) via a server that your host machine queries. Usually this is limited to what IP and DNS client information a host uses on the network, and this greatly increases an administrator's ability to configure a large number of hosts to use a network with minimal effort (as opposed to configuring each host individually.)<br />
<br />
The service daemon on most *nix platforms is called dhcpd, the client application (if your *nix box is set up to use DHCP,) is usually dhclient.<br />
<br />
== Software == <br />
<br />
The most common unix implementation of the DHCP service is the [[ISC]]'s [[DHCP]]; Microsoft has their own implementation, as does Sun Microsystems.<br />
<br />
== Configuration ==<br />
<br />
The /etc/dhcpd.conf (or /usr/local/etc/dhcpd.conf) file sets the configuration that will be handed to your clients. Things you need to know:<br />
- the interface that will be receiving the DHCP requests must also be on the same network that it will be handing out. If you're handing out 192.168.1.0/24 addresses on your hme0 interface, your hme0 interface must have an address in that /24 network.<br />
- any general statements / config options can be made globally and limited to a specific network; the network-specific options will trump the general options usually.<br />
<br />
You will need to define the following sections:<br />
<br />
general config<br />
options<br />
subnets<br />
shared-networks<br />
<br />
from the FAQ:<br />
<pre><br />
# Sample /etc/dhcpd.conf<br />
# (add your comments here) <br />
default-lease-time 600;<br />
max-lease-time 7200;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.254;<br />
option domain-name-servers 192.168.1.1, 192.168.1.2;<br />
option domain-name "mydomain.org";<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.100;<br />
range 192.168.1.150 192.168.1.200;<br />
}<br />
<br />
This will result in DHCP server giving a client an IP address from the range 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will lease an IP address for 600 seconds if the client doesn't ask for specific time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The server will also "advise" the client that it should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers.<br />
<br />
If you need to specify a WINS server for your Windows clients you will need to include the netbios-name-servers option e.g.<br />
<br />
option netbios-name-servers 192.168.1.1;<br />
<br />
You can also assign a specific IP address based on a client's Ethernet (MAC) address, e.g.<br />
<br />
host haagen {<br />
hardware ethernet 08:00:2b:4c:59:23;<br />
fixed-address 192.168.1.222;<br />
}<br />
<br />
</pre><br />
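The address plan in a dhcpd.conf like the one above is easy to get subtly wrong, and dhcpd does not warn about overlaps: a fixed-address inside a dynamic range, a router address inside a range, or a range that runs up to the broadcast address are all accepted. The following is an added example, not code from this page or from ISC: a small Python linter that parses only the subset of the dhcpd.conf grammar used here (global parameters, subnet/range declarations, host declarations with hardware ethernet and fixed-address; nested pools and shared-networks are not handled) and reports those inconsistencies. Both configurations in it are constructed from the page's own samples.<br />

```python
"""Lint the address plan in an ISC dhcpd.conf (added example, not ISC code).
Handles only the grammar used on this page: global parameters, subnet/range and
host/hardware ethernet/fixed-address declarations (no pools, no shared-networks).
"""
import ipaddress
import re

# Constructed sample: the FAQ configuration with the WINS and host additions.
GOOD_CONF = """\
default-lease-time 600;
max-lease-time 7200;
authoritative;
ddns-update-style none;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option netbios-name-servers 192.168.1.1;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.100;
  range 192.168.1.150 192.168.1.200;
}

host haagen {
  hardware ethernet 08:00:2b:4c:59:23;
  fixed-address 192.168.1.222;
}
"""

# Constructed variant: the second range now reaches the broadcast address (and
# covers the router), and haagen's fixed address sits inside the first range.
BAD_CONF = (GOOD_CONF
            .replace("range 192.168.1.150 192.168.1.200;", "range 192.168.1.150 192.168.1.255;")
            .replace("fixed-address 192.168.1.222;", "fixed-address 192.168.1.50;"))


def parse(conf):
    """Return (settings, [(network, [(lo, hi), ...])], [(name, mac, fixed)])."""
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments first
    settings = {
        "authoritative": re.search(r"(?m)^\s*authoritative\s*;", text) is not None,
        "ddns": re.search(r"ddns-update-style\s+(\S+?)\s*;", text),
        "default": re.search(r"default-lease-time\s+(\d+)\s*;", text),
        "max": re.search(r"max-lease-time\s+(\d+)\s*;", text),
        "routers": re.search(r"option\s+routers\s+([^;]+);", text),
    }
    subnets = []
    for m in re.finditer(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
        ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                  for lo, hi in re.findall(r"\brange\s+(\S+)\s+(\S+?)\s*;", m.group(3))]
        subnets.append((net, ranges))
    hosts = []
    for m in re.finditer(r"\bhost\s+(\S+)\s*\{(.*?)\}", text, re.S):
        mac = re.search(r"hardware\s+ethernet\s+(\S+?)\s*;", m.group(2))
        fixed = re.search(r"fixed-address\s+(\S+?)\s*;", m.group(2))
        hosts.append((m.group(1), mac.group(1).lower() if mac else None,
                      ipaddress.ip_address(fixed.group(1)) if fixed else None))
    return settings, subnets, hosts


def lint(conf):
    """Return a list of findings; an empty list means the plan is consistent."""
    settings, subnets, hosts = parse(conf)
    findings = []
    if not settings["authoritative"]:
        findings.append("no 'authoritative;': clients holding stale leases will not be NAKed")
    if settings["ddns"] is None:
        findings.append("ddns-update-style is not set (use 'none' unless you do dynamic DNS)")
    if (settings["default"] and settings["max"]
            and int(settings["default"].group(1)) > int(settings["max"].group(1))):
        findings.append("default-lease-time is larger than max-lease-time")
    ranges = []  # (lo, hi) over all subnets, for the overlap checks below
    for net, subnet_ranges in subnets:
        for lo, hi in subnet_ranges:
            if lo > hi:
                findings.append(f"{net}: range {lo} {hi} is reversed")
            elif lo not in net or hi not in net:
                findings.append(f"{net}: range {lo} {hi} lies outside the subnet")
            elif lo <= net.network_address or hi >= net.broadcast_address:
                findings.append(f"{net}: range {lo} {hi} includes the network or broadcast address")
            ranges.append((lo, hi))
    overlapping = lambda addr: [(lo, hi) for lo, hi in ranges if lo <= addr <= hi]
    for router in (settings["routers"].group(1).split(",") if settings["routers"] else []):
        router = ipaddress.ip_address(router.strip())
        for lo, hi in overlapping(router):
            findings.append(f"router {router} lies inside dynamic range {lo} {hi}")
    seen_mac = {}
    for name, mac, fixed in hosts:
        if mac in seen_mac:
            findings.append(f"host {name}: hardware ethernet {mac} already used by host {seen_mac[mac]}")
        elif mac:
            seen_mac[mac] = name
        if fixed is not None and not any(fixed in net for net, _ in subnets):
            findings.append(f"host {name}: fixed-address {fixed} is not in any declared subnet")
        for lo, hi in (overlapping(fixed) if fixed is not None else []):
            findings.append(f"host {name}: fixed-address {fixed} overlaps dynamic range {lo} {hi}")
    return findings


if __name__ == "__main__":
    for label, conf in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        print(label, "->", lint(conf) or "no findings")
```

Run as-is it reports nothing for GOOD_CONF and three findings for BAD_CONF; pass the text of your own dhcpd.conf to lint() to check it. This is a consistency check on the address plan only, not a parser: syntax errors are still dhcpd's job (dhcpd -t checks the file without starting the server).<br />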
<br />
<br />
====Installation====<br />
install through package:<br />
# pkg_add -r isc-dhcp3-server<br />
<br />
or ports:<br />
# cd /usr/ports/net/isc-dhcp3-server && make install clean<br />
<br />
====Setup====<br />
<br />
copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf<br />
<br />
edit /usr/local/etc/dhcpd.conf as appropriate:<br />
# dhcpd.conf<br />
#<br />
# Sample configuration file for ISC dhcpd<br />
#<br />
<br />
# option definitions common to all supported networks...<br />
#option domain-name "example.org";<br />
#option domain-name-servers ns1.example.org, ns2.example.org;<br />
# lease times are measured in seconds: <br />
default-lease-time 3600;<br />
max-lease-time 86400;<br />
<br />
# If this DHCP server is the official DHCP server for the local<br />
# network, the authoritative directive should be uncommented.<br />
authoritative;<br />
<br />
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.<br />
ddns-update-style none;<br />
<br />
# Use this to send dhcp log messages to a different log file (you also<br />
# have to hack syslog.conf to complete the redirection).<br />
log-facility local7;<br />
<br />
# No service will be given on this subnet, but declaring it helps the<br />
# DHCP server to understand the network topology.<br />
<br />
# This is a very basic subnet declaration.<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.20;<br />
}<br />
<br />
====Create the leases file====<br />
# touch /var/db/dhcpd.leases<br />
<br />
<br />
====Restart the daemon====<br />
# killall dhcpd<br />
# dhcpd<br />
<br />
<br />
====Setup to run on reboot====<br />
Add to /etc/rc.conf<br />
dhcpd_enable="YES"<br />
<br />
== Problems starting dhcpd ==<br />
==== Errors when trying to start ====<br />
NOTE: This problem was found on this architecture, but may apply to others.<br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
<br />
==== Find out if dhcpd is running ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
<br />
==== Stop dhcpd (if running) ====<br />
dhcp-1# kill -9 94818<br />
<br />
==== Verify that dhcpd has been stopped ====<br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
<br />
==== Fix the problem ====<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
<br />
==== Start dhcpd normally ====<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-23T15:31:11Z<p>Dave: /* Configuration */</p>
<hr />
<div>== DHCP ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP allows you to place machines on a network and configure many of their settings (network-wise) via a server that your host machine queries. Usually this is limited to what IP and DNS client information a host uses on the network, and this greatly increases an administrator's ability to configure a large number of hosts to use a network with minimal effort (as opposed to configuring each host individually.)<br />
<br />
The service daemon on most *nix platforms is called dhcpd, the client application (if your *nix box is set up to use DHCP,) is usually dhclient.<br />
<br />
== Software == <br />
<br />
The most common unix implementation of the DHCP service is the [[ISC]]'s [[DHCP]]; Microsoft has their own implementation, as does Sun Microsystems.<br />
<br />
== Configuration ==<br />
<br />
(placeholder...needs info on hosts, networks, shared-networks and the different options)<br />
<br />
<br />
====Installation====<br />
install through package:<br />
# pkg_add -r isc-dhcp3-server<br />
<br />
or ports:<br />
# cd /usr/ports/net/isc-dhcp3-server && make install clean<br />
<br />
====Setup====<br />
<br />
copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf<br />
<br />
edit /usr/local/etc/dhcpd.conf as appropriate:<br />
<pre><br />
# dhcpd.conf<br />
#<br />
# Sample configuration file for ISC dhcpd<br />
#<br />
<br />
# option definitions common to all supported networks...<br />
#option domain-name "example.org";<br />
#option domain-name-servers ns1.example.org, ns2.example.org;<br />
# lease times are measured in seconds: <br />
default-lease-time 3600;<br />
max-lease-time 86400;<br />
<br />
# If this DHCP server is the official DHCP server for the local<br />
# network, the authoritative directive should be uncommented.<br />
authoritative;<br />
<br />
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.<br />
ddns-update-style none;<br />
<br />
# Use this to send dhcp log messages to a different log file (you also<br />
# have to hack syslog.conf to complete the redirection).<br />
log-facility local7;<br />
<br />
# No service will be given on this subnet, but declaring it helps the<br />
# DHCP server to understand the network topology.<br />
<br />
# This is a very basic subnet declaration.<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.20;<br />
}<br />
</pre><br />
<br />
====Create the leases file====<br />
<pre><br />
# touch /var/db/dhcpd.leases<br />
</pre><br />
<br />
<br />
====Restart the daemon====<br />
<pre><br />
# killall dhcpd<br />
# dhcpd<br />
</pre><br />
<br />
<br />
====Setup to run on reboot====<br />
Add to /etc/rc.conf<br />
<pre><br />
dhcpd_enable="YES"<br />
</pre><br />
<br />
== Problems starting dhcpd ==<br />
==== Errors when trying to start ====<br />
NOTE: This problem was found on this architecture, but may apply to others.<br />
<pre><br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
==== Find out if dhcpd is running ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
</pre><br />
<br />
==== Stop dhcpd (if running) ====<br />
<pre><br />
dhcp-1# kill -9 94818<br />
</pre><br />
<br />
==== Verify that dhcpd has been stopped ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
</pre><br />
<br />
==== Fix the problem ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
</pre><br />
<br />
==== Start dhcpd normally ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-23T15:30:45Z<p>Dave: </p>
<hr />
<div>== DHCP ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP allows you to place machines on a network and configure many of their settings (network-wise) via a server that your host machine queries. Usually this is limited to what IP and DNS client information a host uses on the network, and this greatly increases an administrator's ability to configure a large number of hosts to use a network with minimal effort (as opposed to configuring each host individually.)<br />
<br />
The service daemon on most *nix platforms is called dhcpd; the client application (if your *nix box is set up to use DHCP) is usually dhclient.<br />
<br />
== Software == <br />
<br />
The most common unix implementation of the DHCP service is the [[ISC]]'s [[DHCP]]; Microsoft has their own implementation, as does Sun Microsystems.<br />
<br />
== Configuration ==<br />
<br />
(placeholder...needs info on hosts, networks, shared-networks and the different options)<br />
<br />
===DHCP - Install and setup===<br />
<br />
====Installation====<br />
install through package:<br />
<pre><br />
# pkg_add -r isc-dhcp3-server<br />
</pre><br />
<br />
or ports:<br />
<pre><br />
# cd /usr/ports/nets/isc-dhcp3-server && make install clean<br />
</pre><br />
<br />
====Setup====<br />
<br />
copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf<br />
<br />
edit /usr/local/etc/dhcpd.conf as appropriate:<br />
<pre><br />
# dhcpd.conf<br />
#<br />
# Sample configuration file for ISC dhcpd<br />
#<br />
<br />
# option definitions common to all supported networks...<br />
#option domain-name "example.org";<br />
#option domain-name-servers ns1.example.org, ns2.example.org;<br />
# lease times are measured in seconds: <br />
default-lease-time 3600;<br />
max-lease-time 86400;<br />
<br />
# If this DHCP server is the official DHCP server for the local<br />
# network, the authoritative directive should be uncommented.<br />
authoritative;<br />
<br />
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.<br />
ddns-update-style none;<br />
<br />
# Use this to send dhcp log messages to a different log file (you also<br />
# have to hack syslog.conf to complete the redirection).<br />
log-facility local7;<br />
<br />
# No service will be given on this subnet, but declaring it helps the<br />
# DHCP server to understand the network topology.<br />
<br />
# This is a very basic subnet declaration.<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.20;<br />
}<br />
</pre><br />
<br />
====Create the leases file====<br />
<pre><br />
# touch /var/db/dhcpd.leases<br />
</pre><br />
<br />
<br />
====Restart the daemon====<br />
<pre><br />
# killall dhcpd<br />
# dhcpd<br />
</pre><br />
<br />
<br />
====Setup to run on reboot====<br />
Add to /etc/rc.conf<br />
<pre><br />
dhcpd_enable="YES"<br />
</pre><br />
<br />
== Problems starting dhcpd ==<br />
==== Errors when trying to start ====<br />
NOTE: This problem was found on this architecture, but may apply to others.<br />
<pre><br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
==== Find out if dhcpd is running ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
</pre><br />
<br />
==== Stop dhcpd (if running) ====<br />
<pre><br />
dhcp-1# kill -9 94818<br />
</pre><br />
<br />
==== Verify that dhcpd has been stopped ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
</pre><br />
<br />
==== Fix the problem ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
</pre><br />
<br />
==== Start dhcpd normally ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-23T15:25:34Z<p>Dave: copied over from one of the XDM pages</p>
<hr />
<div>== DHCP ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP allows you to place machines on a network and configure many of their settings (network-wise) via a server that your host machine queries. Usually this is limited to what IP and DNS client information a host uses on the network, and this greatly increases an administrator's ability to configure a large number of hosts to use a network with minimal effort (as opposed to configuring each host individually.)<br />
<br />
The service daemon on most *nix platforms is called dhcpd; the client application (if your *nix box is set up to use DHCP) is usually dhclient.<br />
<br />
== Software == <br />
<br />
The most common unix implementation of the DHCP service is the [[ISC]]'s [[DHCP]]; Microsoft has their own implementation, as does Sun Microsystems.<br />
<br />
== Configuration ==<br />
<br />
(placeholder...needs info on hosts, networks, shared-networks and the different options)<br />
<br />
==DHCP - Install and setup==<br />
<br />
===Installation===<br />
install through package:<br />
<pre><br />
# pkg_add -r isc-dhcp3-server<br />
</pre><br />
<br />
or ports:<br />
<pre><br />
# cd /usr/ports/nets/isc-dhcp3-server && make install clean<br />
</pre><br />
<br />
===Setup===<br />
<br />
copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf<br />
<br />
edit /usr/local/etc/dhcpd.conf as appropriate:<br />
<pre><br />
# dhcpd.conf<br />
#<br />
# Sample configuration file for ISC dhcpd<br />
#<br />
<br />
# option definitions common to all supported networks...<br />
#option domain-name "example.org";<br />
#option domain-name-servers ns1.example.org, ns2.example.org;<br />
# lease times are measured in seconds: <br />
default-lease-time 3600;<br />
max-lease-time 86400;<br />
<br />
# If this DHCP server is the official DHCP server for the local<br />
# network, the authoritative directive should be uncommented.<br />
authoritative;<br />
<br />
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.<br />
ddns-update-style none;<br />
<br />
# Use this to send dhcp log messages to a different log file (you also<br />
# have to hack syslog.conf to complete the redirection).<br />
log-facility local7;<br />
<br />
# No service will be given on this subnet, but declaring it helps the<br />
# DHCP server to understand the network topology.<br />
<br />
# This is a very basic subnet declaration.<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.20;<br />
}<br />
</pre><br />
<br />
===Create the leases file===<br />
<pre><br />
# touch /var/db/dhcpd.leases<br />
</pre><br />
<br />
<br />
===Restart the daemon===<br />
<pre><br />
# killall dhcpd<br />
# dhcpd<br />
</pre><br />
<br />
<br />
===Setup to run on reboot===<br />
Add to /etc/rc.conf<br />
<pre><br />
dhcpd_enable="YES"<br />
</pre><br />
<br />
== Problems starting dhcpd ==<br />
==== Errors when trying to start ====<br />
NOTE: This problem was found on this architecture, but may apply to others.<br />
<pre><br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
==== Find out if dhcpd is running ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
</pre><br />
<br />
==== Stop dhcpd (if running) ====<br />
<pre><br />
dhcp-1# kill -9 94818<br />
</pre><br />
<br />
==== Verify that dhcpd has been stopped ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
</pre><br />
<br />
==== Fix the problem ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
</pre><br />
<br />
==== Start dhcpd normally ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-23T15:17:09Z<p>Dave: </p>
<hr />
<div>== DHCP ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP allows you to place machines on a network and configure many of their settings (network-wise) via a server that your host machine queries. Usually this is limited to what IP and DNS client information a host uses on the network, and this greatly increases an administrator's ability to configure a large number of hosts to use a network with minimal effort (as opposed to configuring each host individually.)<br />
<br />
The service daemon on most *nix platforms is called dhcpd; the client application (if your *nix box is set up to use DHCP) is usually dhclient.<br />
<br />
== Software == <br />
<br />
The most common unix implementation of the DHCP service is the [[ISC]]'s [[DHCP]]; Microsoft has their own implementation, as does Sun Microsystems.<br />
<br />
== Configuration ==<br />
<br />
(placeholder...needs info on hosts, networks, shared-networks and the different options)<br />
<br />
==DHCP - Install and setup==<br />
Server setup.<br />
<br />
install through package<br />
<pre><br />
# pkg_add -r isc-dhcp3-server<br />
</pre><br />
<br />
We do this so we can define the root path for the diskless system.<br />
<br />
copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf<br />
<br />
edit /usr/local/etc/dhcpd.conf and make sure it has these lines in it.<br />
<pre><br />
# dhcpd.conf<br />
#<br />
# Sample configuration file for ISC dhcpd<br />
#<br />
<br />
# option definitions common to all supported networks...<br />
#option domain-name "example.org";<br />
#option domain-name-servers ns1.example.org, ns2.example.org;<br />
<br />
default-lease-time 3600;<br />
max-lease-time 86400;<br />
<br />
# If this DHCP server is the official DHCP server for the local<br />
# network, the authoritative directive should be uncommented.<br />
authoritative;<br />
<br />
# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.<br />
ddns-update-style none;<br />
<br />
option root-path "192.168.1.1:/diskless_ro";<br />
<br />
# lines added for pxeboot client<br />
use-host-decl-names on;<br />
next-server 192.168.1.1;<br />
filename "pxeboot";<br />
<br />
# Use this to send dhcp log messages to a different log file (you also<br />
# have to hack syslog.conf to complete the redirection).<br />
log-facility local7;<br />
<br />
# No service will be given on this subnet, but declaring it helps the<br />
# DHCP server to understand the network topology.<br />
<br />
<br />
# This is a very basic subnet declaration.<br />
<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.20;<br />
}<br />
</pre><br />
<br />
Create the leases file<br />
<pre><br />
# touch /var/db/dhcpd.leases<br />
</pre><br />
<br />
<br />
Restart the daemon<br />
<pre><br />
# killall dhcpd<br />
# dhcpd<br />
</pre><br />
<br />
<br />
Add to /etc/rc.conf<br />
<pre><br />
dhcpd_enable="YES"<br />
</pre><br />
<br />
== Problems starting dhcpd ==<br />
==== Errors when trying to start ====<br />
NOTE: This problem was found on this architecture, but may apply to others.<br />
<pre><br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
==== Find out if dhcpd is running ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
</pre><br />
<br />
==== Stop dhcpd (if running) ====<br />
<pre><br />
dhcp-1# kill -9 94818<br />
</pre><br />
<br />
==== Verify that dhcpd has been stopped ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
</pre><br />
<br />
==== Fix the problem ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
</pre><br />
<br />
==== Start dhcpd normally ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/ISCISC2007-01-23T14:06:41Z<p>Dave: </p>
<hr />
<div>Internet Systems Consortium, the organization behind some of the software that makes up the backbone of networking and internetworking: [[BIND]], [[DHCP]], [[NTP]] and other software.<br />
<br />
See their website, http://www.isc.org, for more information.</div>Davehttp://www.freebsdwiki.net/index.php/ISCISC2007-01-23T14:06:19Z<p>Dave: needs categorization</p>
<hr />
<div>Internet Systems Consortium, the organization behind some of the software that makes up the backbone of networking and internetworking: BIND, DHCP, NTP and other software.<br />
<br />
See their website, http://www.isc.org, for more information.</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-23T14:04:25Z<p>Dave: /* dhcp */</p>
<hr />
<div>== DHCP ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP allows you to place machines on a network and configure many of their settings (network-wise) via a server that your host machine queries. Usually this is limited to what IP and DNS client information a host uses on the network, and this greatly increases an administrator's ability to configure a large number of hosts to use a network with minimal effort (as opposed to configuring each host individually.)<br />
<br />
The service daemon on most *nix platforms is called dhcpd; the client application (if your *nix box is set up to use DHCP) is usually dhclient.<br />
<br />
== Software == <br />
<br />
The most common unix implementation of the DHCP service is the [[ISC]]'s [[DHCP]]; Microsoft has their own implementation, as does Sun Microsystems.<br />
<br />
== Configuration ==<br />
<br />
(placeholder...needs info on hosts, networks, shared-networks and the different options)<br />
<br />
<br />
=== Problems starting dhcpd ===<br />
==== Errors when trying to start ====<br />
NOTE: This problem was found on this architecture, but may apply to others.<br />
<pre><br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
==== Find out if dhcpd is running ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
</pre><br />
<br />
==== Stop dhcpd (if running) ====<br />
<pre><br />
dhcp-1# kill -9 94818<br />
</pre><br />
<br />
==== Verify that dhcpd has been stopped ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
</pre><br />
<br />
==== Fix the problem ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
</pre><br />
<br />
==== Start dhcpd normally ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/DHCPDHCP2007-01-23T14:03:08Z<p>Dave: needs more info on configuring dhcpd</p>
<hr />
<div>== dhcp ==<br />
<br />
Dynamic Host Configuration Protocol. DHCP allows you to place machines on a network and configure many of their settings (network-wise) via a server that your host machine queries. Usually this is limited to what IP and DNS client information a host uses on the network, and this greatly increases an administrator's ability to configure a large number of hosts to use a network with minimal effort (as opposed to configuring each host individually.)<br />
<br />
== Software == <br />
<br />
The most common unix implementation of the DHCP service is the [[ISC]]'s [[DHCP]]; Microsoft has their own implementation, as does Sun Microsystems.<br />
<br />
== Configuration ==<br />
<br />
(placeholder...needs info on hosts, networks, shared-networks and the different options)<br />
<br />
<br />
=== Problems starting dhcpd ===<br />
==== Errors when trying to start ====<br />
NOTE: This problem was found on this architecture, but may apply to others.<br />
<pre><br />
dhcp-1# uname -a<br />
FreeBSD dhcp-1.one.example.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 <br />
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386<br />
dhcp-1#<br />
<br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/run/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: safe_run: chown dhcpd:dhcpd /var/db/dhcpd<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd<br />
chown: dhcpd: Invalid argument<br />
/usr/local/etc/rc.d/isc-dhcpd.sh: WARNING: unable to change permissions of /var/db/dhcpd/dhcpd.leases<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
==== Find out if dhcpd is running ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 94818 0.0 0.6 2188 1536 ?? Is 15Jan07 0:00.05 /usr/local/sbin/dhcpd<br />
root 24289 0.0 1.1 3892 2612 p0 RV 6:22AM 0:00.00 grep dhcp (csh)<br />
</pre><br />
<br />
==== Stop dhcpd (if running) ====<br />
<pre><br />
dhcp-1# kill -9 94818<br />
</pre><br />
<br />
==== Verify that dhcpd has been stopped ====<br />
<pre><br />
dhcp-1# ps -auwx | grep dhcp<br />
root 24293 0.0 0.1 348 208 p0 R+ 6:22AM 0:00.00 grep dhcp<br />
</pre><br />
<br />
==== Fix the problem ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh install<br />
Added group "dhcpd".<br />
Added user "dhcpd".<br />
dhcp-1# <br />
</pre><br />
<br />
==== Start dhcpd normally ====<br />
<pre><br />
dhcp-1# /usr/local/etc/rc.d/isc-dhcpd.sh start<br />
Starting dhcpd.<br />
dhcp-1#<br />
</pre><br />
<br />
[[Category:FreeBSD for Servers]]</div>Davehttp://www.freebsdwiki.net/index.php/DdDd2007-01-20T05:48:59Z<p>Dave: needs to be categorized & expanded..</p>
<hr />
<div>Utility to directly copy a file/input-stream somewhere else, at the bit level if necessary.</div>Davehttp://www.freebsdwiki.net/index.php/ScreenScreen2006-09-09T06:17:49Z<p>Dave: </p>
<hr />
<div>Available via ports, [[screen]] allows you to create a session that you can detach from and attach to irrespective of whether or not your current connection to the machine remains active; e.g. if you're ssh'ed into a machine, start screen, name a session, start up a long process and then detach screen. Log out, then either go to a new computer or start a new ssh session, and you can re-attach to your screen session and still find your process running.<br />
<br />
Compare to [[at]] and [[nohup]].<br />
<br />
[http://www.gnu.org/software/screen/ official gnu page]<br />
<br />
[http://www.kuro5hin.org/story/2004/3/9/16838/14935 a tutorial]</div>Davehttp://www.freebsdwiki.net/index.php/ScreenScreen2006-09-09T02:19:47Z<p>Dave: </p>
<hr />
<div>Available via ports, [[screen]] allows you to create a session that you can detach from and attach to irrespective of whether or not your current connection to the machine remains active; e.g. if you're ssh'ed into a machine, start screen, name a session, start up a long process and then detach screen. Log out, then either go to a new computer or start a new ssh session, and you can re-attach to your screen session and still find your process running.<br />
<br />
Compare to [[at]] and [[nohup]].</div>Davehttp://www.freebsdwiki.net/index.php/NohupNohup2006-09-09T02:16:58Z<p>Dave: info and comparison w/ GNU screen util</p>
<hr />
<div>'''nohup''' is a godsend for those of us who spend lots of time shelling into remote machines. You can invoke any other command with '''nohup''', like the following:<br />
<br />
ph34r# '''nohup find / -name "*a*" > /home/jimbo/dumbfindcommand.out'''<br />
<br />
And what happens is, your command gets executed but told to ignore all SIGHUP signals. The net impact is, you can now close your shell session, and still have your command continue to run - whereas normally, as soon as your shell died - either due to you closing it or to the vagaries of the internet closing it for you - all processes you had running would immediately die as well.<br />
<br />
The example given above - give me a listing of every single file on my entire server which contains the letter "a" in its name - would obviously take an absurdly long time to run. If you had to accomplish a task like this on a machine hundreds of miles away, it would be nearly impossible without finding some way of detaching it from your shell session. You could also use the [[at]] scheduler, but that can be a real pain because it only fires off every 5 minutes (by default), and you hate to just set something up and walk away without checking to see that it fired up and began doing what it was supposed to. With '''nohup''', you can just fire it up immediately, use a [[ps]] or other command to monitor that it is running and appears to be doing what it ought to be doing, and then quit worrying about it 'til it's done.<br />
<br />
Another alternative is the GNU [[screen]] utility, but that would be geared more towards people who want to attach and detach from shell sessions, not just folks who want a job running in the background to stay alive when not connected.<br />
<br />
[[Category : System Commands]]</div>Davehttp://www.freebsdwiki.net/index.php/Installing_FreeBSD_from_a_Local_FTP_SiteInstalling FreeBSD from a Local FTP Site2006-07-28T17:32:50Z<p>Dave: /* Windows */</p>
<hr />
<div>== Creating a Local FTP Site with a FreeBSD Disc ==<br />
<br />
FreeBSD discs are laid out in the same way as the FTP site. This makes it very easy for you to create a local FTP site that can be used by other machines on your network when installing FreeBSD.<br />
<br />
=== Mount a FreeBSD CDROM ===<br />
==== FreeBSD ====<br />
On the FreeBSD computer that will host the FTP site, ensure that the CDROM is in the drive, and mounted on /cdrom.<br />
<br />
<pre><br />
# mount /cdrom<br />
</pre><br />
<br />
This only mounts the first CD. To recreate the entire FTP site keep reading.<br />
<br />
=== Mount a FreeBSD CDROM Image ===<br />
==== FreeBSD ====<br />
<br />
[[Mounting ISOs under FreeBSD 5.x]] (also applies to 6.x)<br />
<br />
==== Windows ====<br />
Obtain software that will mount an iso image. <br />
* Daemon Tools 3.4.7 ("Free" for non-commercial use. Not Open Source. Proprietary License.)<br />
** Note: More recent versions contain adware.<br />
** Install the software and mount the iso.<br />
<br />
== Copy All Files to a New Directory to Recreate the FTP Site ==<br />
=== FreeBSD ===<br />
<pre><br />
# cp -Rp /cdrom /ftproot<br />
</pre><br />
<br />
== Create Anonymous FTP Account ==<br />
Create an account for anonymous FTP in /etc/passwd. Do this by editing /etc/passwd using vipw(8) and adding this line:<br />
<br />
ftp:*:99:99::0:0:FTP:/cdrom:/nonexistent<br />
<br />
== Enable FTP Service ==<br />
=== FreeBSD ===<br />
Ensure that the FTP service is enabled in /etc/inetd.conf.<br />
<br />
=== Windows ===<br />
* Obtain FTP Server software.<br />
** [http://filezilla.sourceforge.net/ Filezilla (server) ]<br />
** [http://support.jgaa.com/index.php?MenuPage=download WarFTPD ("Free" Proprietary License)]<br />
Anyone with network connectivity to your machine can now choose a media type of FTP and type in <nowiki>ftp://your machine</nowiki> after picking “Other” in the FTP sites menu during the install.<br />
<br />
Note: If the boot media (floppy disks, usually) for your FTP clients is not precisely the same version as that provided by the local FTP site, then sysinstall will not let you complete the installation. If the versions are not similar and you want to override this, you must go into the Options menu and change distribution name to any.<br />
<br />
Warning: This approach is OK for a machine that is on your local network, and that is protected by your firewall. Offering up FTP services to other machines over the Internet (and not your local network) exposes your computer to the attention of crackers and other undesirables. We strongly recommend that you follow good security practices (ie, use [[sftp]] instead of straight-up [[ftp]]) if you do this.<br />
<br />
[[Category:Installation]]</div>Davehttp://www.freebsdwiki.net/index.php/Installing_FreeBSD_from_a_Local_FTP_SiteInstalling FreeBSD from a Local FTP Site2006-07-28T17:32:37Z<p>Dave: /* Windows */</p>
<hr />
<div>== Creating a Local FTP Site with a FreeBSD Disc ==<br />
<br />
FreeBSD discs are laid out in the same way as the FTP site. This makes it very easy for you to create a local FTP site that can be used by other machines on your network when installing FreeBSD.<br />
<br />
=== Mount a FreeBSD CDROM ===<br />
==== FreeBSD ====<br />
On the FreeBSD computer that will host the FTP site, ensure that the CDROM is in the drive, and mounted on /cdrom.<br />
<br />
<pre><br />
# mount /cdrom<br />
</pre><br />
<br />
This only mounts the first CD. To recreate the entire FTP site keep reading.<br />
<br />
=== Mount a FreeBSD CDROM Image ===<br />
==== FreeBSD ====<br />
<br />
[[Mounting ISOs under FreeBSD 5.x]] (also applies to 6.x)<br />
<br />
==== Windows ====<br />
Obtain software that will mount an iso image. <br />
* Daemon Tools 3.4.7 ("Free" for non-commercial use. Not Open Source. Proprietary License.)<br />
** Note: More recent versions contain adware.<br />
** Install the software and mount the iso.<br />
<br />
== Copy All Files to a New Directory to Recreate the FTP Site ==<br />
=== FreeBSD ===<br />
<pre><br />
# cp -Rp /cdrom /ftproot<br />
</pre><br />
<br />
== Create Anonymous FTP Account ==<br />
Create an account for anonymous FTP in /etc/passwd. Do this by editing /etc/passwd using vipw(8) and adding this line:<br />
<br />
ftp:*:99:99::0:0:FTP:/cdrom:/nonexistent<br />
<br />
== Enable FTP Service ==<br />
=== FreeBSD ===<br />
Ensure that the FTP service is enabled in /etc/inetd.conf.<br />
<br />
=== Windows ===<br />
* Obtain FTP Server software.<br />
** [http://filezilla.sourceforge.net/ Filezilla (server) ]<br />
** [http://support.jgaa.com/index.php?MenuPage=download WarFTPD ("Free" Proprietary License)]<br />
Anyone with network connectivity to your machine can now choose a media type of FTP and type in <nowiki>ftp://your machine</nowiki> after picking “Other” in the FTP sites menu during the install.<br />
<br />
Note: If the boot media (floppy disks, usually) for your FTP clients is not precisely the same version as that provided by the local FTP site, then sysinstall will not let you complete the installation. If the versions are not similar and you want to override this, you must go into the Options menu and change distribution name to any.<br />
<br />
Warning: This approach is OK for a machine that is on your local network, and that is protected by your firewall. Offering up FTP services to other machines over the Internet (and not your local network) exposes your computer to the attention of crackers and other undesirables. We strongly recommend that you follow good security practices (ie, use [[sftp]] instead of straight-up [[ftp]]) if you do this.<br />
<br />
[[Category:Installation]]</div>Davehttp://www.freebsdwiki.net/index.php/Installing_FreeBSD_from_a_Local_FTP_SiteInstalling FreeBSD from a Local FTP Site2006-07-28T17:32:03Z<p>Dave: added filezilla</p>
<hr />
<div>== Creating a Local FTP Site with a FreeBSD Disc ==<br />
<br />
FreeBSD discs are laid out in the same way as the FTP site. This makes it very easy for you to create a local FTP site that can be used by other machines on your network when installing FreeBSD.<br />
<br />
=== Mount a FreeBSD CDROM ===<br />
==== FreeBSD ====<br />
On the FreeBSD computer that will host the FTP site, ensure that the CDROM is in the drive, and mounted on /cdrom.<br />
<br />
# mount /cdrom<br />
<br />
This only mounts the first CD. To recreate the entire FTP site keep reading.<br />
<br />
=== Mount a FreeBSD CDROM Image ===<br />
==== FreeBSD ====<br />
<br />
[[Mounting ISOs under FreeBSD 5.x]] (also applies to 6.x)<br />
<br />
==== Windows ====<br />
Obtain software that will mount an iso image. <br />
* Daemon Tools 3.4.7 ("Free" for non-commercial use. Not Open Source. Proprietary License.)<br />
** Note: More recent versions contain adware.<br />
** Install the software and mount the iso.<br />
<br />
== Copy All Files to a New Directory to Recreate the FTP Site ==<br />
=== FreeBSD ===<br />
# mkdir /ftproot<br />
# cp -Rp /cdrom/ /ftproot<br />
<br />
Repeat the mount and the copy for every disc of the set. The trailing slash on /cdrom/ makes cp copy the contents of the mount point into /ftproot; without it the second pass would create /ftproot/cdrom instead of merging into the tree.<br />
<br />
== Create Anonymous FTP Account ==<br />
Create a locked account for anonymous FTP. Do this with vipw(8), which edits /etc/master.passwd (the file that holds the real password hashes) and rebuilds /etc/passwd and the password databases when you save; add this line:<br />
<br />
ftp:*:99:99::0:0:FTP:/cdrom:/nonexistent<br />
<br />
The * in the password field means nobody can log in as this user, /nonexistent means it has no shell, and the home directory is where ftpd(8) chroots anonymous sessions, so it must be the root of the tree you serve: /cdrom if you serve the mounted disc directly, or /ftproot if you copied the discs there as above.<br />
== Enable FTP Service ==<br />
=== FreeBSD ===<br />
Uncomment the ftp line in /etc/inetd.conf and make sure inetd is started (inetd_enable="YES" in /etc/rc.conf); the base-system ftpd(8) then accepts anonymous logins and chroots them to the ftp account's home directory.<br />
<br />
=== Windows ===<br />
* Obtain FTP Server software.<br />
** [http://filezilla.sourceforge.net/ Filezilla (server) ]<br />
** [http://support.jgaa.com/index.php?MenuPage=download WarFTPD ("Free" Proprietary License)]<br />
Any machine on the network can now choose FTP as the installation media type in sysinstall, pick “Other” in the FTP sites menu, and enter <nowiki>ftp://your machine</nowiki>.<br />
<br />
Note: If the release on your boot media (usually floppy disks) is not exactly the one on the local FTP site, sysinstall will refuse to complete the installation. If the versions are close enough and you want to override this, go into the Options menu and set the release name to any.<br />
<br />
Warning: This approach is fine for a machine on your local network, behind your firewall. Offering FTP to the Internet at large exposes the machine to crackers and other undesirables, and sysinstall only speaks plain FTP, so you cannot swap in an encrypted protocol for the install source. If you must expose the server, restrict who can reach port 21 at the firewall and shut ftpd off again when the installs are done.<br />
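Before saving the account line with vipw, it is worth checking it mechanically: the fields are positional, one missing colon silently turns a locked account into something else, and the home directory must be the tree you actually serve. The script below is an added example, not part of the original page; it takes a master.passwd line and the directory you serve (/cdrom or /ftproot, as above) and reports what it finds. It never creates the account itself.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): check an anonymous-FTP account line
# before committing it with vipw(8). The line is in master.passwd(5) format,
# which is what vipw edits:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# (/etc/passwd has only seven fields, so a line copied from there is rejected).
# $2 is the directory you serve (/cdrom or /ftproot); ftpd(8) chroots anonymous
# sessions to the ftp account's home, so the two must agree.
# Prints findings; returns 1 if anything is marked BAD, 0 otherwise.

check_anon_ftp_entry() {
    entry=$1
    ftproot=$2
    rc=0
    nf=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    if [ "$nf" -ne 10 ]; then
        echo "BAD: expected 10 master.passwd fields, found $nf"
        return 1
    fi
    field() { printf '%s\n' "$entry" | cut -d: -f"$1"; }
    pw=$(field 2); uid=$(field 3); home=$(field 9); shell=$(field 10)

    # An empty password field is a passwordless login, not a locked account.
    if [ "$pw" != '*' ]; then
        echo "BAD: password field is '$pw'; it must be * so nobody can log in as this user"
        rc=1
    fi
    case $uid in
        ''|*[!0-9]*) echo "BAD: uid '$uid' is not a number"; rc=1 ;;
        0)           echo "BAD: uid 0 would run anonymous FTP as root"; rc=1 ;;
    esac
    if [ "$shell" != /nonexistent ]; then
        echo "BAD: shell is '$shell'; use /nonexistent so the account has no shell"
        rc=1
    fi
    if [ "$home" != "$ftproot" ]; then
        echo "BAD: home is '$home' but the tree is served from '$ftproot'; anonymous users are chrooted to home"
        rc=1
    fi
    if [ -d "$home" ]; then
        # ninth character of the ls mode string is the world-write bit
        if [ "$(ls -ld "$home" | cut -c9)" = w ]; then
            echo "BAD: $home is world-writable; anonymous users could plant files in the install tree"
            rc=1
        fi
    else
        echo "NOTE: $home does not exist yet; create it (or mount the disc there) before starting ftpd"
    fi
    return $rc
}

if [ $# -ge 2 ]; then
    check_anon_ftp_entry "$1" "$2"
fi
```

Run it as <code>sh check.sh 'ftp:*:99:99::0:0:FTP:/ftproot:/nonexistent' /ftproot</code> on the server. The world-writable test matters because anything an anonymous user can drop into the tree is what every client will install next.<br />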
<br />
[[Category:Installation]]</div>Davehttp://www.freebsdwiki.net/index.php/Talk:Mailman,_InstallingTalk:Mailman, Installing2006-05-15T01:44:01Z<p>Dave: oh, ricky!</p>
<hr />
<div>Can somebody please add a quick intro that says what mailman ''is''? =) --[[User:Jimbo|Jimbo]] 10:42, 13 May 2006 (EDT)<br />
<br />
== oh, ricky! ==<br />
<br />
i'm not done yet :) it's going to explain well and have screenshots and all that jazz. --[[User:Dave|Dave]] 21:44, 14 May 2006 (EDT)</div>Davehttp://www.freebsdwiki.net/index.php/IpfwIpfw2006-05-04T16:02:32Z<p>Dave: </p>
<hr />
<div>'''ipfw''' is the kernel firewall used by FreeBSD systems. To run '''ipfw''' you need a firewall ruleset; the system loads the ipfw kernel module automatically when /etc/rc.conf contains firewall_enable="YES" and applies your rules with it. You do not need to compile IPFW into the FreeBSD kernel unless you want NAT. If you '''do''' plan on NAT'ing, you'll need to [[Custom Kernel|build a custom kernel]] with several '''ipfw'''-related options.<br />
<br />
see [[Firewall, Configuring]]<br />
[[Category:System Commands]]<br />
[[Category: Securing FreeBSD]]</div>Davehttp://www.freebsdwiki.net/index.php/Firewall,_ConfiguringFirewall, Configuring2006-05-04T16:01:08Z<p>Dave: no nat, no kernel rebuild</p>
<hr />
<div>==Don't need NAT? don't rebuild the kernel!==<br />
The system loads the ipfw kernel module automatically when the rc.conf statement firewall_enable="YES" is used. You do not need to compile IPFW into the FreeBSD kernel unless you want NAT. You'll still need a ruleset to deal with the traffic your machine gets, of course, and note that the module comes up denying everything, exactly like a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT: let rc.conf load it together with your ruleset (firewall_script="/path/to/your/rules") rather than loading it by hand on a remote machine.<br />
<br />
<br />
== Building an [[ipfw]]-enabled kernel ==<br />
<br />
You're going to need to rebuild your kernel with the appropriate options for the firewall you want to build. We've already got an [[Custom Kernel|article]] on building a custom kernel, but to start you off, here are some kernel options you'll almost certainly want and need:<br />
<br />
options IPFIREWALL # you need this to enable ipfw<br />
options IPFIREWALL_VERBOSE # you need this to enable ipfw logging<br />
options IPFIREWALL_VERBOSE_LIMIT=10 # limit to 10 identical log entries<br />
options IPDIVERT # enable NAT<br />
<br />
It would be advisable to check out the NOTES files for your particular BSD version and architecture to check out other interesting kernel packet-filtering capabilities that you might or might not want to consider. For example, some kernels support IPSEC (or FAST_IPSEC) security, TCP_DROP_SYNFIN (to defeat FIN scanning), IPSTEALTH (for "invisible" firewalls that don't show up in traceroutes)... but it varies by both BSD version and architecture, so check [[ /usr/src/sys/conf/NOTES]] for general options and [[ /usr/src/sys/(arch)/conf/NOTES]] for hardware-specific options.<br />
<br />
== Sample [[ipfw]] firewall ruleset ==<br />
<br />
This ruleset sets up a firewall on a "bastion" server that both runs publicly accessible services and acts as a NAT-enabled firewall for a protected network running behind it. <br />
<br />
'''ipfw''' rulesets are shell scripts that can be run directly from the command line (assuming you have an ipfw-enabled kernel loaded). But remember: on a [[default deny]] system the very first command of this script, the flush, removes every rule and leaves only the kernel's built-in rule 65535, which denies everything. You will '''lose network connectivity''' right there, so you CANNOT run the script from a remote shell session: it will stop running before it ever gets past the flush.<br />
<br />
So if you need to restart a firewall remotely, you'll have to use some minor trickery - like scheduling it with the [[at]] scheduler. THAT will work, since jobs started from [[at]] don't depend on network connectivity to continue running. However, if you're running untested modifications, you'll probably want to schedule ANOTHER job with [[at]] for 5 minutes later to pull your firewall back to a "known accessible" configuration, just in case there's a really bad bug in your new rules that will deny you access. NOT leaving yourself a scheduled "oops" to bring you back to a known accessible condition, just in case, could end up costing you a very long drive out to wherever your server is.<br />
<br />
With no further ado, here's the sample ipfw ruleset script.<br />
<br />
#!/bin/sh<br />
<br />
#Quietly flush out rules<br />
/sbin/ipfw -q -f flush<br />
<br />
#Set command prefix (add "-q" option after development to turn on quiet mode)<br />
cmd="/sbin/ipfw add"<br />
<br />
# set outside and inside network interfaces<br />
oif="xl0"<br />
iif="ed0"<br />
<br />
# set private IP of this server and the netmask of the whole LAN side<br />
server="192.168.0.1"<br />
inside="192.168.0.0/24"<br />
<br />
######Localhost stuff<br />
#<br />
#allow the computer to talk to itself<br />
$cmd 00080 allow ip from any to any via lo0<br />
<br />
#don't let anything from the "outside" talk to localhost<br />
$cmd 00081 deny ip from any to 127.0.0.0/8<br />
<br />
#don't let the computer talk other computers as localhost<br />
$cmd 00082 deny log ip from 127.0.0.0/8 to any<br />
#<br />
#######<br />
<br />
####### DHCP stuff<br />
#<br />
# you need this to be able to renew your DHCP lease from your ISP<br />
$cmd 00083 allow udp from any 67 to any 68 in recv $oif<br />
#<br />
#####<br />
<br />
######### deny-and-log bogus packets by tcpflags<br />
#<br />
# XMAS tree<br />
$cmd 00084 deny log tcp from any to any in tcpflags fin,psh,urg recv $oif<br />
# NULL scan (no flag set at all)<br />
$cmd 00085 deny log tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg recv $oif<br />
# SYN/FIN scan (SYN and FIN set together never occurs in legitimate traffic)<br />
$cmd 00086 deny log tcp from any to any in tcpflags syn,fin recv $oif<br />
# Stealth FIN scan (FIN,RST)<br />
$cmd 00087 deny log tcp from any to any in tcpflags fin,rst recv $oif<br />
# forced packet routing<br />
$cmd 00089 deny log ip from any to any in ipoptions ssrr,lsrr,rr,ts recv $oif<br />
#<br />
#######<br />
<br />
<br />
<br />
######### Things served via this machine directly <br />
######### Any services on this machine should be placed here,<br />
######### before the NAT Divert rule<br />
#<br />
#HTTP<br />
$cmd 00500 allow tcp from any to any 80 in via $oif<br />
#SSH<br />
$cmd 00510 allow tcp from any to any 22 in via $oif<br />
#FTP (TCP only; a port given with "ip" would still only match tcp or udp)<br />
$cmd 00570 allow tcp from any to any 20 in via $oif<br />
$cmd 00571 allow tcp from any to any 21 in via $oif<br />
$cmd 00572 allow tcp from any 21 to any out via $oif<br />
#<br />
####<br />
<br />
<br />
#####NATD stuff<br />
<br />
#natd Divert rule<br />
$cmd 01000 divert natd all from any to any via $oif<br />
<br />
######<br />
<br />
<br />
####All connections originating from my network are allowed<br />
<br />
# check to see if a dynamic rule has been created that matches this packet<br />
$cmd 01100 check-state<br />
# let everything on your internal network talk to the firewall<br />
$cmd 01101 allow all from any to any via $iif keep-state <br />
# setup a dynamic rule for any connections being started from inside<br />
$cmd 01102 allow all from any to any out via $oif keep-state <br />
# deny ACK packets that did not match the dynamic rule table - do not log, too many false positives<br />
$cmd 01103 deny tcp from any to any established in via $oif <br />
#deny fragments as bogus packets<br />
$cmd 01104 deny log all from any to any frag in via $oif <br />
#####<br />
<br />
<br />
####### ICMP stuff<br />
<br />
#allow path-mtu in both directions<br />
$cmd 01200 allow icmp from any to any icmptypes 3<br />
<br />
#allow source quench in and out<br />
$cmd 01201 allow icmp from any to any icmptypes 4<br />
<br />
#allow outbound traceroutes<br />
$cmd 01204 allow icmp from any to any icmptypes 11 in<br />
<br />
#allow outbound pings and incoming ping responses<br />
$cmd 01202 allow icmp from any to any icmptypes 8 out<br />
$cmd 01203 allow icmp from any to any icmptypes 0 in<br />
<br />
########<br />
<br />
<br />
<br />
##### This section is for exposing services to the internet from the LAN<br />
##### It is placed AFTER the NATD Divert rule, so these services can be<br />
##### diverted in /etc/natd.conf<br />
<br />
#VNC - allow it, but log connection attempts (though DON'T log traffic for established sessions)<br />
$cmd 01550 allow log tcp from any to any 5900 in setup<br />
$cmd 01551 allow tcp from any to any 5900 in<br />
#KAZAA<br />
$cmd 01580 allow tcp from any to $inside 1214 in via $oif<br />
#SOULSEEK<br />
$cmd 01590 allow tcp from any to $inside 2234 in via $oif<br />
$cmd 01591 allow tcp from any to $inside 5534 in via $oif<br />
#EMULE<br />
$cmd 01600 allow tcp from any to $inside 4662 in via $oif<br />
$cmd 01601 allow udp from any to $inside 4672 in via $oif<br />
#BITTORRENT (natd.conf below redirects these as tcp, so say tcp here too)<br />
$cmd 01610 allow tcp from any to $inside 30000-40000 in via $oif<br />
<br />
####<br />
<br />
######## SOME THINGS ARE TOO NOISY TO LIVE<br />
######## In this section we deny things that would be denied anyway, but that we just<br />
######## don't want logged. Be careful with this - in general, you probably want to <br />
######## avoid putting anything in here that doesn't specify a known source address that<br />
######## is relatively trustworthy. You also want to be very careful about who knows<br />
######## what this section of your firewall configs looks like, because they can then<br />
######## use the info to craft probes and attacks they know you won't see or log.<br />
<br />
# Don't bother logging IGMP crap from the ISP<br />
$cmd 9004 deny igmp from 172.16.210.1 to any in via $oif<br />
<br />
# Don't bother logging DNS garbage inbound from the ISP's DNS boxes<br />
$cmd 9006 deny udp from 4.31.99.0/24\{100-103\} 53 to any dst-port 50000-65535 in via $oif<br />
<br />
#####<br />
<br />
######## Stealth scans of closed ports<br />
######## this section is to deny and log stealth scans that we can't really deny <br />
######## on open ports because doing so would disrupt legitimate services.<br />
<br />
# ACK scan (ACK,RST)<br />
$cmd 60000 deny log tcp from any to any in tcpflags ack,rst recv $oif<br />
<br />
#####<br />
<br />
#############<br />
############# DEFAULT RULE - deny it, and log it, 'cause we're secure like that.<br />
#############<br />
#<br />
$cmd 65000 deny log all from any to any<br />
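A ruleset this long is easy to get subtly wrong: an interface name typed by hand instead of $oif, a rule number used twice (ipfw keeps both and runs them in insertion order), a port on a proto ip rule (ports only ever match tcp and udp), or a missing catch-all deny. The lint below is an added example, not part of the original page; it reads a script written in the style above and flags those four things. The "$cmd NNNNN action ..." line shape and the interface variables are assumptions taken from the sample script.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): static checks for an ipfw ruleset
# script written in the style used above ("$cmd NNNNN action ...", interfaces
# held in shell variables such as oif="xl0"). It does not replace loading the
# rules on a test box, but it catches the slips that are easiest to make while
# editing a long ruleset. Prints one line per finding; returns 1 if anything
# was flagged, 0 if the script is clean.

lint_ipfw_script() {
    awk '
    # interface variables, e.g. oif="xl0": remember name -> variable
    /^[A-Za-z_][A-Za-z0-9_]*="?[a-z]+[0-9]+"?$/ {
        split($0, kv, "=")
        gsub(/"/, "", kv[2])
        known[kv[2]] = kv[1]
        next
    }
    /^\$cmd / {
        num = $2 + 0
        if (num in seen) {
            printf("WARN: line %d: rule %s appears twice; same-numbered rules run in insertion order\n", NR, $2)
            bad = 1
        }
        seen[num] = 1
        f = 0
        for (i = 3; i <= NF; i++) if ($i == "from") f = i
        if (!f) next                      # check-state has no body
        proto = $(f - 1)
        hasport = 0
        for (i = f + 1; i <= NF; i++) {
            if ($(i - 1) == "icmptypes") continue
            if ($i ~ /^[0-9]+(-[0-9]+)?$/ || $i == "src-port" || $i == "dst-port") hasport = 1
            if ($i == "via" || $i == "recv" || $i == "xmit") {
                ifn = $(i + 1)
                if (ifn ~ /^\$/ || ifn == "lo0") continue
                if (ifn in known) {
                    printf("WARN: line %d: rule %s uses literal %s; write $%s so one edit changes every rule\n", NR, $2, ifn, known[ifn])
                } else {
                    printf("BAD: line %d: rule %s names interface %s, which no variable declares\n", NR, $2, ifn)
                }
                bad = 1
            }
        }
        # port matching only applies to tcp/udp, so "ip ... 21" really means "tcp or udp 21"
        if (hasport && (proto == "ip" || proto == "all")) {
            printf("WARN: line %d: rule %s gives a port with proto %s; name tcp or udp explicitly\n", NR, $2, proto)
            bad = 1
        }
        # an unqualified "deny <ip|all> from any to any" is the catch-all
        if ($3 == "deny" && (proto == "ip" || proto == "all") && NF == f + 3 && $(f + 1) == "any" && $(f + 3) == "any")
            catchall = 1
    }
    END {
        if (!catchall) {
            print "BAD: no catch-all deny rule; on a default-accept kernel everything not listed passes"
            bad = 1
        }
        exit bad
    }' "$1"
}

if [ $# -ge 1 ]; then
    lint_ipfw_script "$1"
fi
```

Run it as <code>sh lint.sh /etc/rc.firewall.local</code> (or whatever you named the script) before scheduling the reload with at; a non-zero exit is your cue to fix the file first rather than rely on the rollback job.<br />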
<br />
== Sample /etc/natd.conf ==<br />
<br />
Our bastion firewall/server will also need to handle NAT duties for the boxes it's protecting on the LAN side. [[ /etc/natd.conf]] is the configuration file for natd, and will allow you to redirect ports from the public side to services on the LAN side, as well as handling standard NATting of connection requests from our protected network to the big bad Internet. Here's a sample [[ /etc/natd.conf]].<br />
<br />
(Note that for redirection of services to work, you need matching entries in your IPFW ruleset after the NAT Divert rule to allow those services inbound access as well as entries in this [[ /etc/natd.conf]]!)<br />
<br />
# "interface" should be the WAN interface<br />
interface xl0<br />
use_sockets yes<br />
same_ports yes<br />
# set "dynamic" if the WAN interface is controlled by DHCP<br />
dynamic yes<br />
<br />
#VNC<br />
redirect_port tcp 192.168.0.10:5900 5900<br />
#KAZAA<br />
redirect_port tcp 192.168.0.25:1214 1214<br />
#SOULSEEK<br />
redirect_port tcp 192.168.0.25:2234 2234<br />
redirect_port tcp 192.168.0.25:5534 5534<br />
#EMULE<br />
redirect_port tcp 192.168.0.25:4662 4662<br />
redirect_port udp 192.168.0.25:4672 4672<br />
#BITTORRENT<br />
redirect_port tcp 192.168.0.25:30000-40000 30000-40000<br />
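The note above, that every redirect_port entry needs a matching allow rule numbered after the divert, is exactly the kind of thing that drifts as the two files are edited separately. The check below is an added example, not part of the original page; it reads a natd.conf and an ipfw script in the style of the sample ruleset above, assumes the rules are written as "$cmd NNNNN allow ...", and reports every redirect whose external port has no allow rule after the divert.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): cross-check natd.conf redirect_port
# entries against the ipfw ruleset. A redirect only works if an allow rule
# numbered AFTER the divert rule lets the external port in, because only rules
# after the divert see the packet with its rewritten (inside) destination.
# Usage: check_natd_redirects /etc/natd.conf /path/to/ipfw-script
# Returns 1 if any redirect lacks an allow rule, 0 otherwise.

check_natd_redirects() {
    natd=$1
    rules=$2
    divert=$(awk '$1 == "$cmd" && $3 == "divert" { print $2 + 0; exit }' "$rules")
    if [ -z "$divert" ]; then
        echo "BAD: no divert rule in $rules; nothing is handed to natd at all"
        return 1
    fi
    awk -v divert="$divert" '
    FNR == NR {                                  # first file: the ipfw script
        if ($1 == "$cmd" && $3 == "allow" && $2 + 0 > divert + 0) {
            proto = ""
            for (i = 4; i <= NF; i++) if ($i == "from") proto = $(i - 1)
            # every bare port or port range in the rule body, keyed by protocol
            for (i = 4; i <= NF; i++)
                if ($i ~ /^[0-9]+(-[0-9]+)?$/ && $(i - 1) != "icmptypes")
                    allowed[proto " " $i] = $2
        }
        next
    }
    $1 == "redirect_port" {                      # second file: natd.conf
        proto = $2; target = $3; ext = $4
        rule = ""
        if ((proto " " ext) in allowed) rule = allowed[proto " " ext]
        else if (("ip " ext) in allowed) rule = allowed["ip " ext]
        else if (("all " ext) in allowed) rule = allowed["all " ext]
        if (rule != "") {
            printf("ok:  %s %s -> %s is allowed by rule %s\n", proto, ext, target, rule)
        } else {
            printf("BAD: redirect_port %s %s -> %s has no allow rule after divert rule %d; natd rewrites it but ipfw then drops it\n", proto, ext, target, divert)
            bad = 1
        }
    }
    END { exit bad }' "$rules" "$natd"
}

if [ $# -ge 2 ]; then
    check_natd_redirects "$1" "$2"
fi
```

The port must appear in the rule with the same spelling as in natd.conf (a single port, or the identical start-end range), which is also how you want to write them so that the two files stay obviously in step.<br />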
<br />
== Sample /usr/local/etc/dhcpd.conf file ==<br />
<br />
We're also going to want our bastion firewall/server to deliver DHCP leases to the computers on the protected network. So after installing the DHCP daemon from the '''/usr/ports/net/isc-dhcp3-server''' port, you'll need to minimally configure it: enable it in /etc/rc.conf with dhcpd_enable="YES" and dhcpd_ifaces="ed0" (the LAN interface; you do not want to hand out leases on the WAN side), and tell it what to hand out. Here's a sample [[ /usr/local/etc/dhcpd.conf]] file:<br />
<br />
# dhcpd.conf<br />
#<br />
# Configuration file for ISC dhcpd<br />
#<br />
# option definitions common to all supported networks...<br />
option domain-name "yourdomain.local";<br />
option domain-name-servers 192.168.0.99;<br />
default-lease-time 604800;<br />
max-lease-time 2592000;<br />
<br />
ddns-update-style none;<br />
<br />
# If you have more than one subnet, list them separately.<br />
subnet 192.168.0.0 netmask 255.255.255.0 {<br />
range 192.168.0.200 192.168.0.250;<br />
option routers 192.168.0.1;<br />
option broadcast-address 192.168.0.255;<br />
default-lease-time 4800;<br />
max-lease-time 7200;<br />
}<br />
<br />
# This would be for a second subnet, if you had one:<br />
# subnet 192.168.5.0 netmask 255.255.255.0 {<br />
# range 192.168.5.200 192.168.5.254;<br />
# option routers 192.168.5.1;<br />
# option broadcast-address 192.168.5.255;<br />
# default-lease-time 4800;<br />
# max-lease-time 7200;<br />
# }<br />
<br />
# EOF<br />
<br />
see also: [[Firewall, Monitoring]]<br />
<br />
<br />
== Helpful External Links ==<br />
<br />
http://www.freebsddiary.org/ipfw.php<br />
<br />
http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html<br />
<br />
http://blogs.geekdojo.net/andy/articles/1807.aspx VERY VERY helpful <br />
<br />
http://www.acme.com/firewall.html more with the SUPER helpfulness<br />
<br />
http://www.daniweb.com/tutorials/2949.html for getting dhcpd running<br />
<br />
[[Category:Common Tasks]]<br />
[[Category:FreeBSD for Servers]]<br />
[[Category: Securing FreeBSD]]</div>Davehttp://www.freebsdwiki.net/index.php/Category_talk:Important_Config_FilesCategory talk:Important Config Files2006-04-27T13:46:30Z<p>Dave: /* is there a reason? */</p>
<hr />
<div>==Naming convention==<br />
Should the articles called '''''Etc/'''etc'' be moved to '''''/etc'''/etc'' ? [[User:Ninereasons|Ninereasons]] 21:53, 26 April 2006 (EDT)<br />
<br />
== they really can't be ==<br />
<br />
The wiki automatically capitalizes the first letter of an article, whether you entered it that way or not. --[[User:Jimbo|Jimbo]] 08:20, 27 April 2006 (EDT)<br />
<br />
== is there a reason? ==<br />
<br />
for the way it sometimes takes the / out?--[[User:Dave|Dave]] 09:46, 27 April 2006 (EDT)</div>Davehttp://www.freebsdwiki.net/index.php/Category_talk:Important_Config_FilesCategory talk:Important Config Files2006-04-27T13:46:21Z<p>Dave: is there a reason?</p>
<hr />
<div>==Naming convention==<br />
Should the articles called '''''Etc/'''etc'' be moved to '''''/etc'''/etc'' ? [[User:Ninereasons|Ninereasons]] 21:53, 26 April 2006 (EDT)<br />
<br />
== they really can't be ==<br />
<br />
The wiki automatically capitalizes the first letter of an article, whether you entered it that way or not. --[[User:Jimbo|Jimbo]] 08:20, 27 April 2006 (EDT)<br />
<br />
== is there a reason? ==<br />
<br />
for the way it sometimes takes the / out?</div>Davehttp://www.freebsdwiki.net/index.php/NTP,_configuringNTP, configuring2006-04-26T14:12:34Z<p>Dave: /* NTP Servers */</p>
<hr />
<div>After installing [[Ntp]], you'll want to configure it properly. Remember to allow UDP port 123 in both directions if you're firewalling the client or server; NTP does not use TCP.<br />
<br />
==NTP Clients==<br />
A client only needs to know where to get time from: a server line naming your local NTP server (same syntax as in the server section below), or, if a server on the LAN broadcasts time, the broadcastclient directive. To start, edit [[/etc/ntp.conf]] and make sure it has something like this in it: <br />
<br />
# Because the computer clocks drift, keep the drift info somewhere:<br />
driftfile /etc/ntp.drift <br />
<br />
# if we are a client that listens to NTP broadcasts on the LAN, uncomment this line:<br />
#broadcastclient<br />
<br />
# Let's setup a log file for NTP:<br />
logfile /var/log/ntp.log<br />
<br />
==NTP Servers==<br />
<br />
First, synchronize to a known good time server -- there are many listed at ntp.isc.org, and due to common sense and politeness, I won't list one particular server here, but [http://tycho.usno.navy.mil/ntp.html the US Navy] has some servers available -- be sure to read their policies for allowed use. Once you've got a server that you can use, run<br />
ntpdate time.someserver.somewhere.com <br />
and your system will update to that time. You may want to verify that the time is correct, if you've got a Java-capable browser handy, [http://time.gov time.gov] will give you the correct time for the timezone you're in.<br />
<br />
Once you've got that done, find a server that you can update from regularly -- be sure you've read through [http://ntp.isc.org/bin/view/Servers/WebHome the documentation] and obtained permission to use the server (seriously, this is important, folks have no sense of humor about this, see links below for why) -- it's time to set up your [[/etc/ntp.conf]], which will at a minimum need to have three lines:<br />
server time.someserver.somewhere.com prefer<br />
driftfile /var/db/ntpd.drift<br />
restrict default notrust nomodify nopeer<br />
The server line may be repeated; three or four servers are typical, and more than five buys you little. Without "prefer", ntpd does not round-robin through the list: it polls all of them and its clock-selection algorithm picks the best one. With "prefer" on one of them, that server is used whenever it is among the servers ntpd considers correct, and the others take over only when it is not. Note that the restrict line above is written for the old meaning of notrust; check the parameter list below before copying it into a current ntpd.<br />
<br />
The ''restrict'' keyword is basically an allow statement that restricts how your NTP service on your server may be used (and by whom); modifier options after restrict help with this:<br />
<br />
restrict Address [ mask Number | default ] [ Parameter ... ] <br />
<br />
Allowed parameters are:<br />
ignore <br />
Specifies to ignore all packets from hosts which match this entry. <br />
Does not respond to queries nor time server polls. <br />
<br />
limited <br />
Specifies that these hosts are subject to limitation of number of <br />
clients from the same net. Net in this context refers to the IP notion <br />
of net (class A, class B, class C, and so on). Only accepts the first <br />
client_limit hosts that have shown up at the server and that have been<br />
active during the last client_limit_period seconds. Rejects requests <br />
from other clients from the same net. Only takes into account time <br />
request packets. Private, control, and broadcast packets are not subject<br />
to client limitation and therefore do not contribute to client count. <br />
The monitoring capability of the ntpd daemon keeps a history of clients.<br />
When you use this option, monitoring remains active. The default value for<br />
client_limit is 3. The default value for client_limit_period is 3600 seconds. <br />
<br />
nomodify <br />
Specifies to ignore all NTP mode 6 and 7 packets which attempt to modify the<br />
state of the server (run time reconfiguration). Permits queries which return<br />
information. <br />
<br />
nopeer <br />
Specifies to provide stateless time service to polling hosts, but not to <br />
allocate peer memory resources to these hosts. <br />
<br />
noquery <br />
Specifies to ignore all NTP mode 6 and 7 packets (information queries and<br />
configuration requests) from the source. Does not affect time service. <br />
<br />
noserve <br />
Specifies to ignore NTP packets whose mode is not 6 or 7. This denies time<br />
service, but permits queries. <br />
<br />
notrap <br />
Specifies to decline to provide mode 6 control message trap service to<br />
matching hosts. The trap service is a subsystem of the mode 6 control message<br />
protocol intended for use by remote event-logging programs. <br />
<br />
notrust <br />
In ntp 4.1 and earlier: treat these hosts normally in other respects, but never<br />
use them as synchronization sources. Since ntp 4.2 (shipped from FreeBSD 5.3 on):<br />
deny service unless the packet is cryptographically authenticated, so putting it<br />
on "restrict default" refuses every ordinary, unauthenticated client.<br />
<br />
ntpport <br />
Specifies to match the restriction entry only if the source port in the<br />
packet is the standard NTP UDP port (123). <br />
<br />
Note that a restrict line with no parameters grants full access to the hosts it matches, and that with no "restrict default" line at all, every host has full access to your server.<br />
<br />
Now that you've configured your ntp.conf file and want to use your server, start up the program manually:<br />
# ntpd -p /var/run/ntpd.pid<br />
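Since the parameters change meaning between versions and a missing restrict default means open access, it pays to check an ntp.conf before starting the daemon. The script below is an added example, not part of the original page; it flags the open-access case, a restrict default without nomodify or noquery, and the notrust pitfall described above. It assumes the directives are written one per line as in the samples on this page.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check an ntp.conf before
# starting ntpd. Looks at the server, driftfile and restrict lines only.
# BAD findings return 1 (no servers, no "restrict default", or a default
# that still allows mode 6/7 reconfiguration); WARN and NOTE lines are
# advisory and return 0.

lint_ntp_conf() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "server"    { servers++ }
    $1 == "driftfile" { drift = 1 }
    $1 == "restrict" && $2 == "default" {
        havedefault = 1
        for (i = 3; i <= NF; i++) flag[$i] = 1
    }
    $1 == "restrict" && ($2 == "127.0.0.1" || $2 == "::1") { havelocal = 1 }
    END {
        if (!servers) {
            print "BAD: no server line; ntpd has nothing to synchronise to"
            bad = 1
        } else if (servers > 5) {
            print "WARN: " servers " server lines; three or four is plenty and polite"
        }
        if (!drift)
            print "WARN: no driftfile; ntpd relearns the clock frequency error after every restart"
        if (!havedefault) {
            print "BAD: no \"restrict default\" line, so every host gets full access (queries, service and peering)"
            bad = 1
        } else {
            if (!("nomodify" in flag)) {
                print "BAD: restrict default lacks nomodify; mode 6/7 packets could reconfigure the daemon"
                bad = 1
            }
            if (!("noquery" in flag))
                print "WARN: restrict default lacks noquery; anyone can pull status with ntpq/ntpdc"
            if (!("nopeer" in flag))
                print "WARN: restrict default lacks nopeer; remote hosts can form symmetric-active associations"
            if ("notrust" in flag)
                print "WARN: notrust: since ntp 4.2 this refuses service to clients that are not cryptographically authenticated"
            if (("noquery" in flag) && !havelocal)
                print "NOTE: noquery on default without a restrict 127.0.0.1 line also blocks local ntpq"
        }
        exit bad
    }' "$1"
}

if [ $# -ge 1 ]; then
    lint_ntp_conf "$1"
fi
```

Run as <code>sh ntpcheck.sh /etc/ntp.conf</code>. The three-line server config from this section passes with two warnings, one of them the notrust change that would otherwise surprise you only when clients stop getting answers.<br />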
<br />
===NTP pool servers===<br />
Please consider using the [http://ntp.isc.org/bin/view/Servers/NTPPoolServers NTP Pool servers]. These are public time servers selected by round-robin. The DNS reference changes each hour. These time servers have ''volunteered'' to offer their services through the pool. As the server pool grows, the service regions will become increasingly more specific, and the results will be even more reliable. To [http://www.pool.ntp.org/use.html use the pool], for example, users in the U.S. would add these lines to their /etc/ntp.conf <br />
server 0.us.pool.ntp.org<br />
server 1.us.pool.ntp.org<br />
server 2.us.pool.ntp.org<br />
<br />
Some say that you do not need, and should not use, more than three server lines in your /etc/ntp.conf. [http://ntp.isc.org/bin/view/Support/ConfiguringNTP Others disagree].<br />
<br />
Similarly, if you need to quickly set your system clock, to use the pool (if your ISP does not offer a time service) you would say (e.g. in the U.S.):<br />
# /usr/sbin/ntpdate 0.us.pool.ntp.org<br />
<br />
It is usually considered poor manners to regularly hit even a server pool more than a few times in a 24 hour period. If you're one of those many who are in the habit of synching every clock on your LAN against a single public server, every few seconds, your IP may end up on the clock-master's list of Folks We Don't Like, and your network's time of reckoning will eventually arrive - or worse, you will contribute to stopping these vital services.<br />
<br />
==Auto-starting ntpd==<br />
Edit your /etc/rc.conf and add this to the end; <br />
<br />
# ntpdate sets the clock in one jump no matter how far off it is, while<br />
# ntpd normally slews in small increments and (without -g) refuses to run<br />
# if the clock is more than 1000 seconds out. The -g flag below lets ntpd<br />
# make that first big step itself, so running ntpdate at boot is only<br />
# worth it if you want the clock set before ntpd starts, and only against<br />
# servers you trust to hand you a sane time. To do that, uncomment this line:<br />
# ntpdate_enable="YES"<br />
# turn on the ntp daemon:<br />
ntpd_enable="YES"<br />
# ntpd installed from ports lives here (the base-system one is /usr/sbin/ntpd):<br />
ntpd_program="/usr/local/bin/ntpd"<br />
# options: -g allow one large step at startup, -N run at high priority,<br />
# -c/-p/-l config, pid and log files. -A waives authentication for<br />
# broadcast and symmetric-passive associations; drop it unless you need it.<br />
ntpd_flags="-A -g -N -c /etc/ntp.conf -p /var/run/ntpd.pid -l /var/log/ntpd.log"<br />
<br />
<br />
''Note: ntpd_enable was xntpd_enable in older FreeBSD releases (before FreeBSD-5). If you're running FreeBSD-4, replace every instance of ntpd with xntpd (xntpd_enable="YES", for example).''<br />
<br />
==NTP etiquette==<br />
<br />
The N stands for Network, but if you've got your own network, it behooves you -- and you're expected to -- either keep an ntp server for it or use one that you're allowed to; your ISP's or one you setup yourself. NTP stratum 1 servers are neither ubiquitous nor fair use for everyone. If you have a GPS or atomic-clock enabled server, then you can run your own stratum 1 server. More than likely you'll want to run a stratum 3 (or higher) server for your network, and you'll want to pull time from stratum 2 or 1 servers that are more accurate for you. <br />
<br />
Horror stories on why you want to only use servers you're allowed to:<br />
<br />
http://www.cs.wisc.edu/~plonka/netgear-sntp/<br />
<br />
http://people.freebsd.org/~phk/dlink/<br />
<br />
http://www.lightbluetouchpaper.org/2006/04/07/when-firmware-attacks-ddos-by-d-link/</div>Davehttp://www.freebsdwiki.net/index.php/Talk:NTP,_configuringTalk:NTP, configuring2006-04-26T13:30:25Z<p>Dave: incidentally,</p>
<hr />
<div>Yikes - thanks for the link to the Netgear and DLink SNTPd issues! Thankfully I'm enough of a time geek that I've always manually spec'ed the NTP server to a very nearby one (that I am within rights to use as frequently as the DLink products go out for info) on the DLink routers I've bought, so I haven't contributed to the Stratum 1 abuse problem directly. But yikes. =( --[[User:Jimbo|Jimbo]] 01:30, 26 April 2006 (EDT)<br />
<br />
== yeah ==<br />
<br />
those guys are jerks....it's been in the news lately because of the norway dude's NTP server getting hosed --[[User:Dave|Dave]] 09:25, 26 April 2006 (EDT)<br />
<br />
== incidentally, ==<br />
<br />
the netgear issue is older, but check out http://www.doit.wisc.edu/news/story.asp?filename=322 ....netgear wound up uh, "donating" 375K to the U of Wisc....<br />
Sometimes you get lucky. But more often you're just good. DoIT is the recent recipient of <br />
two gifts -- one of $50,000 from AT&T, and another of $375,000 over three years from NETGEAR, <br />
Inc. -- that reflect positively on the dedication and talent of University staff.<br />
which would be a good example on why it's wise not to use ntp servers that aren't yours to use.<br />
--[[User:Dave|Dave]] 09:30, 26 April 2006 (EDT)</div>Davehttp://www.freebsdwiki.net/index.php/Talk:NTP,_configuringTalk:NTP, configuring2006-04-26T13:25:23Z<p>Dave: yeah</p>
<hr />
<div>Yikes - thanks for the link to the Netgear and DLink SNTPd issues! Thankfully I'm enough of a time geek that I've always manually spec'ed the NTP server to a very nearby one (that I am within rights to use as frequently as the DLink products go out for info) on the DLink routers I've bought, so I haven't contributed to the Stratum 1 abuse problem directly. But yikes. =( --[[User:Jimbo|Jimbo]] 01:30, 26 April 2006 (EDT)<br />
<br />
== yeah ==<br />
<br />
those guys are jerks....it's been in the news lately because of the norway dude's NTP server getting hosed --[[User:Dave|Dave]] 09:25, 26 April 2006 (EDT)</div>Dave