From owner-svn-doc-head@FreeBSD.ORG Wed Oct 16 19:40:27 2013 Return-Path: Delivered-To: svn-doc-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id CEA277EC; Wed, 16 Oct 2013 19:40:27 +0000 (UTC) (envelope-from dru@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id BAFBE25E8; Wed, 16 Oct 2013 19:40:27 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r9GJeR30028424; Wed, 16 Oct 2013 19:40:27 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r9GJeRNv028423; Wed, 16 Oct 2013 19:40:27 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201310161940.r9GJeRNv028423@svn.freebsd.org> 
From: Dru Lavigne Date: Wed, 16 Oct 2013 19:40:27 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r42976 - head/en_US.ISO8859-1/books/handbook/network-servers X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Oct 2013 19:40:27 -0000 Author: dru Date: Wed Oct 16 19:40:27 2013 New Revision: 42976 URL: http://svnweb.freebsd.org/changeset/doc/42976 Log: Initial shuffle of the DHCP section. This patch does the following: - fixes acronym tags for DHCP, IP, and UDP - removes superfluous headings - shuffles existing content to organize it into a client section and a server section - replaces deprecated dhcp.org address Subsequent patches will clean up the white space and then move on to review and clarify the content in this section. Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Wed Oct 16 18:17:33 2013 (r42975) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Wed Oct 16 19:40:27 2013 (r42976) @@ -200,7 +200,7 @@ inetd_flags is set to -wW -C 60, which turns on TCP wrapping for inetd's services, and prevents any - single IP address from requesting any service more than 60 + single IP address from requesting any service more than 60 times in any given minute. Although we mention rate-limiting options below, novice 
@@ -227,7 +227,7 @@ Specify the default maximum number of times a - service can be invoked from a single IP address in one + service can be invoked from a single IP address in one minute; the default is unlimited. May be overridden on a per-service basis with the @@ -250,7 +250,7 @@ Specify the maximum number of times a service can be - invoked from a single IP address at any one time; the + invoked from a single IP address at any one time; the default is unlimited. May be overridden on a per-service basis with the parameter. @@ -347,7 +347,7 @@ server-program-arguments udp, udp4 - UDP IPv4 + UDP IPv4 @@ -357,7 +357,7 @@ server-program-arguments udp6 - UDP IPv6 + UDP IPv6 @@ -367,7 +367,7 @@ server-program-arguments udp46 - Both UDP IPv4 and v6 + Both UDP IPv4 and v6 @@ -403,12 +403,12 @@ server-program-argumentsmax-connections-per-ip-per-minute - limits the number of connections from any particular IP + limits the number of connections from any particular IP address per minutes, e.g., a value of ten would limit - any particular IP address connecting to a particular + any particular IP address connecting to a particular service to ten attempts per minute. limits the number of - children that can be started on behalf on any single IP + children that can be started on behalf on any single IP address at any moment. These options are useful to prevent intentional or unintentional excessive resource consumption and Denial of Service (DoS) attacks to a @@ -430,7 +430,7 @@ server-program-argumentsnowait/10. The same setup with a limit of twenty connections - per IP address per minute and a maximum total limit of + per IP address per minute and a maximum total limit of ten child daemons would read: nowait/10/20. @@ -442,7 +442,7 @@ server-program-argumentsFinally, an example of this field with a maximum of 100 children in total, with a maximum of 5 for any one - IP address would read: + IP address would read: nowait/100/0/5. 
@@ -723,7 +723,7 @@ mountd_flags="-r" The next example exports /home to three clients - by IP address. This can be useful for networks without + by IP address. This can be useful for networks without DNS. Optionally, /etc/hosts could be configured for internal hostnames; please review &man.hosts.5; for more @@ -953,7 +953,7 @@ rpc_statd_enable="YES" amd looks up the corresponding remote mount and automatically mounts it. /net is used to mount - an exported file system from an IP address, while + an exported file system from an IP address, while /host is used to mount an export from a remote hostname. @@ -1251,7 +1251,7 @@ Exports list on foobar: Machine name - IP address + IP address Machine role @@ -1768,7 +1768,7 @@ nis_client_enable="YES" for providing access control instead of securenets. While either access control mechanism adds some security, they are both vulnerable to - IP spoofing attacks. All + IP spoofing attacks. All NIS-related traffic should be blocked at the firewall. 
@@ -2617,92 +2617,55 @@ result: 0 Success --> - Automatic Network Configuration (DHCP) + Dynamic Host Configuration Protocol (<acronym>DHCP</acronym>) Dynamic Host Configuration Protocol - DHCP + DHCP Internet Systems Consortium (ISC) - DHCP, the Dynamic Host Configuration Protocol, describes - the means by which a system can connect to a network and - obtain the necessary information for communication upon that - network. &os; uses the OpenBSD dhclient - taken from OpenBSD 3.7. All information here regarding - dhclient is for use with either of the ISC - or OpenBSD DHCP clients. The DHCP server is the one included - in the ISC distribution. - - This section describes both the client-side components of - the ISC and OpenBSD DHCP client and server-side components of - the ISC DHCP system. The client-side program, - dhclient, comes integrated within &os;, - and the server-side portion is available from the net/isc-dhcp42-server port. Refer to - &man.dhclient.8;, &man.dhcp-options.5;, and - &man.dhclient.conf.5;, in addition to the - references below, for more information. - - - How It Works - - UDP - When dhclient, the DHCP client, is - executed on the client machine, it begins broadcasting - requests for configuration information. By default, these - requests are on UDP port 68. The server replies on UDP 67, - giving the client an IP address and other relevant network - information such as netmask, router, and DNS servers. All of - this information comes in the form of a DHCP - lease and is only valid for a certain time - (configured by the DHCP server maintainer). In this manner, - stale IP addresses for clients no longer connected to the - network can be automatically reclaimed. - - DHCP clients can obtain a great deal of information from - the server. An exhaustive list may be found in - &man.dhcp-options.5;. - - - - &os; Integration - - &os; fully integrates the OpenBSD DHCP client, - dhclient. 
DHCP client support is provided - within both the installer and the base system, obviating the - need for detailed knowledge of network configurations on any - network that runs a DHCP server. - - - sysinstall - + The Dynamic Host Configuration Protocol (DHCP) allows + a system to connect to a network in order to be assigned + the necessary addressing information for communication on that + network. &os; includes the OpenBSD version of dhclient + which is used by the client to obtain the addressing information. + &os; does not install a DHCP server, but several + servers are available in the &os; Ports Collection. + The DHCP protocol is fully described in + RFC + 2131. Informational resources are also available at + isc.org/downloads/dhcp/. + + This section describes how to use the built-in DHCP client. + It then describes how to install and configure a + DHCP server. - DHCP is supported by - sysinstall. When configuring a - network interface within - sysinstall, the second question - asked is: Do you want to try DHCP configuration of the - interface?. Answering affirmatively will execute - dhclient, and if successful, will fill in - the network configuration information automatically. + + Configuring a <acronym>DHCP</acronym> Client - There are two things required to have the system use - DHCP upon startup: - - DHCP - requirements - - - - Make sure that the bpf device - is compiled into the kernel. To do this, add - device bpf to the kernel configuration - file, and rebuild the kernel. For more information about - building kernels, see - . + DHCP client support is included in the &os; + installer, making it easy to configure a system to automatically + receive its networking addressing information from an existing + DHCP server. + + UDP + When dhclient is + executed on the client machine, it begins broadcasting + requests for configuration information. By default, these + requests use UDP port 68. 
The server replies on UDP port 67, + giving the client an IP address and other relevant network + information such as a subnet mask, default gateway, and DNS server addresses. + This information is in the form of a DHCP + lease and is valid for a configurable time. This allows + stale IP addresses for clients no longer connected to the + network to automatically be reused. + + DHCP clients can obtain a great deal of information from + the server. An exhaustive list may be found in + &man.dhcp-options.5;. The bpf device is already part of the GENERIC kernel that is 
@@ -2719,37 +2682,35 @@ result: 0 Success (although they still have to be run as root). bpf is - required to use DHCP; however, the security sensitive + required to use DHCP; however, the security sensitive types should probably not add bpf to the kernel in the expectation that at some point in the future the system - will be using DHCP. + will be using DHCP. - - - By default, DHCP configuration on &os; runs in the + By default, DHCP configuration on &os; runs in the background, or asynchronously. - Other startup scripts continue to run while DHCP + Other startup scripts continue to run while DHCP completes, speeding up system startup. - Background DHCP works well when the DHCP server - responds quickly to requests and the DHCP configuration - process goes quickly. However, DHCP may take a long time + Background DHCP works well when the DHCP server + responds quickly to requests and the DHCP configuration + process goes quickly. However, DHCP may take a long time to complete on some systems. If network services attempt - to run before DHCP has completed, they will fail. Using - DHCP in synchronous mode prevents - the problem, pausing startup until DHCP configuration has + to run before DHCP has completed, they will fail. Using + DHCP in synchronous mode prevents + the problem, pausing startup until DHCP configuration has completed. - To connect to a DHCP server in the background while + To connect to a DHCP server in the background while other startup continues (asynchronous mode), use the DHCP value in /etc/rc.conf: ifconfig_fxp0="DHCP" - To pause startup while DHCP completes, use + To pause startup while DHCP completes, use synchronous mode with the SYNCDHCP value: 
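Review bot: the closing list tags removed at the top of the -2719,37 hunk match the list item deleted in the previous hunk, but the paragraph that remains ("bpf is required to use DHCP; however, the security sensitive types should probably not add bpf to the kernel") now reads as a standalone recommendation against a device the preceding context says GENERIC already includes. Suggest rewording to say bpf is only a concern when a custom kernel omits it, or consolidating with the near-identical warning kept in the server section's -2881,7 hunk, since this patch leaves both copies in place.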
@@ -2769,27 +2730,14 @@ result: 0 Success dhclient_program="/sbin/dhclient" dhclient_flags="" - - - DHCP - server + DHCP + configuration files - The DHCP server, dhcpd, is - included as part of the - net/isc-dhcp42-server port - in the ports collection. This port contains the ISC DHCP - server and documentation. - - - Files + The DHCP client uses the following files: - - DHCP - configuration files - /etc/dhclient.conf @@ -2812,7 +2760,7 @@ dhclient_flags="" /sbin/dhclient-script dhclient-script is the - &os;-specific DHCP client configuration script. It + &os;-specific DHCP client configuration script. It is described in &man.dhclient-script.8;, but should not need any user modification to function properly. 
@@ -2820,50 +2768,47 @@ dhclient_flags="" /var/db/dhclient.leases.interface - The DHCP client keeps a database of valid leases in + The DHCP client keeps a database of valid leases in this file, which is written as a log. &man.dhclient.leases.5; gives a slightly longer - description. + description. Refer to + &man.dhclient.8;, &man.dhcp-options.5;, and + &man.dhclient.conf.5;, in addition to the + references below, for more information. - - Further Reading - - The DHCP protocol is fully described in - RFC - 2131. An informational resource has also been set - up at . - - - Installing and Configuring a DHCP Server - - - What This Section Covers + Installing and Configuring a <acronym>DHCP</acronym> Server This section provides information on how to configure a - &os; system to act as a DHCP server using the ISC - (Internet Systems Consortium) implementation of the DHCP + &os; system to act as a DHCP server using the ISC + (Internet Systems Consortium) implementation of the DHCP server. + + DHCP + server + + + The DHCP server, dhcpd, is + included as part of the + net/isc-dhcp42-server port + in the ports collection. This port contains the ISC DHCP + server and documentation. The server is not provided as part of &os;, and so the net/isc-dhcp42-server port must be installed to provide this service. See for more information on using the Ports Collection. - - - - DHCP Server Installation - DHCP + DHCP installation - In order to configure the &os; system as a DHCP server, + In order to configure the &os; system as a DHCP server, first ensure that the &man.bpf.4; device is compiled into the kernel. To do this, add device bpf to the kernel configuration file, and rebuild the kernel. 
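Review bot: "in addition to the references below" is added to the client section in the -2820,50 hunk, but the same hunk deletes the "Further Reading" subsection (the RFC 2131 and ISC links that were those references), which the -2617,92 hunk moved up to the section introduction; drop the phrase or change it to "the references in the introduction". Second, the moved paragraph "The DHCP server, dhcpd, is included as part of the net/isc-dhcp42-server port in the ports collection" now sits directly above the existing "The server is not provided as part of &os;, and so the net/isc-dhcp42-server port must be installed", which states the same thing twice; merge them into one paragraph.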
@@ -2881,7 +2826,7 @@ dhclient_flags="" that allows packet sniffers to function correctly (although such programs still need privileged access). The bpf device - is required to use DHCP, but if the + is required to use DHCP, but if the sensitivity of the system's security is high, this device should not be included in the kernel purely because the use of DHCP may, at some point in the @@ -2895,13 +2840,12 @@ dhclient_flags="" to the actual configuration file, /usr/local/etc/dhcpd.conf. Edits will be made to this new file. - - Configuring the DHCP Server + Configuring the <acronym>DHCP</acronym> Server - DHCP + DHCP dhcpd.conf dhcpd.conf is comprised of @@ -2936,7 +2880,7 @@ host mailhost { This option specifies a comma separated list of - DNS servers that the client should use. + DNS servers that the client should use. @@ -2960,15 +2904,15 @@ host mailhost { - This option specifies whether the DHCP server - should attempt to update DNS when a lease is accepted + This option specifies whether the DHCP server + should attempt to update DNS when a lease is accepted or released. In the ISC implementation, this option is required. - This denotes which IP addresses should be used in - the pool reserved for allocating to clients. IP + This denotes which IP addresses should be used in + the pool reserved for allocating to clients. IP addresses between, and including, the ones stated are handed out to clients. @@ -2980,14 +2924,14 @@ host mailhost { The hardware MAC address of a host (so that the - DHCP server can recognize a host when it makes a + DHCP server can recognize a host when it makes a request). Specifies that the host should always be given the - same IP address. Note that using a hostname is - correct here, since the DHCP server will resolve the + same IP address. Note that using a hostname is + correct here, since the DHCP server will resolve the hostname itself before returning the lease information. 
@@ -2995,7 +2939,7 @@ host mailhost { Once the configuration of dhcpd.conf has been completed, - enable the DHCP server in + enable the DHCP server in /etc/rc.conf, i.e., by adding: dhcpd_enable="YES" @@ -3003,7 +2947,7 @@ dhcpd_ifaces="dc0" Replace the dc0 interface name with the interface (or interfaces, separated by whitespace) - that the DHCP server should listen on for DHCP client + that the DHCP server should listen on for DHCP client requests. Proceed to start the server by issuing @@ -3023,7 +2967,7 @@ dhcpd_ifaces="dc0" Files - DHCP + DHCP configuration files @@ -3056,7 +3000,7 @@ dhcpd_ifaces="dc0" /var/db/dhcpd.leases - The DHCP server keeps a database of leases it has + The DHCP server keeps a database of leases it has issued in this file, which is written as a log. The port installs &man.dhcpd.leases.5;, which gives a slightly longer description. @@ -3066,8 +3010,8 @@ dhcpd_ifaces="dc0" /usr/local/sbin/dhcrelay dhcrelay is used in - advanced environments where one DHCP server forwards a - request from a client to another DHCP server on a + advanced environments where one DHCP server forwards a + request from a client to another DHCP server on a separate network. If this functionality is required, then install the net/isc-dhcp42-relay @@ -3150,7 +3094,7 @@ dhcpd_ifaces="dc0" DNS must be understood. resolver - reverse DNS + reverse DNS root zone @@ -3168,7 +3112,7 @@ dhcpd_ifaces="dc0" Forward DNS - Mapping of hostnames to IP addresses. + Mapping of hostnames to IP addresses. @@ -3492,7 +3436,7 @@ options { /* - Modern versions of BIND use a random UDP port for each outgoing + Modern versions of BIND use a random UDP port for each outgoing query by default in order to dramatically reduce the possibility of cache poisoning. All users are strongly encouraged to utilize this feature, and to configure their firewalls to accommodate it. 
@@ -3817,11 +3761,11 @@ www IN CNAME example. recordname IN recordtype value - DNS + DNS records - The most commonly used DNS records: + The most commonly used DNS records: @@ -3861,7 +3805,7 @@ www IN CNAME example. a domain name pointer (used in reverse - DNS) + DNS) @@ -3940,7 +3884,7 @@ mail IN A 192.168. IN A 192.168.1.1 - This line assigns IP address + This line assigns IP address 192.168.1.1 to the current origin, in this case example.org. @@ -3975,7 +3919,7 @@ mail IN A 192.168. priority number), then the second highest, etc, until the mail can be properly delivered. - For in-addr.arpa zone files (reverse DNS), the same + For in-addr.arpa zone files (reverse DNS), the same format is used, except with PTR entries instead of A or CNAME. @@ -3997,7 +3941,7 @@ mail IN A 192.168. 4 IN PTR mx.example.org. 5 IN PTR mail.example.org. - This file gives the proper IP address to hostname + This file gives the proper IP address to hostname mappings for the above fictitious domain. It is worth noting that all names on the right side @@ -4026,7 +3970,7 @@ mail IN A 192.168. BIND - DNS security extensions + DNS security extensions Domain Name System Security Extensions, or Security - Although BIND is the most common implementation of DNS, + Although BIND is the most common implementation of DNS, there is always the issue of security. Possible and exploitable security holes are sometimes found. @@ -4437,7 +4381,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key O'Reilly - DNS and BIND 5th Edition + DNS and BIND 5th Edition @@ -4469,21 +4413,21 @@ $include Kexample.com.+005+nnnnn.ZSK.key RFC4033 - - DNS Security Introduction and + - DNS Security Introduction and Requirements RFC4034 - - Resource Records for the DNS Security + - Resource Records for the DNS Security Extensions RFC4035 - - Protocol Modifications for the DNS Security + - Protocol Modifications for the DNS Security Extensions 
@@ -4496,7 +4440,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key RFC 5011 - - Automated Updates of DNS Security + - Automated Updates of DNS Security (DNSSEC Trust Anchors @@ -4686,7 +4630,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key types of Virtual Hosting. The first method is Name-based Virtual Hosting. Name-based virtual hosting uses the clients HTTP/1.1 headers to figure out the hostname. This allows many - different domains to share the same IP address. + different domains to share the same IP address. To setup Apache to use Name-based Virtual Hosting add an entry like the following to @@ -5252,7 +5196,7 @@ DocumentRoot /www/someotherdomain.tld This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of - the host's DNS name. + the host's DNS name. @@ -5580,7 +5524,7 @@ driftfile /var/db/ntp.driftrestrict 192.168.1.0 mask 255.255.255.0 nomodify notrap instead, where - 192.168.1.0 is an IP address + 192.168.1.0 is an IP address on the network and 255.255.255.0 is the network's netmask. @@ -6207,7 +6151,7 @@ iqn.2012-06.com.example:target0 iqn.2012-06.com.example:target0 10.10.10.10 Waiting for iscsid(8) The following suggests network-level problem, such as - wrong IP address or port: + wrong IP address or port: Target name Target addr State iqn.2012-06.com.example:target0 10.10.10.11 Connection refused
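Review bot: in the -403,12 hunk (the inetd rate-limiting options) the context around the edited lines reads "address per minutes" and "children that can be started on behalf on any single IP"; since those lines are being touched for the acronym tags, "per minute" and "on behalf of" could be fixed in the same commit. This is the paragraph that explains the resource-exhaustion and DoS mitigation, so it is worth getting right.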
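Review bot: the context line "(DNSSEC Trust Anchors" in the -4496,7 hunk has an unclosed parenthesis; the RFC 5011 title is "Automated Updates of DNS Security (DNSSEC) Trust Anchors", and since the hunk already edits this entry the parenthesis could be fixed here.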